PingOne Advanced Identity Cloud

Manage consent

Many OAuth 2.0 and OIDC flows require user consent to grant the client access to the user’s resources.

By default, OAuth 2.0 and OIDC client applications in Advanced Identity Cloud use implied consent. Advanced Identity Cloud doesn’t prompt for consent during authorization flows. This simplifies the flows. The user has only to sign on to grant the client access to protected resources.

A client application can opt to disable implied consent, however, and prompt the user explicitly:

  1. In the Advanced Identity Cloud admin console, go to Applications > Client ID > Sign On > General Settings > Show advanced settings > Authentication.

  2. Clear Implied Consent.

  3. Save your changes.

If you opt to require explicit consent, configure how the client application appears to the user.

  • Customize the built-in Advanced Identity Cloud end-user UI consent screen:

    1. In the Advanced Identity Cloud admin console, go to Applications > Client ID > Sign On > General Settings > Show advanced settings > Consent Screen.

    2. Update the applicable fields:

      Display Name

      Display this name to the user when prompting for consent.

      Display Description

      Explain the decision to the user when prompting for consent.

      Privacy Policy URI

      Add the URI of the client application's privacy policy.

    3. Save your work.

  • Delegate consent gathering to another service.

    Learn more in Remote consent service.

Display scopes

Users grant consent based on scopes. Scopes restrict what is shared with the client and limit what the client can do with the user’s data. In OAuth 2.0, the meanings of scopes depend on the implementation. In OIDC, scopes map to standard user data claims. For example, the profile scope requests access to the user’s default profile claims.

If you opt to require explicit consent and use the built-in Advanced Identity Cloud end-user UI consent screen, configure how the consent screen displays scopes and claims. Learn more in Display scopes in the consent screen.

If you opt to require explicit consent, Advanced Identity Cloud can store the consent decisions in the user profile. This minimizes redundant prompts and improves the user experience.

When an OAuth 2.0 client application requests scopes, Advanced Identity Cloud checks the user profile for scopes the user has already consented to for that client. It prompts the user only for the requested scopes that haven't been consented to yet, not for scopes that are already saved.

To save consent:

  1. Under Native Consoles > Access Management, go to Realms > Realm Name > Services > OAuth2 Provider and select the Consent tab.

  2. In the Saved Consent Attribute field, enter the AM Attribute name of an unused multivalued general purpose extension attribute, such as fr-attr-multi2.

  3. Save your changes.

To force Advanced Identity Cloud to prompt for consent for a specific client request, add the prompt=consent parameter.
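The saved-consent behaviour and the prompt=consent override described above, modelled as an added example (not Advanced Identity Cloud's own code). The "client_id scope scope..." layout of the multivalued attribute, the client IDs and the tenant URL are constructed assumptions for this example.

```python
from urllib.parse import urlencode

# Constructed sample values of the saved-consent attribute (the page suggests an
# unused multivalued attribute such as fr-attr-multi2). The per-value layout
# "client_id scope scope ..." is an assumption made for this example.
SAVED_CONSENT = [
    "myWebApp openid profile",
    "reportingTool openid email",
]


def parse_saved_consent(values):
    """Map each client_id to the set of scopes the user already granted it."""
    granted = {}
    for entry in values:
        client_id, *scopes = entry.split()
        granted.setdefault(client_id, set()).update(scopes)
    return granted


def scopes_to_prompt(saved_values, client_id, requested, prompt=None):
    """Return the scopes the consent screen must ask the user about.

    Scopes already consented to for this client are skipped, unless the
    request carries prompt=consent, which forces a fresh decision on every
    requested scope.
    """
    requested = set(requested.split())
    if prompt == "consent":
        return requested
    already = parse_saved_consent(saved_values).get(client_id, set())
    return requested - already


def authorization_url(base, client_id, redirect_uri, scope, force_consent=False):
    """Build an authorization request, adding prompt=consent only when forcing."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
    }
    if force_consent:
        params["prompt"] = "consent"
    return f"{base}?{urlencode(params)}"


if __name__ == "__main__":
    # Only "email" is new for myWebApp, so only it is prompted for.
    print(sorted(scopes_to_prompt(SAVED_CONSENT, "myWebApp", "openid profile email")))
    # Placeholder tenant URL; the realm path follows the /am/oauth2/realms/... pattern.
    print(authorization_url("https://<tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha/authorize",
                            "myWebApp", "https://app.example.com/cb", "openid profile", force_consent=True))
```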

You can revoke a client application’s access at any time through the Advanced Identity Cloud end-user UI:

  1. Sign on as an end user.

    Your dashboard page displays.

  2. Click Edit Your Profile.

  3. Under Authorized Applications, expand the application’s entry.

  4. Click Revoke Access:

    Figure 1. Authorized Applications pane (revoke client application access through the Advanced Identity Cloud end-user UI)