OAuth allows applications to access APIs on the user’s behalf. Before an application can act on a user’s behalf, the user must explicitly approve the requested permissions. This approval step is called user consent.
For third-party applications, user consent is always required: the user must approve every authorization request. For first-party applications, consent can be skipped when configured, because you control the application and trust it to act appropriately.
When a third-party application redirects a user to the /authorize endpoint and requests access to an API, Auth0 displays a consent dialog listing the permissions the application is requesting. The following authorization request displays a consent dialog asking the user to approve the read:posts and write:posts permissions for the API:
GET /authorize?
  client_id=tpc_THIRD_PARTY_CLIENT_ID
  &redirect_uri=https://partner.example.com/callback
  &response_type=code
  &scope=read:posts write:posts
  &audience=https://social.example.com
  &code_challenge=CODE_CHALLENGE
  &code_challenge_method=S256
  &state=STATE_VALUE
[Image: consent dialog]
If the user approves, Auth0 creates a user grant representing the user’s consent to this combination of application, API, and requested scopes. The application receives an authorization code as usual. Once consent has been given, the user does not see the consent dialog during subsequent logins until consent is revoked explicitly.
Third-party applications with enhanced security controls do not support OIDC scopes (openid, profile, email) in this release. The consent dialog shows API scopes only. OIDC support for third-party applications is planned for a future release.

Scope descriptions

By default, the consent page uses scope names to prompt for the user’s consent. As shown below, define scopes using the action:resource_name format for clear display:
[Image: consent scopes configuration]
The consent page groups scopes for the same API and displays all actions in a single line. For example, the configuration above results in Posts: read and write your posts. To display the Description field instead of the scope name, set the tenant’s use_scope_descriptions_for_consent flag to true. This setting affects consent prompts for all APIs on the tenant.

Handle rejected permissions

When a user declines consent, the behavior depends on the application’s redirection policy:
  • open_redirect_protection (default for third-party apps): Auth0 displays an error page instead of redirecting. This prevents open redirect attacks.
  • allow_always: Auth0 redirects to the redirect_uri with an access_denied error:
HTTP/1.1 302 Found
Location: https://partner.example.com/callback?
    error=access_denied
    &state=STATE_VALUE
First-party applications can skip the consent dialog when the API has the Allow Skipping User Consent option enabled. To navigate to the Allow Skipping User Consent toggle, select Applications > APIs > (select the API) > Settings > Access Settings. Third-party applications always require consent and cannot skip the consent dialog.
Even when consent is skipped for first-party applications, a login confirmation prompt may still appear when the application uses a non-verifiable callback URI (such as localhost or a custom URI scheme). This protects users against application impersonation on the same device. To learn more, read Measures Against Application Impersonation.
To revoke a user’s consent for a specific application:
  1. Navigate to Auth0 Dashboard > User Management > Users.
  2. Select the user.
  3. Select the Authorized Applications tab.
  4. Select Revoke next to the application.

Password-based flows

When using the Resource Owner Password Flow, no consent dialog is involved because the user directly provides their password to the application, which is equivalent to granting the application full access to the user’s account.
To force users to provide consent on every login (even if they have an existing grant), include prompt=consent in the /authorize request:
GET /authorize?
  client_id=tpc_THIRD_PARTY_CLIENT_ID
  &redirect_uri=https://partner.example.com/callback
  &response_type=code
  &scope=read:posts write:posts
  &audience=https://social.example.com
  &prompt=consent
  &code_challenge=CODE_CHALLENGE
  &code_challenge_method=S256
  &state=STATE_VALUE
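The client side of the exchanges on this page (the /authorize request with PKCE, the optional prompt=consent, and the access_denied redirect a user refusal produces under allow_always), as an added example that is not Auth0's own code or SDK. The tenant domain, client ID, callback and API identifier are constructed placeholders taken from the requests above.

```python
import base64
import hashlib
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholders; substitute your tenant domain, client ID and callback.
AUTH0_DOMAIN = "YOUR_TENANT.auth0.com"
CLIENT_ID = "tpc_THIRD_PARTY_CLIENT_ID"
REDIRECT_URI = "https://partner.example.com/callback"
AUDIENCE = "https://social.example.com"
SCOPES = ["read:posts", "write:posts"]


def pkce_challenge(code_verifier: str) -> str:
    """S256 code challenge: base64url(SHA-256(verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(state: str, code_verifier: str, force_consent: bool = False) -> str:
    """Build the /authorize request shown above; force_consent adds prompt=consent."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": " ".join(SCOPES),
        "audience": AUDIENCE,
        "code_challenge": pkce_challenge(code_verifier),
        "code_challenge_method": "S256",
        "state": state,
    }
    if force_consent:
        params["prompt"] = "consent"
    return f"https://{AUTH0_DOMAIN}/authorize?" + urlencode(params)


def handle_callback(callback_url: str, expected_state: str) -> dict:
    """Classify the redirect back from Auth0: code, user refusal, or a rejected response."""
    query = parse_qs(urlparse(callback_url).query)
    # Check state before looking at code or error, so a forged or replayed
    # redirect is never acted on, even one that carries a plausible error.
    if query.get("state", [None])[0] != expected_state:
        return {"status": "invalid_state"}
    error = query.get("error", [None])[0]
    if error == "access_denied":  # the user declined consent (allow_always policy)
        return {"status": "consent_denied"}
    if error:
        return {"status": "error", "error": error}
    code = query.get("code", [None])[0]
    if not code:
        return {"status": "error", "error": "missing_code"}
    return {"status": "ok", "code": code}
```

Store `state` and the code verifier server-side per login attempt; the verifier is later sent to the token endpoint, not in the authorize URL.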

Learn more