Skip to main content
OAuth allows applications to access APIs on the user’s behalf. Before an application can act on a user’s behalf, the user must explicitly approve the requested permissions. This approval step is called user consent. For third-party applications, user consent is always required. The user must approve every authorization request. For first-party applications, consent can be skipped when configured, because you control the application and trust it to act appropriately. When a third-party application redirects a user to the /authorize endpoint and requests access to an API, Auth0 displays a consent dialog listing the permissions the application is requesting. The following authorization request displays a consent dialog asking the user to approve the read:posts and write:posts permissions for the API:
GET /authorize?
  client_id=tpc_THIRD_PARTY_CLIENT_ID
  &redirect_uri=https://partner.example.com/callback
  &response_type=code
  &scope=read:posts write:posts
  &audience=https://social.example.com
  &code_challenge=CODE_CHALLENGE
  &code_challenge_method=S256
  &state=STATE_VALUE
Authorization - User consent and applications - consent-dialog
If the user approves, Auth0 creates a user grant representing the user’s consent to this combination of application, API, and requested scopes. The application receives an authorization code as usual. Once consent has been given, the user does not see the consent dialog during subsequent logins until consent is revoked explicitly.
Third-party applications with enhanced security controls do not support OIDC scopes (openid, profile, email) in this release. The consent dialog shows API scopes only. OIDC support for third-party applications is planned for a future release.

Scope descriptions

By default, the consent page uses scope names to prompt for the user’s consent. As shown below, define scopes using the action:resource_name format for clear display:
Authorization - User consent and applications - Consent scopes
The consent page groups scopes for the same API and displays all actions in a single line. For example, the configuration above results in Posts: read and write your posts. To display the Description field instead of the scope name, set the tenant’s use_scope_descriptions_for_consent flag to true: This setting affects consent prompts for all APIs on the tenant.

Handle rejected permissions

When a user declines consent, the behavior depends on the application’s redirection policy:
  • open_redirect_protection (default for third-party apps): Auth0 displays an error page instead of redirecting. This prevents open redirect attacks.
  • allow_always: Auth0 redirects to the redirect_uri with an access_denied error:
HTTP/1.1 302 Found
Location: https://partner.example.com/callback?
    error=access_denied
    &state=STATE_VALUE
First-party applications can skip the consent dialog when the API has the Allow Skipping User Consent option enabled. To navigate to the Allow Skipping User Consent toggle, select Applications > APIs > (select the API) > Settings > Access Settings. Third-party applications always require consent and cannot skip the consent dialog.
Even when consent is skipped for first-party applications, a login confirmation prompt may still appear when the application uses a non-verifiable callback URI (such as localhost or a custom URI scheme). This protects users against application impersonation on the same device. To learn more, read Measures Against Application Impersonation.
When a third-party application authenticates users in an Organization context, consent is scoped to the Organization. A user who consents to an application in one Organization has not consented to the same application in another Organization.
Consent dialog for Acme organization — third-party application requesting access to the user's Acme account
This means:
  • A user accessing the same third-party application from a new Organization sees the consent dialog again, even if they previously consented in a different Organization.
  • Revoking consent in one Organization does not affect consent in another.
  • The grant is stored per Organization.
Consent dialog for Contoso organization — the same user must consent again for a different Organization
To force re-consent in a specific Organization context, include prompt=consent in the /authorize request. To revoke a user’s consent for a specific application:
  1. Navigate to Auth0 Dashboard > User Management > Users.
  2. Select the user.
  3. Select the Authorized Applications tab.
  4. Select Revoke next to the application.

Password-based flows

The Resource Owner Password Flow is not available for third-party applications. It applies to first-party applications only. For first-party applications, no consent dialog is involved because the user directly provides their password to the application, which is equivalent to granting the application full access to the user’s account. To force users to provide consent on every login (even if they have an existing grant), include prompt=consent in the /authorize request:
GET /authorize?
  client_id=tpc_THIRD_PARTY_CLIENT_ID
  &redirect_uri=https://partner.example.com/callback
  &response_type=code
  &scope=read:posts write:posts
  &audience=https://social.example.com
  &prompt=consent
  &code_challenge=CODE_CHALLENGE
  &code_challenge_method=S256
  &state=STATE_VALUE

Learn more