First party application Allow Skipping User Consent

[sdandroid]

from auth0

Allow Skipping User Consent: 
Enable this setting for the API to skip user consent for applications flagged as "first party."

Setting in client Is useful for first party application.

[vinckr]

Hello @sdandroid

I understand what you are trying to achieve, but we recommend to not use OAuth2.0 in first-party scenarios.
It introduces unnecessary complexity, which leads to mistakes, which leads to security holes. Also it makes logout clunky, always requires a browser even on native apps, the list goes on...
This blogpost goes a bit more into details:
Why you probably do not need OAuth2 / OpenID Connect
Also Do You Need OAuth2?

If you are just looking for first party authentication, I recommend checking out Ory Kratos.

[vinckr]

Hello @holopekochan
I do not know much about your use case but both is an option. We recommend to use browser redirect flows in first-party scenarios, see also the Ory Security Model doc. This post explains when it is a good idea to use OAuth2.

To expand on the skipping user consent screen problem:

You can't skip the consent redirection, but you can accept the redirection to the redirect URL immediately. The user won't notice as this takes less than < 100ms. The example on how to skip the consent screen provides a good starting point: Skipping Consent Screen.

[frankljbe]

Interesting read. I wonder what you think about the following scenario. I own a few different website "coolshoppingwebsite.com", "excellentshoppingwebsite.com" and "niceshoppingwebsite.com". I want all of these to use the same identity-provider, however for I don't want users to see the consent screen. We need some sort of protocol besides cookies to manage this relationship, since cookies are limited by domain.

The most common way to solve this to me seems to be OAuth with a special 1st party client that skips the consent screen. Do you think this is an appropriate use of OAuth?

[kmherrmann]

Hi Frank,

yes, that is an acceptable use of OAuth2 :)
In Ory Cloud, we are also planning to support multiple custom domains on a single project, which will allow cookie based login in your scenario.
Adding an option to mark clients as "trusted, 1st party" and allowing them to skip consent automatically also makes sense for the use case, and we'll look into support for that, too. In the meantime, the link @vinckr provided for skipping the screen should make things work!

cheers
klaus

[sirkrisp]

@kmherrmann any updates on this? Thanks, Kris

[vinckr]

Hello @sirkrisp

You can now add up to 5 domains to one Ory Network (formerly known as Ory Cloud) project on the "Scale" plan. Check out our new pricing.

an option to mark clients as "trusted, 1st party"

AFAIK this is not yet implemented, but if you are interested in something like this for your Ory Network project, feel free to open a feature request in github.com/ory/network.