This article describes a likely cause, and the available solutions, when some users of an OpenID Connect (OIDC) application are not receiving a Custom Scope even though the application requested it.
- API Access Management
- OAuth Consent
- Custom Scope
When creating a Custom Scope for a custom Authorization Server, there is a User consent option.
If it is set to Optional, meaning the scope is optional for the custom integration, the authenticating user can deny access to that scope for the target application when they first access it. If the user does not grant consent to that scope, tokens issued to that user for that application will not contain the requested scope, nor any custom claims configured to be included with that scope.
Once the user has granted or denied consent to the application's scope, they will not be prompted for consent again unless the application explicitly prompts the user for consent.
Depending on the use case, see the options below that will ensure that a requested scope is granted to the user:
- Configure the Custom Scope to have User consent set to Implicit.
  - With this option, users are not asked to confirm that the scope can be granted to the application; it is granted implicitly.
- Configure the Custom Scope to have User consent set to Required.
  - With this option, users must consent to the scope, or they will not be able to sign in to an application that requests it.
- Configure the application to prompt the user for consent by sending the `prompt=consent` query parameter in the /authorize request.
  - Even if the user has previously deselected an Optional scope, sending this parameter prompts them for it again.
  - See the /authorize API documentation for details on this parameter.
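The following is an added example, not code from the original article or from Okta: it builds the /authorize request with and without `prompt=consent`, then inspects an issued access token to report which requested scopes were not granted (the symptom described above). The issuer URL `https://example.okta.com/oauth2/default`, the client and redirect values, and the custom scope name `orders.read` are hypothetical; the sample token is constructed inline and unsigned. The `scp` claim is where Okta access tokens list granted scopes, but note that the decoder below only reads the payload and deliberately performs no signature verification, so it is for diagnosing consent problems, never for trusting a token.

```python
"""Added example (not from the original article or from Okta).

Assumed, hypothetical values:
  - custom authorization server: https://example.okta.com/oauth2/default
  - custom scope name: orders.read
"""
import base64
import json
from urllib.parse import urlencode, urlsplit, parse_qs

ISSUER = "https://example.okta.com/oauth2/default"  # assumed issuer URL


def build_authorize_url(client_id, redirect_uri, scopes, state, nonce, force_consent=False):
    """Return the /authorize URL for an authorization-code request.

    With force_consent=True the request carries prompt=consent, which re-prompts
    even a user who previously unchecked an Optional scope on the consent page.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,   # CSRF protection; must be validated on the callback
        "nonce": nonce,   # bound into the ID token; must be validated there
    }
    if force_consent:
        params["prompt"] = "consent"
    return f"{ISSUER}/v1/authorize?{urlencode(params)}"


def authorize_query_params(url):
    """Parse the query string of an /authorize URL back into a dict (single values)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def granted_scopes(access_token):
    """Scopes listed in the token's `scp` claim.

    This decodes the payload only. It does NOT verify the signature, issuer,
    audience or expiry, so use it to diagnose consent problems, not to trust tokens.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = json.loads(_b64url_decode(parts[1]))
    return set(payload.get("scp", []))


def missing_scopes(requested, access_token):
    """Scopes requested in /authorize but absent from the issued token.

    A non-empty result for an Optional custom scope is the situation the
    article describes: the user declined that scope on the consent page.
    """
    return set(requested) - granted_scopes(access_token)


def make_unsigned_token(scp):
    """Constructed sample token (alg=none, empty signature) for offline demonstration only."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg({'scp': scp})}."


if __name__ == "__main__":
    requested = ["openid", "profile", "orders.read"]
    print(build_authorize_url("0oa_example", "https://app.example.com/cb",
                              requested, "st4te", "n0nce"))
    print(build_authorize_url("0oa_example", "https://app.example.com/cb",
                              requested, "st4te", "n0nce", force_consent=True))
    # Simulate a user who declined the Optional custom scope.
    token = make_unsigned_token(["openid", "profile"])
    print("not granted:", missing_scopes(requested, token))
```

If `missing_scopes` reports the custom scope for only some users, that is consistent with those users having declined an Optional scope; re-sending the request with `force_consent=True` (that is, `prompt=consent`) gives them the consent page again, while switching the scope to Implicit or Required removes the choice entirely.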
