How to implement user “auto-approval” with Forgerock OpenAM and OAuth2


This topic has 22 replies, 8 voices, and was last updated 3 years, 5 months ago by Andy Cory.


    I had a similar question posted several weeks ago, and hadn’t got an elegant solution either. (, and voted on the JIRA ticket.

    I agree with Tom that adding an additional “auto-consent” field on client registration (OAuth2 client agent), to be set on a per-client basis, will be ideal.

    I’m not sure modifying the OpenAM source code is a good idea, since it will affect all realms/users managed by OpenAM.

    My 2c,

     Tom Kofford

    I just added a comment with our implementation details to the Jira issue referenced earlier in the thread. Would love feedback. Not sure if the Jira ticket or this forum is the best place for feedback. I guess I’ll see either one.

     Andy Cory

    Tom, we implemented exactly the solution you proposed in a project recently, built on OpenAM 12. The reason we didn’t adopt Bill’s solution of pre-populating the relevant attributes in the directory in this case was similar to yours – the directory is (largely) already provisioned with many entries, and while we could add the attributes to provisioning of new users, there were issues with updating the many existing users.

    When I say we implemented exactly the solution you proposed, I do mean exactly – I lifted your code from the FR Jira ticket, and it’s working perfectly. Since I lifted your code, I thought it only appropriate to thank you on this thread!


     Miguel F

    Hi guys! You might know this already but just in case. This feature (“Skip user consent” for OAuth2) is supported officially in OpenAM 13.5+. :-)


     Tom Kofford

    That was a fast turn-around! We just updated our production OpenAM to 13.5 a couple of days ago. So far, so good.

     Andy Cory

    FYI, we’ve implemented the new auto Skip user consent feature in 13.5 in a project currently in test, go live Jan next year. Works flawlessly.


    Hi All,

    I am working on the OpenAM OAuth flow, but I am not getting the user consent page after user authentication.
    I have configured remote consent, created the agent profile for remote consent, and enabled remote consent in the OAuth provider. How do I get the consent page?
    I am using AM 6.5.


     Andy Cory

    When you say you’ve enabled remote consent in oauth provider… requiring explicit consent is the default behaviour, you don’t have to do anything to get the consent page. If you’ve configured something different in the OAuth2 provider, check you haven’t actually configured ‘skip user consent’, and done the same in the OAuth2 profile. If you have, then suppressing the consent page is the expected behaviour.
