OAuth2 - Imply/grant consent for trusted application

stromb0li

We are using OAuth2 between two systems we own for single sign-on. Given we own both services, we would like to imply/grant consent on behalf of our users for that specific application.

Ask: Can you add a checkbox to Skip OAuth2 consent / trust the client application?
 
IIRC, not without breaking the OAuth2 spec. The system requires explicit user consent.

Not saying it can't be done or that this is a good/bad suggestion, just that it would not be compliant.

Microsoft, as an example of a bigger company, has kept this - if you have an Outlook account and you're signing into Xbox Live for the first time, you will get an OAuth prompt regardless of the fact that they're both the same company. Same thing when you're logging into the Minecraft launcher.
 
Microsoft as an example of a bigger company has kept this
This is true if using a consumer identity to another service (i.e. website X federated to Microsoft services A, B, C); however, as the identity provider (in their case Entra), you can do admin consent on behalf of the organization to suppress consent per federated application.
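To make concrete what the requested checkbox and the admin-consent route in the reply above actually do on the authorization-server side, here is an added example. It is not code from this forum, from any poster, or from Entra; the `Client`, `GrantStore` and `consent_decision` names, the sample clients and the loopback rule are all this example's own assumptions. It models the three ways a consent prompt can be suppressed at the authorization endpoint: a per-client "trusted, consent not required" flag (the checkbox asked for in the original post), a grant recorded by an administrator for every user of the tenant (what Entra calls admin consent), and a remembered per-user grant. Redirect URI and scope validation run first, because skipping the consent screen is only safe when the code or token can go nowhere except the registered redirect target.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Outcomes of the consent check at the authorization endpoint.
PROMPT, SKIP, REJECT = "prompt", "skip", "reject"


@dataclass(frozen=True)
class Client:
    """One registered OAuth2 client (constructed for this example)."""
    client_id: str
    redirect_uris: frozenset          # exact-match allow-list from registration
    allowed_scopes: frozenset         # scopes this client may ever request
    trusted: bool = False             # the requested "skip consent for this client" checkbox


@dataclass
class GrantStore:
    """Consent already on record, keyed per user and per tenant (in-memory stand-in)."""
    # (client_id, user_id) -> scopes this user consented to earlier (remembered consent)
    user_grants: dict = field(default_factory=dict)
    # client_id -> scopes an administrator granted on behalf of every user (admin consent)
    admin_grants: dict = field(default_factory=dict)

    def record_user_consent(self, client_id, user_id, scopes):
        key = (client_id, user_id)
        self.user_grants[key] = self.user_grants.get(key, frozenset()) | frozenset(scopes)

    def record_admin_consent(self, client_id, scopes):
        self.admin_grants[client_id] = self.admin_grants.get(client_id, frozenset()) | frozenset(scopes)

    def covered_scopes(self, client_id, user_id):
        """Scopes that need no prompt for this user: admin grant union the user's own grant."""
        return (self.admin_grants.get(client_id, frozenset())
                | self.user_grants.get((client_id, user_id), frozenset()))


def _is_loopback(redirect_uri):
    host = urlsplit(redirect_uri).hostname or ""
    return host in ("localhost", "127.0.0.1", "::1")


def consent_decision(client, store, user_id, requested_scopes, redirect_uri):
    """Return (outcome, detail) for one authorization request.

    outcome is PROMPT (detail = sorted scopes still needing consent),
    SKIP (detail = why no prompt is shown) or REJECT (detail = error reason).
    """
    requested = frozenset(requested_scopes)
    # Exact redirect_uri match comes first: the consent screen is the user's
    # last defence against a confusable client, so nothing below may run
    # for an unregistered target.
    if redirect_uri not in client.redirect_uris:
        return REJECT, "redirect_uri not registered"
    unknown = requested - client.allowed_scopes
    if unknown:
        return REJECT, "invalid_scope: " + " ".join(sorted(unknown))
    missing = requested - store.covered_scopes(client.client_id, user_id)
    if not missing:
        return SKIP, "covered by prior user or admin grant"
    # Policy choice assumed in this example: the trusted flag never silences the
    # prompt for a loopback redirect, where any local process could be the "client".
    if client.trusted and not _is_loopback(redirect_uri):
        return SKIP, "trusted first-party client"
    return PROMPT, sorted(missing)


if __name__ == "__main__":
    # Constructed sample: a first-party portal and a third-party partner app.
    portal = Client("portal", frozenset({"https://portal.example.com/cb"}),
                    frozenset({"openid", "profile", "email"}), trusted=True)
    partner = Client("partner", frozenset({"https://partner.example.net/cb"}),
                     frozenset({"openid", "profile"}))
    store = GrantStore()
    print(consent_decision(portal, store, "alice", ["openid", "profile"], "https://portal.example.com/cb"))
    print(consent_decision(partner, store, "alice", ["openid", "profile"], "https://partner.example.net/cb"))
    store.record_admin_consent("partner", ["openid", "profile"])
    print(consent_decision(partner, store, "bob", ["openid", "profile"], "https://partner.example.net/cb"))
```

The third call shows the admin-consent path from the reply above: once an administrator records the grant for the partner client, users who never saw a prompt still get `SKIP`. The `trusted` flag only ever changes the outcome for a client whose redirect URI and scopes already passed validation; it does not widen what the client may ask for.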

 