Enable consent for scopes

On This Page

Use the following steps to display the user consent dialog box as part of an OpenID Connect or OAuth 2.0 request.

Note: Currently OAuth Consent works only with custom authorization servers. See Authorization Servers for more information on the types of authorization servers available to you and what you can use them for.

  1. In the Admin Console, select Applications and then Applications.

  2. Select the OpenID Connect app that you want to require user consent for.

  3. Select the General tab and click Edit.

  4. Scroll down to the User Consent section and select Require consent.

    Note: If the User Consent section doesn't appear, you don't have the API Access Management and the User Consent features enabled. To enable these features, contact Support (opens new window).

  5. In this example, we use the Implicit flow for testing purposes. In the Application section, select Implicit flow and then both Allow ID Token with implicit grant type and Allow Access Token with implicit grant type.

    For the Authorization Code flow, the response type is code. You can exchange an authorization code for an ID token and/or an access token using the /token endpoint.

  6. Click Save.

  7. To enable consent for the scopes that you want to require consent for, select Security and then API.

  8. On the Authorization Servers tab, select default (Custom Authorization Server) in the table. In this example, we are enabling consent for default Custom Authorization Server scopes.

  9. Select the Scopes tab.

  10. Click the edit icon for the phone scope. The Edit Scope dialog box appears.

  11. Select Require user consent for this scope and click Save.

The following section provides example requests for enabling the consent dialog box using the APIs. You must first set the consent_method property and then enable consent for the scope.

Update the App

This example shows the JSON body of a PUT request to an existing OpenID Connect app (https://${yourOktaDomain}/api/v1/apps/${applicationId}). The request updates the consent_method parameter from TRUSTED (which is the default) to REQUIRED. The value that you specify for consent_method depends on the values for prompt and consent.

Note: Check the Settings table in the Add OAuth 2.0 Client Application section of the Apps API reference for information on these three properties. In most cases, REQUIRED is the correct value.

Note: You need the applicationId of the app that you want to update. Do a List Applications to locate that ID.

    "id": "0oaosna3ilNxgPTmk0h7",
    "name": "oidc_client",
    "label": "ConsentWebApp",
    "status": "ACTIVE",
    "signOnMode": "OPENID_CONNECT",
    "credentials": {
        "userNameTemplate": {
            "template": "${source.login}",
            "type": "BUILT_IN"
        "signing": {
            "kid": "5gbe0HpzAYj2rsWSLxx1fYHdh-SzWqyKqwmfJ6qDk5g"
        "oauthClient": {
            "autoKeyRotation": true,
            "client_id": "0oaosna3ilNxgPTmk0h7",
            "token_endpoint_auth_method": "client_secret_basic"
   "settings": {
        "app": {},
        "notifications": {
            "vpn": {
                "network": {
                    "connection": "DISABLED"
                "message": null,
                "helpUrl": null
        "oauthClient": {
            "client_uri": null,
            "logo_uri": null,
            "redirect_uris": [
            "response_types": [
            "grant_types": [
            "initiate_login_uri": "http://${yourOktaDomain}/authorization-code/callback",
            "application_type": "web",
            "consent_method": "REQUIRED",
            "issuer_mode": "CUSTOM_URL"

To enable consent for a scope that you want to require consent for, you need to update the appropriate scope by setting the consent property for the scope from IMPLICIT (the default) to REQUIRED.

This example shows the JSON body for a PUT request to the default Custom Authorization Server (https://${yourOktaDomain}/api/v1/authorizationServers/${authServerId}/scopes/${scopeId}) to update the phone scope. You need the following information for the request:

    "id": "scpixa2zmc8Eumvjb0h7",
    "name": "phone",
    "displayName": "phone",
    "description": "Allows this application to access your phone number.",
    "system": true,
    "metadataPublish": "ALL_CLIENTS",
    "consent": "REQUIRED",
    "default": false