---
title: Manage consent
description: Many OAuth 2.0 and OIDC flows require user consent to grant the client access to the user's resources.
component: pingam
version: 8.1
page_id: pingam:am-oauth2:oauth2-manage-consent
canonical_url: https://docs.pingidentity.com/pingam/8.1/am-oauth2/oauth2-manage-consent.html
keywords: ["OAuth 2.0", "OpenID Connect (OIDC)", "Authorization", "Setup & Configuration"]
page_aliases: ["oauth2-guide:allowing-clients-to-skip-consent.adoc", "oauth2-guide:allowing-am-to-save-consent.adoc", "oauth2-guide:oauth2-manage-consent.adoc", "oauth2-guide:oauth2-user-consent.adoc"]
section_ids:
  skip-consent: Implied consent
  gather-consent: Gather consent
  store-consent-decisions: Store consent decisions
  revoke_consent: Revoke consent
---

# Manage consent

Many OAuth 2.0 and OIDC flows require user consent to grant the client access to the user's resources.

## Implied consent

OAuth 2.0 and OIDC client applications can use *implied consent*. With implied consent, *AM does not prompt for consent during authorization flows*. This simplifies the flows. The user has only to sign on to grant the client access to protected resources.

To enable implied consent, follow these steps:

1. In the AM admin UI, go to Realms > *realm name* > Applications > OAuth 2.0 > Clients > *client ID* > Advanced.

2. Select Implied Consent.

3. Save your changes.

4. Make sure AM lets users skip granting consent.

   By default, this is enabled in the OAuth 2.0 provider configuration under Realms > *realm name* > Services > OAuth2 Provider > Consent > Allow Clients to Skip Consent.

   If that is disabled for your deployment, switch to the OAuth2 Provider Overrides tab in the client profile, make the following changes to the settings, and save your work:

   * Enable OAuth2 Provider Overrides

     Enabled

   * Allow Clients to Skip Consent

     Enabled

To disable implied consent and force users to grant consent during authorization flows, disable the settings described in the previous steps.

## Gather consent

Configure how the client application appears to the user. The following alternatives are available:

* Customize the built-in consent screen:

  1. In the AM admin UI, go to Realms > *realm name* > Applications > OAuth 2.0 > Clients > *client ID*.

     Edit the following settings under the Advanced tab, then save your work:

     * Display name

       Display this name to the user when prompting for consent.

     * Display description

       Explain the decision to the user when prompting for consent.

     * Privacy Policy URI

       Add the URI of the client application's privacy policy.

  2. Configure how scopes display.

     Users grant consent based on *scopes*. Scopes restrict what is shared with the client and limit what the client can do with the user's data. In OAuth 2.0, the meanings of scopes depend on the implementation. In OpenID Connect, scopes map to standard user data claims; for example, the `profile` scope requests access to the user's default profile claims.

     For details, refer to [Display scopes in the consent screen](oauth2-scopes.html#configure-scopes).

* Delegate consent gathering to another service.

  For details, refer to [Remote consent](oauth2-remote-consent.html).

## Store consent decisions

AM can store the consent decisions in the user profile. This minimizes redundant prompts and improves the user experience.

When an OAuth 2.0 client application requests scopes, AM checks the user profile for scopes the user has already consented to. AM does not prompt the user again for those scopes; it prompts only for scopes the user has not yet consented to.

To save consent:

1. Add a multivalued string syntax attribute, such as `custom_consent`, to user profiles for saving consent decisions.

   The attribute must be of type `array`.

   For instructions on adding the attribute, refer to [Update the identity store for a custom attribute](../setup/customizing-data-stores.html#add-attr-to-identity-repository).

2. In the AM admin UI, go to Realms > *realm name* > Services > OAuth2 Provider and select the Consent tab.

3. In the Saved Consent Attribute field, add the name of the attribute you created, such as `custom_consent`.

4. Save your changes.

To force AM to prompt for consent for a specific client request, add the `prompt=consent` parameter.
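The following Python model is an added example, not AM's code: it works through the rules described under Implied consent and Store consent decisions to show which scopes a given request would prompt for. The class and field names are hypothetical, and evaluating implied consent before `prompt=consent` is an assumption, because this page does not state the order.

```python
from dataclasses import dataclass


@dataclass
class Provider:  # hypothetical stand-in for the realm's OAuth2 Provider service
    allow_clients_to_skip_consent: bool = True  # the page says this is on by default


@dataclass
class Client:  # hypothetical stand-in for an OAuth 2.0 client profile
    implied_consent: bool = False           # Advanced > Implied Consent
    overrides_enabled: bool = False         # Enable OAuth2 Provider Overrides
    override_allow_skip: bool = False       # override: Allow Clients to Skip Consent


def may_skip_consent(client, provider):
    """The client override applies when enabled; otherwise the provider setting."""
    if client.overrides_enabled:
        return client.override_allow_skip
    return provider.allow_clients_to_skip_consent


def scopes_to_prompt(client, provider, requested, saved, prompt_consent=False):
    """Return the set of scopes the user is asked to consent to."""
    requested = set(requested)
    # Implied consent only takes effect when skipping consent is permitted.
    # Assumption: checked before prompt=consent (order not stated on the page).
    if client.implied_consent and may_skip_consent(client, provider):
        return set()
    # prompt=consent forces a prompt for this request despite saved decisions.
    if prompt_consent:
        return requested
    # Saved consent: prompt only for scopes missing from the saved attribute.
    return requested - set(saved)


if __name__ == "__main__":
    strict = Provider(allow_clients_to_skip_consent=False)
    saved = ["openid"]  # constructed sample of a user's saved consent values
    cases = {
        "saved consent": (Client(), Provider(), False),
        "prompt=consent": (Client(), Provider(), True),
        "implied, provider blocks skip": (Client(implied_consent=True), strict, False),
        "implied, client override": (Client(True, True, True), strict, False),
    }
    for name, (client, provider, force) in cases.items():
        result = scopes_to_prompt(client, provider, ["openid", "profile"], saved, force)
        print(f"{name}: {sorted(result)}")
```

The third case is the one to check in a review: selecting Implied Consent on the client has no effect while the provider setting is disabled and no client override is in place.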

## Revoke consent

You can revoke a client application's access at any time through the user dashboard page:

1. Sign on as an end user.

   Your dashboard page displays.

2. Expand Authorized Apps.

3. Click the delete icon to revoke access:

   ![Revoke client application access through the user dashboard.](_images/xui-oauth2-self-service.png)

   Figure 1. Authorized Apps pane
