During the OAuth authorization flow, after a user authenticates, PingFederate directs the user to an authorization consent screen. On this screen, users can consent to a scope of privileges that the client has requested.

Instead of using the consent screen that is provided with PingFederate, you can direct users to your own application to process the consent requests. This gives you more control over the presentation of the consent request.

For more information, see the Consent approval section in the PingFederate documentation.

Identifying consent requests

PingFederate sends authentication requests and authorization consent requests to your application through the same endpoint URL. To process the request and display the appropriate page to the user, your application must be able to differentiate authentication requests from consent requests.

All consent requests contain the following attribute:

Key: com.pingidentity.adapter.input.parameter.adapter.action

Value: com.pingidentity.adapter.action.external.consent

Because authentication requests do not contain this attribute, your application can differentiate authentication and consent requests based on whether this attribute is present.

Passing "consent declined" results to PingFederate

If a user rejects the scope of privileges requested by a client, your application needs to signal that rejection to PingFederate.

In this case, your application must drop off the following attribute to PingFederate:

Key: com.pingidentity.adapter.refid.external.application.failure.message

Value: An optional error message.
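
The following Python example is added here and is not part of the PingFederate documentation. It routes a request by the action attribute described above and builds the attribute to drop off when the user declines. It assumes the attributes received from PingFederate are already parsed into a flat dictionary; the function names, the sample payloads, the fail-closed handling of an unexpected action value, the empty-string default, and the message clean-up are assumptions of this example.

```python
import json
from enum import Enum

ACTION_KEY = "com.pingidentity.adapter.input.parameter.adapter.action"
CONSENT_ACTION = "com.pingidentity.adapter.action.external.consent"
FAILURE_KEY = "com.pingidentity.adapter.refid.external.application.failure.message"


class RequestKind(Enum):
    AUTHENTICATION = "authentication"
    CONSENT = "consent"


def classify_request(attributes):
    """Decide which page to show for one set of attributes from PingFederate."""
    if not isinstance(attributes, dict):
        raise ValueError("attributes must be a JSON object")
    if ACTION_KEY not in attributes:
        # Authentication requests do not carry the action attribute.
        return RequestKind.AUTHENTICATION
    if attributes[ACTION_KEY] == CONSENT_ACTION:
        return RequestKind.CONSENT
    # Assumption of this example: an unexpected value is rejected instead of
    # silently falling through to the login page.
    raise ValueError("unexpected adapter action value")


def consent_declined_attributes(message=None, max_len=200):
    """Build the attribute that signals a declined consent to PingFederate."""
    text = "" if message is None else str(message)
    # Assumption of this example: the message may reach logs or error pages,
    # so control characters are replaced and the length is capped.
    text = "".join(ch if ch.isprintable() else " " for ch in text)[:max_len]
    return {FAILURE_KEY: text}


# Constructed sample payloads; "example.attribute" is a hypothetical key.
SAMPLE_AUTHN = json.loads('{"example.attribute": "value"}')
SAMPLE_CONSENT = json.loads(json.dumps({
    ACTION_KEY: CONSENT_ACTION,
    "example.attribute": "value",
}))

if __name__ == "__main__":
    for sample in (SAMPLE_AUTHN, SAMPLE_CONSENT):
        print(classify_request(sample).value)
    print(consent_declined_attributes("User declined the requested scope"))
```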