Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Some providers choose to skip consent in first-party scenarios. This is not fully OpenID Connect spec compliant but since it’s usually for only a specific set of clients, it does not get properly validated by the OpenID Connect certification, thus doesn’t come up during audit :wink:

I actually noticed that dex utilizes this mode specifically for compliance testing, but never mention it anywhere else in their docs, so that kind of makes sense now.

I'm kind of curious what your interpretation of this section here is, specifically "this MAY be done through an interactive dialogue with the End-User that makes it clear what is being consented to or by establishing consent via conditions for processing the request or other means" and "previous administrative consent":

<https://openid.net/specs/openid-connect-core-1_0.html#Consent>