Do you always have to require consent? Currently u...
# talk-hydra
c
Do you always have to require consent? Currently using Next.js, with Hydra in the API route, and was curious if it was possible to not require the consent view.
l
AFAICT, you must accept the consent request, but you don't necessarily need to show the consent UI
c
You can use something like this to accept the consent request programmatically
s
Or this for JS. Look at line 68, where it says that you must only show the consent UI if you cannot skip it. This means that you need the `/consent` endpoint, I think. Or did you find another way to skip it easily?
c
Yeah I'm looking at that now and just playing a bit with it.
Trying to figure out if I need to use the `hydraAdmin.getConsentRequest`
Trying to figure out how it would know if you can skip or not
As written here, I understand that the skip value indicates whether the user granted the same or a subset of the scopes that are requested within the time period of the remember_for seconds and ticked "remember this" in the last consent screen. If the client requests previously not granted scopes or the time frame is exceeded, the skip value is false. But it is still up to you whether to show the consent page or not. I would suppose you implement a list of trusted client IDs where you don't show the consent page and manage this separately or in an env variable. My understanding of security is not that it would be okay to always skip parts of a well-defined authentication and authorization process. But this is up to you. :)