Skip to main content
important

This is a contributors guide and NOT a user guide. Please visit these docs if you are using or evaluating SuperTokens.

No built-in consent screen at first

Status

This is just a proposal so far, it hasn't been accepted and needs further discussion.

Status:
proposed
Deciders:
rishabhpoddar, porcellus
Proposed by:
porcellus
Created:
2023-05-11

Context and Problem Statement#

While not strictly required most OAuth2 implementations include a consent screen.

Considered Options#

  • Build consent screen in the first version
  • No built-in consent screen at first
  • No built-in consent screens

Decision Outcome#

Chosen option: No built-in consent screen at first, because

  • We can get initial support earlier
  • We can ensure future versions will not need migration

What we need store to enable this in the future:

  • enabled scopes (per client):
    • required anyway
  • auto allowed scopes (per client):
    • these scopes are allowed ("consented to") by default for every user, meaning
    • in the future these will be the scopes that cannot be disabled on the consent screen
    • required/optional scopes can be described in the authorization request

Pros and Cons of the Options#

Build consent screen in the first version#

  • No migration needed later
  • Starts with full support
  • Delays initial iteration

    • No built-in consent screen at first#

  • No migration needed later
  • Earlier initial iteration

    • No built-in consent screen support#

  • Earlier initial iteration
  • Doesn't support a main use-case (or could need migration in the future)
    • Which UI do you use?
    Custom UI
    Pre built UI