Making an OAuth or OIDC consent decision using access policy

Edit online

You can use an access policy to prompt the user to enter further information via a web page or redirect the user to another website. This logic could be used to perform the consent step when advanced logic beyond "prompt once", "always prompt", or "never prompt" is required.

This advanced logic is undefined. But it is assumed that as a result of it, the author of the policy will be able to decide whether the user has consented, and if they have consented, which scopes the user has granted the client.

The following snippet can be used to set the list of scopes consented:

// Get the protocol Context:
var pctx = context.getProtocolContext();
// Construct our array of scopes
var scopes = java.lang.reflect.Array.newInstance(java.lang.String,2);
// Set the values
scopes[0] = "scope1";
scopes[1] = "scope2";
// Add this to the context
pctx.setConsentDecision(scopes);

If consent has been performed but no scope was granted, then the follow snippet can be used:

// Get the protocol Context:
var pctx = context.getProtocolContext();
var scopes = java.lang.reflect.Array.newInstance(java.lang.String,1);
scopes[0] = "";
// Add this to the context
pctx.setConsentDecision(scopes);