Trusted clients management

Advanced Access Control stores trusted client information, which records the decisions that a resource owner has made about which clients to trust.

In an OAuth 2.0 flow, the resource owner is asked to consent to the scopes that a client requests in order to access the protected resource. The resource owner can either grant the request or deny it.

The OAuth server (the authorization server) uses the trusted clients manager to store and look up information about trusted clients.

Administrators configure the behavior of the trusted clients manager on the API protection page. There they choose whether a resource owner is prompted for consent in the Authorization code flow or the Implicit grant flow.

The following configuration options are available:
  • Never prompt a resource owner for consent - Resource owners are never prompted for consent, and the authorization decision defaults to allowing the client access to the resource. Because no consent is collected, this setting is appropriate only for clients that the deployment itself trusts.
  • Always prompt a resource owner for consent - Resource owners are prompted for consent on every authorization request, even if the client was previously allowed to access the resource.
  • Prompt the resource owner once and remember consent - Resource owners are prompted for consent the first time, and the decision is remembered so that later requests from the same client for the same scopes are allowed without a prompt.
Note: For the Prompt the resource owner once and remember consent option, the trusted clients manager verifies whether the resource owner previously consented to the scopes that the client requests. Remembered consent is reused only when it covers the requested scopes; otherwise the resource owner is prompted again.
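The following is an added example, not code from Advanced Access Control, that models the three consent options as a decision function over a remembered-consent store. The store, the policy names, and the `authorize` simulation are hypothetical; the one behavior worth seeing that the prose alone does not show is the scope check in the "prompt once and remember" mode: remembered consent is reused only when it covers every requested scope, so a request for an additional scope prompts again. It also assumes (an assumption, not something the page states) that only grants are remembered, so a denied request leaves nothing behind and the next request prompts again.

```python
from enum import Enum


class ConsentPolicy(Enum):
    """The three trusted clients manager options from the API protection page."""
    NEVER_PROMPT = "never"      # authorization decision defaults to allow
    ALWAYS_PROMPT = "always"    # consent page shown on every request
    PROMPT_ONCE = "remember"    # prompt once, then reuse remembered consent


class TrustedClientStore:
    """Hypothetical in-memory stand-in for the trusted client information store.

    Consent is keyed by (resource owner, client id) and holds the union of all
    scopes that owner has granted to that client.
    """

    def __init__(self):
        self._grants = {}

    def remember(self, owner, client_id, scopes):
        key = (owner, client_id)
        self._grants[key] = self._grants.get(key, frozenset()) | frozenset(scopes)

    def consented_scopes(self, owner, client_id):
        return self._grants.get((owner, client_id), frozenset())

    def revoke(self, owner, client_id):
        # Resource owner withdraws trust; the next request prompts again.
        self._grants.pop((owner, client_id), None)


def needs_consent_prompt(policy, store, owner, client_id, requested_scopes):
    """Return True if the consent page must be shown for this request."""
    requested = frozenset(requested_scopes)
    if policy is ConsentPolicy.NEVER_PROMPT:
        return False
    if policy is ConsentPolicy.ALWAYS_PROMPT:
        return True
    # PROMPT_ONCE: reuse consent only if it covers every requested scope.
    remembered = store.consented_scopes(owner, client_id)
    return not requested <= remembered


def authorize(policy, store, owner, client_id, requested_scopes, decide):
    """Simulate the consent step of the authorization endpoint.

    decide(scopes) stands in for the resource owner's answer on the consent
    page and returns True to grant or False to deny.
    Returns (prompted, allowed).
    """
    requested = frozenset(requested_scopes)
    if not needs_consent_prompt(policy, store, owner, client_id, requested):
        return (False, True)
    allowed = decide(requested)
    # Assumption: only grants are remembered; a denial is not persisted.
    if allowed and policy is ConsentPolicy.PROMPT_ONCE:
        store.remember(owner, client_id, requested)
    return (True, allowed)


if __name__ == "__main__":
    # Constructed walk-through for one resource owner and one client.
    store = TrustedClientStore()
    policy = ConsentPolicy.PROMPT_ONCE
    grant = lambda scopes: True
    deny = lambda scopes: False
    print(authorize(policy, store, "alice", "app1", ["profile", "email"], grant))   # first request: prompted
    print(authorize(policy, store, "alice", "app1", ["profile"], grant))            # subset: no prompt
    print(authorize(policy, store, "alice", "app1", ["profile", "calendar"], deny)) # new scope: prompted, denied
    print(authorize(policy, store, "alice", "app1", ["calendar"], grant))           # denial not remembered: prompted again
    print(authorize(ConsentPolicy.ALWAYS_PROMPT, store, "alice", "app1", ["profile"], grant))
    print(authorize(ConsentPolicy.NEVER_PROMPT, store, "alice", "app1", ["profile"], deny))
```

The `NEVER_PROMPT` branch never calls `decide`, which is the point of the caveat above: under that option the client is allowed without the resource owner ever seeing the request.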