logo
Sign in
Get started
BLOG/PRODUCT

Introduction to the user consent screen

What is the user consent screen and how does it work? This article explains the basics ideas behind the user consent screen and how it should be used.
Simeng
SimengDeveloper
February 01, 20246 min read
Introduction to the user consent screen

What is user consent screen

Imagine you are signing up for a new social App using your Google account. You click the "Sign in with Google" button and you are redirected to a Google to complete the sign in process. After successfully authenticating with Google, you are redirected to a page that asks you to grant this App access to your Google account profile. Something like this:

Google Consent Screen

This page is what we call the consent page or consent screen. It is a user interface element displayed by applications or websites during the onboarding process. Its primary purpose is to inform users about the collection, processing, and usage of their personal data and to seek their explicit agreement or consent for these activities.

On a consent page, users are typically presented with information about the types of data that will be collected, how it will be used, and whether it will be shared with third parties. This information is crucial for transparency, allowing users to make informed decisions about their privacy and data security.

Consent pages are particularly important in the context of privacy regulations such as the General Data Protection Regulation (GDPR) in the European Union or the California Consumer Privacy Act (CCPA) in the United States, which require organizations to obtain clear and affirmative consent from users before processing their personal information.

When do we need a consent screen?

Before we can answer this question, we need to understand some basic concepts about user authentication.

Identity Provider (IdP) and Service Provider (SP)

As mentioned above, the primary purpose of the consent screen is to inform users about the collection, processing, and usage of their personal data and to seek their explicit agreement or consent for these activities. Therefore, we need a consent screen when we are collecting, processing, or using personal data that is owned by another party, such as Google.

In the context of user authentication, we call the party that owns the user data the Identity Provider (IdP). As for the application that is requesting access to the user data, we call it the Service Provider (SP). In the example above, Google is the IdP and the social App is the SP.

The IdP is responsible for authenticating the user and providing the user's profile information to the SP. The SP is the party that needs the user's profile information to provide its services.

Single sign-on (SSO)

In the example above, the social App is using Google as its IdP. This is a common scenario in the industry. Many applications use Google, Facebook, or other third-party services as their IdP. This is called Single Sign-On (SSO). SSO is a property of access control of multiple related, but independent software systems. With this property, a user sign-in with a single ID and password to gain access to any of several related applications. You can refer to CIAM 101: Authentication, Identity, SSO for more details.

First-party vs Third-party IdP

First party IdP is an IdP that is owned by the same organization as the SP. The SP may even share the same domain name as the IdP. So SP is requesting access to the user data that is owned by the same organization. For example, if you are using Google Workspace, then Google is your first-party IdP.

Third-party IdP, on the other hand, is an IdP that is owned by a different organization than the SP. The SP is requesting access to the user data that is not owned by it self. For example, if you are using Google as your IdP, and sign in to a social App like the example above, then Google is a third-party IdP for the social App.

Organization B
Organization A
IdP Service B
SP Service B
IdP Service A
SP Service A

Whenever a user signs in to an application it is crucial that the user is aware of what data is being collected and how it will be used.

For first-party IdP, those types of information are usually covered in the privacy policy and terms of service of the organization. The user is usually required to agree to the privacy policy and terms of service before signing up for the service. Therefore, the user is already aware of what data is being collected and how it will be used. In this case, the user consent is implicit.

However, it is important for the IdP to keep strict control over the data it owns. The IdP should not allow any third-party SP to access the user data without the explicit consent of the user. Any data access by a third-party SP is considered a data sharing activity. The user must be informed about the data sharing activity and must explicitly consent to it.

Therefore, for third-party IdP, the user consent is always required. That is why all the major IdPs, such as Google, Facebook, and Microsoft, require the SP to display a consent screen to the user before the user can sign in to the SP.

For example in the case of Google, when you trying to create a Google OAuth client, you will be asked to provide a detailed consent screen configuration.

Google consent screen configuration

This ensures that the user is aware of the data sharing activity and has explicitly consented to it.

What info should be included in the consent screen?

Consent Screen Demo

It is important for the consent screen to provide the user with enough information to make an informed decision. Including but not limited to:

  • Which party (SP) is requesting access to the user data?
  • What is the current user's identity?
  • What user data is being collected?
  • How will the user data be used?
  • What additional IdP provided services or API will be used?
  • What additional permissions will be granted to the SP?
  • What is the privacy policy of the SP?

All the information above should be included in the consent screen precisely and clearly. The user should be able to understand the information without any ambiguity. This is especially important for the user data that is being collected and how it will be used.

It is the IdP's responsibility to ensure that the user data is only used for the purpose that the user has consented to. The IdP should not allow the SP to use the user data for any other purpose without the explicit consent of the user.

Conclusion

In summary, a consent page serves as a mechanism to obtain explicit permission from users regarding the handling of their data, fostering transparency and compliance with privacy laws.It is currently required by all major IdPs for third-party SPs, and it plays an important role in protecting user privacy and data security. Especially your are providing a third-party IdP service.

Subscribe Logto newsletters
Stay on top of the latest product updates, development inspirations, blogs, and research prompt.
Email address
Subscribe
Products
Email and SMS passwordlessEnterprise SSO (SAML & OIDC)PasswordMachine-to-machineSocial sign-inManagement APIOmni sign-in experienceProtected AppMulti-factor authenticationIdP for 3rd-party appsUser managementRole-based access controlOrganizations (Multi-tenancy)
Pricing
Pricing plans
Solutions
Consumer appsSaaS productsAI appsEnterprise-readyMulti-app products
Developers
DocumentationAPI referencesSDK guideMigration guide
Resources
BlogBranding assetsYouTube channelSign-in experience assetsNewsletterLogto vs. Auth0Logto vs. ClerkLogto vs. StytchChangelogs
About
Trust and securityAbout us
Designed by Silverhand Inc.
Hosted in the 🇪🇺 EUTerms of usePrivacy policy