Configure Rich Authorization Requests (RAR)
To use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to Auth0 Pricing for details.
Prerequisites
Before configuring Rich Authorization Requests (RAR) for an API, first set up:
A custom Universal Login Pages template. Read the Page templates API to learn how to customize a Universal Login Page template using the Management API.
Configure the resource server
Set the consent policy
The consent policy determines when and how Auth0 shows the consent prompt to the end user.
The resource server (i.e. the API) registered in an Auth0 tenant needs to define in advance which consent policy to apply to authorize the Rich Authorization Request (RAR).
The default consent policy is null or undefined. Auth0 also supports the consent policy, transactional-authorization-with-mfa, which covers the transactional authorization use case that always requires the explicit consent of the resource owner (i.e the end user). The table below summarizes Auth0's consent policy behavior:
| Is it a Rich Authorization Request? | MFA Required? | null or undefined (default) |
transactional-authorization-with-mfa |
|---|---|---|---|
| No | No | Standard consent is shown unless there is a grant that includes the requested access. | Customized consent is shown regardless of previously granted accesses. |
| Yes | No | Authorization request is rejected with invalid_request. |
Customized consent is shown regardless of previously granted accesses. |
| Yes | Yes, with an authentication factor that is not a push notification | Authorization request is rejected with invalid_request. |
Customized consent is shown after the user fulfills MFA challenges. |
| Yes | Yes, with a push notification factor | Authorization request is rejected with invalid_request. |
No consent is shown. The consent is handled in the mobile application that received the push notification challenge. |
Set the consent policy in your API settings using the Auth0 Dashboard.
Navigate to Auth0 Dashboard > Applications > APIs.
Select the Settings tab.
Under Access Settings, choose Transactional Authorization with MFA.
Save your changes.
The following PATCH request to Management API's Update a resource server endpoint sets the consent policy to transactional-authorization-with-mfa for an existing resource server:
curl --location --request PATCH 'https://$tenant/api/v2/resource-servers/$resource-server-id' \
--header 'Authorization: Bearer $management_access_token' \
--header 'Content-Type: application/json' \
--data-raw '{
"consent_policy": "transactional-authorization-with-mfa"
}'Was this helpful?
Register authorization_details types
The resource server must register the authorization_details types that are accepted, similar to registering which scopes are allowed. Make sure the authorization_details follows these requirements:
Maximum 5Kb
Must be valid JSON
Must be an array of objects
Maximum of 5 entries in the array
Every object must have a
typeproperty (that is pre-registered on the API)Maximum of 10 properties per object
Maximum length of property names is 255
Maximum length of property value is 255
Maximum of 5 levels of nested objects
Property names can only contain the following characters:
a-zA-Z0-9_.-
You can register authorization_details types with the Auth0 Dashboard or Management API.
You can add authorization_details in the Auth0 Dashboard.
Navigate to Auth0 Dashboard > Applications > APIs.
Select the Permissions tab.
Under Add an Authorization Details type, add
payment_initiation. Select the +Add option. Addmoney_transferand select the +Add option.
The following PATCH request to Management API's Update a resource server endpoint registers payment_initiation and money_transfer as authorization_details types for an existing resource server:
curl --location --request PATCH 'https://$tenant/api/v2/resource-servers/$resource-server-id' \
--header 'Authorization: Bearer $management_access_token' \
--header 'Content-Type: application/json' \
--data-raw '{
"authorization_details": [{"type": "payment_initiation"}, {"type": "money_transfer"}]
}'Was this helpful?
Create a resource server for Rich Authorization Requests
The following POST request creates and configures a resource server to receive Rich Authorization Requests:
curl --location --request POST 'https://$tenant/api/v2/resource-servers/' \
--header 'Authorization: Bearer $management_access_token' \
--header 'Content-Type: application/json' \
--data-raw '{
"name": "Payments API",
"identifier": "https://payments.api/",
"consent_policy": "transactional-authorization-with-mfa",
"authorization_details": [{"type": "payment_initiation"}]
}'Was this helpful?
Set customized consent prompt to render the authorization details
To render the authorization details of a Rich Authorization Request in the consent screen, you need to configure the customized-consent prompt with the appropriate template partials.
The following PUT request configures the customized consent partials:
curl --location --request PUT "https://$tenant/api/v2/prompts/customized-consent/partials" \
--header "Authorization: Bearer $management_access_token" \
--header "Content-Type: application/json" \
--data '{
"customized-consent": {
"form-content": "<div style=\"font-size: 1.3em; font-weight: bold;\">Operation Details</div><hr style=\"margin: 10px 0;\"><div style=\"margin-bottom: 20px;\"></div><div style=\"font-weight: bold;\">Transaction Type</div><div>{{ transaction.params.authorization_details[0].type }}</div><div style=\"margin-bottom: 20px;\"></div><div style=\"font-weight: bold;\">Amount</div><div>{{ transaction.params.authorization_details[0].instructedAmount.amount }} {{ transaction.params.authorization_details[0].instructedAmount.currency }}</div><div style=\"margin-bottom: 20px;\"></div><div style=\"font-weight: bold;\">Recipient</div><div>{{ transaction.params.authorization_details[0].beneficiary }}</div><div style=\"margin-bottom: 20px;\"></div><div style=\"font-weight: bold;\">Destination Account</div><div>{{ transaction.params.authorization_details[0].destinationAccount }}</div><div style=\"margin-bottom: 20px;\"></div>"
}
}'Was this helpful?
The customized consent template renders the authorization details in the following consent prompt that Auth0 shows to the end user:
To learn more about how to customize the consent prompt, read Customize New Universal Login Pages and Customize New Universal Login with the No-Code Editor.