From 5a8d38a9462a8891f9b3e3ffd496ba03d7ca141f Mon Sep 17 00:00:00 2001 From: hsiegeln <37154749+hsiegeln@users.noreply.github.com> Date: Mon, 6 Apr 2026 01:30:25 +0200 Subject: [PATCH] fix: enable skip consent on Traditional app for first-party SSO Without this, Logto returns consent_required when the server tries SSO because the scopes were never explicitly granted. Co-Authored-By: Claude Opus 4.6 (1M context)
---
 docker/logto-bootstrap.sh | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/docker/logto-bootstrap.sh b/docker/logto-bootstrap.sh
index 7a04039..0c6ec0a 100644
--- a/docker/logto-bootstrap.sh
+++ b/docker/logto-bootstrap.sh
@@ -177,6 +177,10 @@ else
 log "Created Traditional app: $TRAD_ID"
 fi
 
+# Enable skip consent for the Traditional app (first-party SSO)
+api_put "/api/applications/$TRAD_ID" '{"isThirdParty": false, "customClientMetadata": {"alwaysIssueRefreshToken": true, "skipConsent": true}}' >/dev/null 2>&1
+log "Traditional app: skip consent enabled."
+
 # --- API resource ---
 EXISTING_RESOURCES=$(api_get "/api/resources")
 API_RESOURCE_ID=$(echo "$EXISTING_RESOURCES" | jq -r ".[] | select(.indicator == \"$API_RESOURCE_INDICATOR\") | .id")
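Review bot: The added `api_put` call sends both stdout and stderr to `/dev/null`, and the following `log` line reports "skip consent enabled" unconditionally, so a failed or rejected request (an empty `$TRAD_ID`, an expired token, a body the API refuses) is recorded as success. Because this setting removes the consent prompt, I would replace the trailing `>/dev/null 2>&1` with `>/dev/null || { log "ERROR: failed to update Traditional app $TRAD_ID"; exit 1; }`. That assumes `api_put` returns non-zero on an HTTP error and that the script does not already abort through `set -e`, neither of which is visible in this hunk. The body also sets `alwaysIssueRefreshToken: true`, which neither the comment nor the commit message mentions; the comment could read `# First-party Traditional app only: skip consent and always issue refresh tokens; never apply to third-party apps`. It is also worth confirming that the endpoint merges `customClientMetadata` rather than replacing it, since this call runs on every bootstrap and a replace would drop any keys set when the app was created.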