The consent is typically associated with the user and client_id pair; the
authorization code is just a temporary artifact used for the client to
obtain a token regardless of consent.
Whether a client_id is used for a large number of instances of a client is
up to a particular deployment and is not
Hi Torsten,
1. You are right that consent can be preserved at the AS. The concern here
is what happens when the refresh token expires? Do we again go back to the
user and ask for consent or is there some way for the AS to bind the client
with the consent that has already been given? As I understand
Hi,
the consent is not bound to the code. As you correctly pointed out, the code is
a temporary artifact. Its purpose is to bridge insecure frontchannel
communication to more secure backchannel communication. You don’t need to
preserve the code in order to preserve the consent. The code is me