Hey all, more of a spec question than anything specific to ory, however in utilizing/implementing fosite, it's hard to miss the attention to detail for the specification that is given by the ory developers. So I figured ory will have some far more knowledgeable people than me who can answer this, and rather than clogging up GitHub issues I thought this would be a good place. My specific question is in relation to consent. From my reading of
https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest (see prompt) seems to indicate that users can remember consent (see pre-configured consent) but should be prompted for consent if the prompt type is consent, and
https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess explicitly states the prompt type MUST be consent if the offline_access scope is requested, however
https://openid.net/specs/openid-connect-core-1_0.html#Consent indicates the consent form may be in a variety of forms.
In addition several implementations of OpenID Connect seems to allow administrators to configure this consent process to be implicit rather than explicit; which I don't think is a good measure for what you
should implement, but combined with the last link it is an indication there is room for providers to decide how to handle this. Is this understanding correct? Or am I way off base?