Setting requireAuthorizationConsent is ignored for device code grant #1965

Open
antoinelauzon-bell opened this issue Apr 9, 2025 · 0 comments
Labels
type: enhancement A general enhancement


Hi,

Unsure if it's a feature request or a bug, feel free to adjust the category.

Expected Behavior

As documented on the requireAuthorizationConsent setting, I would expect its value to be considered during a device code grant. For example, if the value is set to false, the consent page (that includes the user code and the scopes by default) should be skipped.

Current Behavior

In the case of the device code grant (OAuth2DeviceVerificationAuthenticationProvider class), the check only does a difference between the current scopes and the requested scopes. It means that the first time the flow is executed, the user has to accept the scopes (and confirm the user code). After that, if the scopes remain unchanged, the consent page is skipped.

OAuth2DeviceVerificationAuthenticationProvider (sadly not as customizable as the class below)
vs
OAuth2AuthorizationCodeRequestAuthenticationProvider

Context

I would like to be able to always skip the consent page. More precisely, the user code validation would be done in a separate page (like in your example). This page would then POST to the device verification endpoint (that would always skip the consent).

Thank you

@antoinelauzon-bell antoinelauzon-bell added the type: enhancement A general enhancement label Apr 9, 2025
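
The difference reported above, as an added example that is not part of the original post and not Spring Authorization Server source: a stand-alone Java model of the two consent decisions. The class, method names and scope values are hypothetical, and the authorization code side is modelled on the assumption that it consults requireAuthorizationConsent before comparing scopes.

```java
import java.util.List;
import java.util.Set;

// Simplified model of the behaviour described in this issue; not the project's code.
public class ConsentDecisionModel {

    record Case(String name, Set<String> requested, Set<String> approved) {}

    // Authorization code flow (assumption): the client setting short-circuits the scope check.
    static boolean authorizationCodeShowsConsent(boolean requireConsent, Set<String> requested, Set<String> approved) {
        return requireConsent && !approved.containsAll(requested);
    }

    // Device verification as reported: requireConsent is deliberately unused,
    // only the difference between requested and already approved scopes counts.
    static boolean deviceVerificationShowsConsent(boolean requireConsent, Set<String> requested, Set<String> approved) {
        return !approved.containsAll(requested);
    }

    // Behaviour the issue asks for: device verification honours the setting as well.
    static boolean deviceVerificationRequested(boolean requireConsent, Set<String> requested, Set<String> approved) {
        return requireConsent && !approved.containsAll(requested);
    }

    public static void main(String[] args) {
        // Constructed sample scopes and prior-consent states.
        Set<String> readOnly = Set.of("message.read");
        Set<String> readWrite = Set.of("message.read", "message.write");
        List<Case> cases = List.of(
                new Case("first run", readOnly, Set.of()),
                new Case("same scopes again", readOnly, readOnly),
                new Case("scopes expanded", readWrite, readOnly));

        for (boolean requireConsent : new boolean[] {true, false}) {
            for (Case c : cases) {
                System.out.printf("requireConsent=%-5b %-18s authCode=%-5b deviceNow=%-5b deviceWanted=%b%n",
                        requireConsent, c.name(),
                        authorizationCodeShowsConsent(requireConsent, c.requested(), c.approved()),
                        deviceVerificationShowsConsent(requireConsent, c.requested(), c.approved()),
                        deviceVerificationRequested(requireConsent, c.requested(), c.approved()));
            }
        }
    }
}
```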