Consider a first party scenario, i.e. the authorization server is not used for giving consent for accessing third-party APIs, but to give out scope-limited access tokens for an SPA’s own backend. This is useful to limit the damage which can be done with a stolen access token.
So e.g. for an administrator, who has many permissions, it is better to give him an access token with the scopes only for the activity he is currently doing.
In this scenario, it doesn’t make sense to remember the user’s consent forever, or until it is explicitely revoked by the user. Otherwise, all consents ever given would accumulate in the access token over time until eventually scopes for all his permissions would be contained in it, making access with this token equivalent to impersonation.
IMHO it would rather make sense to remember consent only for the duration of the session, or for a certain amount of time.
Anything available in that sense in Hydra?
You can set remember_for (in seconds) while accepting the consent.
RememberFor sets how long the consent authorization should be remembered for in seconds. If set to
0, the authorization will be remembered indefinitely.