Auto-forget consent sessions once all descendent tokens expire?

[tsoestini]

If I want to show the user their past authorizations, I need to remember their consent sessions.

Because the client can refresh refresh tokens in perpetuity as long as they do so before each token expires, I need to remember forever.

Is there a way to auto-forget consent sessions after all tokens descended from that consent session have expired (but no sooner)?

[aeneasr]

Consent can’t really be forgotten based on that criterium. In fact, you usually want consent to be remembered (like login to be remembered) for as long as the scope changes, the app changes. Think of it like this, how often does GitHub ask you for consent when signing into CircleCI? Exactly once and then never again! Because consent is remembered:)

[vinckr]

Hello @tsoestini,
did that answer your question?
I will be selecting an answer for now, to clean up the backlog.
Should your question remain or you are facing a similar issue, feel free to respond in this discussion or open an new one.
Thanks 🐝

[tsoestini]

Thanks for following up on this. Sorry for not marking this an answer sooner. I guess in my head it was sort of an answer to half of my situation.

I guess I understand the argument for wanting to remember consent sessions even though all descendent tokens expire. I'm having a hard time squaring that up with business/legal requirements that consent must be re-given every X months and how to enforce that.

This was merely one possible avenue for enforcing that. I'm okay if this avenue isn't pursued, but that makes pursuing other avenues for enforcing this all the more important. I have an open discussion on another avenue here: #2886
And an open issue on the larger requirement here: #2889

I think if one of those avenues is being actively pursued, I'd feel like this question is more conclusively settled.