Tags: asp.net-identity-2, identityserver4, asp.net-core-1.1

Identity Server 4 Persisted Grants not being used


I've implemented IPersistedGrantStore and defined a Client that has the properties RequireConsent and AllowRememberConsent set to true. I've also removed the offline access scope from that client, as I've read somewhere that consent is always forced if the offline access scope is requested, as per the OAuth specification. When I go to the login screen for the first time, I'm presented with the consent view; I click allow and remember my decision, and I can see a record being added to the PersistedGrants DB table with type user_consent. The next time I try to log in, that record is fetched from the database by my implementation of IPersistedGrantStore, but the consent view is still presented. If I then click allow again, the DB throws an exception because IS4 is trying to insert another PersistedGrant record with the same key.

Did I overlook a certain setting that would make it behave as expected? PS: I've implemented all major stores and everything is kept in a SQL Server DB; I'm not using any of the InMemory stores.


Solution

  • After a substantial amount of debugging, here's what the problem was: _ScopeListItem.cshtml from the 6_AspNetIdentity sample has this section of code:

    @* Hidden field so a required scope is always posted back as consented *@
    @if (Model.Required)
    {
        <input type="hidden" name="ScopesConsented" value="@Model.Name" />
    }


    This is evidently rendered only if the scope is marked as required. Those scopes that are marked as Required are the only ones that get posted to the controller action. In my case I had a Client requesting OpenId and Profile as standard scopes, and also three scopes defined by my ApiResource. Admittedly I didn't mark the Api scopes as required, but the problem was also that the Profile scope wasn't required by default. So when saving the Consent, the Data property didn't contain the Profile scope, and there was a mismatch between requested and consented scopes on all following login attempts, which triggered the Consent process.
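The matching behaviour the answer describes, as an added example that is not part of the question, the answer, or the IdentityServer4 samples: a small console model of how remembered consent is compared against the scopes a client requests. It assumes (my assumption, not stated on the page) that remembered consent is the set of scope names the consent view posted back, and that consent is re-requested whenever any requested scope is missing from that set. The scope names `api.read`, `api.write` and `api.admin` are made up for the demonstration.

```csharp
// Added example, not code from the page or from IdentityServer4.
// Models the consent decision the answer describes: if the stored
// user_consent grant does not cover every requested scope, the consent
// view is shown again on the next login.
using System;
using System.Collections.Generic;
using System.Linq;

public static class ConsentCheck
{
    // Returns true when the consent screen must be shown again.
    // Assumption: consent is complete only if every requested scope was remembered.
    public static bool RequiresConsent(IEnumerable<string> requestedScopes,
                                       IEnumerable<string> rememberedScopes)
    {
        if (rememberedScopes == null)
        {
            return true; // nothing remembered yet: first login always prompts
        }

        var remembered = new HashSet<string>(rememberedScopes, StringComparer.Ordinal);

        // A single requested scope missing from the stored grant re-triggers consent.
        return requestedScopes.Any(scope => !remembered.Contains(scope));
    }

    // Models what the consent view posts back as ScopesConsented.
    // onlyRequiredPosted = true mirrors the partial quoted in the answer, where
    // only scopes flagged Required produce a form field; false mirrors a view
    // that posts every scope the user agreed to.
    public static IEnumerable<string> PostedScopes(
        IEnumerable<(string Name, bool Required, bool Checked)> scopeItems,
        bool onlyRequiredPosted)
    {
        return scopeItems
            .Where(item => onlyRequiredPosted ? item.Required : item.Checked)
            .Select(item => item.Name);
    }

    public static void Main()
    {
        // Constructed input: openid and profile plus three hypothetical API scopes,
        // with only openid marked Required (the situation described in the answer).
        var requested = new[] { "openid", "profile", "api.read", "api.write", "api.admin" };
        var items = requested
            .Select(s => (Name: s, Required: s == "openid", Checked: true))
            .ToList();

        // Original partial: only the required scope reaches the controller,
        // so the stored grant is incomplete and consent is asked for again.
        var postedBefore = PostedScopes(items, onlyRequiredPosted: true).ToList();
        Console.WriteLine("Posted with original partial: " + string.Join(", ", postedBefore));
        Console.WriteLine("Consent required next login:  " + RequiresConsent(requested, postedBefore));

        // View that posts every agreed scope: the stored grant covers the
        // request, so remembered consent is honoured.
        var postedAfter = PostedScopes(items, onlyRequiredPosted: false).ToList();
        Console.WriteLine("Posted with fixed view:       " + string.Join(", ", postedAfter));
        Console.WriteLine("Consent required next login:  " + RequiresConsent(requested, postedAfter));
    }
}
```

The practical check this suggests: when a remembered consent keeps being ignored, compare the scope list stored in the user_consent grant's Data against the scopes the client actually requests; any scope the consent view fails to post back will show up as the gap.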