Tags: security, oauth-2.0, oauth, microservices, openid-connect

Authorization Server - Login to a client when the client isn't really a "3rd party"


Let's say you have an OAuth2 OpenID Connect authorization server that can support many different clients through a client registration. Now a resource owner is logging into a 3rd party client, in which they will be redirected to the authorization server to grant access to their resources. Typically in this case you will see allow/deny buttons and be shown the permissions/scopes you're granting for them to use.

Now taking that in mind, what would we do in the case of a client that the owner/organisation of the authorization server is hosting? If you're logging into a web app of, let's say, Google, it would be a bit weird for you to then be shown a screen saying Google needs you to allow access to Google. What would you do in this case? Would you have set client IDs for these types of clients, and say if this client is the web app then grant all scopes/permissions?

If anyone has any insight and can help me understand this case, that would be helpful. Also, in turn, if you don't understand what I'm trying to ask then please probe me with questions :)


Solution

  • The canonical OAuth 2.0 / OpenID Connect flow is designed for a "consumer" use case where the Client is provided by a 3rd-party indeed. However, the same protocols are also often used in an "enterprise" scenario where all of the components involved are provided and managed by a 3rd-party. In that case the "consent" part is superfluous (since implicitly done when the employee enrolled in the company) as you suggested indeed. Most - if not all - Authorization Server implementations have an option in the Client configuration to skip user consent to cater for the latter scenario.
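As an added illustration (not code from the question, the answer, or any particular authorization server), here is the per-client decision an authorization server makes with the "skip consent" switch the answer describes. Client IDs, redirect URIs and scopes are constructed; note that skipping consent for a first-party client still leaves redirect URI and scope validation in place.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RegisteredClient:
    """Client registration record as an authorization server might store it (constructed)."""
    client_id: str
    redirect_uris: frozenset
    allowed_scopes: frozenset
    skip_consent: bool = False  # the per-client "skip user consent" option for first-party clients


# Constructed registrations: one first-party web app, one third-party partner client.
CLIENTS = {
    "web-app": RegisteredClient(
        "web-app", frozenset({"https://app.example.com/cb"}),
        frozenset({"openid", "profile", "email", "docs.read"}), skip_consent=True),
    "partner": RegisteredClient(
        "partner", frozenset({"https://partner.example.org/cb"}),
        frozenset({"openid", "email"}), skip_consent=False),
}


def authorize(client_id, redirect_uri, requested_scopes, prior_grants=frozenset()):
    """Decide what the /authorize endpoint does for this request.

    Returns ("error", reason), ("consent", scopes_to_prompt_for) or ("grant", scopes).
    """
    client = CLIENTS.get(client_id)
    if client is None:
        return ("error", "unknown_client")
    # Exact redirect URI match is required regardless of how trusted the client is.
    if redirect_uri not in client.redirect_uris:
        return ("error", "invalid_redirect_uri")
    requested = frozenset(requested_scopes)
    # Scope validation also applies to first-party clients: skipping consent must
    # never turn into granting scopes the client was not registered for.
    if not requested <= client.allowed_scopes:
        return ("error", "invalid_scope")
    if client.skip_consent:
        return ("grant", requested)  # first-party: consent is implicit, no prompt shown
    pending = requested - prior_grants  # only prompt for scopes the user has not yet approved
    if pending:
        return ("consent", pending)
    return ("grant", requested)
```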