feat: allow skipping consent for trusted clients (#3451)

This adds a new boolean parameter `skip_consent` to the admin APIs of
the OAuth clients. This parameter will be forwarded to the consent app
as `client.skip_consent`.

It is up to the consent app to act on this parameter, but the canonical
implementation accepts the consent on the user's behalf, similar to
when `skip` is set.

Author: hperl

client/.snapshots/TestHandler-common-case=create_clients-case=0-description=basic_dynamic_client_registration.json

@@ -20,6 +20,7 @@
   "token_endpoint_auth_method": "client_secret_basic",
   "userinfo_signed_response_alg": "none",
   "metadata": {},
+  "skip_consent": false,
   "authorization_code_grant_access_token_lifespan": null,
   "authorization_code_grant_id_token_lifespan": null,
   "authorization_code_grant_refresh_token_lifespan": null,

client/.snapshots/TestHandler-common-case=create_clients-case=1-description=basic_admin_registration.json

@@ -23,6 +23,7 @@
   "metadata": {
     "foo": "bar"
   },
+  "skip_consent": false,
   "authorization_code_grant_access_token_lifespan": null,
   "authorization_code_grant_id_token_lifespan": null,
   "authorization_code_grant_refresh_token_lifespan": null,

client/.snapshots/TestHandler-common-case=create_clients-case=2-description=metadata_fails_for_dynamic_client_registration.json

@@ -1,4 +1,4 @@
 {
   "error": "invalid_client_metadata",
-  "error_description": "The value of one of the Client Metadata fields is invalid and the server has rejected this request. Note that an Authorization Server MAY choose to substitute a valid value for any requested parameter of a Client's Metadata. metadata cannot be set for dynamic client registration'"
+  "error_description": "The value of one of the Client Metadata fields is invalid and the server has rejected this request. Note that an Authorization Server MAY choose to substitute a valid value for any requested parameter of a Client's Metadata. 'metadata' cannot be set for dynamic client registration"
 }

client/.snapshots/TestHandler-common-case=create_clients-case=6-description=setting_skip_consent_fails_for_dynamic_registration.json

@@ -0,0 +1,4 @@
+{
+  "error": "invalid_request",
+  "error_description": "'skip_consent' cannot be set for dynamic client registration"
+}

client/.snapshots/TestHandler-common-case=create_clients-case=7-description=setting_skip_consent_suceeds_for_admin_registration.json

@@ -0,0 +1,35 @@
+{
+  "client_name": "",
+  "client_secret": "2SKZkBf2P5g4toAXXnCrr~_sDM",
+  "redirect_uris": [
+    "http://localhost:3000/cb"
+  ],
+  "grant_types": null,
+  "response_types": null,
+  "scope": "offline_access offline openid",
+  "audience": [],
+  "owner": "",
+  "policy_uri": "",
+  "allowed_cors_origins": [],
+  "tos_uri": "",
+  "client_uri": "",
+  "logo_uri": "",
+  "contacts": null,
+  "client_secret_expires_at": 0,
+  "subject_type": "public",
+  "jwks": {},
+  "token_endpoint_auth_method": "client_secret_basic",
+  "userinfo_signed_response_alg": "none",
+  "metadata": {},
+  "skip_consent": true,
+  "authorization_code_grant_access_token_lifespan": null,
+  "authorization_code_grant_id_token_lifespan": null,
+  "authorization_code_grant_refresh_token_lifespan": null,
+  "client_credentials_grant_access_token_lifespan": null,
+  "implicit_grant_access_token_lifespan": null,
+  "implicit_grant_id_token_lifespan": null,
+  "jwt_bearer_grant_access_token_lifespan": null,
+  "refresh_token_grant_id_token_lifespan": null,
+  "refresh_token_grant_access_token_lifespan": null,
+  "refresh_token_grant_refresh_token_lifespan": null
+}

client/.snapshots/TestHandler-common-case=create_clients-case=6-description=basic_dynamic_client_registration.json renamed to client/.snapshots/TestHandler-common-case=create_clients-case=8-description=basic_dynamic_client_registration.json

@@ -21,6 +21,7 @@
   "token_endpoint_auth_method": "client_secret_basic",
   "userinfo_signed_response_alg": "none",
   "metadata": {},
+  "skip_consent": false,
   "authorization_code_grant_access_token_lifespan": null,
   "authorization_code_grant_id_token_lifespan": null,
   "authorization_code_grant_refresh_token_lifespan": null,

client/.snapshots/TestHandler-common-case=create_clients-case=7-description=empty_ID_succeeds.json renamed to client/.snapshots/TestHandler-common-case=create_clients-case=9-description=empty_ID_succeeds.json

@@ -21,6 +21,7 @@
     "token_endpoint_auth_method": "client_secret_basic",
     "userinfo_signed_response_alg": "none",
     "metadata": {},
+    "skip_consent": false,
     "authorization_code_grant_access_token_lifespan": null,
     "authorization_code_grant_id_token_lifespan": null,
     "authorization_code_grant_refresh_token_lifespan": null,

client/.snapshots/TestHandler-common-case=fetching_existing_client-endpoint=admin.json

@@ -20,6 +20,7 @@
     "jwks": {},
     "token_endpoint_auth_method": "client_secret_basic",
     "userinfo_signed_response_alg": "none",
+    "skip_consent": false,
     "authorization_code_grant_access_token_lifespan": null,
     "authorization_code_grant_id_token_lifespan": null,
     "authorization_code_grant_refresh_token_lifespan": null,

client/.snapshots/TestHandler-common-case=fetching_existing_client-endpoint=selfservice.json

@@ -21,6 +21,7 @@
     "token_endpoint_auth_method": "client_secret_basic",
     "userinfo_signed_response_alg": "none",
     "metadata": {},
+    "skip_consent": false,
     "authorization_code_grant_access_token_lifespan": "31h0m0s",
     "authorization_code_grant_id_token_lifespan": "32h0m0s",
     "authorization_code_grant_refresh_token_lifespan": "33h0m0s",