I totally agree with the Oauth2 authorization code grant type flow, but what about clients developed by the company owning the authorization server (trusted clients) ? I don't want to request user's consent (I mean, bore them with the scopes to allow or not) to let trusted clients access their data.
I could have used the password grant type for them, but I want to avoid mixing grant types for different clients, and stick to the authorization code grant type as recommended.
So is there a way in Spring Security, with Oauth2, to skip the user consent step for trusted clients when using the authorization code grant ?
Consent is handled by your authorization server, Spring Security has no control over that, you would need to configure auto approve scopes on your authorization server for your trusted clients, most Auth servers will give you the option to set which scopes can be auto approved.