Closed
Description
This is about how to handle consents for token-exchange.
So far, the proposal is that if the requester client has consent required, we can allow token exchange if the user has already granted consent to this client for all requested scopes. Otherwise, do not allow token exchange. AFAIK we are doing something like that for the refresh-token grant (and maybe for other grants as well).
See the docs and also question 3 under the document
Maybe we can use a protected method on StandardTokenExchangeProvider for the consent check, to allow people to override the default behaviour around consents if the default behaviour is not ideal for them... (For example see #31797 and the related PR).
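The decision rule proposed above, written out as a small Python model so the edge cases are explicit. This is an added illustration, not Keycloak code and not the issue author's proposal in code form: the `Client`, `UserConsent` and `TokenExchangeConsentPolicy` names, and the idea of a separate overridable `has_consent_for_scopes` hook standing in for the suggested protected method, are assumptions made here for the example. The default policy is: a requester client that does not require consent passes; one that does passes only if the user has an existing consent for that client covering every requested scope; any missing consent or uncovered scope denies the exchange.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Tuple


@dataclass(frozen=True)
class Client:
    """Minimal model of a client: only the field the decision needs."""
    client_id: str
    consent_required: bool


@dataclass(frozen=True)
class UserConsent:
    """Consent one user granted to one client, as a set of scope names."""
    user_id: str
    client_id: str
    granted_scopes: FrozenSet[str]


class TokenExchangeConsentPolicy:
    """Default consent rule for token exchange (model of the proposal above).

    Subclasses override has_consent_for_scopes() to change the rule, which is
    the role the issue suggests for a protected method on the provider.
    """

    def __init__(self, consents: Iterable[UserConsent]):
        # Index consents by (user, client) so lookup is a dict hit.
        self._consents: Dict[Tuple[str, str], UserConsent] = {
            (c.user_id, c.client_id): c for c in consents
        }

    def is_exchange_allowed(self, user_id: str, requester: Client,
                            requested_scopes: Iterable[str]) -> bool:
        # Clients that do not require consent are not subject to the check.
        if not requester.consent_required:
            return True
        return self.has_consent_for_scopes(user_id, requester, requested_scopes)

    def has_consent_for_scopes(self, user_id: str, requester: Client,
                               requested_scopes: Iterable[str]) -> bool:
        # Default: allow only if an existing consent covers all requested scopes.
        consent = self._consents.get((user_id, requester.client_id))
        if consent is None:
            return False  # no prior consent, so deny rather than prompt
        return frozenset(requested_scopes) <= consent.granted_scopes


class AlwaysRequireConsentPolicy(TokenExchangeConsentPolicy):
    """Example override: demand an explicit consent record for every requester,
    even when the client is not configured with consent required."""

    def is_exchange_allowed(self, user_id: str, requester: Client,
                            requested_scopes: Iterable[str]) -> bool:
        return self.has_consent_for_scopes(user_id, requester, requested_scopes)


# Constructed sample data for the demonstration (not real clients or users).
CLIENT_WITH_CONSENT = Client("mobile-app", consent_required=True)
CLIENT_NO_CONSENT = Client("internal-service", consent_required=False)
CONSENTS = [
    UserConsent("alice", "mobile-app", frozenset({"openid", "profile", "email"})),
]


def evaluate(policy_cls=TokenExchangeConsentPolicy) -> Dict[str, bool]:
    """Run the policy over representative cases and return the decisions."""
    policy = policy_cls(CONSENTS)
    return {
        # consent not required on the client: default policy does not check
        "no_consent_required": policy.is_exchange_allowed(
            "alice", CLIENT_NO_CONSENT, ["openid"]),
        # all requested scopes already granted
        "subset_of_granted": policy.is_exchange_allowed(
            "alice", CLIENT_WITH_CONSENT, ["openid", "profile"]),
        # one requested scope was never consented to
        "scope_not_granted": policy.is_exchange_allowed(
            "alice", CLIENT_WITH_CONSENT, ["openid", "address"]),
        # different user with no consent record for this client
        "no_consent_record": policy.is_exchange_allowed(
            "bob", CLIENT_WITH_CONSENT, ["openid"]),
    }


if __name__ == "__main__":
    for name, decision in evaluate().items():
        print(f"{name}: {'allow' if decision else 'deny'}")
```

The subclass shows the point of keeping the check in an overridable method: a deployment that wants a stricter rule changes one method without touching the rest of the exchange flow, and the default stays deny-on-missing-consent.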