Recommendation for managing OAuth2 user consent


I went through RFC6749 to learn about OAuth2, but I found that the RFC didn't talk much about how to store/manage the user consent at the authorization server. A common question when handling the user consent is how long it should live: should it have a defined TTL, last per login session, or be permanent until revoked explicitly?

I couldn't find an answer for this when looking at several OAuth2 implementations such as Auth0, Google Identity Platform or Okta. It looks like each platform handles user consent in its own way, and there is no standard recommendation for it.

Does anyone have experience with this, or any source of recommendations for managing OAuth2 user consent to share?

Thank you.