User should only complete the "consent form" ONCE #22

Open
reginafcompton opened this issue Jan 31, 2020 · 2 comments

@reginafcompton
Contributor

reginafcompton commented Jan 31, 2020

Currently, the authserver does not track if a user completed the "consent form".

Thus, a user must complete the form every-single-time-she-logs-in.

Solution

  1. Add a field in the user model, e.g., consent_form_completed. The new field could either be a boolean field, or it could be the name of the public client (e.g., Facet).
  2. The login route will check the value of this field. If the user has already given consent, then Authserver should go directly to the web application (e.g., Facet).

@gregmundy
Contributor

The solution is a bit more complicated than what you are suggesting @reginafcompton. Ideally, there will need to be a model that tracks a user's consent to each application. Also, an API endpoint needs to be exposed that at some point in the future will be used to show a user all clients that they have consented to (and thus be able to revoke consent).

@reginafcompton
Contributor Author

Ah, this: tracks a user's consent to each application

I seem to forget that clients (other than Facet) will interact with the AuthServer. Good catch @gregmundy.
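
The per-application consent model discussed in this thread, sketched as an added example; it is not part of the issue and not the project's own code. The table, class and method names are hypothetical, the in-memory SQLite store stands in for the authserver's database, and it goes one step beyond the thread by also recording which scopes were consented to, so a client asking for more than it was granted sees the form again.

```python
import sqlite3

# Hypothetical schema: one row per (user, client) pair, not a flag on the user.
SCHEMA = """CREATE TABLE consent (
    user_id TEXT NOT NULL, client_id TEXT NOT NULL,
    scopes TEXT NOT NULL,  -- space-separated scope names
    PRIMARY KEY (user_id, client_id))"""


class ConsentStore:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")  # in-memory only for the example
        self.db.execute(SCHEMA)

    def granted_scopes(self, user_id, client_id):
        row = self.db.execute(
            "SELECT scopes FROM consent WHERE user_id = ? AND client_id = ?",
            (user_id, client_id)).fetchone()
        return set(row[0].split()) if row else None  # None: never consented

    def needs_consent(self, user_id, client_id, requested):
        # Login-route check: skip the form only when this client already
        # holds every scope it is asking for on behalf of this user.
        granted = self.granted_scopes(user_id, client_id)
        return granted is None or not set(requested) <= granted

    def grant(self, user_id, client_id, scopes):
        merged = (self.granted_scopes(user_id, client_id) or set()) | set(scopes)
        self.db.execute("INSERT OR REPLACE INTO consent VALUES (?, ?, ?)",
                        (user_id, client_id, " ".join(sorted(merged))))

    def list_clients(self, user_id):
        # Data behind the "which clients have I consented to" endpoint.
        rows = self.db.execute(
            "SELECT client_id FROM consent WHERE user_id = ? ORDER BY client_id",
            (user_id,))
        return [r[0] for r in rows]

    def revoke(self, user_id, client_id):
        cur = self.db.execute(
            "DELETE FROM consent WHERE user_id = ? AND client_id = ?",
            (user_id, client_id))
        return cur.rowcount == 1  # True if a consent record was removed
```

With a single boolean on the user model, the second client in this sketch would skip the form because the user had already consented to the first; keying on the (user, client) pair prevents that.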
