Build the upstream authorization redirect WITHOUT the per-client consent
gate, for flows that do their own consent enforcement. The
clientRedirectUri is still validated against the registered allowlist and
scheme rules (RFC 6749 §3.1.2.2 / RFC 8252) — the ungated path cannot relay
a code to an unregistered redirect_uri. For dynamically-registered clients
prefer the consent-gated authorize overload, which additionally enforces
the confused-deputy consent MUST.
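
An added example (not this library's code) of a redirect_uri check of the kind described above: an assumed scheme policy first, then comparison against the client's registered allowlist, with the RFC 8252 any-port exception for loopback redirects. The function names, the scheme policy and the sample registration are assumptions made for illustration.

```javascript
// Added illustration: names and policy below are assumptions, not the library's code.
const LOOPBACK_HOSTS = new Set(["127.0.0.1", "[::1]"]); // IP literals only, not "localhost"

function parse(uri) {
  try { return new URL(uri); } catch { return null; }
}

function isLoopbackHttp(u) {
  return u.protocol === "http:" && LOOPBACK_HOSTS.has(u.hostname);
}

// Assumed scheme policy: https anywhere, http only on a loopback IP literal,
// private-use schemes only in reverse-domain form (RFC 8252 section 7.1).
function schemeAllowed(raw, u) {
  if (raw.includes("#")) return false;            // RFC 6749 section 3.1.2: no fragment
  if (u.username || u.password) return false;     // userinfo can disguise the real host
  if (u.protocol === "https:") return true;
  if (u.protocol === "http:") return isLoopbackHttp(u);
  return u.protocol.includes(".");                // e.g. "com.example.app:"
}

function matchesRegistered(raw, registered) {
  if (raw === registered) return true;            // exact string comparison
  const req = parse(raw), reg = parse(registered);
  if (!req || !reg || !isLoopbackHttp(req) || !isLoopbackHttp(reg)) return false;
  // RFC 8252 section 7.3: a loopback redirect may use any port per request.
  return req.hostname === reg.hostname && req.pathname === reg.pathname &&
         req.search === reg.search;
}

function isRedirectUriAllowed(raw, registeredUris) {
  const u = parse(raw);
  if (!u || !schemeAllowed(raw, u)) return false;
  return registeredUris.some((r) => matchesRegistered(raw, r));
}

// Constructed sample registration for one client.
const REGISTERED = [
  "https://client.example/callback",
  "http://127.0.0.1/callback",
  "com.example.app:/oauth2redirect",
];
```

The raw string is compared before any URL normalization, so a path such as `/callback/../evil` never matches a registered `/callback`.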