When using Implicit Flow, it should be OK to use the stored user consent
even if the client is public. The redirect uri checks should make sure
that the stored consent of another client cannot be misused to get a
consent to a site that is not related to the client.
It is also important to support this, since public clients using
Implicit Flow do not have a refresh token to update their access tokens,
so only way to keep their login session open is by issuing authorization
requests from an iframe with the "prompt=none" parameter (which does not
work without the previously stored consent). See the following links
for more info and examples on how to renew the access token with SPAs:
https://auth0.com/docs/api-auth/tutorials/silent-authentication#refresh-expired-tokenshttps://damienbod.com/2017/06/02/https://github.com/IdentityServer/IdentityServer3/issues/719#issuecomment-230145034