diff --git a/consent/strategy_default.go b/consent/strategy_default.go
index 00f813d67d7..19f2bb240f9 100644
--- a/consent/strategy_default.go
+++ b/consent/strategy_default.go
@@ -560,9 +560,13 @@ func (s *DefaultStrategy) requestConsent(
 	// The OpenID Connect Test Tool fails if this returns `consent_required` when `prompt=none` is used.
 	// According to the quote above, it should be ok to allow https to skip consent.
 	//
+	// Device initiated flows are never allowed to skip consent, the user must always implicitly authorize the device.
+	//
 	// This is tracked as issue: https://github.com/ory/hydra/issues/866
 	// This is also tracked as upstream issue: https://github.com/openid-certification/oidctest/issues/97
-	if !(ar.GetRedirectURI().Scheme == "https" || (fosite.IsLocalhost(ar.GetRedirectURI()) && ar.GetRedirectURI().Scheme == "http")) {
+	if f.DeviceChallengeID != "" {
+		return s.forwardConsentRequest(ctx, w, r, ar, f, nil)
+	} else if !(ar.GetRedirectURI().Scheme == "https" || (fosite.IsLocalhost(ar.GetRedirectURI()) && ar.GetRedirectURI().Scheme == "http")) {
 		return s.forwardConsentRequest(ctx, w, r, ar, f, nil)
 	}
 }
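Review bot: The added comment says the user must "implicitly" authorize the device, which contradicts the same sentence's point that device flows may never skip consent; the intent reads as `// Device initiated flows are never allowed to skip consent: the user must always explicitly authorize the device.` Both new branches return the identical forwardConsentRequest call, so the `else if` after a terminating `return` can be folded into a single guard: `if f.DeviceChallengeID != "" || !(ar.GetRedirectURI().Scheme == "https" || (fosite.IsLocalhost(ar.GetRedirectURI()) && ar.GetRedirectURI().Scheme == "http")) {` with one return, which also makes it obvious that the device check is evaluated before the redirect-URI scheme exemption. requestConsent starts outside the hunk, and the consent-skipping path that runs when neither condition holds is not visible here, so I can only confirm the device case is forwarded, not what the skip path does with a device flow elsewhere.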