In regards to the consent_required error- since localhost resolves to 127.0.0.1, I’m not positive that using that IP will actually solve the problem. This topic seems to have a solution.
For the definition of importance and regarding the code snippet from above. That snippet will only bypass the individual rule you added it to. If you have 10 rules and the 5th has that code, only the 5th will be passed over when the condition is met. If bypassing the rule lead to a security vulnerability then it would be important not to be able to skip if you are a malicious actor.
Typically a renewal is only happening after a client has already been granted an access or id token and it sounds like your user would have already granted consent at that point if I am not mistaken. Refresh tokens prevent the client from needing to authorize or authenticate again once an existing id/access token expires.
Rules run after successful login. Take a look at the documentation regarding GDPR compliance.