OIDC scope "offline_access" is missing #26
Comments
FYI: the default client of the aggregator has id "openeo-platform-default-client" and has the "offline_access" scope enabled in its EGI setup:

However, the offline_access scope is indeed not listed by the back-end under the

But this is intentional: the back-end has nothing to do with the refresh token; the back-end is only interested in scopes that identify the user. The refresh token is purely a client-side thing and should never be exchanged with the back-end. So the back-end has no business instructing whether the client should request that scope or not.

In the python client, the "offline_access" scope is dynamically added to the list of desired scopes in the access token request, based on whether refresh tokens are desired. In pseudo code:

```python
# Start from the scopes the back-end advertises for the OIDC provider.
scopes_to_request = scopes_from_backend_oidc_provider_settings
# "offline_access" is a client-side concern: add it only when refresh tokens
# are wanted and the provider actually supports the scope.
if user_wants_refresh_tokens and oidc_provider_supports_offline_access_scope:
    scopes_to_request = scopes_to_request + ["offline_access"]
get_oidc_tokens(scopes_to_request, ...)
```
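The scope-merging logic described in the comment above, as an added example that is not the openEO Python client's own code: the client takes the scopes the back-end advertises, adds `offline_access` only when a refresh token is wanted and the provider's discovery document lists the scope, and forwards nothing but the access token to the back-end. The sample scope list and discovery document are constructed for the example, and the bearer header is a generic illustration, not the openEO API's token format.

```python
from typing import Dict, List

# Constructed sample inputs (not taken from the issue): scopes a back-end
# advertises for one provider, and a trimmed OIDC discovery document.
BACKEND_PROVIDER_SCOPES = ["openid", "email", "eduperson_entitlement"]
DISCOVERY_DOC = {
    "issuer": "https://idp.example.invalid",
    "scopes_supported": ["openid", "email", "profile", "offline_access"],
}


def scopes_to_request(backend_scopes: List[str], discovery_doc: dict,
                      want_refresh_token: bool) -> List[str]:
    """Merge back-end scopes with the client's own needs.

    The back-end only lists scopes that identify the user. 'offline_access'
    is appended here, client-side, and only if the provider advertises it;
    otherwise the request would be rejected or the scope silently dropped.
    """
    scopes: List[str] = []
    for scope in ["openid", *backend_scopes]:  # OIDC always needs 'openid'
        if scope not in scopes:  # dedupe while keeping order
            scopes.append(scope)
    supported = set(discovery_doc.get("scopes_supported", []))
    if want_refresh_token and "offline_access" in supported \
            and "offline_access" not in scopes:
        scopes.append("offline_access")
    return scopes


def can_renew_session(token_response: dict) -> bool:
    """True when the provider actually issued a refresh token.

    Without one the session ends when the access token expires, which is
    the 'early logout' the issue describes.
    """
    return bool(token_response.get("refresh_token"))


def backend_auth_header(token_response: dict) -> Dict[str, str]:
    """Build what goes to the back-end: the access token only.

    The refresh token stays with the client and is never forwarded.
    """
    return {"Authorization": f"Bearer {token_response['access_token']}"}
```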
Hmm... I understood the API spec differently, but it somewhat makes sense that the back-end doesn't advertise offline_access, although it would be somewhat easier for a client to just mirror what they got. I think we should then improve the API documentation and clearly state in there that offline_access (and other optional scopes) can/should be requested by the clients as needed.
my interpretation of the
Also note: in my testing, "offline_access" is only necessary with EGI and Microsoft; other providers I played with (Keycloak, Google) did not require a scope to enable refresh tokens, as far as I remember.
Yes, I've updated the API spec to be a bit more clear (italic = additions):
The Web Editor and JS client also handle it properly now.
The default clients don't list "offline_access" as scopes to be requested, which leads to "early logouts" in the clients as no refresh token is issued by default.
Related issues: