Describe the bug
Some OIDC providers might not accept the offline_access scope. The scopes that Identity sends to an OIDC provider in the authorization URI are hard-coded here.

To Reproduce

Observed behavior
During a customer call, they showed that Identity was sending an authorization request URL like this:

/as/authorization.oauth2?scope=openid+email+offline_access

The customer's OIDC provider was based on Ping Federate and was returning a 500 HTTP status because it doesn't support the offline_access scope.

The customer demonstrated that another app was able to successfully authenticate using an auth URL like this:

/as/authorization.oauth2?scope=openid+profile

Expected behavior
In this case, when the OIDC provider doesn't support offline_access, it would be convenient to be able to configure the scope used to build the authorization URL.

Related support issue: Slack Discussion
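The behaviour the report asks for, sketched as an added Python example (this is not the Identity project's code): the scope list comes from configuration instead of being hard-coded, and where the provider's OIDC discovery document advertises scopes_supported (an optional field of the well-known configuration), scopes the provider does not list are dropped and logged before the authorization URL is built. The discovery documents, hosts, client id and redirect URI below are constructed for the example; the two scope sets mirror the URLs in the report.

```python
"""Configurable OIDC scope selection for the authorization request.

Added example, not code from the Identity project. Assumes a config value
(configured_scopes) and a parsed discovery document; hosts and ids are made up.
"""
import logging
from urllib.parse import urlencode, urlparse, parse_qs

log = logging.getLogger(__name__)

# What the report says is currently hard-coded into every request.
HARD_CODED_SCOPES = ("openid", "email", "offline_access")

# Constructed discovery documents modelled on the two providers in the report.
PING_LIKE_DISCOVERY = {
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/as/authorization.oauth2",
    "scopes_supported": ["openid", "profile", "email"],      # no offline_access
}
FULL_DISCOVERY = {
    "issuer": "https://idp2.example.test",
    "authorization_endpoint": "https://idp2.example.test/authorize",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
}
NO_LIST_DISCOVERY = {  # scopes_supported is optional; some providers omit it
    "issuer": "https://idp3.example.test",
    "authorization_endpoint": "https://idp3.example.test/authorize",
}


def select_scopes(configured_scopes, discovery, drop_unsupported=True):
    """Return the ordered, de-duplicated scope list to send.

    "openid" is always present and first: without it the request is plain
    OAuth 2.0 and no ID token is issued. If the provider advertises
    scopes_supported and drop_unsupported is set, scopes it does not list are
    omitted (and logged), so a provider that rejects offline_access never sees it.
    If the provider publishes no list, the configured scopes pass through.
    """
    scopes = ["openid"]
    for s in configured_scopes:
        if s and s not in scopes:
            scopes.append(s)
    supported = discovery.get("scopes_supported")
    if drop_unsupported and supported:
        kept = []
        for s in scopes:
            if s == "openid" or s in supported:
                kept.append(s)
            else:
                log.warning("provider %s does not advertise scope %r; omitting it",
                            discovery.get("issuer"), s)
        scopes = kept
    return scopes


def build_authorization_url(discovery, client_id, redirect_uri, scopes, state, nonce):
    """Build the authorization-code request URL.

    urlencode joins the space-separated scope value with '+', which is the form
    seen in the report (scope=openid+email). state and nonce are the caller's
    per-request CSRF and replay protection and must be checked on the callback.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
    }
    return discovery["authorization_endpoint"] + "?" + urlencode(params)


def requested_scopes(url):
    """Read the scope set back out of a built URL (for checking the result)."""
    return parse_qs(urlparse(url).query)["scope"][0].split(" ")


if __name__ == "__main__":
    scopes = select_scopes(HARD_CODED_SCOPES, PING_LIKE_DISCOVERY)
    print(build_authorization_url(PING_LIKE_DISCOVERY, "identity-client",
                                  "https://app.example.test/oidc/callback",
                                  scopes, "state123", "nonce456"))
```

One consequence worth keeping in mind when offline_access is dropped or left out of the configuration: the provider will not issue a refresh token, so the session has to be re-established through a fresh authorization request once the access token expires, rather than refreshed silently.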
:robot: This issue is automatically synced from: source