Open nverbos-godaddy opened 1 year ago
@nverbos-godaddy
I would like to change this behavior so that the the client must request the
offline_access
scope in order for a refresh token to be issued
Can you provide more details on your use case? Why do you need to change this behaviour?
I tried copying all of the code from OAuth2AuthorizationCodeAuthenticationProvider into my own custom implementation and edited the conditional statement that determines whether or not refresh token should be issued
In order to support the offline_access
scope within the framework, there are a few other requirements that need to be considered, for example:
MUST ensure that the
prompt
parameter containsconsent
FYI, the prompt
parameter is currently not supported either gh-501
Can you provide more details on your use case? Why do you need to change this behaviour?
We want clients to explicitly request a refresh token, only when it is needed. We also want to display special text to users on the consent page when offline_access
is requested. The special text on the consent page will let our users know that this client application will maintain access to their account, even when they are offline and not using the app. When the app does not need a refresh token, then it does not include the offline_access
and we do not need to display this special text on the consent page.
@nverbos-godaddy Thanks for the extra details. We will consider adding this enhancement depending on demand, which we assess based on upvotes on this issue.
Is there a way to customize this for our implementation?
Please keep track of gh-1430 as it will likely provide a hook that will allow you to customize and implement offline_access
in your application.
@nverbos-godaddy Please take a look at gh-1432, specifically this commit as it provides 2 tests that demonstrate how you can customize and implement partial support for offline_access
in your application.
Expected Behavior I want to add support for the
offline_access
scope as described in the openid-connect rfc. When theoffline_access
scope is requested, then a refresh token is issued.Current Behavior Currently the spring-authorization-server project issues a refresh token when a
RegisteredClient
containsAuthorizationGrantType.REFRESH_TOKEN
. I would like to change this behavior so that the the client must request theoffline_access
scope in order for a refresh token to be issued.Context What is the best way to add support for this? Initially, I tried copying all of the code from
OAuth2AuthorizationCodeAuthenticationProvider
into my own custom implementation and edited the conditional statement that determines whether or not refresh token should be issued. However, I would like to avoid copying and overriding this for maintainability reasons. Is there a way to customize this for our implementation? Is this a feature that we could add to directly to the spring-authorization-server project?Related gh-501 gh-1430