Skip to content

Add offline_access to default OIDC scope#538

Open
nibalizer wants to merge 1 commit into
mainfrom
nibz/add_offline_access_scope
Open

Add offline_access to default OIDC scope#538
nibalizer wants to merge 1 commit into
mainfrom
nibz/add_offline_access_scope

Conversation

@nibalizer

Copy link
Copy Markdown
Contributor

Pull Request Description

This adds 'offline_access' to the requested scopes on the validmind library oauth flow. This enables reauth after a timeout.

What and why?

How to test

What needs special review?

Dependencies, breaking changes, and deployment notes

Release notes

Checklist

  • What and why
  • Screenshots or videos (Frontend)
  • How to test
  • What needs special review
  • Dependencies, breaking changes, and deployment notes
  • Labels applied
  • PR linked to Shortcut
  • Unit tests added (Backend)
  • Tested locally
  • Documentation updated (if required)
  • Environment variable additions/changes documented (if required)

@nibalizer nibalizer requested a review from jamadriz July 14, 2026 16:11
@github-actions

Copy link
Copy Markdown
Contributor

Pull requests must include at least one of the required labels: internal (no release notes required), highlight, enhancement, bug, deprecation, documentation. Except for internal, pull requests must also include a description in the release notes section.

@github-actions

Copy link
Copy Markdown
Contributor

PR Summary

This PR updates the default set of OAuth scopes used for OIDC device flow authentication to include the offline_access scope, in addition to the existing openid profile email scopes. This change ensures that OIDC providers are able to issue refresh tokens, enabling longer-lived sessions. The update is reflected in the documentation, the initialization of the authentication context using the updated scope, and the associated tests. A new unit test is also added to verify that when no custom scope is provided via environment variables, the default scope with offline_access is used. The modifications in the API client and test files guarantee that both the documented behavior and actual implementation are now aligned with the need to request refresh tokens from OIDC providers.

Test Suggestions

  • Run the new unit test to ensure that the default scope includes 'offline_access' when not overridden.
  • Manually test the device flow authentication process with an OIDC provider to confirm that refresh tokens are issued.
  • Verify that overriding the scope through environment variables still works correctly.
  • Check that documentation changes render correctly and match the actual behavior.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants