refresh token in offline_access #11319
cgeorgilakis
started this conversation in
Ideas
Replies: 1 comment
We've just stumbled upon this as we were experiencing exactly the same issue.
The offline_access scope defined in the OpenID Connect specification allows a client to request "that an OAuth 2.0 Refresh Token be issued that can be used to obtain an Access Token that grants access to the End-User's UserInfo Endpoint even when the End-User is not present". However, Keycloak does not honour this scope and returns a Refresh Token in the token response only when "Use Refresh Tokens" is enabled under the "OpenID Connect Compatibility Modes" client configuration.
It is problematic for our clients to have "Use Refresh Tokens" enabled in all other cases - meaning that Refresh Tokens will always be created! So we propose that when a client requests the offline_access scope, a refresh token is always returned in all flows, as the specification mentions.
We have made a PR for this issue. Could you review it?