
Refresh token allowed for offline session even the related scope is removed #43734

@rmartinc

Description


Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

oidc

Describe the bug

An offline session continues to be valid when the offline_access scope is removed from the client. The idea is that the refresh operation should return an error if the scope is not assigned to the client anymore. This can confuse administrators, who think removing the scope is enough and do not remove the associated sessions. Better if we avoid this and return an error, saying invalid scope or similar.

Version

26.4.2

Regression

  • The issue is a regression

Expected behavior

The refresh token fails because of the scope issue.

Actual behavior

The refresh token is valid and a new token is obtained.

How to Reproduce?

  1. Initiate an offline session with a code to token login using a client.
  2. In the related client remove the offline_access scope.
  3. Refresh to token to obtain a new access token.
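The following is an added example, not Keycloak's own code, that models the check the reporter asks for. It represents a realm with plain Python objects (client, assigned client scopes, offline session) and shows the current behaviour, where the refresh succeeds after offline_access is removed from the client, next to the expected behaviour, where the refresh is rejected with an OAuth `invalid_scope` error. It also adds a small audit helper that lists offline sessions whose client no longer carries offline_access, which is what an administrator would need in order to revoke them by hand today. The treatment of `openid` as a scope that is never checked is an assumption of the model, not a Keycloak rule.

```python
"""Model of the offline-token refresh scope check requested in this issue.

Added example, not Keycloak code. Clients, scopes and sessions are
constructed in memory; nothing here talks to a real server.
"""
from dataclasses import dataclass, field

OFFLINE_ACCESS = "offline_access"
# Assumption of this model: "openid" is a protocol marker, not a client scope
# that can be assigned or removed, so it is never part of the check.
UNCHECKED_SCOPES = {"openid"}


@dataclass
class Client:
    client_id: str
    # Client scopes (default + optional) currently assigned in the admin console.
    assigned_scopes: set = field(default_factory=set)


@dataclass
class OfflineSession:
    session_id: str
    client_id: str
    # Scope string granted at login time, e.g. "openid profile offline_access".
    granted_scope: str


class RefreshError(Exception):
    """OAuth 2.0 token endpoint error; `error` is the code in the JSON body."""

    def __init__(self, error: str, description: str):
        super().__init__(description)
        self.error = error
        self.description = description


def _issue(session: OfflineSession) -> dict:
    # Constructed placeholder token; a real server would mint a signed JWT.
    return {"access_token": f"new-token-for-{session.session_id}",
            "scope": session.granted_scope}


def refresh_current(session: OfflineSession, clients: dict) -> dict:
    """Reported (actual) behaviour: only the client's existence is checked."""
    if session.client_id not in clients:
        raise RefreshError("invalid_grant", "unknown client")
    return _issue(session)


def refresh_expected(session: OfflineSession, clients: dict) -> dict:
    """Expected behaviour: every scope the session was granted must still be
    assigned to the client, otherwise the refresh fails with invalid_scope."""
    client = clients.get(session.client_id)
    if client is None:
        raise RefreshError("invalid_grant", "unknown client")
    granted = set(session.granted_scope.split()) - UNCHECKED_SCOPES
    missing = granted - client.assigned_scopes
    if missing:
        raise RefreshError(
            "invalid_scope",
            f"scope(s) no longer assigned to client {client.client_id}: "
            f"{sorted(missing)}")
    return _issue(session)


def stale_offline_sessions(sessions: list, clients: dict) -> list:
    """Audit helper: session ids whose client no longer has offline_access.
    These are the sessions an administrator should revoke after removing
    the scope, since the current behaviour keeps them refreshable."""
    stale = []
    for s in sessions:
        client = clients.get(s.client_id)
        if client is None or OFFLINE_ACCESS not in client.assigned_scopes:
            stale.append(s.session_id)
    return stale


def scenario() -> dict:
    """Walk through the reproduction steps and report both behaviours."""
    # Step 1: offline session created while the client has offline_access.
    clients = {"my-app": Client("my-app", {"profile", OFFLINE_ACCESS})}
    session = OfflineSession("sess-1", "my-app", "openid profile offline_access")
    before = refresh_expected(session, clients)["scope"]
    # Step 2: administrator removes offline_access from the client.
    clients["my-app"].assigned_scopes.discard(OFFLINE_ACCESS)
    # Step 3: refresh the offline token under both behaviours.
    current = refresh_current(session, clients)["scope"]
    try:
        refresh_expected(session, clients)
        expected_error = None
    except RefreshError as e:
        expected_error = e.error
    return {"before": before, "current_after_removal": current,
            "expected_error_after_removal": expected_error,
            "stale_sessions": stale_offline_sessions([session], clients)}


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

Running the block prints one line per result; the key point is that `refresh_current` still returns a token after the scope is removed while `refresh_expected` raises `invalid_scope`, and `stale_offline_sessions` lists the session that is still alive and should be revoked.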

Anything else?

No response
