OIDC scope "offline_access" is missing #26

Closed
m-mohr opened this issue Dec 9, 2021 · 4 comments
Comments

@m-mohr
Member

m-mohr commented Dec 9, 2021

The default clients don't list "offline_access" as scopes to be requested, which leads to "early logouts" in the clients as no refresh token is issued by default.

Related issues:

@soxofaan
Member

soxofaan commented Jan 7, 2022

FYI: the default client of the aggregator has id "openeo-platform-default-client" and has the "offline_access" scope enabled in its EGI setup:
[Screenshot from 2022-01-07 21-55-11]

However, the offline_access scope is indeed not listed by the back-end under the scopes field at https://openeocloud.vito.be/openeo/1.0/credentials/oidc

But this is intentional: the back-end has nothing to do with the refresh token, the back-end is only interested in scopes that identify the user. The refresh token is purely a client-side thing and should never be exchanged with the back-end. So the back-end has no business instructing whether the client should request that scope or not.

In the python client, the "offline_access" scope is dynamically added to the list of desired scopes in the access token request, based on whether refresh tokens are desired. In pseudo code:

# Start from the scopes the back-end advertises under /credentials/oidc (the ones the client MUST include)
scopes_to_request = scopes_from_backend_oidc_provider_settings
# Add "offline_access" only when a refresh token is wanted and the OIDC provider supports that scope
if user_wants_refresh_tokens and oidc_provider_supports_offline_access_scope:
    scopes_to_request = scopes_to_request + ["offline_access"]

get_oidc_tokens(scopes_to_request, ...)

e.g. see https://github.com/Open-EO/openeo-python-client/blob/d499b377ad706d3d627ce41d46f8a09e680f7bb9/openeo/rest/auth/oidc.py#L270-L282
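
The following is an added illustration of the rule described in this comment; it is not code from the openeo-python-client or from this issue. It builds the scope list from the scopes the back-end lists under /credentials/oidc, appends "offline_access" only when a refresh token is wanted and the provider's OIDC discovery document advertises that scope, and shows that only the access token is ever sent to the back-end. The provider entry, the two discovery documents, the redirect URI, the state value and the tokens are constructed sample data; the `oidc/<provider_id>/<access_token>` bearer layout is the openEO API's token format, but check it against the spec version you target.

```python
"""Client-side OIDC scope selection (added example, not project code).

Inputs below are constructed sample data, not real endpoint responses.
"""
from urllib.parse import urlencode

# Constructed sample: one provider entry as a back-end's /credentials/oidc might return it.
BACKEND_PROVIDER = {
    "id": "egi",
    "issuer": "https://aai.egi.eu/oidc/",
    "scopes": ["openid", "email", "eduperson_entitlement"],
}

# Constructed samples: the relevant field of two providers' OIDC discovery documents.
DISCOVERY_WITH_OFFLINE = {
    "scopes_supported": ["openid", "email", "eduperson_entitlement", "offline_access"]
}
DISCOVERY_WITHOUT_OFFLINE = {"scopes_supported": ["openid", "email", "profile"]}

OFFLINE_ACCESS = "offline_access"


def scopes_to_request(backend_scopes, want_refresh_token, discovery):
    """Build the scope list for the authorization request.

    backend_scopes: scopes the back-end says the client MUST include.
    want_refresh_token: the user's/client's wish for a long-lived session.
    discovery: the provider's parsed OIDC discovery document.
    """
    scopes = list(backend_scopes)  # keep the back-end's order, copy so we never mutate its list
    supported = set(discovery.get("scopes_supported", []))
    # offline_access is a client concern: the back-end does not (and need not) advertise it.
    if want_refresh_token and OFFLINE_ACCESS in supported and OFFLINE_ACCESS not in scopes:
        scopes.append(OFFLINE_ACCESS)
    return scopes


def build_authorization_params(client_id, redirect_uri, scopes, state):
    """Query parameters for an authorization-code request; scope is space-separated."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }


def authorization_url(authorization_endpoint, params):
    """Full authorization URL for the browser redirect."""
    return authorization_endpoint + "?" + urlencode(params)


def backend_auth_header(provider_id, token_response):
    """Authorization header for calls to the openEO back-end.

    Only the access token leaves the client. The refresh token, if the
    provider issued one, is deliberately never read here.
    """
    return {"Authorization": f"Bearer oidc/{provider_id}/{token_response['access_token']}"}


if __name__ == "__main__":
    for label, disc in [("EGI-like provider", DISCOVERY_WITH_OFFLINE),
                        ("provider without offline_access", DISCOVERY_WITHOUT_OFFLINE)]:
        print(label, "->", scopes_to_request(BACKEND_PROVIDER["scopes"], True, disc))
    params = build_authorization_params(
        "openeo-platform-default-client",
        "http://localhost:8080/callback",  # constructed redirect URI
        scopes_to_request(BACKEND_PROVIDER["scopes"], True, DISCOVERY_WITH_OFFLINE),
        "state-constructed",
    )
    print(authorization_url("https://aai.egi.eu/oidc/authorize", params))
    tokens = {"access_token": "AT-constructed", "refresh_token": "RT-constructed"}
    print(backend_auth_header(BACKEND_PROVIDER["id"], tokens))
```

Note that `scopes_supported` is only a recommended field in the OIDC discovery document; when a provider omits it, this logic leaves "offline_access" out and the client falls back to the behaviour the back-end's scopes alone give.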

@m-mohr
Member Author

m-mohr commented Jan 10, 2022

Hmm... I understood the API spec differently, but it somewhat makes sense that the back-end doesn't advertise offline_access although it would be somewhat easier for a client to just mirror what they got. I think we should then improve the API documentation and clearly state in there that offline_access (and other optional scopes) can/should be requested by the clients as needed.

@soxofaan
Member

My interpretation of the /credentials/oidc API spec is that the back-end specifies which scopes it requires for user identification; the client is still free to request more. The current description even uses the verb "include", so it already allows that interpretation, actually:

A list of OpenID Connect scopes that the client MUST include when requesting authorization.

Also note: in my testing, "offline_access" is only necessary with EGI and Microsoft; other providers I played with (Keycloak, Google) did not require a scope to enable refresh tokens, as far as I remember.

m-mohr added a commit to Open-EO/openeo-api that referenced this issue Jan 11, 2022
@m-mohr
Member Author

m-mohr commented Jan 11, 2022

Yes, I've updated the API spec to be a bit more clear (italic = additions):

A list of OpenID Connect scopes that the client MUST at least include when requesting authorization.
Clients MAY add additional scopes such as the offline_access scope to retrieve a refresh token.

The Web Editor and JS client also handle it properly now.

@m-mohr m-mohr closed this as completed Jan 11, 2022