Skip to content

Add offline_access to default OIDC scope#538

Merged
nibalizer merged 1 commit into
mainfrom
nibz/add_offline_access_scope
Jul 16, 2026
Merged

Add offline_access to default OIDC scope#538
nibalizer merged 1 commit into
mainfrom
nibz/add_offline_access_scope

Conversation

@nibalizer

@nibalizer nibalizer commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Pull Request Description

This adds 'offline_access' to the requested scopes on the validmind library oauth flow. This enables reauth after a timeout.

What and why?

How to test

What needs special review?

Dependencies, breaking changes, and deployment notes

Release notes

offline_flags added to requested oauth scopes when library authenticates via oauth

Checklist

  • What and why
  • Screenshots or videos (Frontend)
  • How to test
  • What needs special review
  • Dependencies, breaking changes, and deployment notes
  • Labels applied
  • PR linked to Shortcut
  • Unit tests added (Backend)
  • Tested locally
  • Documentation updated (if required)
  • Environment variable additions/changes documented (if required)

@nibalizer
nibalizer requested a review from jamadriz July 14, 2026 16:11
@github-actions

Copy link
Copy Markdown
Contributor

Pull requests must include at least one of the required labels: internal (no release notes required), highlight, enhancement, bug, deprecation, documentation. Except for internal, pull requests must also include a description in the release notes section.

@github-actions

Copy link
Copy Markdown
Contributor

PR Summary

This PR updates the default set of OAuth scopes used for OIDC device flow authentication to include the offline_access scope, in addition to the existing openid profile email scopes. This change ensures that OIDC providers are able to issue refresh tokens, enabling longer-lived sessions. The update is reflected in the documentation, the initialization of the authentication context using the updated scope, and the associated tests. A new unit test is also added to verify that when no custom scope is provided via environment variables, the default scope with offline_access is used. The modifications in the API client and test files guarantee that both the documented behavior and actual implementation are now aligned with the need to request refresh tokens from OIDC providers.

Test Suggestions

  • Run the new unit test to ensure that the default scope includes 'offline_access' when not overridden.
  • Manually test the device flow authentication process with an OIDC provider to confirm that refresh tokens are issued.
  • Verify that overriding the scope through environment variables still works correctly.
  • Check that documentation changes render correctly and match the actual behavior.

@nibalizer nibalizer added internal Not to be externalized in the release notes enhancement New feature or request and removed internal Not to be externalized in the release notes labels Jul 16, 2026
@nibalizer
nibalizer merged commit 06c6810 into main Jul 16, 2026
24 of 25 checks passed
@nibalizer
nibalizer deleted the nibz/add_offline_access_scope branch July 16, 2026 16:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature or request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants