When manually creating an OIDC account using oidc-gen -m <account>, I specify all the desired scopes but intentionally omit offline_access. However, after generating the account, requesting a token with oidc-token <account> still includes the offline_access scope in the token.
If I try to remove offline_access from my client configuration to prevent this, oidc-gen throws an error and doesn't allow me to create the account.
Question
Is there a way to configure an OIDC account to generate tokens without including offline_access by default?
I’m aware that I can manually specify the desired scopes each time I request a token, but this is cumbersome. Ideally, I’d like to configure the account so that tokens exclude offline_access by default.
In OIDC, offline_access is used to request a refresh token from the OP (in addition to the access token). This refresh token is stored in the account config and is required for the agent to be able to obtain additional access tokens.
Therefore, the offline_access scope is always required and automatically added.
oidc-gen has a --only-at option where only a (single) access token is obtained; this mode does not use offline_access, however, it also does not create an account configuration.
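As an added example (not from this thread or the oidc-agent project): a Python check that decodes an access token's payload to show which scopes, offline_access included, the OP actually put in the token. It assumes the OP issues JWT access tokens carrying a space-separated `scope` claim (or a `scp` list); opaque tokens would need the OP's introspection endpoint instead, and the sample token below is constructed, not a real one.

```python
import base64
import json


def _b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def token_scopes(token: str) -> set:
    """Return the set of scopes carried in a JWT access token's payload.

    Only the payload is inspected (no signature verification), so this tells
    you what the OP issued; it must not be used to decide whether to trust it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact-serialised token")
    claims = json.loads(_b64url_decode(parts[1]))
    # Most OPs use a space-separated 'scope' string; some use a 'scp' list.
    scope = claims.get("scope", claims.get("scp", ""))
    if isinstance(scope, str):
        return set(scope.split())
    return set(scope)


def has_offline_access(token: str) -> bool:
    return "offline_access" in token_scopes(token)


def _constructed_token(scope: str) -> str:
    # Constructed sample: an unsigned (alg=none) token for demonstration only.
    def enc(obj) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc({'sub': 'user', 'scope': scope})}."


# Token as the issue describes it: offline_access present although not requested.
WITH_OFFLINE = _constructed_token("openid profile offline_access")
# Token as the reporter would like it: only the scopes explicitly listed.
WITHOUT_OFFLINE = _constructed_token("openid profile")

if __name__ == "__main__":
    print(sorted(token_scopes(WITH_OFFLINE)), has_offline_access(WITH_OFFLINE))
```

In practice pipe the output of `oidc-token <account>` into `token_scopes` to confirm what an account hands out before relying on it.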
OK, I understand. But can't oidc-agent request the offline_access scope from the client, but not automatically include it in the access tokens it generates when the user doesn't specifically indicate it in his list of scopes?