Skip to content
This repository has been archived by the owner on Jul 31, 2024. It is now read-only.

The "offline_access" scope is always shown in the discovery document #5316

Closed
alexnovokshanov opened this issue Jul 28, 2021 · 0 comments
Closed

The "offline_access" scope is always shown in the discovery document #5316

alexnovokshanov opened this issue Jul 28, 2021 · 0 comments
Labels
bug report

Comments

@alexnovokshanov
Copy link

The IdentityServer4.ResponseHandling.DiscoveryResponseGenerator does not honor IdentityServer4.Models.Resources.OfflineAccess property value and always adds "offline_access" to the scopes list (https://github.com/IdentityServer/IdentityServer4/blob/main/src/IdentityServer4/src/ResponseHandling/Default/DiscoveryResponseGenerator.cs, line 233). Thus the offline access is always advertised in the discovery document.

The code at line 233 should be:

if (resources.OfflineAccess)
{
scopes.Add(IdentityServerConstants.StandardScopes.OfflineAccess);
}
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug report
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@leastprivilege @alexnovokshanov