Kenta Ishizaki edited this page Jun 15, 2026 · 1 revision

Scopes

To perform authentication over OpenID Connect, an OAuth client needs to request the openid scope. This scope needs to be enabled using either optional_scopes in the global Doorkeeper configuration in config/initializers/doorkeeper.rb, or by adding it to any OAuth application's scope attribute.

Note that any application defining its own scopes won't inherit the scopes defined in the initializer, so you might have to update existing applications as well.

See Using Scopes in the Doorkeeper wiki for more information.

offline_access

Per OIDC Core §11, the offline_access scope signals that the client wants a refresh token so it can access the user's resources while the user is offline. Doorkeeper's existing use_refresh_token block already covers the basic flow — issue a refresh token only when the client actually asked for offline_access:

# config/initializers/doorkeeper.rb
Doorkeeper.configure do
  optional_scopes :openid, :offline_access

  # Issue a refresh token only when the client requests offline_access
  use_refresh_token do |context|
    context.scopes.exists?("offline_access")
  end
end

Note: This does not automatically enforce OIDC Core §11's strict requirements — for example, the OP MUST ignore offline_access unless prompt=consent is present and response_type returns an Authorization Code. If you need that level of enforcement, filter the scope in your use_refresh_token block or authorization controller override.
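The rule in the note above, written out as a standalone Ruby helper. This is an added example, not code from the doorkeeper-openid_connect wiki or from Doorkeeper itself: the names filter_offline_access, refresh_token_allowed? and OfflineAccessDecision are assumptions of this example, it relies on no Doorkeeper API, and it only decides whether offline_access should be honoured for a given request (prompt and response_type are the raw request parameter strings). How you wire it into a use_refresh_token block or an authorization controller override is up to you; the decision also carries a reason string so that dropped offline_access requests can be logged and reviewed.

```ruby
# Added example: OIDC Core section 11 handling of offline_access, as a pure
# function with no Doorkeeper dependency. The OP ignores offline_access
# unless prompt includes "consent" and response_type would return an
# Authorization Code ("code", or a hybrid type such as "code id_token").
OFFLINE_ACCESS = "offline_access".freeze

# scopes                 - the scope list that will actually be granted
# offline_access_ignored - true when offline_access was requested but dropped
# reason                 - short text suitable for an audit log entry
OfflineAccessDecision = Struct.new(:scopes, :offline_access_ignored, :reason)

# Space-separated request parameters are split into tokens; nil and empty
# strings (parameter absent) are treated as an empty list.
def param_tokens(value)
  value.to_s.split
end

# Apply the section 11 rule and return an OfflineAccessDecision.
def filter_offline_access(scopes:, prompt:, response_type:)
  scope_list = param_tokens(scopes)
  unless scope_list.include?(OFFLINE_ACCESS)
    return OfflineAccessDecision.new(scope_list, false, "offline_access not requested")
  end

  consent_given = param_tokens(prompt).include?("consent")
  returns_code  = param_tokens(response_type).include?("code")

  if consent_given && returns_code
    OfflineAccessDecision.new(scope_list, false, "offline_access granted: prompt=consent and response_type returns a code")
  elsif !returns_code
    OfflineAccessDecision.new(scope_list - [OFFLINE_ACCESS], true, "offline_access ignored: response_type does not return an Authorization Code")
  else
    OfflineAccessDecision.new(scope_list - [OFFLINE_ACCESS], true, "offline_access ignored: prompt does not include consent")
  end
end

# True only when offline_access survives filtering, i.e. when a refresh token
# may be issued for this authorization request.
def refresh_token_allowed?(scopes:, prompt:, response_type:)
  filter_offline_access(scopes: scopes, prompt: prompt, response_type: response_type)
    .scopes.include?(OFFLINE_ACCESS)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample requests, not captured traffic.
  [
    { scopes: "openid offline_access", prompt: "consent",       response_type: "code" },
    { scopes: "openid offline_access", prompt: nil,             response_type: "code" },
    { scopes: "openid offline_access", prompt: "consent",       response_type: "id_token token" },
    { scopes: "openid offline_access", prompt: "login consent", response_type: "code id_token" },
  ].each do |req|
    d = filter_offline_access(**req)
    puts "#{req.inspect} -> scopes=#{d.scopes.inspect} (#{d.reason})"
  end
end
```

Because the helper works on the raw parameter strings, the same function can be reused to flag authorization requests that asked for offline_access without consent, which is a useful signal to surface in logs even when the request is otherwise served.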
