fix: device_authorization w/ offline_access scope

Author: panva

lib/actions/authorization/check_scope.js

@@ -7,7 +7,7 @@ const instance = require('../../helpers/weak_cache');
  *
  * @throws: invalid_request
  */
-module.exports = provider => async function checkScope(ctx, next) {
+module.exports = (provider, PARAM_LIST) => async function checkScope(ctx, next) {
   const scopes = intersection(ctx.oidc.params.scope.split(' '), instance(provider).configuration('scopes'));
   const responseType = ctx.oidc.params.response_type;
   const { prompts } = ctx.oidc;
@@ -21,7 +21,7 @@ module.exports = provider => async function checkScope(ctx, next) {
    */
 
   if (scopes.includes('offline_access')) {
-    if (!responseType.includes('code') || !prompts.includes('consent')) {
+    if ((PARAM_LIST.has('response_type') && !responseType.includes('code')) || !prompts.includes('consent')) {
       pull(scopes, 'offline_access').join(' ');
     }
   }

lib/actions/authorization/index.js

@@ -86,7 +86,7 @@ module.exports = function authorizationAction(provider, endpoint) {
   use(() => oidcRequired,                               A               );
   use(() => checkPrompt(provider),                      A, DA           );
   use(() => checkResponseType(provider),                A               );
-  use(() => checkScope(provider),                       A, DA           );
+  use(() => checkScope(provider, whitelist),            A, DA           );
   use(() => checkRedirectUri,                           A               );
   use(() => checkWebMessageUri(provider),               A               );
   use(() => checkPixy(provider),                        A, DA           );