[OIDC] `offline_access` invalid scope
Using BA OIDC plugin, from an OIDC RP (Auth.js on Next.js app) I am requesting the offline_access scope but get GET /api/auth/oauth2/authorize?error=invalid_scope&error_description=The%20following%20scopes%20are%20invalid:%20offline_access 302 in 26ms
BA OIDC plugin docs say that offline_access is in the default scopes array (openid profile email offline_access). Am I missing a BA config option, or is it an issue on the RP side?
if offline access is requested, you must also set prompt to consent
Setting the prompt=consent query param (from client) and explicitly going through consent flow results in {"error_description":"Consent not required","error":"invalid_request"}, 401 unauthorized, response when /api/auth/oauth2/consent is POSTed during the consent flow.
Skipping consent flow results in refresh_token: undefined (as expected based on your info above), this also results in refresh_token: undefined. Am I missing a BA config option? I have the consentPage option set in the BA OIDC provider plugin settings. Got this working on same client with keycloak and ory hydra so guessing I am missing something minor!
wait you're trying to use better auth oidc plugin as an IDP right?
Correct. BA OIDC plugin as IDP/OIDC OP, the OIDC RP is running on Auth.js/Next Auth
BA as IDP works great for authentication so far! ID tokens, access tokens working fantastic. Just was unable to get refresh tokens coming back yet
do you have the consent page on a different domain than your BA server?
Same domain 🙂 ty for your help btw ik you're extremely busy, if you have a donate link or anything happy to support (saw you have github sponsors at least)
Used https://github.com/better-auth/better-auth/tree/main/demo/nextjs as a baseline, still have the consent page on /oauth/authorize
thanks but dw! so check if cookie is being set when you're redirected to the consent page
we should probably provide an option to override requiring a consent page for refresh tokens
but according to the spec, it should be required
Got it, I'll play around with it further. Here are my cookies (force-cleared then navigated to consent -> screenshot)

the oidc consent prompt is the cookie you're looking for. Btw it gets a bit messy when you try to run both the IDP and the client on localhost.
Would it be worth running RP on custom hostname? Could modify /etc/hosts
Currently, I have BA (IDP) on https://localhost:8000 and RP on https://localhost:3000
yeah I think that'd be a better approach
Dang, same issue with completely separate domains for IDP and client. I got that oidc_consent_prompt cookie set again no problem, notice the different domain prefix:
{"error_description":"Consent not required","error":"invalid_request"}
URL params on consent page: client_id=...&scope=openid+profile+email+offline_access
Maybe an issue here? Other params supposed to carry through to consent page? Noticed in the BA docs/JSDoc that code param should be part of consent page params if I'm understanding correctly