- Type: Task
- Resolution: Fixed
- Priority: Major - P3
- Affects Version/s: None
- Component/s: OIDC DB Auth
- None
- 3
- Iteration Wendiceratops
- Needed
Currently, Compass and mongosh add the openid and offline_access scopes to all OIDC authentication requests, as was suggested in the initiative architecture document:
A customer has pointed out that this prevents interoperability with some identity providers, and product has indicated that they would drop this requirement.
Identity providers publish the list of scopes they support in the scopes_supported field of their metadata (discovery) document (e.g.: Okta, Azure).
We should only add the offline_access scope if at least one of the following holds:
- no scopes_supported list was provided in the issuer metadata, or
- the scopes_supported list contains offline_access, or
- the requestScopes list from the server's IdP metadata contains offline_access.