Overview#

Offline_access is defined in OpenID Connect as an OAuth Scope value to request offline access:

Offline_access - OPTIONAL This scope value requests that an OAuth 2.0 Refresh Token be issued that can be used to obtain an Access Token that grants access to the End-User's userinfo_endpoint even when the End-User is not present (not logged in).

When Offline_access is requested, a prompt parameter value of consent MUST be used unless other conditions for processing the request permitting offline access to the requested resources are in place. The OpenID Connect Provider MUST always obtain consent to returning a Refresh Token that enables Offline_access to the requested resources. A previously saved user consent is not always sufficient to grant Offline_access.

Upon receipt of a scope parameter containing the Offline_access value, the Authorization Server:

• MUST ensure that the Prompt Parameter contains consent unless other conditions for processing the request permitting offline access to the requested resources are in place; unless one or both of these conditions are fulfilled, then it MUST ignore the Offline_access request,
• MUST ignore the Offline_access request unless the Client is using a response_type value that would result in an Authorization Code being returned,
• MUST explicitly receive or have consent for all Clients when the registered application_type is web,
• SHOULD explicitly receive or have consent for all Clients when the registered application_type is Native application.

The use of Refresh Tokens is not exclusive to the Offline_access use case. The Authorization Server MAY grant Refresh Tokens in other contexts that are beyond the scope of OpenID.Core.

More Information#

There might be more information for this subject on one of the following:

• OpenID Connect Back-Channel Logout
• OpenID Connect Scopes
• Refresh Token