Currently, Compass and mongosh add the openid and offline_access scopes to all OIDC authentication requests, as was suggested in the initiative architecture document:
https://github.com/mongodb-js/oidc-plugin/blob/938ba84e8574cad9892e1d6ee67658d4cc00e0cd/src/plugin.ts#L320
A customer has pointed out that this prevents interoperability with some identity providers, and product has indicated that they would drop this requirement.
Identity providers publish the scopes they support in the scopes_supported field of their discovery metadata document (e.g. Okta, Azure).
We should only add the offline_access scope if:
- no scopes_supported list was provided in the issuer metadata, or
- the scopes_supported list contains offline_access, or
- the requestScopes list from the server IdP metadata contains offline_access.
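As an added illustration (not code from oidc-plugin itself), a scope builder that applies the three conditions above, treating them as alternatives; the `IssuerMetadata` type, the `buildScopeString` name and the constructed sample metadata are assumptions:

```typescript
// Added example, not the plugin's own code. Decide which scopes to put in the
// OIDC authorization request, given the issuer's discovery metadata and the
// requestScopes the MongoDB server advertises in its IdP metadata.

interface IssuerMetadata {
  // Optional per the OIDC Discovery spec; absent means "unknown", not "none".
  scopes_supported?: string[];
}

function buildScopeString(
  issuer: IssuerMetadata,
  requestScopes: string[] = []
): string {
  // openid is always required for an OIDC (as opposed to plain OAuth) request.
  const scopes = new Set<string>(['openid']);
  for (const s of requestScopes) scopes.add(s);

  const supported = issuer.scopes_supported;
  const wantOfflineAccess =
    supported === undefined ||                  // no list published
    supported.includes('offline_access') ||     // IdP says it supports it
    requestScopes.includes('offline_access');   // server explicitly asks for it

  // Without offline_access no refresh token is issued, so the client has to
  // re-run the browser flow when the access token expires. That is the
  // trade-off for interoperating with IdPs that reject unknown scopes.
  if (wantOfflineAccess) scopes.add('offline_access');

  return [...scopes].join(' ');
}

// Constructed sample metadata, modelled on a provider that does not list
// offline_access (values are illustrative, not copied from any real issuer).
const strictIssuer: IssuerMetadata = { scopes_supported: ['openid', 'profile', 'email'] };
const permissiveIssuer: IssuerMetadata = { scopes_supported: ['openid', 'offline_access'] };
const silentIssuer: IssuerMetadata = {};

console.log(buildScopeString(strictIssuer));                       // openid
console.log(buildScopeString(permissiveIssuer));                   // openid offline_access
console.log(buildScopeString(silentIssuer));                       // openid offline_access
console.log(buildScopeString(strictIssuer, ['offline_access']));   // openid offline_access
```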