What's the expected scope when asking for a refresh token?

#1

Looking at the example apps, I see that the scope offline is being used when asking for a refresh_token. However, the OIDC spec says that the scope should be offline_access.

I’m a bit confused by this, am I missing something here?

1 Like
#2

Both are supported, and it’s documented: https://www.ory.sh/docs/hydra/oauth2#oauth-20-refresh-tokens

#3

Thanks for your fast reply!
I knew that both were supported, I just wanted to know if it’s ok to support the “offline” scope when as far as I see the spec doesn’t mention it at all.