mod_http_oauth2: Support the "offline_access" for granting refresh tokens Refresh tokens are no longer included unless this scope is requested and granted. BC: This prevents existing implementations that rely on always getting the refresh token from continuing.

author: Kim Alvefur <zash@zash.se>
date: Wed, 02 Jul 2025 15:53:02 +0200
parent: 6240:ab14e7ecb82f
child: 6342:3eb0255b41b3
--- a/mod_http_oauth2/README.md	Tue Jul 01 23:45:02 2025 -0500
+++ b/mod_http_oauth2/README.md	Wed Jul 02 15:53:02 2025 +0200
@@ -292,6 +292,8 @@
 OpenID scopes such as `openid` and `profile` can be used for "Login
 with XMPP" without granting access to more than limited profile details.
 
+The `offline_access` scope must be requested to receive refresh tokens.
+
 ## Compatibility
 
 Requires Prosody trunk (April 2023), **not** compatible with Prosody 0.12 or