
fix: Skip refresh token support and requesting offline_access scope for user login flow#1536

Merged
ramya18101 merged 2 commits into main from DXCDT-1854/skip_offline_access on Jun 6, 2026

Conversation

@bkiran6398 (Contributor) commented Jun 5, 2026

🔧 Changes

Stops requesting the offline_access scope during device-code (user) login and removes the now-unused refresh-token handling.

Refresh tokens are no longer issued or stored for user logins, so the code paths that depended on them have been removed:

  • Drops offline_access from the required login scopes.
  • Removes the RefreshToken field from the auth Result struct and stops parsing refresh_token from the token response.
  • Stops storing refresh tokens in the system keyring on login; removes the StoreRefreshToken and GetRefreshToken keyring helpers.
  • Simplifies RegenerateAccessToken to the client-credentials path only, since device-code logins can no longer be refreshed.
  • Keyring cleanup on logout still deletes any pre-existing refresh tokens so users upgrading don't leave stale secrets behind.

User impact: after an access token expires, device-code users re-authenticate via auth0 login instead of relying on a silent refresh.

📚 References

🔬 Testing

  • Existing auth and keyring unit tests updated to reflect the removal of refresh-token logic (internal/auth, internal/keyring).
  • Manual verification:
    1. Run auth0 login and complete the device-code flow as a user.
    2. Confirm login succeeds and the consent screen no longer requests offline access.
    3. Confirm no refresh token is written to the keyring.
    4. Run a command (e.g. auth0 apps list) to confirm the stored access token works.

📝 Checklist

  • All new/changed/fixed functionality is covered by tests (or N/A)
  • I have added documentation for all new/changed functionality (or N/A)
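The description above lists three things that together remove long-lived credentials from the user login flow: the `offline_access` scope is not requested, the token response is decoded into a `Result` with no `RefreshToken` field, and logout still deletes any refresh token left behind by an older version. The Go program below is an added illustration of those three checks; it is not code from the auth0-cli repository or from this PR. The `Result` layout, the `requiredScopes` list, the `Keyring` map type and the `auth0-cli-refresh-token` key name are all constructed stand-ins, as is the token response embedded in `main`.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Result is the outcome of a device-code login. It deliberately has no
// RefreshToken field: because offline_access is never requested, the
// authorization server issues no refresh token and nothing is stored.
// (Constructed struct for this example, not the project's own.)
type Result struct {
	AccessToken string    `json:"access_token"`
	TokenType   string    `json:"token_type"`
	ExpiresIn   int64     `json:"expires_in"`
	ExpiresAt   time.Time `json:"-"`
}

// requiredScopes is a constructed example scope list for the user login
// flow; the point is that offline_access is absent from it.
var requiredScopes = []string{"openid", "profile", "email"}

// RequestsOfflineAccess reports whether a scope list would make the
// authorization server issue a refresh token.
func RequestsOfflineAccess(scopes []string) bool {
	for _, s := range scopes {
		if s == "offline_access" {
			return true
		}
	}
	return false
}

// ParseTokenResponse decodes a token endpoint response into Result. Any
// refresh_token field in the body is dropped, because encoding/json ignores
// fields the struct does not declare, so a stray refresh token is never kept.
func ParseTokenResponse(body []byte, now time.Time) (Result, error) {
	var r Result
	if err := json.Unmarshal(body, &r); err != nil {
		return Result{}, err
	}
	if r.AccessToken == "" {
		return Result{}, errors.New("token response has no access_token")
	}
	r.ExpiresAt = now.Add(time.Duration(r.ExpiresIn) * time.Second)
	return r, nil
}

// NeedsReauthentication reports whether the user must run the login flow
// again. With no refresh token there is no silent path back to a valid token.
func NeedsReauthentication(r Result, now time.Time) bool {
	return !now.Before(r.ExpiresAt)
}

// Keyring is a hypothetical in-memory stand-in for the system keyring.
type Keyring map[string]string

// refreshTokenKey is a constructed key prefix; the real CLI's key is not shown
// on this page.
const refreshTokenKey = "auth0-cli-refresh-token"

// DeleteStaleRefreshToken removes a refresh token stored by an older version
// for the given tenant. It returns true if something was deleted. A missing
// entry is not an error, so logout stays idempotent on upgraded installs.
func DeleteStaleRefreshToken(k Keyring, tenant string) bool {
	key := refreshTokenKey + ":" + tenant
	if _, ok := k[key]; !ok {
		return false
	}
	delete(k, key)
	return true
}

func main() {
	// Constructed token response: the refresh_token here is exactly what the
	// parser must discard.
	body := []byte(`{"access_token":"at-example","token_type":"Bearer","expires_in":3600,"refresh_token":"rt-should-be-ignored"}`)
	now := time.Now()
	r, err := ParseTokenResponse(body, now)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	fmt.Println("requests offline_access:", RequestsOfflineAccess(requiredScopes))
	fmt.Println("access token expires at:", r.ExpiresAt.Format(time.RFC3339))
	fmt.Println("needs re-login after 2h:", NeedsReauthentication(r, now.Add(2*time.Hour)))

	k := Keyring{refreshTokenKey + ":tenant.example.com": "legacy-secret"}
	fmt.Println("stale refresh token removed on logout:", DeleteStaleRefreshToken(k, "tenant.example.com"))
}
```

The stale-token cleanup is the part most easily forgotten: a secret the new code never reads is still a secret sitting in the keyring until something deletes it.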

…on flow

- Removed the handling of refresh tokens from the authentication process.
- Updated the `Result` struct to exclude the `RefreshToken` field.
- Adjusted the `WaitUntilUserLogsIn` function to no longer return a refresh token.
- Modified the `RunLoginAsUser` function to stop storing refresh tokens in the keyring.
- Refactored the `RegenerateAccessToken` method to streamline access token retrieval.
- Updated related tests and keyring functions to reflect the removal of refresh token logic.
- This change simplifies the authentication flow and aligns with the new design spec for skipping offline access.
- Removed the "refresh_token" field from the token response in the TestWaitUntilUserLogsIn function.
- This change aligns with the updated authentication flow that no longer requires refresh tokens, simplifying the response structure.
@bkiran6398 bkiran6398 force-pushed the DXCDT-1854/skip_offline_access branch from fc612cf to 9911e7f June 5, 2026 10:42
@bkiran6398 bkiran6398 marked this pull request as ready for review June 5, 2026 11:10
@bkiran6398 bkiran6398 requested a review from a team as a code owner June 5, 2026 11:10
@ramya18101 ramya18101 merged commit 16d6f7b into main Jun 6, 2026
6 checks passed
@ramya18101 ramya18101 deleted the DXCDT-1854/skip_offline_access branch June 6, 2026 06:58
