Offline access

This is a special mode defined in the OpenID Connect spec.

When requesting an RPT token, you can request the optional scope offline_access. If you are authorized to gain that scope (either you are allowed to have it and the client app may request it for you, or the client acting as itself is authorized to request it), you will receive a special kind of refresh_token along with the access_token.

This refresh_token does not expire when the user (or client) is logged out. So the client can persist this refresh_token and use it to acquire a new access_token without needing the user's consent again.

If the refresh_token is not used for a day, it expires anyway, and the user has to consent to the offline_access scope again.
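
The lifecycle described above, seen from the client side, as an added example (not code from this project): a holder for the persisted refresh_token that builds the standard OAuth 2.0 refresh request, applies the one-day idle limit locally, and treats an invalid_grant answer as "ask for consent again". The names OfflineSession, ConsentRequired and the injected post transport are hypothetical, and a public client identified only by client_id is assumed because the page does not name a token endpoint or client type.

```python
import time
from urllib.parse import urlencode

IDLE_LIMIT_S = 24 * 60 * 60  # from the page: unused for a day -> expired


class ConsentRequired(Exception):
    """Offline token is unusable; the user must grant offline_access again."""


class OfflineSession:
    """Hypothetical client-side holder for a persisted offline refresh_token."""

    def __init__(self, refresh_token, client_id, post, now=time.time):
        self.refresh_token = refresh_token
        self.client_id = client_id  # assumption: public client, no client secret
        self.post = post            # assumed transport: form body -> (status, json dict)
        self.now = now
        self.last_used = now()

    def refresh_form(self):
        # Refresh request body as defined in RFC 6749 section 6.
        return urlencode({"grant_type": "refresh_token",
                          "refresh_token": self.refresh_token,
                          "client_id": self.client_id})

    def access_token(self):
        # Local idle check avoids sending a token the server has already expired.
        idle = self.now() - self.last_used
        if self.refresh_token is None or idle > IDLE_LIMIT_S:
            self.refresh_token = None
            raise ConsentRequired("offline token missing or idle for over a day")
        status, body = self.post(self.refresh_form())
        if status == 400 and body.get("error") == "invalid_grant":
            # The server is authoritative: revoked or expired on its side.
            self.refresh_token = None
            raise ConsentRequired("server rejected the refresh token")
        if status != 200:
            raise RuntimeError(f"token endpoint returned {status}")
        self.last_used = self.now()
        # Servers may rotate refresh tokens; persist the newest one.
        self.refresh_token = body.get("refresh_token", self.refresh_token)
        return body["access_token"]
```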