Should OAuth2AuthHandlerImpl verify the "offline_access" scope?


xinchao zhang

May 19, 2025, 1:19:10 PM
to vert.x
Hi all,

I am using vertx-auth 4.5.13 to integrate with our enterprise OIDC provided by Azure. What I noticed is that if I include the scope "offline_access" in the token request, the authentication fails when vertx handles the callback redirect and throws the error:

"principal scope != handler scopes"

I looked into the code; it is OAuth2AuthHandlerImpl throwing the exception, because it asserts that the scopes returned by the IdP (through user.principal().get("scope")) must include all the scopes we requested. And "offline_access" is not there despite our having requested it, and despite the response containing a refresh_token.

OAuth2AuthHandlerImpl also makes a few exceptions and skips this validation if the requested scope is one of the OpenID standard-defined scopes: openid, email, phone, profile, offline. But "offline" is not an OIDC-defined scope; "offline_access" is.

Is that a mistake in the implementation, or have I misunderstood something?

Any help would be appreciated!

Xinchao
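To make the behaviour described above concrete, here is an illustrative model of the scope validation, added for this thread; it is not vert.x's own code and is not copied from OAuth2AuthHandlerImpl. It assumes what the post states: the handler compares the scopes it requested against the space-delimited "scope" claim on the principal, and exempts only the names listed in the post. The requested scopes and the principal's scope string are constructed sample values, and the method names (`missingScopes`, the two exemption sets) are hypothetical.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Illustrative model (added example, NOT vert.x's own code) of the check
 * described in the thread: every scope the handler requested must appear in
 * the principal's "scope" claim unless it is in a small OpenID exemption set.
 */
public final class ScopeCheckDemo {

  /** Exemption set as listed in the post: note "offline", not "offline_access". */
  static final Set<String> OPENID_SCOPES_AS_DESCRIBED =
      new HashSet<>(Arrays.asList("openid", "email", "phone", "profile", "offline"));

  /** The same set using the OIDC-defined name the post argues should be exempt (hypothetical). */
  static final Set<String> OPENID_SCOPES_WITH_OFFLINE_ACCESS =
      new HashSet<>(Arrays.asList("openid", "email", "phone", "profile", "offline_access"));

  /**
   * Returns the requested scopes that are neither exempt nor present in the
   * principal's scope claim. An empty result means the handler would accept the
   * user; a non-empty result is the "principal scope != handler scopes" case.
   */
  static List<String> missingScopes(List<String> requested, String principalScope, Set<String> exempt) {
    Set<String> granted = new HashSet<>();
    if (principalScope != null) {
      // The scope claim is a space-delimited list (RFC 6749 section 3.3).
      for (String s : principalScope.trim().split("\\s+")) {
        if (!s.isEmpty()) {
          granted.add(s);
        }
      }
    }
    List<String> missing = new ArrayList<>();
    for (String s : requested) {
      if (!exempt.contains(s) && !granted.contains(s)) {
        missing.add(s);
      }
    }
    return missing;
  }

  public static void main(String[] args) {
    // Constructed sample: the handler asked for these three scopes...
    List<String> requested = Arrays.asList("openid", "profile", "offline_access");
    // ...and the IdP's token response echoed only these two (constructed; the
    // post reports that a refresh_token was still returned alongside them).
    String principalScope = "openid profile";

    System.out.println("exemption set as described   : missing="
        + missingScopes(requested, principalScope, OPENID_SCOPES_AS_DESCRIBED));
    System.out.println("exemption set with offline_access: missing="
        + missingScopes(requested, principalScope, OPENID_SCOPES_WITH_OFFLINE_ACCESS));
  }
}
```

With the exemption set exactly as the post lists it, `offline_access` is reported missing and the callback would be rejected; with `offline_access` in the exemption set, nothing is missing and the user is accepted. The comparison itself is worth keeping rather than disabling: it catches an IdP silently granting fewer scopes than the application asked for, so the narrow change is to the exemption list, not to the check.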

Paulo Lopes

May 20, 2025, 3:42:41 AM
to vertx
Hi Xinchao,

This is an interesting finding; please open an issue (and a PR if you're interested).

Cheers,
Paulo



---- On Mon, 19 May 2025 19:19:08 +0200 xinchao zhang <xinchao....@gmail.com> wrote ---


