diff --git a/connector/oidc/oidc.go b/connector/oidc/oidc.go
index dfab061a..1a9462da 100644
--- a/connector/oidc/oidc.go
+++ b/connector/oidc/oidc.go
@@ -168,14 +168,19 @@ func (c *oidcConnector) LoginURL(s connector.Scopes, callbackURL, state string)
 return "", fmt.Errorf("expected callback URL %q did not match the URL in the config %q", callbackURL, c.redirectURI)
 }
 
+ var opts []oauth2.AuthCodeOption
 if len(c.hostedDomains) > 0 {
 preferredDomain := c.hostedDomains[0]
 if len(c.hostedDomains) > 1 {
 preferredDomain = "*"
 }
- return c.oauth2Config.AuthCodeURL(state, oauth2.AccessTypeOffline, oauth2.SetAuthURLParam("prompt", "consent"), oauth2.SetAuthURLParam("hd", preferredDomain)), nil
+ opts = append(opts, oauth2.SetAuthURLParam("hd", preferredDomain))
 }
- return c.oauth2Config.AuthCodeURL(state, oauth2.AccessTypeOffline, oauth2.SetAuthURLParam("prompt", "consent")), nil
+
+ if s.OfflineAccess {
+ opts = append(opts, oauth2.AccessTypeOffline, oauth2.SetAuthURLParam("prompt", "consent"))
+ }
+ return c.oauth2Config.AuthCodeURL(state, opts...), nil
 }
 
 type oauth2Error struct {
diff --git a/server/handlers.go b/server/handlers.go
index 08bf5d04..a4db71cb 100644
--- a/server/handlers.go
+++ b/server/handlers.go
@@ -527,7 +527,9 @@ func (s *Server) finalizeLogin(identity connector.Identity, authReq storage.Auth
 } else {
 // Update existing OfflineSession obj with new RefreshTokenRef.
 if err := s.storage.UpdateOfflineSessions(session.UserID, session.ConnID, func(old storage.OfflineSessions) (storage.OfflineSessions, error) {
- old.ConnectorData = identity.ConnectorData
+ if len(identity.ConnectorData) > 0 {
+ old.ConnectorData = identity.ConnectorData
+ }
 return old, nil
 }); err != nil {
 s.logger.Errorf("failed to update offline session: %v", err)
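Review bot: The new `if s.OfflineAccess` block quietly changes behaviour for logins that do not request offline access — `prompt=consent` used to be sent on every authorization request and is now omitted, so the upstream provider may re-authenticate a returning browser session without showing a consent screen; that is defensible, but nothing in the hunk says it is intentional. A comment on the new block would make the intent explicit, e.g. `// Ask for a refresh token (and force the consent screen some providers require before issuing one) only when the client requested offline access; otherwise let the provider decide whether to re-prompt.` The `hd` parameter appended above is only a hint to the provider, and this hunk does not touch whatever check the callback path performs on the domain of the returned identity, so that check — if present — is unaffected. LoginURL's body begins before the hunk.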
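Review bot: The new length guard keeps whatever `ConnectorData` is already stored when the fresh identity carries none, but the comment above the callback (`// Update existing OfflineSession obj with new RefreshTokenRef.`) no longer describes that, and nothing explains why an empty value is not written through. Add a line above the guard such as `// Only replace stored connector data when this login produced some; a login without offline access yields none and must not wipe credentials kept from an earlier consent.` The flip side deserves a look: a connector can no longer clear stale upstream data by returning an empty slice, so if any connector relied on that to drop a revoked credential, the old value now silently persists — worth confirming against the connector implementations. finalizeLogin starts and ends outside the hunk.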