Should DefaultClientConfigurationValidator.ValidateGrantTypesAsync method also respect client offline access property?

[i00lii]

IdentityServer version

7.2.0

.NET version

NET8

Description

This might sound wired, but according to some business requirements we have to implement the following scenario:

• we need to create OIDC client,
• then generate refresh + access token pair for the client
• Revoke all other grant types for that client, except of offline_access.

Current implementation of DefaultClientConfigurationValidator.ValidateGrantTypesAsync is not checking offline_access, since it's not a part of client.AllowedGrantTypes.

Current implementation:

if (context.Client.AllowedGrantTypes?.Any() != true)
{
  context.SetError("no allowed grant type specified");
}

Suggested changes:

if (context.Client.AllowedGrantTypes?.Any() != true && !context.Client.AllowOfflineAccess)
{
  context.SetError("no allowed grant type specified");
}

Reproduction steps

No response

Expected behavior

No response

Logs

No response

Additional context

No response

[bhazen]

I want to be sure I understand what your goal is. You mentioned only allowing the offline_access grant type, but offline_access is a scope defined in the OIDC extension to OAuth 2.0 and not one of the grant types defined in the OAuth 2.0 spec. You will need at least one grant type allowed for your client and which grant type is appropriate will depend on what type of client you have. Is your application an application with users where you'll be obtaining an access token and refresh token for each user? Or is your scenario a server-to-server scenario with no users?