What is offline access?
The concept of offline access may vary depending on the context, we will focus on the OAuth 2.0 and OpenID Connect (OIDC) specifications. In this context, offline access allows clients to obtain new access tokens using a refresh token without requiring the user to re-authenticate. This feature is particularly useful for long-lived sessions and better user experience.
It’s worth noting that OAuth 2.0 does not define the term “offline access” explicitly; it only specifies the use of refresh tokens to obtain new access tokens. However, the term “offline access” (along with the offline_access scope) has been widely adopted in the industry to refer to this capability, and it is officially defined in the OpenID Connect (OIDC) specification.
How does offline access work?
For simplicity, we will use the OAuth 2.0 terms Authorization request and Authorization server to illustrate how offline access works. Their alternative terms in OIDC are Authentication request and OpenID Provider (OP) , respectively.
There are two main steps involved in leveraging offline access:
- Requesting offline access: When the Client initiates an authorization request to the authorization server, it includes the
offline_accessscope to request offline access. This scope indicates that the client wants to obtain a refresh token along with the access token.
The support for offline access may vary across authorization servers, and the authorization server may ignore the offline_access scope if it does not support it. Please refer to the authorization server’s documentation to ensure compatibility before using this scope.
- Using the refresh token: Once the OAuth 2.0 grant is complete, the client should receive a Refresh token along with the Access token . The client can store the refresh token securely and use it to send a Token request to the authorization server to obtain a new access token when the current access token expires.
For detailed examples of offline access in action, please refer to the Refresh token article.
Security considerations
The security implications of offline access are similar to those of refresh tokens. Please refer to the refresh token’s Security considerations section for details.