offline_access 기본 강제 제거 및 refresh_token grant 정책 정리

backend/internal/handler/client_tenant_access_test.go

@@ -154,7 +154,7 @@ func TestMergeRequestedScopesWithClientRequirements_StripsRefreshTokenScopeAlias
 		[]string{"openid", "offline", "profile", "offline_access"},
 	)
 
-	assert.Equal(t, []string{"openid", "tenant", "profile", "offline_access", "email"}, merged)
+	assert.Equal(t, []string{"openid", "tenant", "profile", "email"}, merged)
 }
 
 func TestBuildHydraAuthorizationURL_StripsRefreshTokenScopeAliases(t *testing.T) {
@@ -169,9 +169,9 @@ func TestBuildHydraAuthorizationURL_StripsRefreshTokenScopeAliases(t *testing.T)
 	scopes := parsed.Query().Get("scope")
 	scopeItems := strings.Fields(scopes)
 
-	assert.Equal(t, "openid profile offline_access email", scopes)
+	assert.Equal(t, "openid profile email", scopes)
 	assert.NotContains(t, scopeItems, "offline")
-	assert.Contains(t, scopeItems, "offline_access")
+	assert.NotContains(t, scopeItems, "offline_access")
 }
 
 func TestGetConsentRequest_DeniesTenantAccess(t *testing.T) {