offline_access 스코프 유지 처리 및 refresh_token 발급 경로 수정

backend/internal/handler/auth_handler.go

@@ -8430,7 +8430,7 @@ func buildHydraAuthorizationURL(clientID string, scopes []string, redirectURIs [
 	seen := map[string]struct{}{}
 	for _, scope := range append([]string{"openid"}, scopes...) {
 		scope = strings.TrimSpace(scope)
-		if scope == "" || isRefreshTokenScopeAlias(scope) {
+		if scope == "" || isLegacyRefreshTokenScopeAlias(scope) {
 			continue
 		}
 		if _, ok := seen[scope]; ok {

backend/internal/handler/client_tenant_access.go

@@ -464,7 +464,7 @@ func normalizeScopesInConsentOrder(scopes []string) []string {
 
 	appendIfPresent := func(scope string) {
 		scope = strings.TrimSpace(scope)
-		if scope == "" || isRefreshTokenScopeAlias(scope) {
+		if scope == "" || isLegacyRefreshTokenScopeAlias(scope) {
 			return
 		}
 		if _, ok := seen[scope]; ok {
@@ -485,7 +485,7 @@ func normalizeScopesInConsentOrder(scopes []string) []string {
 
 	for _, scope := range combined {
 		scope = strings.TrimSpace(scope)
-		if scope == "" || isRefreshTokenScopeAlias(scope) {
+		if scope == "" || isLegacyRefreshTokenScopeAlias(scope) {
 			continue
 		}
 		if _, ok := seen[scope]; ok {

backend/internal/handler/client_tenant_access_test.go

@@ -154,7 +154,7 @@ func TestMergeRequestedScopesWithClientRequirements_StripsRefreshTokenScopeAlias
 		[]string{"openid", "offline", "profile", "offline_access"},
 	)
 
-	assert.Equal(t, []string{"openid", "tenant", "profile", "email"}, merged)
+	assert.Equal(t, []string{"openid", "tenant", "profile", "offline_access", "email"}, merged)
 }
 
 func TestBuildHydraAuthorizationURL_StripsRefreshTokenScopeAliases(t *testing.T) {
@@ -169,9 +169,9 @@ func TestBuildHydraAuthorizationURL_StripsRefreshTokenScopeAliases(t *testing.T)
 	scopes := parsed.Query().Get("scope")
 	scopeItems := strings.Fields(scopes)
 
-	assert.Equal(t, "openid profile email", scopes)
+	assert.Equal(t, "openid profile offline_access email", scopes)
 	assert.NotContains(t, scopeItems, "offline")
-	assert.NotContains(t, scopeItems, "offline_access")
+	assert.Contains(t, scopeItems, "offline_access")
 }
 
 func TestGetConsentRequest_DeniesTenantAccess(t *testing.T) {

backend/internal/handler/dev_handler.go

@@ -3848,7 +3848,7 @@ func normalizeClientScopes(scopes []string) []string {
 	seen := make(map[string]struct{}, len(scopes))
 	for _, scope := range scopes {
 		scope = strings.TrimSpace(scope)
-		if scope == "" || isRefreshTokenScopeAlias(scope) {
+		if scope == "" || isLegacyRefreshTokenScopeAlias(scope) {
 			continue
 		}
 		if _, ok := seen[scope]; ok {
@@ -3860,9 +3860,9 @@ func normalizeClientScopes(scopes []string) []string {
 	return normalized
 }
 
-func isRefreshTokenScopeAlias(scope string) bool {
+func isLegacyRefreshTokenScopeAlias(scope string) bool {
 	switch strings.ToLower(strings.TrimSpace(scope)) {
-	case "offline", "offline_access":
+	case "offline":
 		return true
 	default:
 		return false

backend/internal/handler/dev_handler_test.go

@@ -2229,9 +2229,9 @@ func TestCreateClient_StripsOfflineScopesAndKeepsRefreshTokenGrant(t *testing.T)
 
 	resp, _ := app.Test(req, -1)
 	assert.Equal(t, http.StatusCreated, resp.StatusCode)
-	assert.Equal(t, "openid profile email", captured.Scope)
+	assert.Equal(t, "openid profile offline_access email", captured.Scope)
 	assert.NotContains(t, strings.Fields(captured.Scope), "offline")
-	assert.NotContains(t, strings.Fields(captured.Scope), "offline_access")
+	assert.Contains(t, strings.Fields(captured.Scope), "offline_access")
 	assert.Contains(t, captured.GrantTypes, "refresh_token")
 }
 
@@ -2296,9 +2296,9 @@ func TestUpdateClient_StripsStoredOfflineScopesAndKeepsRefreshTokenGrant(t *test
 
 	resp, _ := app.Test(req, -1)
 	assert.Equal(t, http.StatusOK, resp.StatusCode)
-	assert.Equal(t, "openid profile email", captured.Scope)
+	assert.Equal(t, "openid profile offline_access email", captured.Scope)
 	assert.NotContains(t, strings.Fields(captured.Scope), "offline")
-	assert.NotContains(t, strings.Fields(captured.Scope), "offline_access")
+	assert.Contains(t, strings.Fields(captured.Scope), "offline_access")
 	assert.Contains(t, captured.GrantTypes, "refresh_token")
 }