Merge pull request 'offline_access 기본 강제 제거 및 refresh_token grant 정책 정리' (#1119) from feature/custom-claim-ui into dev

Reviewed-on: baron/baron-sso#1119
2026-06-12 16:06:36 +09:00
parent e41a2162da 568dc258e7
commit e4680ec49d
8 changed files with 20 additions and 38 deletions
--- a/backend/internal/handler/auth_handler.go
+++ b/backend/internal/handler/auth_handler.go
@@ -8430,7 +8430,7 @@ func buildHydraAuthorizationURL(clientID string, scopes []string, redirectURIs [
 	seen := map[string]struct{}{}
 	for _, scope := range append([]string{"openid"}, scopes...) {
 		scope = strings.TrimSpace(scope)
-		if scope == "" || isLegacyRefreshTokenScopeAlias(scope) {
+		if scope == "" || isRefreshTokenScopeAlias(scope) {
 			continue
 		}
 		if _, ok := seen[scope]; ok {
--- a/backend/internal/handler/client_tenant_access.go
+++ b/backend/internal/handler/client_tenant_access.go
@@ -464,7 +464,7 @@ func normalizeScopesInConsentOrder(scopes []string) []string {
 	appendIfPresent := func(scope string) {
 		scope = strings.TrimSpace(scope)
-		if scope == "" || isLegacyRefreshTokenScopeAlias(scope) {
+		if scope == "" || isRefreshTokenScopeAlias(scope) {
 			return
 		}
 		if _, ok := seen[scope]; ok {
@@ -485,7 +485,7 @@ func normalizeScopesInConsentOrder(scopes []string) []string {
 	for _, scope := range combined {
 		scope = strings.TrimSpace(scope)
-		if scope == "" || isLegacyRefreshTokenScopeAlias(scope) {
+		if scope == "" || isRefreshTokenScopeAlias(scope) {
 			continue
 		}
 		if _, ok := seen[scope]; ok {
--- a/backend/internal/handler/client_tenant_access_test.go
+++ b/backend/internal/handler/client_tenant_access_test.go
@@ -154,7 +154,7 @@ func TestMergeRequestedScopesWithClientRequirements_StripsRefreshTokenScopeAlias
 		[]string{"openid", "offline", "profile", "offline_access"},
 	)
-	assert.Equal(t, []string{"openid", "tenant", "profile", "offline_access", "email"}, merged)
+	assert.Equal(t, []string{"openid", "tenant", "profile", "email"}, merged)
 }
 func TestBuildHydraAuthorizationURL_StripsRefreshTokenScopeAliases(t *testing.T) {
@@ -169,9 +169,9 @@ func TestBuildHydraAuthorizationURL_StripsRefreshTokenScopeAliases(t *testing.T)
 	scopes := parsed.Query().Get("scope")
 	scopeItems := strings.Fields(scopes)
-	assert.Equal(t, "openid profile offline_access email", scopes)
+	assert.Equal(t, "openid profile email", scopes)
 	assert.NotContains(t, scopeItems, "offline")
-	assert.Contains(t, scopeItems, "offline_access")
+	assert.NotContains(t, scopeItems, "offline_access")
 }
 func TestGetConsentRequest_DeniesTenantAccess(t *testing.T) {
--- a/backend/internal/handler/dev_handler.go
+++ b/backend/internal/handler/dev_handler.go
@@ -3828,7 +3828,7 @@ func requestIncludesInlineHeadlessJWKS(req clientUpsertRequest) bool {
 }
 func defaultClientScopes() []string {
-	return []string{"openid", "profile", "email", "offline_access"}
+	return []string{"openid", "profile", "email"}
 }
 func defaultGrantTypes() []string {
@@ -3848,7 +3848,7 @@ func normalizeClientScopes(scopes []string) []string {
 	seen := make(map[string]struct{}, len(scopes))
 	for _, scope := range scopes {
 		scope = strings.TrimSpace(scope)
-		if scope == "" || isLegacyRefreshTokenScopeAlias(scope) {
+		if scope == "" || isRefreshTokenScopeAlias(scope) {
 			continue
 		}
 		if _, ok := seen[scope]; ok {
@@ -3860,9 +3860,9 @@ func normalizeClientScopes(scopes []string) []string {
 	return normalized
 }
-func isLegacyRefreshTokenScopeAlias(scope string) bool {
+func isRefreshTokenScopeAlias(scope string) bool {
 	switch strings.ToLower(strings.TrimSpace(scope)) {
-	case "offline":
+	case "offline", "offline_access":
 		return true
 	default:
 		return false
--- a/backend/internal/handler/dev_handler_test.go
+++ b/backend/internal/handler/dev_handler_test.go
@@ -2229,9 +2229,9 @@ func TestCreateClient_StripsOfflineScopesAndKeepsRefreshTokenGrant(t *testing.T)
 	resp, _ := app.Test(req, -1)
 	assert.Equal(t, http.StatusCreated, resp.StatusCode)
-	assert.Equal(t, "openid profile offline_access email", captured.Scope)
+	assert.Equal(t, "openid profile email", captured.Scope)
 	assert.NotContains(t, strings.Fields(captured.Scope), "offline")
-	assert.Contains(t, strings.Fields(captured.Scope), "offline_access")
+	assert.NotContains(t, strings.Fields(captured.Scope), "offline_access")
 	assert.Contains(t, captured.GrantTypes, "refresh_token")
 }
@@ -2296,9 +2296,9 @@ func TestUpdateClient_StripsStoredOfflineScopesAndKeepsRefreshTokenGrant(t *test
 	resp, _ := app.Test(req, -1)
 	assert.Equal(t, http.StatusOK, resp.StatusCode)
-	assert.Equal(t, "openid profile offline_access email", captured.Scope)
+	assert.Equal(t, "openid profile email", captured.Scope)
 	assert.NotContains(t, strings.Fields(captured.Scope), "offline")
-	assert.Contains(t, strings.Fields(captured.Scope), "offline_access")
+	assert.NotContains(t, strings.Fields(captured.Scope), "offline_access")
 	assert.Contains(t, captured.GrantTypes, "refresh_token")
 }
--- a/devfront/src/features/clients/ClientGeneralPage.claims.test.tsx
+++ b/devfront/src/features/clients/ClientGeneralPage.claims.test.tsx
@@ -409,7 +409,7 @@ describe("ClientGeneralPage RP claims", () => {
    );
  });
-  it("shows supported scopes including offline_access and custom claims from the add scope button", async () => {
+  it("shows supported scopes and custom claims without integrated offline_access from the add scope button", async () => {
    const { container } = await renderPage();
    const addScopeButton = Array.from(
@@ -422,7 +422,7 @@ describe("ClientGeneralPage RP claims", () => {
    });
    await flush();
-    expect(container.textContent).toContain("offline_access");
+    expect(container.textContent).not.toContain("offline_access");
    expect(container.textContent).toContain("old_claim");
    const customClaimButton = Array.from(
--- a/devfront/src/features/clients/ClientGeneralPage.tsx
+++ b/devfront/src/features/clients/ClientGeneralPage.tsx
@@ -659,15 +659,6 @@ function ClientGeneralPage() {
      description: t("msg.dev.clients.scopes.email", "이메일 주소 접근"),
      mandatory: false,
    },
    {
      id: "5",
      name: "offline_access",
      description: t(
        "msg.dev.clients.scopes.offline_access",
        "refresh token 발급 요청",
      ),
      mandatory: false,
    },
  ]);
  const [idTokenClaims, setIdTokenClaims] = useState<IdTokenClaimItem[]>([]);
  const browserTimeZone = useMemo(() => getBrowserTimeZone(), []);
@@ -768,15 +759,6 @@ function ClientGeneralPage() {
        description: tenantScopeDescription,
        source: "standard",
      },
      {
        id: "standard-offline-access",
        name: "offline_access",
        description: t(
          "msg.dev.clients.scopes.offline_access",
          "refresh token 발급 요청",
        ),
        source: "standard",
      },
    ],
    [tenantScopeDescription],
  );
--- a/devfront/tests/devfront-client-claims-cache.spec.ts
+++ b/devfront/tests/devfront-client-claims-cache.spec.ts
@@ -99,7 +99,7 @@ test.describe("DevFront RP claim cache", () => {
    await expect(claimKeyInput).toHaveValue("new_claim");
  });
-  test("adds supported scopes and custom claim keys from the scope picker including offline_access", async ({
+  test("adds supported scopes and custom claim keys from the scope picker without offline_access", async ({
    page,
  }) => {
    const state = {
@@ -142,9 +142,9 @@ test.describe("DevFront RP claim cache", () => {
      .getByRole("button", { name: /스코프 추가|Scope 추가|Add Scope/i })
      .click();
-    await expect(
+    await expect(page.getByText("offline_access", { exact: true })).toHaveCount(
-      page.getByText("offline_access", { exact: true }),
+      0,
-    ).toBeVisible();
+    );
    await expect(
      page.getByRole("button", { name: /employee_code/ }),
    ).toBeVisible();