From 4eff42ae2561a351baf4824f3d332af28206f499 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Tue, 2 Jan 2024 00:07:59 +0100
Subject: [PATCH] don't use offline_access scope for implicit since it doesn't
 generate an authorization code

---
 pkg/implicit.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/pkg/implicit.go b/pkg/implicit.go
index a17ee93..c0e4837 100644
--- a/pkg/implicit.go
+++ b/pkg/implicit.go
@@ -34,7 +34,15 @@ func (c *OIDCClient) implicit(w http.ResponseWriter, r *http.Request) {
 		ClientID:     c.config.ClientID,
 		DiscoveryURL: c.providerURL,
 		RootURL:      c.rootURL,
-		Scopes:       strings.Join(getScopes(), " "),
+		Scopes: strings.TrimSpace(
+			strings.ReplaceAll(
+				strings.Join(
+					getScopes(), " ",
+				),
+				"offline_access",
+				"",
+			),
+		),
 	}
 	err := tmpl.Execute(w, context)
 	if err != nil {