fix: remove offline_access from default OAuth2 scope

Rohan29-De · Rohan29-De · commit 8bbcf1e30df7 · 2025-08-03T20:03:07.000+05:30
- Remove offline_access from default OAuth2 client scope configuration - offline_access should only be used for long-running processes, not regular web apps - This prevents creation of unnecessary offline sessions in Keycloak - Regular refresh tokens work fine without offline_access for web applications Fixes #30206
diff --git a/generators/spring-boot/templates/src/main/resources/config/application.yml.ejs b/generators/spring-boot/templates/src/main/resources/config/application.yml.ejs
@@ -373,7 +373,7 @@ spring:
             client-id: web_app
             client-secret: web_app
     <%_ } _%>
-            scope: openid, profile, email, offline_access # last one for refresh tokens
+            scope: openid, profile, email # refresh tokens work without offline_access for regular web apps
   <%_ } _%>
   <%_ if (authenticationTypeJwt) { _%>
     oauth2:
