From b189d07d53d602c8f966559254c8c0035215ee86 Mon Sep 17 00:00:00 2001
From: jimmythedog <jimmythedog@users.noreply.github.com>
Date: Thu, 2 May 2019 16:55:04 +0100
Subject: [PATCH] dexidp#1440 Add offline_access scope, if required

Without this scope, a refresh token will not be returned from Microsoft
---
 connector/microsoft/microsoft.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/connector/microsoft/microsoft.go b/connector/microsoft/microsoft.go
index 730c77e3..3eb83837 100644
--- a/connector/microsoft/microsoft.go
+++ b/connector/microsoft/microsoft.go
@@ -25,6 +25,9 @@ const (
 	// Microsoft requires this scope to list groups the user is a member of
 	// and resolve their UUIDs to groups names.
 	scopeGroups = "directory.read.all"
+	// Microsoft requires this scope to return a refresh token
+	// see https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#offline_access
+	scopeOfflineAccess = "offline_access"
 )
 
 // Config holds configuration options for microsoft logins.
@@ -92,6 +95,10 @@ func (c *microsoftConnector) oauth2Config(scopes connector.Scopes) *oauth2.Confi
 		microsoftScopes = append(microsoftScopes, scopeGroups)
 	}
 
+	if scopes.OfflineAccess {
+		microsoftScopes = append(microsoftScopes, scopeOfflineAccess)
+	}
+
 	return &oauth2.Config{
 		ClientID:     c.clientID,
 		ClientSecret: c.clientSecret,