feat: add alwaysIssueRefreshToken for web apps

packages/console/src/pages/ApplicationDetails/components/AdvancedSettings.tsx

@@ -64,6 +64,14 @@ function AdvancedSettings({ applicationType, oidcConfig }: Props) {
           variant="border"
         />
       </FormField>
+      {[ApplicationType.Traditional, ApplicationType.SPA].includes(applicationType) && (
+        <FormField title="application_details.always_issue_refresh_token">
+          <Switch
+            label={t('application_details.always_issue_refresh_token_label')}
+            {...register('customClientMetadata.alwaysIssueRefreshToken')}
+          />
+        </FormField>
+      )}
       {applicationType === ApplicationType.MachineToMachine && (
         <FormField title="application_details.enable_admin_access">
           <Switch

packages/core/src/oidc/init.ts

@@ -151,6 +151,16 @@ export default function initOidc(
         },
       },
     },
+    issueRefreshToken: (_, client, code) => {
+      if (!client.grantTypeAllowed('refresh_token')) {
+        return false;
+      }
+
+      return (
+        code.scopes.has('offline_access') ||
+        (client.applicationType === 'web' && Boolean(client.metadata().alwaysIssueRefreshToken))
+      );
+    },
     interactions: {
       url: (ctx, { params: { client_id: appId }, prompt }) => {
         const isDemoApp = appId === demoAppApplicationId;
@@ -256,7 +266,7 @@ export default function initOidc(
     },
     pkce: {
       required: (ctx, client) => {
-        return client.tokenEndpointAuthMethod !== 'client_secret_basic';
+        return client.clientAuthMethod !== 'client_secret_basic';
       },
       methods: ['S256'],
     },

packages/phrases/src/locales/de/translation/admin-console/application-details.ts

@@ -41,6 +41,9 @@ const application_details = {
   enable_admin_access: 'Admin-Zugang aktivieren',
   enable_admin_access_label:
     'Zugang zur Management API aktivieren oder deaktivieren. Wenn aktiviert, können Access Tokens verwendet werden, um die Management API im Namen der Anwendung aufzurufen.',
+  always_issue_refresh_token: 'Always issue Refresh Token', // UNTRANSLATED
+  always_issue_refresh_token_label:
+    'Enabling this configuration will allow Logto to always issue Refresh Tokens, regardless of whether `prompt=consent` is presented in the authentication request. However, this practice is discouraged unless necessary, as it is not compatible with OpenID Connect and may potentially cause issues.', // UNTRANSLATED
   delete_description:
     'Diese Aktion kann nicht rückgängig gemacht werden. Die Anwendung wird permanent gelöscht. Bitte gib den Anwendungsnamen <span>{{name}}</span> zur Bestätigung ein.',
   enter_your_application_name: 'Gib einen Anwendungsnamen ein',

packages/phrases/src/locales/en/translation/admin-console/application-details.ts

@@ -41,6 +41,9 @@ const application_details = {
   enable_admin_access: 'Enable admin access',
   enable_admin_access_label:
     'Enable or disable the access to Management API. Once enabled, you can use access tokens to call Management API on behalf on this application.',
+  always_issue_refresh_token: 'Always issue Refresh Token',
+  always_issue_refresh_token_label:
+    'Enabling this configuration will allow Logto to always issue Refresh Tokens, regardless of whether `prompt=consent` is presented in the authentication request. However, this practice is discouraged unless necessary, as it is not compatible with OpenID Connect and may potentially cause issues.',
   delete_description:
     'This action cannot be undone. It will permanently delete the application. Please enter the application name <span>{{name}}</span> to confirm.',
   enter_your_application_name: 'Enter your application name',

packages/phrases/src/locales/es/translation/admin-console/application-details.ts

@@ -41,6 +41,9 @@ const detalles_aplicacion = {
   enable_admin_access: 'Habilitar acceso de administrador',
   enable_admin_access_label:
     'Habilita o deshabilita el acceso a la API de Gestión. Una vez habilitado, puedes utilizar tokens de acceso para llamar a la API de Gestión en nombre de esta aplicación.',
+  always_issue_refresh_token: 'Always issue Refresh Token', // UNTRANSLATED
+  always_issue_refresh_token_label:
+    'Enabling this configuration will allow Logto to always issue Refresh Tokens, regardless of whether `prompt=consent` is presented in the authentication request. However, this practice is discouraged unless necessary, as it is not compatible with OpenID Connect and may potentially cause issues.', // UNTRANSLATED
   delete_description:
     'Esta acción no se puede deshacer. Eliminará permanentemente la aplicación. Ingresa el nombre de la aplicación <span>{{name}}</span> para confirmar.',
   enter_your_application_name: 'Ingresa el nombre de tu aplicación',

packages/phrases/src/locales/fr/translation/admin-console/application-details.ts

@@ -41,6 +41,9 @@ const application_details = {
   enable_admin_access: "Activer l'accès administrateur",
   enable_admin_access_label:
     "Activer ou désactiver l'accès à l'API de gestion. Une fois activé, vous pouvez utiliser des jetons d'accès pour appeler l'API de gestion au nom de cette application.",
+  always_issue_refresh_token: 'Always issue Refresh Token', // UNTRANSLATED
+  always_issue_refresh_token_label:
+    'Enabling this configuration will allow Logto to always issue Refresh Tokens, regardless of whether `prompt=consent` is presented in the authentication request. However, this practice is discouraged unless necessary, as it is not compatible with OpenID Connect and may potentially cause issues.', // UNTRANSLATED
   delete_description:
     "Cette action ne peut être annulée. Elle supprimera définitivement l'application. Veuillez entrer le nom de l'application <span>{{nom}}</span> pour confirmer.",
   enter_your_application_name: 'Entrez le nom de votre application',

packages/phrases/src/locales/it/translation/admin-console/application-details.ts

@@ -41,6 +41,9 @@ const application_details = {
   enable_admin_access: "Abilita l'accesso amministratore",
   enable_admin_access_label:
     "Abilita o disabilita l'accesso all'API di gestione. Una volta abilitato, puoi utilizzare i token di accesso per chiamare l'API di gestione a nome di questa applicazione.",
+  always_issue_refresh_token: 'Always issue Refresh Token', // UNTRANSLATED
+  always_issue_refresh_token_label:
+    'Enabling this configuration will allow Logto to always issue Refresh Tokens, regardless of whether `prompt=consent` is presented in the authentication request. However, this practice is discouraged unless necessary, as it is not compatible with OpenID Connect and may potentially cause issues.', // UNTRANSLATED
   delete_description:
     "Questa azione non può essere annullata. Eliminerà definitivamente l'applicazione. Inserisci il nome dell'applicazione <span>{{name}}</span> per confermare.",
   enter_your_application_name: 'Inserisci il nome della tua applicazione',

packages/phrases/src/locales/ja/translation/admin-console/application-details.ts

@@ -41,6 +41,9 @@ const application_details = {
   enable_admin_access: '管理者アクセスを有効にする',
   enable_admin_access_label:
     '管理APIへのアクセスを有効または無効にします。有効にすると、アクセストークンを使用してこのアプリケーションを代表して管理APIを呼び出すことができます。',
+  always_issue_refresh_token: 'Always issue Refresh Token', // UNTRANSLATED
+  always_issue_refresh_token_label:
+    'Enabling this configuration will allow Logto to always issue Refresh Tokens, regardless of whether `prompt=consent` is presented in the authentication request. However, this practice is discouraged unless necessary, as it is not compatible with OpenID Connect and may potentially cause issues.', // UNTRANSLATED
   delete_description:
     'この操作は元に戻すことはできません。アプリケーション名「<span>{{name}}</span>」を入力して確認してください。',
   enter_your_application_name: 'アプリケーション名を入力してください',

packages/phrases/src/locales/ko/translation/admin-console/application-details.ts

@@ -41,6 +41,9 @@ const application_details = {
   enable_admin_access: '관리자 접근 활성화',
   enable_admin_access_label:
     '관리 API에 대한 접근을 활성화, 비활성화할 수 있어요. 활성화한다면, 이 어플리케이션에서 Access 토큰을 통해 관리 API를 사용할 수 있어요.',
+  always_issue_refresh_token: 'Always issue Refresh Token', // UNTRANSLATED
+  always_issue_refresh_token_label:
+    'Enabling this configuration will allow Logto to always issue Refresh Tokens, regardless of whether `prompt=consent` is presented in the authentication request. However, this practice is discouraged unless necessary, as it is not compatible with OpenID Connect and may potentially cause issues.', // UNTRANSLATED
   delete_description:
     '이 행동은 취소될 수 없어요. 어플리케이션을 영원히 삭제할 거에요. 삭제를 진행하기 위해 <span>{{name}}</span> 를 입력해주세요.',
   enter_your_application_name: '어플리케이션 이름을 입력해 주세요.',

packages/phrases/src/locales/pl-pl/translation/admin-console/application-details.ts

@@ -41,6 +41,9 @@ const application_details = {
   enable_admin_access: 'Włącz dostęp administratora',
   enable_admin_access_label:
     'Włącz lub wyłącz dostęp do interfejsu API zarządzania. Po włączeniu możesz używać tokenów dostępu do wywoływania interfejsu API zarządzania w imieniu tej aplikacji.',
+  always_issue_refresh_token: 'Always issue Refresh Token', // UNTRANSLATED
+  always_issue_refresh_token_label:
+    'Enabling this configuration will allow Logto to always issue Refresh Tokens, regardless of whether `prompt=consent` is presented in the authentication request. However, this practice is discouraged unless necessary, as it is not compatible with OpenID Connect and may potentially cause issues.', // UNTRANSLATED
   delete_description:
     'Ta operacja nie może zostać cofnięta. Skutkuje ona trwałym usunięciem aplikacji. Aby potwierdzić, wpisz nazwę aplikacji <span>{{name}}</span>.',
   enter_your_application_name: 'Wpisz nazwę swojej aplikacji',

packages/phrases/src/locales/pt-br/translation/admin-console/application-details.ts

@@ -41,6 +41,9 @@ const application_details = {
   enable_admin_access: 'Ativar acesso de administrador',
   enable_admin_access_label:
     'Ative ou desative o acesso à API de gerenciamento. Uma vez ativado, você pode usar tokens de acesso para chamar a API de gerenciamento em nome deste aplicativo.',
+  always_issue_refresh_token: 'Always issue Refresh Token', // UNTRANSLATED
+  always_issue_refresh_token_label:
+    'Enabling this configuration will allow Logto to always issue Refresh Tokens, regardless of whether `prompt=consent` is presented in the authentication request. However, this practice is discouraged unless necessary, as it is not compatible with OpenID Connect and may potentially cause issues.', // UNTRANSLATED
   delete_description:
     'Essa ação não pode ser desfeita. Isso excluirá permanentemente o aplicativo. Insira o nome do aplicativo <span>{{name}}</span> para confirmar.',
   enter_your_application_name: 'Digite o nome do seu aplicativo',

packages/phrases/src/locales/pt-pt/translation/admin-console/application-details.ts

@@ -41,6 +41,9 @@ const application_details = {
   enable_admin_access: 'Ativar o acesso de administrador',
   enable_admin_access_label:
     'Ativar ou desativar o acesso à API de gestão. Uma vez ativado, pode utilizar tokens de acesso para chamar a API de gestão em nome desta aplicação.',
+  always_issue_refresh_token: 'Always issue Refresh Token', // UNTRANSLATED
+  always_issue_refresh_token_label:
+    'Enabling this configuration will allow Logto to always issue Refresh Tokens, regardless of whether `prompt=consent` is presented in the authentication request. However, this practice is discouraged unless necessary, as it is not compatible with OpenID Connect and may potentially cause issues.', // UNTRANSLATED
   delete_description:
     'Esta ação não pode ser revertida. Esta ação irá eliminar permanentemente a aplicação. Insira o nome da aplicação <span>{{name}}</span> para confirmar.',
   enter_your_application_name: 'Insira o nome da aplicação',

packages/phrases/src/locales/ru/translation/admin-console/application-details.ts

@@ -41,6 +41,9 @@ const application_details = {
   enable_admin_access: 'Включить доступ администратора',
   enable_admin_access_label:
     'Включить или отключить доступ к API управления. После включения вы можете использовать токены доступа для вызова API управления от имени этого приложения.',
+  always_issue_refresh_token: 'Always issue Refresh Token', // UNTRANSLATED
+  always_issue_refresh_token_label:
+    'Enabling this configuration will allow Logto to always issue Refresh Tokens, regardless of whether `prompt=consent` is presented in the authentication request. However, this practice is discouraged unless necessary, as it is not compatible with OpenID Connect and may potentially cause issues.', // UNTRANSLATED
   delete_description:
     'Это действие нельзя отменить. Оно навсегда удалит приложение. Введите название приложения <span> {{name}} </span>, чтобы подтвердить.',
   enter_your_application_name: 'Введите название своего приложения',

packages/phrases/src/locales/tr-tr/translation/admin-console/application-details.ts

@@ -41,6 +41,9 @@ const application_details = {
   enable_admin_access: 'Yönetici erişimini etkinleştir',
   enable_admin_access_label:
     "Yönetim API erişimine izin verme veya engelleme. Etkinleştirildikten sonra, bu uygulama adına yönetim API'sini çağırmak için erişim belirteçleri kullanabilirsiniz.",
+  always_issue_refresh_token: 'Always issue Refresh Token', // UNTRANSLATED
+  always_issue_refresh_token_label:
+    'Enabling this configuration will allow Logto to always issue Refresh Tokens, regardless of whether `prompt=consent` is presented in the authentication request. However, this practice is discouraged unless necessary, as it is not compatible with OpenID Connect and may potentially cause issues.', // UNTRANSLATED
   delete_description:
     'Bu eylem geri alınamaz. Uygulama kalıcı olarak silinecektir. Lütfen onaylamak için uygulama adı <span>{{name}}</span> girin.',
   enter_your_application_name: 'Uygulama adı giriniz',

packages/phrases/src/locales/zh-cn/translation/admin-console/application-details.ts

@@ -39,6 +39,9 @@ const application_details = {
   enable_admin_access: '启用管理访问',
   enable_admin_access_label:
     '启用或禁用对管理 API 的访问。启用后，你可以使用访问令牌代表该应用程序调用管理 API。',
+  always_issue_refresh_token: 'Always issue Refresh Token', // UNTRANSLATED
+  always_issue_refresh_token_label:
+    'Enabling this configuration will allow Logto to always issue Refresh Tokens, regardless of whether `prompt=consent` is presented in the authentication request. However, this practice is discouraged unless necessary, as it is not compatible with OpenID Connect and may potentially cause issues.', // UNTRANSLATED
   delete_description: '本操作会永久性地删除该应用，且不可撤销。输入 <span>{{name}}</span> 确认。',
   enter_your_application_name: '输入你的应用名称',
   application_deleted: '应用 {{name}} 成功删除。',

packages/phrases/src/locales/zh-hk/translation/admin-console/application-details.ts

@@ -39,6 +39,9 @@ const application_details = {
   enable_admin_access: '啟用管理訪問',
   enable_admin_access_label:
     '啟用或禁用對管理 API 的訪問。啟用後，你可以使用訪問權杖代表該應用程式調用管理 API。',
+  always_issue_refresh_token: 'Always issue Refresh Token', // UNTRANSLATED
+  always_issue_refresh_token_label:
+    'Enabling this configuration will allow Logto to always issue Refresh Tokens, regardless of whether `prompt=consent` is presented in the authentication request. However, this practice is discouraged unless necessary, as it is not compatible with OpenID Connect and may potentially cause issues.', // UNTRANSLATED
   delete_description: '本操作會永久性地刪除該應用，且不可撤銷。輸入 <span>{{name}}</span> 確認。',
   enter_your_application_name: '輸入你的應用程式名稱',
   application_deleted: '應用 {{name}} 成功刪除。',

packages/phrases/src/locales/zh-tw/translation/admin-console/application-details.ts

@@ -39,6 +39,9 @@ const application_details = {
   enable_admin_access: '啟用管理訪問',
   enable_admin_access_label:
     '啟用或禁用對管理 API 的訪問。啟用後，你可以使用訪問令牌代表該應用程式調用管理 API。',
+  always_issue_refresh_token: 'Always issue Refresh Token', // UNTRANSLATED
+  always_issue_refresh_token_label:
+    'Enabling this configuration will allow Logto to always issue Refresh Tokens, regardless of whether `prompt=consent` is presented in the authentication request. However, this practice is discouraged unless necessary, as it is not compatible with OpenID Connect and may potentially cause issues.', // UNTRANSLATED
   delete_description:
     '本操作會永久性地刪除該應用程式，且不可撤銷。輸入 <span>{{name}}</span> 確認。',
   enter_your_application_name: '輸入你的應用程式姓名',

packages/schemas/src/foundations/jsonb-types.ts

@@ -69,6 +69,14 @@ export enum CustomClientMetadataKey {
   IdTokenTtl = 'idTokenTtl',
   RefreshTokenTtl = 'refreshTokenTtl',
   TenantId = 'tenantId',
+  /**
+   * Enabling this configuration will allow Logto to always issue Refresh Tokens, regardless of whether `prompt=consent` is presented in the authentication request.
+   *
+   * It only works for web applications when the client allowed grant types includes `refresh_token`.
+   *
+   * This config is for the third-party integrations that do not strictly follow OpenID Connect standards due to some reasons (e.g. they only know OAuth, but requires a Refresh Token to be returned anyway).
+   */
+  AlwaysIssueRefreshToken = 'alwaysIssueRefreshToken',
 }
 
 export const customClientMetadataGuard = z.object({
@@ -76,8 +84,12 @@ export const customClientMetadataGuard = z.object({
   [CustomClientMetadataKey.IdTokenTtl]: z.number().optional(),
   [CustomClientMetadataKey.RefreshTokenTtl]: z.number().optional(),
   [CustomClientMetadataKey.TenantId]: z.string().optional(),
+  [CustomClientMetadataKey.AlwaysIssueRefreshToken]: z.boolean().optional(),
 });
 
+/**
+ * @see {@link CustomClientMetadataKey} for key descriptions.
+ */
 export type CustomClientMetadata = z.infer<typeof customClientMetadataGuard>;
 
 /* === Users === */