chore: add callout to enable offline access. only send scopes if specifed at least 1.

Author: guabu

EXAMPLES.md

@@ -2302,6 +2302,9 @@ The connect endpoint (`/auth/connect` or your custom path) accepts the following
 - `scopes`: (optional) defines the permissions that the client requests from the Identity Provider.. Can be specified as multiple values (e.g., `?scopes=openid&scopes=profile&scopes=email`) or using bracket notation (e.g., `?scopes[]=openid&scopes[]=profile&scopes[]=email`).
 - Any additional parameters will be passed as the `authorizationParams` in the call to `/me/v1/connected-accounts/connect`.
 
+> [!IMPORTANT]  
+> You must enable `Offline Access` from the Connection Permissions settings to be able to use the connection with Connected Accounts.
+
 ### `onCallback` hook
 
 When a user is redirected back to your application after completing the connected accounts flow, the `onCallback` hook will be called. You can use this hook to run custom logic after the user has connected their account, like so:
@@ -2347,6 +2350,9 @@ export async function GET() {
 }
 ```
 
+> [!IMPORTANT]  
+> You must enable `Offline Access` from the Connection Permissions settings to be able to use the connection with Connected Accounts.
+
 ## Back-Channel Logout
 
 The SDK can be configured to listen to [Back-Channel Logout](https://auth0.com/docs/authenticate/login/logout/back-channel-logout) events. By default, a route will be mounted `/auth/backchannel-logout` which will verify the logout token and call the `deleteByLogoutToken` method of your session store implementation to allow you to remove the session.

src/server/auth-client.test.ts

@@ -6549,6 +6549,112 @@ ca/T0LLtgmbMmxSv/MmzIg==
       const response = await authClient.handler(request);
       expect(response.status).toEqual(400);
     });
+
+    it("should only forward the scopes if at least one scope is requested", async () => {
+      const currentAccessToken = DEFAULT.accessToken;
+      const newAccessToken = "at_456";
+      const secret = await generateSecret(32);
+      let connectAccountRequestBody: any;
+      const transactionStore = new TransactionStore({
+        secret
+      });
+      const sessionStore = new StatelessSessionStore({
+        secret
+      });
+      const authClient = new AuthClient({
+        transactionStore,
+        sessionStore,
+
+        domain: DEFAULT.domain,
+        clientId: DEFAULT.clientId,
+        clientSecret: DEFAULT.clientSecret,
+
+        secret,
+        appBaseUrl: DEFAULT.appBaseUrl,
+
+        routes: getDefaultRoutes(),
+
+        fetch: getMockAuthorizationServer({
+          tokenEndpointResponse: {
+            token_type: "Bearer",
+            access_token: newAccessToken,
+            scope: "openid profile email offline_access",
+            expires_in: 86400 // expires in 10 days
+          } as oauth.TokenEndpointResponse,
+          onConnectAccountRequest: async (req) => {
+            connectAccountRequestBody = await req.json();
+            expect(connectAccountRequestBody.scopes).toBeUndefined();
+          }
+        }),
+
+        enableConnectAccountEndpoint: true
+      });
+
+      const expiresAt = Math.floor(Date.now() / 1000) + 10 * 24 * 60 * 60; // expires in 10 days
+      const session: SessionData = {
+        user: {
+          sub: DEFAULT.sub,
+          name: "John Doe",
+          email: "john@example.com",
+          picture: "https://example.com/john.jpg"
+        },
+        tokenSet: {
+          accessToken: currentAccessToken,
+          scope: "openid profile email",
+          refreshToken: DEFAULT.refreshToken,
+          expiresAt
+        },
+        internal: {
+          sid: DEFAULT.sid,
+          createdAt: Math.floor(Date.now() / 1000)
+        }
+      };
+      const maxAge = 60 * 60; // 1 hour
+      const expiration = Math.floor(Date.now() / 1000 + maxAge);
+      const sessionCookie = await encrypt(session, secret, expiration);
+      const headers = new Headers();
+      headers.append("cookie", `__session=${sessionCookie}`);
+      const url = new URL("/auth/connect", DEFAULT.appBaseUrl);
+      url.searchParams.append("connection", DEFAULT.connectAccount.connection);
+      url.searchParams.append("returnTo", "/some-url");
+      url.searchParams.append("audience", "urn:some-audience");
+
+      const request = new NextRequest(url, {
+        method: "GET",
+        headers
+      });
+
+      const response = await authClient.handler(request);
+      expect(response.status).toEqual(307);
+      const connectUrl = new URL(response.headers.get("location")!);
+      expect(connectUrl.origin).toEqual(`https://${DEFAULT.domain}`);
+      expect(connectUrl.pathname).toEqual("/connect");
+      expect(connectUrl.searchParams.get("ticket")).toEqual(
+        DEFAULT.connectAccount.ticket
+      );
+
+      // transaction state
+      const transactionCookie = response.cookies.get(
+        `__txn_${connectAccountRequestBody.state}`
+      );
+      expect(transactionCookie).toBeDefined();
+      expect(
+        (
+          (await decrypt(
+            transactionCookie!.value,
+            secret
+          )) as jose.JWTDecryptResult
+        ).payload
+      ).toEqual(
+        expect.objectContaining({
+          responseType: RESPONSE_TYPES.CONNECT_CODE,
+          state: connectAccountRequestBody?.state,
+          returnTo: "/some-url",
+          codeVerifier: expect.any(String),
+          authSession: DEFAULT.connectAccount.authSession
+        })
+      );
+    });
   });
 
   describe("getTokenSet", async () => {

src/server/auth-client.ts

@@ -1054,14 +1054,18 @@ export class AuthClient {
     }
 
     const { tokenSet } = getTokenSetResponse;
+    const connectAccountParams: ConnectAccountOptions = {
+      connection,
+      authorizationParams,
+      returnTo
+    };
+
+    if (scopes.length > 0) {
+      connectAccountParams.scopes = scopes;
+    }
+
     const [connectAccountError, connectAccountResponse] =
-      await this.connectAccount({
-        tokenSet: tokenSet,
-        connection,
-        scopes,
-        authorizationParams,
-        returnTo
-      });
+      await this.connectAccount({ tokenSet, ...connectAccountParams });
 
     if (connectAccountError) {
       return new NextResponse(connectAccountError.message, {

src/server/client.ts

@@ -1007,6 +1007,8 @@ export class Auth0Client {
    * for the My Account API to create a connected account for the user.
    *
    * The user will then be redirected to authorize the connection with the third-party provider.
+   *
+   * You must enable `Offline Access` from the Connection Permissions settings to be able to use the connection with Connected Accounts.
    */
   async connectAccount(options: ConnectAccountOptions): Promise<NextResponse> {
     const session = await this.getSession();