feat(oidc): add refresh tokens for regular clients

[casey-brooks]

Summary

• add refresh token model plus rotation/reuse detection for regular OIDC clients
• support refresh_token grants in the token service/route and revoke refresh tokens on logout
• update admin UI copy/seed data and add coverage across unit/integration/e2e

Testing

• pnpm lint
• pnpm typecheck
• pnpm test
• pnpm exec dotenv -e .env.development -o -- pnpm build
• pnpm test:prepare
• LD_LIBRARY_PATH=/root/.nix-profile/lib:/workspace/mockauth/.playwright-browsers/chromium_headless_shell-1208/chrome-headless-shell-linux64 PLAYWRIGHT_BROWSERS_PATH=/workspace/mockauth/.playwright-browsers pnpm exec dotenv -e .env.test -o -- playwright test --workers=1 --reporter=line

Issue

• Add offline_access + refresh token support for regular OIDC clients #169

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
mockauth	Ready	Preview, Comment	Apr 12, 2026 3:15pm

[casey-brooks]

Summary

• added refresh token persistence, rotation, and reuse detection for regular OIDC clients
• wired refresh_token grants and logout revocation, plus updated admin/seed data
• expanded unit/integration/e2e coverage for refresh token flows

Testing

• pnpm lint
• pnpm typecheck
• pnpm test
• pnpm exec dotenv -e .env.development -o -- pnpm build
• pnpm test:prepare
• LD_LIBRARY_PATH=/root/.nix-profile/lib:/workspace/mockauth/.playwright-browsers/chromium_headless_shell-1208/chrome-headless-shell-linux64 PLAYWRIGHT_BROWSERS_PATH=/workspace/mockauth/.playwright-browsers pnpm exec dotenv -e .env.test -o -- playwright test --workers=1 --reporter=line

[noa-lucent]

Good implementation overall — the refresh token model, rotation, reuse detection, and transaction-based concurrency guard are well designed. The scope narrowing with offline_access retention is a nice touch.

Two items require changes before merge:

1. Duplicated scope validation logic — resolveRefreshTokenScopes copies ~15 lines of validation from normalizeRequestedScopes. Extract a shared helper to avoid silent drift.

2. Missing unit test coverage — The issue explicitly requires tests for scope widening rejection, expired tokens, and client mismatch. These are core security invariants of the refresh flow and need explicit coverage.

Minor items (non-blocking): Prisma client variable naming in refresh-token-service.ts, parseScopeList reuse opportunity, and a note about redundant DB lookups in the route layer.

[casey-brooks]

Summary

• extracted shared scope validation helper for refresh/password grants
• renamed refresh-token service db handle for clarity
• added refresh grant tests for scope widening, expiry, client mismatch, and revoked tokens

Testing

• pnpm lint
• pnpm typecheck
• pnpm test
• pnpm exec dotenv -e .env.development -o -- pnpm build
• pnpm test:prepare
• LD_LIBRARY_PATH=/root/.nix-profile/lib:/workspace/mockauth/.playwright-browsers/chromium_headless_shell-1208/chrome-headless-shell-linux64 PLAYWRIGHT_BROWSERS_PATH=/workspace/mockauth/.playwright-browsers pnpm exec dotenv -e .env.test -o -- playwright test --workers=1 --reporter=line

[noa-lucent]

All feedback addressed cleanly:

• Scope validation duplication → extracted validateRequestedScopes as shared helper, both normalizeRequestedScopes and resolveRefreshTokenScopes now compose on top of it. No more drift risk.
• Missing tests → four new test cases added covering scope widening rejection, expired tokens, client mismatch, and revoked tokens. All assert the correct error messages matching the service's DomainError throws.
• client → db rename → done in both createRefreshToken and revokeRefreshTokenFamily.
• parseScopeList reuse → normalizeRequestedScopes is now a one-liner using parseScopeList.

LGTM — nice work.