[Bug] Known Issue with Better Auth SSO Plugin

[arunavo4]

When configuring SSO providers in Gitea Mirror, the offline_access scope causes authentication failures with certain providers that don't support this OpenID Connect standard scope.

Affected Providers

• Google OAuth - Returns error: Error 400: invalid_scope with message:

  Access blocked: authorisation error
  Some requested scopes were invalid. {valid=[openid, https://www.googleapis.com/auth/userinfo.email, https://www.googleapis.com/auth/userinfo.profile], invalid=[offline_access]}
  

Current Behavior

• The application allows users to select offline_access scope for all providers
• A warning message is displayed when Google is detected as the issuer
• Users must manually deselect offline_access for incompatible providers

Expected Behavior

Users should be aware of which providers support offline_access scope to avoid authentication errors.

Workaround

When configuring Google OAuth or other providers that don't support offline_access:

Supported

Common SSO providers that support the offline_access scope:

1. Microsoft/Azure AD - Supports offline_access for refresh tokens
2. Auth0 - Supports offline_access
3. Okta - Supports offline_access
4. Keycloak - Supports offline_access
5. AWS Cognito - Supports offline_access
6. Ping Identity - Supports offline_access
7. OneLogin - Supports offline_access
8. Salesforce - Supports offline_access (as refresh_token)

Providers that don't support offline_access:

• Google - Uses access_type=offline parameter instead
• GitHub - No offline_access scope
• GitLab - Uses different mechanism for refresh tokens

The offline_access scope is part of the OpenID Connect specification for requesting refresh tokens, allowing applications to obtain new access tokens without user interaction.

Better-Auth Ref Issue: better-auth/better-auth#2360