
fix(web): always request offline_access for MCP refresh_token grant#1292

Merged

jsourcebot merged 11 commits into sourcebot-dev:main from fatmcgav:fix-atlassian-mcp-scopes on Jun 11, 2026

Conversation

fatmcgav (Contributor) commented Jun 9, 2026

Atlassian (and other providers) only honour the `refresh_token` grant when
`offline_access` is included in the authorization scope. The client was
already declaring `refresh_token` in `clientMetadata.grant_types` but never
injecting `offline_access` into `requestedOAuthScopes`, so the /authorize
request was incomplete and Atlassian rejected it.

  • `PrismaOAuthClientProvider` now appends `OFFLINE_ACCESS_SCOPE` before
    normalization so it appears in both `clientMetadata.scope` and the
    /authorize request. Injection is unconditional (matching the existing
    behaviour of always declaring `refresh_token`); a comment explains the
    tradeoff vs checking `oauthScopesSupported`.
  • `buildMcpOAuthScopeEntries` defaults `offline_access` to enabled when
    present in available scopes so the admin UI reflects what will be sent.
  • New `oauthScopeUtils.test.ts` covers the default-enabled behaviour and
    general normalization/filtering helpers.
  • Updated `prismaOAuthClientProvider.test.ts` to assert `offline_access` is
    always present and that it is not duplicated when already supplied.
  • Added a note to the connectors doc explaining why `offline_access` is
    pre-ticked in the OAuth scopes UI.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Summary by CodeRabbit

  • Bug Fixes
    • Fixed MCP OAuth connector authorization rejections when offline_access wasn't enabled.
  • New Features
    • OAuth scope selection now pre-selects offline_access (admins may deselect).
    • Shows a warning when offline_access is the only selected scope.
    • Added an info tooltip explaining refresh-token implications.
  • Documentation
    • Expanded OAuth scopes guidance and clarified offline_access behavior.
  • Tests
    • Added tests covering OAuth scope parsing and selection behavior.
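The scope handling the description above refers to, as an added TypeScript example that is not Sourcebot's code: `normalizeScopes`, `buildScopeRequestBefore`, `buildScopeRequestAfter`, `refreshGrantIsConsistent` and `buildScopeEntries` are hypothetical names standing in for the project's `PrismaOAuthClientProvider` and `buildMcpOAuthScopeEntries`. It shows the pre-fix request (refresh_token declared, offline_access absent), the post-fix request (offline_access present exactly once even when the admin already supplied it), the invariant the updated tests check, and the pre-ticked admin-UI entry. Placing offline_access first in the scope string and defaulting other scopes to unticked are assumptions of the example.

```typescript
// Added example, not Sourcebot's code. Models the scope handling the PR describes:
// a client that declares the refresh_token grant must also request offline_access.
// All function names here are hypothetical stand-ins for the project's own helpers.

const OFFLINE_ACCESS_SCOPE = "offline_access";

interface ScopeRequest {
  grantTypes: string[];
  scope: string; // space-separated, as carried in clientMetadata.scope and /authorize
}

interface ScopeEntry {
  scope: string;
  enabled: boolean;
}

// Normalize OAuth scope values (RFC 6749 section 3.3: space-delimited tokens)
// into unique, non-empty tokens, preserving first-seen order.
function normalizeScopes(scopes: readonly string[]): string[] {
  const seen = new Set<string>();
  for (const entry of scopes) {
    for (const token of entry.trim().split(/\s+/)) {
      if (token.length > 0) {
        seen.add(token);
      }
    }
  }
  return [...seen];
}

// Behaviour before the fix: refresh_token is declared in grant_types, but the scope
// string only carries what the admin ticked, so offline_access can be missing.
function buildScopeRequestBefore(requested: readonly string[]): ScopeRequest {
  return {
    grantTypes: ["authorization_code", "refresh_token"],
    scope: normalizeScopes(requested).join(" "),
  };
}

// Behaviour after the fix: offline_access is injected unconditionally before
// normalization, so it is present exactly once even if already supplied.
// (Putting it first is an assumption of this example; only presence matters.)
function buildScopeRequestAfter(requested: readonly string[]): ScopeRequest {
  return {
    grantTypes: ["authorization_code", "refresh_token"],
    scope: normalizeScopes([OFFLINE_ACCESS_SCOPE, ...requested]).join(" "),
  };
}

// The invariant the updated tests assert: declaring refresh_token without requesting
// offline_access yields an /authorize request that providers such as Atlassian reject.
function refreshGrantIsConsistent(request: ScopeRequest): boolean {
  const scopes = new Set(normalizeScopes([request.scope]));
  return !request.grantTypes.includes("refresh_token") || scopes.has(OFFLINE_ACCESS_SCOPE);
}

// Admin-UI entries: offline_access is pre-ticked when the server advertises it
// (admins may still deselect it). Other scopes defaulting to unticked is an assumption.
function buildScopeEntries(available: readonly string[]): ScopeEntry[] {
  return normalizeScopes(available).map((scope) => ({
    scope,
    enabled: scope === OFFLINE_ACCESS_SCOPE,
  }));
}

// Constructed sample input: "repo" is the scope the PR's tests use; "example:read" is made up.
const sampleRequested = ["repo", "example:read"];
console.log(buildScopeRequestBefore(sampleRequested).scope); // repo example:read
console.log(buildScopeRequestAfter(sampleRequested).scope); // offline_access repo example:read
console.log(refreshGrantIsConsistent(buildScopeRequestBefore(sampleRequested))); // false
console.log(refreshGrantIsConsistent(buildScopeRequestAfter(sampleRequested))); // true
```

The consistency check is the kind of assertion worth keeping in a client's test suite: grant types and scopes are declared in two different places, and the bug fixed here is exactly the case where they drift apart.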

fatmcgav added a commit to fatmcgav/sourcebot that referenced this pull request Jun 9, 2026
…ot-dev#1292]

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
coderabbitai Bot commented Jun 9, 2026


Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6ff082e1-5673-445f-b7dc-8af5269f0759

📥 Commits

Reviewing files that changed from the base of the PR and between 7ae1c35 and f5a574a.

📒 Files selected for processing (1)
  • packages/web/src/app/(app)/settings/workspaceAskAgent/workspaceAskAgentPage.tsx
🚧 Files skipped from review as they are similar to previous changes (1)
  • packages/web/src/app/(app)/settings/workspaceAskAgent/workspaceAskAgentPage.tsx

Walkthrough

Pre-selects the offline_access scope when adding MCP OAuth connectors, exports an OFFLINE_ACCESS_SCOPE constant, adds tests for scope utilities, updates the connector settings UI to show a tooltip and warning, and documents the behavior in changelog and docs.

Changes

MCP OAuth Offline Access Scope Pre-Selection

  • Scope constant definition and utility tests
    Files: packages/web/src/ee/features/chat/mcp/oauthScopeUtils.ts, packages/web/src/ee/features/chat/mcp/oauthScopeUtils.test.ts
    Summary: Exports OFFLINE_ACCESS_SCOPE and adds tests for scope normalization, OAuth scope entry building (verifying offline_access is not implicitly enabled), and enabled-scope extraction.
  • Connector settings page UI and logic
    Files: packages/web/src/app/(app)/settings/workspaceAskAgent/workspaceAskAgentPage.tsx
    Summary: Adds imports for tooltip UI and OFFLINE_ACCESS_SCOPE, derives isOfflineAccessOnly, renders an info tooltip next to offline_access, displays a warning when only offline_access is selected, adds initializeOAuthScopeSelection to pre-select offline_access, and uses it in static and dynamic OAuth initialization paths.
  • Documentation and changelog
    Files: CHANGELOG.md, docs/docs/features/ask/connectors.mdx
    Summary: Adds a changelog entry describing the fix and pre-selection behavior, expands OAuth scopes guidance to note providers grant only requested scopes, and inserts an MDX note explaining offline_access pre-selection and its consequences.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested reviewers

  • brendan-kellam
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately summarizes the main change: ensuring MCP OAuth requests include the offline_access scope for the refresh_token grant, which is the core fix implemented across all modified files.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@brendan-kellam brendan-kellam requested a review from jsourcebot June 9, 2026 22:57
fatmcgav and others added 9 commits June 11, 2026 13:50
…ot-dev#1292]

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ccess` injection

Both mocks asserted `clientMetadata.scope === 'repo'`; the scope is now
`'offline_access repo'` after the fix in the previous commit.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ing discovery. Still allow an admin to remove the scope if they want.
jsourcebot force-pushed the fix-atlassian-mcp-scopes branch from 26714e0 to 42123cc on June 11, 2026 21:14

coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:

In `packages/web/src/app/(app)/settings/workspaceAskAgent/workspaceAskAgentPage.tsx`:
  • Around lines 161-172: The Tooltip trigger's click handler uses
    event.preventDefault(), which doesn't stop the click from bubbling to the parent
    label and toggling the checkbox; update the onClick handler on the
    TooltipTrigger/span (the element inside TooltipTrigger near
    OFFLINE_ACCESS_SCOPE) to call event.stopPropagation() (optionally keep
    event.preventDefault() as well) so the tooltip info icon click does not toggle
    the associated checkbox.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7344ab9a-2b03-4b62-9e46-061f5476426f

📥 Commits

Reviewing files that changed from the base of the PR and between 26714e0 and 42123cc.

📒 Files selected for processing (5)
  • CHANGELOG.md
  • docs/docs/features/ask/connectors.mdx
  • packages/web/src/app/(app)/settings/workspaceAskAgent/workspaceAskAgentPage.tsx
  • packages/web/src/ee/features/chat/mcp/oauthScopeUtils.test.ts
  • packages/web/src/ee/features/chat/mcp/oauthScopeUtils.ts
✅ Files skipped from review due to trivial changes (2)
  • CHANGELOG.md
  • docs/docs/features/ask/connectors.mdx

brendan-kellam previously approved these changes Jun 11, 2026
Comment thread on docs/docs/features/ask/connectors.mdx (outdated)
Comment thread on packages/web/src/ee/features/chat/mcp/oauthScopeUtils.ts
jsourcebot (Contributor) commented:

[Screenshot 2026-06-11 at 2 41 02 PM]

UI change

@jsourcebot jsourcebot merged commit 90a5afe into sourcebot-dev:main Jun 11, 2026
10 checks passed
@fatmcgav fatmcgav deleted the fix-atlassian-mcp-scopes branch June 15, 2026 08:13
3 participants