@jfoshee jfoshee commented Jan 20, 2026

Description

This PR introduces special handling for the offline_access OAuth scope on the consent screen.

See discussion.

The offline_access scope is now:

  • Excluded from the list of displayed scopes, as it describes access duration rather than specific permissions.
  • Indicated by an additional sentence ("You’ll stay signed in until you sign out or revoke access.") appended to the redirect information text when present.

The sandbox environment has been updated to facilitate testing of these changes.

Part of USER-4333

With offline_access: [screenshot]

Without offline_access: [screenshot]

Sandbox demo URL:

http://localhost:4000/oauth-consent?
  scopes=email,profile,offline_access&
  oauth-application-name=My%20App&
  redirect_uri=https://example.com/callback&
  logo-url=https://example.com/logo.png&
  app-url=https://example.com

Checklist

  • pnpm test runs as expected.
  • pnpm build runs as expected.
  • (If applicable) JSDoc comments have been added or updated for any package exports
  • (If applicable) Documentation has been updated

Type of change

  • 🐛 Bug fix
  • 🌟 New feature
  • 🔨 Breaking change
  • 📖 Refactoring / dependency upgrade / documentation
  • other:

Summary by CodeRabbit

  • New Features

    • OAuth consent screen now shows per-permission descriptions and marks permissions that require explicit consent.
    • "Offline access" is omitted from the main permission list and instead triggers an informational note about staying signed in.
  • Chores

    • Release metadata updated for a minor UI release.

- Filter out offline_access from displayed scopes list as it describes
  duration of access rather than what can be accessed
- When offline_access scope is present, append text after redirect info:
  'You'll stay signed in until you sign out or revoke access.'
- Update sandbox to include requires_consent property and handle
  offline_access description appropriately for testing

Part of [USER-4333](https://linear.app/clerk/issue/USER-4333/oauth-app-offline-access-scope-is-missing)
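
The scope handling this PR describes, sketched as an added example that is not code from the PR or from Clerk: it parses the comma-separated `scopes` parameter of the sandbox demo URL, hides only the exact `offline_access` token from the permission list, and returns the note text instead. The names `scopesFromSandboxUrl` and `buildConsentView` and the per-scope description strings are assumptions.

```javascript
// Added example; function and constant names are hypothetical, not Clerk's API.
const OFFLINE_ACCESS = "offline_access";
const OFFLINE_NOTE = "You'll stay signed in until you sign out or revoke access.";

// Sandbox demo URL from the PR description, joined onto one line.
const DEMO_URL =
  "http://localhost:4000/oauth-consent?scopes=email,profile,offline_access" +
  "&oauth-application-name=My%20App&redirect_uri=https://example.com/callback" +
  "&logo-url=https://example.com/logo.png&app-url=https://example.com";

// Read the `scopes` parameter and shape each entry the way the walkthrough
// describes the sandbox data: description is null for offline_access and
// requires_consent is true for every scope.
function scopesFromSandboxUrl(url) {
  const raw = new URL(url).searchParams.get("scopes") || "";
  const seen = new Set();
  const scopes = [];
  for (const name of raw.split(",").map((s) => s.trim())) {
    if (!name || seen.has(name)) continue; // drop empty and duplicate entries
    seen.add(name);
    scopes.push({
      scope: name,
      description: name === OFFLINE_ACCESS ? null : `Access to ${name}`, // constructed text
      requires_consent: true,
    });
  }
  return scopes;
}

// Split the requested scopes into the displayed permission list and the
// duration note. The comparison is exact and case-sensitive, so a look-alike
// such as "Offline_Access" or "offline_access.admin" is never hidden: every
// requested scope is either listed or represented by the note.
function buildConsentView(scopes) {
  const hasOfflineAccess = scopes.some((s) => s.scope === OFFLINE_ACCESS);
  const displayed = scopes.filter((s) => s.scope !== OFFLINE_ACCESS);
  return {
    displayed: displayed.map((s) => s.scope),
    hasOfflineAccess,
    note: hasOfflineAccess ? OFFLINE_NOTE : null,
  };
}

console.log(buildConsentView(scopesFromSandboxUrl(DEMO_URL)));
```
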
changeset-bot bot commented Jan 20, 2026

🦋 Changeset detected

Latest commit: c7b99fa

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 2 packages:

  • @clerk/ui: Minor
  • @clerk/chrome-extension: Patch

@jfoshee jfoshee changed the title Offline access consent text feat(ui): Special handling of offline_access scope in OAuth Consent screen Jan 20, 2026
@jfoshee jfoshee marked this pull request as ready for review January 20, 2026 22:34
@jfoshee jfoshee requested a review from a team January 20, 2026 22:34
coderabbitai bot commented Jan 20, 2026

Walkthrough

The pull request updates the OAuth consent flow: each scope now includes description and requires_consent fields (description is set to null for offline_access; requires_consent is true for all scopes). The UI filters offline_access from the displayed scope list, tracks its presence, and conditionally shows an informational note when offline_access is part of the OAuth request.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately captures the main change: special handling for the offline_access scope in the OAuth Consent screen UI component.
  • Linked Issues check: ✅ Passed. The PR successfully addresses USER-4333 by adding offline_access scope handling, excluding it from the displayed scopes list, and appending contextual text about session duration.
  • Out of Scope Changes check: ✅ Passed. All changes are within scope: OAuth scopes mapping updates, OAuthConsent component filtering, changeset documentation, and bundle size threshold adjustments align with the offline_access handling objective.

@jacekradko jacekradko left a comment

Looks good. We need to add some tests for the OAuthConsent component in the future though

jfoshee commented Jan 21, 2026

> We need to add some tests for the OAuthConsent component in the future though

Agree. Thanks @jacekradko

jfoshee commented Jan 21, 2026

@jacekradko I ran into ui bundlewatch limits. I ran bundlewatch:fix. It bumped by 2KB. Can you review if this is ok?
c7b99fa

@jfoshee jfoshee merged commit cd09a40 into main Jan 21, 2026
40 checks passed
@jfoshee jfoshee deleted the cursor/offline-access-consent-text-8be1 branch January 21, 2026 15:56
jfoshee added a commit that referenced this pull request Jan 21, 2026
…creen (#7627)

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
bratsos pushed a commit that referenced this pull request Jan 23, 2026
… screen (#7627)

Co-authored-by: Cursor Agent <cursoragent@cursor.com>