Preflight Checklist
I agree to follow the Code of Conduct that this project adheres to.
I have searched the issue tracker for an issue that matches the one I want to file, without success.
I am not looking for support or already pursued the available support channels without success.
Version
2.37.0
Storage Type
etcd
Installation Type
Official container image
Expected Behavior
When initiating a login without the 'offline_access' scope, no offline sessions should be created in any storage.
Actual Behavior
The 'offline_access' scope is only taken into account when using the password grant or while exchanging the authCode. During the initial login it is currently ignored. Therefore an offline session will be created for every login. In most cases this isn't an issue because the session will only be persisted but never used again.
In our setup we have a scenario where some users are machine accounts which could try to log in from multiple hosts at the same time. This results in failing login attempts because our storage (etcd) couldn't finish persisting one offline session before an update of this offline session is triggered by another instance of dex.
Since there is no reason for creating an offline session if the user didn't request the scope offline_access, I think this is an unintended behavior.
Steps To Reproduce
No response
Additional Information
No response
Configuration
No response
Logs
No response