Refresh Token for offline access and online access

[sagarshah1983]

From the documentation, I found that refresh token is issued only when offline_scope is requested during authorization.
Is there any scope for supporting online_access as well? That gives same refresh token capability but only as long as user session is active?

Again, this comes from Healthcare FHIR API standards (SMART on FHIR), but I would like to understand, if such a requirement can be supported or implemented using Hydra?
Below is the excerpt from Cerner API website. https://fhir.cerner.com/authorization/#construct-the-authorization-request-url

online_access: Allows an application to obtain tokens via a “refresh” process while the authenticated user has an active session present at the device. offline_access: Allows an application to continue to obtain tokens on behalf of the authenticated via a “refresh” process user until explicitly revoked by the user, an administrator, or your application.

[aeneasr]

That looks like a negligent misuse of OAuth2 concepts and principles of delegation in general.

https://www.ory.sh/hydra/docs/concepts/before-oauth2#access-and-refresh-tokens-are-not-sessions

[sagarshah1983]

Appreciate your suggestions! and I somewhat agree on how it works in Hydra too. But I was referring Keycloak documentation, by default the generated refresh token is associated with user session and that's always returned no matter offline/online scope is requested by client. If client has requested offline_access scope, then it returns the refresh token that is not associated with user session (which is the default refresh token in Hydra). That's what bothered me in understanding the different implementation of OAuth 2 for refresh tokens.

[sagarshah1983]

As a work around to this, I was thinking if there's any way to revoke refresh token, when user session expires when client does not have offline_access scope but only online_access scope. OR
set expiry of refresh token (provided expiry can be set dynamically - I know there's some enhancement being planned there) as same as user session remember_for at the time of Token endpoint call when client only have online_access token?