Update docs

site/content/docs/howto/configure-supervisor-with-dex.md

@@ -91,7 +91,7 @@ spec:
     # Request any scopes other than "openid" for claims besides
     # the default claims in your token. The "openid" scope is always
     # included.
-    additionalScopes: [groups, email]
+    additionalScopes: [offline_access, groups, email]
 
     # If you would also like to allow your end users to authenticate using
     # a password grant, then change this to true.

site/content/docs/howto/configure-supervisor-with-gitlab.md

@@ -63,8 +63,10 @@ spec:
     # GitLab is unusual among OIDC providers in that it returns an
     # error if you request the "offline_access" scope during an
     # authorization flow, so ask Pinniped to avoid requesting that
-    # scope when using GitLab.
+    # scope when using GitLab by excluding it from this list.
-    doNotRequestOfflineAccess: true
+    # By specifying only "openid" here then Pinniped will only
+    # request "openid".
+    additionalScopes: [openid]
 
     # If you would also like to allow your end users to authenticate using
     # a password grant, then change this to true.

site/content/docs/howto/configure-supervisor-with-okta.md

@@ -74,7 +74,7 @@ spec:
     #
     # To learn more about how to customize the claims returned, see here:
     # https://developer.okta.com/docs/guides/customize-tokens-returned-from-okta/overview/
-    additionalScopes: [groups, email]
+    additionalScopes: [offline_access, groups, email]
 
     # If you would also like to allow your end users to authenticate using
     # a password grant, then change this to true. Password grants only work