diff --git a/connector/oidc/oidc.go b/connector/oidc/oidc.go
index dfab061a71146ed5c24ce0d968c357ed4d5a54a5..1a9462daa963a3c2adfd1c243d385b0194b59642 100644
--- a/connector/oidc/oidc.go
+++ b/connector/oidc/oidc.go
@@ -168,14 +168,19 @@ func (c *oidcConnector) LoginURL(s connector.Scopes, callbackURL, state string)
 		return "", fmt.Errorf("expected callback URL %q did not match the URL in the config %q", callbackURL, c.redirectURI)
 	}
 
+	var opts []oauth2.AuthCodeOption
 	if len(c.hostedDomains) > 0 {
 		preferredDomain := c.hostedDomains[0]
 		if len(c.hostedDomains) > 1 {
 			preferredDomain = "*"
 		}
-		return c.oauth2Config.AuthCodeURL(state, oauth2.AccessTypeOffline, oauth2.SetAuthURLParam("prompt", "consent"), oauth2.SetAuthURLParam("hd", preferredDomain)), nil
+		opts = append(opts, oauth2.SetAuthURLParam("hd", preferredDomain))
 	}
-	return c.oauth2Config.AuthCodeURL(state, oauth2.AccessTypeOffline, oauth2.SetAuthURLParam("prompt", "consent")), nil
+
+	if s.OfflineAccess {
+		opts = append(opts, oauth2.AccessTypeOffline, oauth2.SetAuthURLParam("prompt", "consent"))
+	}
+	return c.oauth2Config.AuthCodeURL(state, opts...), nil
 }
 
 type oauth2Error struct {
diff --git a/server/handlers.go b/server/handlers.go
index 08bf5d04f9cef21a3bb347856490cbf930f9c421..a4db71cb30bd5f3d3f613d777f6f5b91d3b891ec 100644
--- a/server/handlers.go
+++ b/server/handlers.go
@@ -527,7 +527,9 @@ func (s *Server) finalizeLogin(identity connector.Identity, authReq storage.Auth
 		} else {
 			// Update existing OfflineSession obj with new RefreshTokenRef.
 			if err := s.storage.UpdateOfflineSessions(session.UserID, session.ConnID, func(old storage.OfflineSessions) (storage.OfflineSessions, error) {
-				old.ConnectorData = identity.ConnectorData
+				if len(identity.ConnectorData) > 0 {
+					old.ConnectorData = identity.ConnectorData
+				}
 				return old, nil
 			}); err != nil {
 				s.logger.Errorf("failed to update offline session: %v", err)