Bungie-net / api

Resources for the Bungie.net API

Bungie OAuth will give a semi-valid new token to a different client #1367

Open NigelBreslaw opened 3 years ago

NigelBreslaw commented 3 years ago

Sorry for the crap subject but I am not sure how to describe it simply.

I have 2 API accounts. And each app has its own clientID and clientSecret that must be passed in the header when exchanging a refreshToken for an accessToken. While testing I noticed that I can flip the settings of my app and the "https://www.bungie.net/platform/app/oauth/token/" endpoint takes a refreshToken generated with one clientID/clientSecret and accepts that and generates a new one with another clientID/clientSecret. However this token only has scopes to see public data. You cannot see character inventories or move items around. Just reported in case this isn't expected. I would have thought "https://www.bungie.net/platform/app/oauth/token/" would error on doing this.
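
The check the report expects is the one RFC 6749 section 6 requires of a token endpoint: a refresh token issued to one confidential client must not be redeemable by a different authenticated client. The toy endpoint below is an added illustration, not code from Bungie.net or from this repository. Its client registry (`app-a`/`app-b` and their secrets), the scope names and the `bind_to_client` switch are all constructed for the example; `bind_to_client=False` only models an endpoint that skips the binding check and does not reproduce the scope downgrade described above.

```python
"""Toy OAuth 2.0 token endpoint showing the refresh-token-to-client binding
that RFC 6749 section 6 requires. Constructed example, not Bungie.net code."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet


class OAuthError(Exception):
    """Carries the RFC 6749 error code the endpoint would return (e.g. invalid_grant)."""

    def __init__(self, code: str) -> None:
        super().__init__(code)
        self.code = code


@dataclass(frozen=True)
class RefreshRecord:
    client_id: str          # client the grant was originally issued to
    scopes: FrozenSet[str]  # scopes the user consented to for that client


class TokenEndpoint:
    def __init__(self, clients: Dict[str, str], bind_to_client: bool = True) -> None:
        self._clients = clients            # client_id -> client_secret (constructed registry)
        self._bind_to_client = bind_to_client
        self._refresh: Dict[str, RefreshRecord] = {}

    def _authenticate(self, client_id: str, client_secret: str) -> None:
        expected = self._clients.get(client_id)
        # constant-time comparison; an unknown client_id fails the same way
        if expected is None or not hmac.compare_digest(expected, client_secret):
            raise OAuthError("invalid_client")

    def issue_refresh_token(self, client_id: str, scopes: FrozenSet[str]) -> str:
        """Issue a refresh token bound to the client that completed the authorization."""
        token = secrets.token_urlsafe(32)
        self._refresh[token] = RefreshRecord(client_id, scopes)
        return token

    def exchange(self, client_id: str, client_secret: str, refresh_token: str) -> dict:
        """grant_type=refresh_token: authenticate the client, then verify the grant is its own."""
        self._authenticate(client_id, client_secret)
        record = self._refresh.get(refresh_token)
        if record is None:
            raise OAuthError("invalid_grant")
        if self._bind_to_client and record.client_id != client_id:
            # RFC 6749 s6: the refresh token must have been issued to the authenticated client.
            # The grant is left intact so the legitimate client can still use it.
            raise OAuthError("invalid_grant")
        # Rotate: the presented refresh token is single-use, a fresh one replaces it.
        del self._refresh[refresh_token]
        new_refresh = self.issue_refresh_token(record.client_id, record.scopes)
        return {
            "access_token": secrets.token_urlsafe(32),
            "token_type": "Bearer",
            "scope": " ".join(sorted(record.scopes)),
            "refresh_token": new_refresh,
        }


if __name__ == "__main__":
    registry = {"app-a": "secret-a", "app-b": "secret-b"}  # constructed clients
    strict = TokenEndpoint(registry)
    rt = strict.issue_refresh_token("app-a", frozenset({"ReadPublicData", "MoveItems"}))
    try:
        strict.exchange("app-b", "secret-b", rt)
    except OAuthError as err:
        print("cross-client exchange rejected:", err.code)  # invalid_grant
    print("owner exchange ok:", strict.exchange("app-a", "secret-a", rt)["scope"])
```

Two points worth noting in the strict path: the client-binding failure returns the same `invalid_grant` error as an unknown token, so the response does not confirm to a second client that the token exists, and a rejected cross-client attempt does not revoke the grant, so the client it belongs to keeps working.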

jshaffstall-bng commented 3 years ago

Thanks for the report! Filed as TFS 965041.