DuendeSoftware / Support

Support for Duende Software products

Is it possible to add the “profile” scope during a refresh_token request? #1279

Closed hoofmen closed 3 weeks ago

hoofmen commented 1 month ago

Which version of Duende IdentityServer are you using? 6.1.2

Which version of .NET are you using? 6.0.9

I need to include the “profile” scope as an implicit scope in all requests coming from clients. The “profile” scope needs to be included when users refresh their token even if their initial sign-in did not include the “profile” scope.

Thank you!

RolandGuijt commented 1 month ago

That's not possible unfortunately. The access token you'll get back will contain the same scopes as the original access token. If possible, you could get the access token with the required scope through the authorize endpoint again. When there's still a valid session you can instruct IdentityServer not to display any UI by using the prompt=none parameter. Please see the authorize endpoint documentation here for details.
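The re-authorization described in the answer above, sketched as an added example that is not part of the thread and not Duende code: it builds an authorization code request with `prompt=none` and the extra scope, then classifies the redirect that comes back. The host names, client id, function names and the `openid`/`offline_access` scopes are assumptions; PKCE and `state` are included because a code flow client should send them.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# OpenID Connect error codes returned when prompt=none cannot be met without UI.
NEEDS_INTERACTION = {"login_required", "consent_required",
                     "interaction_required", "account_selection_required"}


def build_silent_authorize_url(authorize_endpoint, client_id, redirect_uri, scopes):
    """Return (url, state, code_verifier) for a no-UI authorization request."""
    state = secrets.token_urlsafe(32)          # binds the response to this request
    code_verifier = secrets.token_urlsafe(64)  # PKCE secret, kept by the client
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    code_challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),   # the wider scope set, e.g. including "profile"
        "prompt": "none",            # never show login or consent UI
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}", state, code_verifier


def handle_callback(callback_url, expected_state):
    """Classify the redirect: a code to redeem, or a need for interactive login."""
    query = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
    got_state = query.get("state", "")
    if not secrets.compare_digest(got_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard this response")
    error = query.get("error")
    if error in NEEDS_INTERACTION:
        # No valid session (or consent missing): fall back to a normal sign-in.
        return ("interaction_required", error)
    if error:
        raise ValueError(f"authorization failed: {error}")
    if "code" not in query:
        raise ValueError("response carries neither code nor error")
    return ("code", query["code"])  # redeem at the token endpoint with code_verifier
```

The `("code", ...)` result is exchanged at the token endpoint together with the stored `code_verifier`; the tokens issued from that exchange carry the newly requested scopes, subject to what the client is allowed to request.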

RolandGuijt commented 4 weeks ago

@hoofmen Did my answer clear things up for you? If not, would you like to add to this issue?

RolandGuijt commented 3 weeks ago

Closing this. Feel free to reopen if you have something more around this issue.