Steps to reproduce:
1. Via the Authorization Code Grant, create an access/refresh token pair for an API that uses scopes, where the client application is not trusted. This involves the user granting the client application access to the API on their own behalf.
2. Now use the /auth//grants endpoint to revoke access to the API.
3. Refresh the token using the refresh_token grant.
Result:
The access token is successfully refreshed, and it still has the original scopes assigned to it.
Expected result:
The refresh token request must be denied. There is no way to issue a refreshed token with a smaller scope without retaining the original scope of the refresh token, so the only logical consequence is to not allow refreshing the token at all.
The auth server must respond with 403 and unauthorized_client.
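A model of the check the report expects the token endpoint to perform, added here as an example (not the project's own code): a refresh token stays bound to the grant it was issued under, so once that grant is revoked the refresh must be rejected, and a refresh may never widen scope. The in-memory store, the token and grant shapes, and the function names are assumptions; the 403 / unauthorized_client response is the one the report asks for.

```python
from dataclasses import dataclass

@dataclass
class Grant:
    grant_id: str
    user: str
    client_id: str
    api: str
    scopes: frozenset
    revoked: bool = False

@dataclass
class RefreshToken:
    token: str
    grant_id: str   # the grant this refresh token was issued under
    scopes: frozenset

# Constructed sample state: one user grant for an untrusted client, one
# refresh token bound to that grant.
GRANTS = {"g-1": Grant("g-1", "alice", "untrusted-app", "orders-api",
                       frozenset({"orders:read", "orders:write"}))}
REFRESH_TOKENS = {"rt-1": RefreshToken("rt-1", "g-1",
                                       frozenset({"orders:read", "orders:write"}))}

def revoke_grant(grant_id):
    """What the grant-revocation endpoint should do: mark the grant revoked."""
    GRANTS[grant_id].revoked = True

def refresh(token, client_id, requested_scopes=None):
    """Handle a refresh_token grant request; returns (http_status, body)."""
    rt = REFRESH_TOKENS.get(token)
    if rt is None:
        return 400, {"error": "invalid_grant"}
    grant = GRANTS.get(rt.grant_id)
    # The check the report says is missing: a refresh token whose backing
    # grant was revoked (or that belongs to another client) must not refresh.
    if grant is None or grant.revoked or grant.client_id != client_id:
        return 403, {"error": "unauthorized_client"}
    # A refresh may narrow the scope but never exceed the original scope.
    scopes = rt.scopes if requested_scopes is None else frozenset(requested_scopes)
    if not scopes <= rt.scopes:
        return 400, {"error": "invalid_scope"}
    return 200, {"access_token": f"at-{grant.grant_id}-{len(scopes)}",
                 "scope": " ".join(sorted(scopes))}
```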