oauth-wg / oauth-v2-1

OAuth 2.1 is a consolidation of the core OAuth 2.0 specs
https://oauth.net/2.1/

the refresh token response and the scope parameter #109

Closed adeinega closed 1 year ago

adeinega commented 2 years ago

I'm wondering if the refresh token response section should also recommend including the scope parameter when the client uses an RT in order to obtain a new AT with narrowed scope.

Per the "Refresh Token" section.

Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires, or to obtain additional access tokens with identical or narrower scope (access tokens may have a shorter lifetime and fewer permissions than authorized by the resource owner).

For the token response (grant_type = authorization_code), the specification states that

"scope": RECOMMENDED, if identical to the scope requested by the client; otherwise, REQUIRED. The scope of the access token as described by {{access-token-scope}}.

which, as you know, is one of the minor differences between OAuth 2.0 and 2.1, and a bit of a corner case, but anyway...

aaronpk commented 2 years ago

This is true in both RFC6749 as well as OAuth 2.1. Both specs actually refer to the main token response section which says the scope property should be returned if it was different than what the client requests. Do you think this needs to be made more explicit?

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07#section-4.3.2
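The behaviour discussed in this thread, as an added example that is not part of the issue or of the oauth-v2-1 draft: a server-side handler for the refresh_token grant that accepts an optional narrowing `scope` parameter (rejecting anything outside the original grant with `invalid_scope`), may narrow further itself, and always emits `scope` in the token response so that both the RECOMMENDED (identical) and REQUIRED (different) cases of the token-response section are satisfied. The refresh token store, the `SERVER_DROPPED_SCOPES` policy, and all function names are constructed for illustration.

```python
"""Refresh token grant with scope narrowing and the scope response parameter.

Added example, not code from the OAuth 2.1 draft or its authors. The token
store, the server-side narrowing policy and the token formats are all
constructed for illustration.
"""
import secrets

# Constructed store: refresh token -> the grant it was issued under.
REFRESH_TOKENS = {
    "rt-example-1": {
        "client_id": "client-a",
        # Scope originally authorized by the resource owner.
        "scope": frozenset({"read", "write", "admin"}),
    },
}

# Constructed policy: scopes this server no longer issues on refresh. This
# produces the "granted differs from requested" case where scope is REQUIRED.
SERVER_DROPPED_SCOPES = frozenset({"admin"})


class TokenError(Exception):
    """An OAuth error response (error code + human-readable description)."""

    def __init__(self, error, description):
        super().__init__(f"{error}: {description}")
        self.error = error
        self.description = description


def parse_scope(value):
    """Scope is a space-delimited, case-sensitive list of strings."""
    return frozenset(s for s in value.split(" ") if s)


def scope_param_required(requested, issued):
    """True when the token response MUST carry ``scope``.

    The spec only makes ``scope`` RECOMMENDED when the issued scope is
    identical to what the client asked for; otherwise it is REQUIRED.
    """
    return frozenset(requested) != frozenset(issued)


def refresh_token_grant(params):
    """Handle a refresh_token grant and return the token response body."""
    if params.get("grant_type") != "refresh_token":
        raise TokenError("unsupported_grant_type", "expected refresh_token")

    grant = REFRESH_TOKENS.get(params.get("refresh_token", ""))
    # Bind the refresh token to the client it was issued to.
    if grant is None or grant["client_id"] != params.get("client_id"):
        raise TokenError("invalid_grant", "unknown refresh token for client")

    original = grant["scope"]
    if "scope" in params:
        requested = parse_scope(params["scope"])
        if not requested:
            raise TokenError("invalid_scope", "empty scope")
        # Refresh may only narrow: anything outside the original grant fails.
        if not requested <= original:
            raise TokenError("invalid_scope", "scope exceeds original grant")
    else:
        # Omitted scope means "the scope originally granted".
        requested = original

    # The server may narrow further; what it actually issues is "granted".
    granted = requested - SERVER_DROPPED_SCOPES
    if not granted:
        raise TokenError("invalid_scope", "no issuable scope remains")

    response = {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "expires_in": 3600,
    }
    # Always include scope: this satisfies RECOMMENDED when identical and
    # REQUIRED when the server narrowed it, without a per-case branch.
    response["scope"] = " ".join(sorted(granted))
    assert "scope" in response or not scope_param_required(requested, granted)
    return response


if __name__ == "__main__":
    req = {"grant_type": "refresh_token", "refresh_token": "rt-example-1",
           "client_id": "client-a", "scope": "read admin"}
    print(refresh_token_grant(req))
```

Always emitting `scope` is the simplest way to stay compliant; a server that omits it when the issued scope matches the request has to be sure its notion of "matches" includes the omitted-parameter case, where the client implicitly asked for the full original grant.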