Closed paukb closed 2 years ago
Hi @paukb
The line you referenced is the response from the authorization server. This is the correct behavior. From https://datatracker.ietf.org/doc/html/rfc6749#section-1.5
> Refresh tokens are credentials used to obtain access tokens. Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires, or to obtain additional access tokens with identical or narrower scope (access tokens may have a shorter lifetime and fewer permissions than authorized by the resource owner).

As scope is expanded the user should re-authenticate.

The `Tokens` class exposes a `getScope` method that can be used to see the scopes that the current token has.
Please reopen with other questions.
Describe the bug?
Older versions of our application, which weren't using OIDC, were refreshing sessions with only the scope `offline_access`. We upgraded the app to OIDC and have been creating the `SyncAuthClient` from a configuration file with scopes defined as `offline_access, openid, profile`. This upgrade path is causing a couple of issues:

- `syncClient.sessionClient.refreshToken()` and the scopes provided via configuration are only being applied to new token requests. Any old token we had with only the scope `offline_access` continues to only have that scope after `refreshToken()`.
- `idToken` in order for `Tokens#isAccessTokenExpired` to be false. As a side effect of the first bullet never changing the scope, we are stuck constantly refreshing tokens because `isAccessTokenExpired` is always true.

What is expected to happen?
Refresh tokens should receive the configured scope.
What is the actual behavior?
Refreshed tokens maintain their previous scope.
Reproduction Steps?
Additional Information?
This loc appears to be the line in question. Should this pull scopes from `b.mConfig`? https://github.com/okta/okta-oidc-android/blob/817770bcef81dc7d06790edbdda31fb96b492970/library/src/main/java/com/okta/oidc/net/request/RefreshTokenRequest.java#L37
SDK Version
Tested with 1.0.20 (our production version) and 1.2.2
Build Information
No response
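The behaviour the maintainer describes (a refresh can only reuse or narrow the originally granted scope; widening it requires a fresh authorization) is easiest to see from the authorization server's side. The following is an added example written for this page, not code from okta-oidc-android or from the reporter: a toy in-memory token endpoint in Python that implements the refresh_token grant per RFC 6749 section 6, plus a client-side helper that mirrors the reporter's situation (a stored grant with only `offline_access` while the app is now configured for `offline_access openid profile`). All class and function names (`TokenEndpoint`, `Grant`, `needs_reauthentication`) are assumptions of this example, and the token strings are constructed placeholders rather than real JWTs.

```python
"""Toy OAuth 2.0 token endpoint illustrating refresh-token scope rules.

Constructed example for illustration only. Tokens are random opaque
strings, not real JWTs, and nothing here talks to a network.
"""
import secrets
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Grant:
    """What the resource owner authorized when the refresh token was issued."""
    refresh_token: str
    scope: frozenset  # the scope the user actually consented to


@dataclass
class TokenEndpoint:
    """Minimal stand-in for an authorization server's /token endpoint."""
    grants: dict = field(default_factory=dict)  # refresh_token -> Grant

    def _token_response(self, scope):
        # Constructed response shape; an id_token only makes sense when the
        # 'openid' scope was granted, so it is omitted otherwise.
        resp = {
            "access_token": secrets.token_urlsafe(16),
            "token_type": "Bearer",
            "scope": " ".join(sorted(scope)),
        }
        if "openid" in scope:
            resp["id_token"] = "constructed-id-token-" + secrets.token_urlsafe(8)
        return resp

    def issue_initial(self, scope):
        """Simulate the end of an authorization-code flow: the user consented to `scope`."""
        scope = frozenset(scope)
        refresh_token = secrets.token_urlsafe(16)
        self.grants[refresh_token] = Grant(refresh_token, scope)
        resp = self._token_response(scope)
        resp["refresh_token"] = refresh_token
        return resp

    def refresh(self, refresh_token, requested_scope=None):
        """grant_type=refresh_token, RFC 6749 section 6.

        - scope omitted   -> same scope as the original grant
        - scope narrower  -> honoured
        - scope wider     -> invalid_scope; the client must re-authorize the user
        """
        grant = self.grants.get(refresh_token)
        if grant is None:
            return {"error": "invalid_grant"}
        if requested_scope is None:
            scope = grant.scope
        else:
            requested = frozenset(requested_scope.split())
            if not requested <= grant.scope:
                # Refresh cannot escalate privileges beyond what was consented to.
                return {"error": "invalid_scope"}
            scope = requested
        return self._token_response(scope)


def needs_reauthentication(current_scope, configured_scope):
    """Client-side check: does the app's configured scope exceed what the
    stored token carries? If so, refreshing will never close the gap and a
    new authorization request is required."""
    return not frozenset(configured_scope) <= frozenset(current_scope)


if __name__ == "__main__":
    # Constructed scenario mirroring the report: an old grant with only
    # offline_access, while the app is now configured for three scopes.
    server = TokenEndpoint()
    old = server.issue_initial(["offline_access"])
    print("plain refresh:", server.refresh(old["refresh_token"]))
    print("widened refresh:", server.refresh(old["refresh_token"],
                                             "offline_access openid profile"))
    print("re-auth needed:", needs_reauthentication(
        old["scope"].split(), ["offline_access", "openid", "profile"]))
```

Running the script shows that a plain refresh of the old grant yields a token whose `scope` is still `offline_access` and carries no `id_token`, a refresh that asks for the wider configured scope is rejected with `invalid_scope`, and the client-side check reports that re-authentication is required. That is the same outcome the reporter observed from the SDK, and it is the server, not the SDK, that enforces it.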