FeiChen-okta
commented
2 years ago Hi @paukb
The line you referenced is the response from the authorization server. This is the correct behavior. From https://datatracker.ietf.org/doc/html/rfc6749#section-1.5
Refresh tokens are credentials used to obtain access tokens. Refresh
tokens are issued to the client by the authorization server and are
used to obtain a new access token when the current access token
becomes invalid or expires, or to obtain additional access tokens
with identical or narrower scope (access tokens may have a shorter
lifetime and fewer permissions than authorized by the resource
owner)As scope is expanded the user should re-authenticate
JayNewstrom
Describe the bug?
Older versions of our application, which wasn't using oidc, were refreshing sessions with only the scope
offline_access. We upgraded the app to oidc and have been creating theSyncAuthClientfrom a configuration file with scopes defined asoffline_access, openid, profile.This upgrade path is causing a couple of issues:
syncClient.sessionClient.refreshToken()and the scopes provided via configuration are only being applied to new token requests. Any old token we had with only the scopeoffline_accesscontinues to only have that scope afterrefreshToken()idTokenin order forTokens#isAccessTokenExpiredto be false. As a side effect of the first bullet never changing the scope we are stuck constantly refreshing tokens based onisAccessTokenExpiredis always true.What is expected to happen?
Refresh tokens should receive the configured scope.
What is the actual behavior?
Refreshed tokens maintain their previous scope.
Reproduction Steps?
Additional Information?
This loc appears to be the line in question. Should this pull scopes from
b.mConfig?https://github.com/okta/okta-oidc-android/blob/817770bcef81dc7d06790edbdda31fb96b492970/library/src/main/java/com/okta/oidc/net/request/RefreshTokenRequest.java#L37
SDK Version
Tested with 1.0.20 (our production version) and 1.2.2
Build Information
No response