wso2 / product-is

Welcome to the WSO2 Identity Server source code! For info on working with the WSO2 Identity Server repository and contributing code, click the link below.
http://wso2.github.io/
Apache License 2.0

Invalid Scope in Refresh Token Grant #20574

Open pandukakarunasena opened 1 week ago

pandukakarunasena commented 1 week ago

Describe the issue: When the following configuration is applied, the refresh token grant returns an "invalid scope" error when the requested scopes match those specified in the configuration.

```toml
[oauth]
allowed_scopes = ["scope1", "scope2"]
```

How to reproduce:

  1. Add the above configuration with the scope `openid`.
  2. Initiate a token request with the curl command below.

```bash
curl --location --request POST 'https://localhost:9443/oauth2/token' \
--header 'Cookie: commonAuthId=2a6a71ce-75ef-43e8-834a-343c39184b16' \
--header 'Authorization: Basic <>' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=refresh_token' \
--data-urlencode 'refresh_token=<refresh_token>' \
--data-urlencode 'scope=openid'
```

Expected behavior: The refresh token grant must be executed without any error.


Analysis: When the said config is enabled, the configured scopes are removed from the `scopesToBeValidated` list [1]. Then this is set as the scope in `tokReqMsgCtx` [2]. At [3] this is checked against the requested scopes. This fails because the requested scope is configured as a scope that should not be validated. However, a token request should be able to invoke the scopes without any issues.

[1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/v6.11.21/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/AccessTokenIssuer.java#L502
[2] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/v6.11.21/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/AccessTokenIssuer.java#L503C1-L516C10
[3] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/v6.11.21/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/handlers/grant/RefreshGrantHandler.java#L149C1-L156C1
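A stand-alone model of the three steps in the analysis above, added here as an example for this page; it is not WSO2 Identity Server code and not the reporter's code. Every name in it (`TokReqMsgCtx`, `filter_scopes_to_validate`, `refresh_grant_scope_check`, the two `refresh_token_grant_*` functions) is an assumed stand-in for steps [1] to [3], and the "allowed scopes restored" variant is one hypothetical fix shape, not the project's change. The inputs mirror the reproduction (`allowed_scopes = ["openid"]`, refresh grant with `scope=openid`) and add a mixed request to show that the failure is triggered only by the presence of an allowed scope.

```python
"""Model of the refresh-token scope flow described in the issue analysis.

Added example, not WSO2 Identity Server code. All identifiers here are
assumptions chosen to mirror steps [1]-[3] of the analysis, not the
project's classes, methods or signatures.
"""
from dataclasses import dataclass, field


@dataclass
class TokReqMsgCtx:
    """Minimal stand-in for the token request message context."""
    requested_scopes: list            # what the client sent in `scope`
    scope: list = field(default_factory=list)  # what the issuer stores after filtering


def filter_scopes_to_validate(requested, allowed_scopes):
    """Step [1]: scopes listed in [oauth] allowed_scopes are dropped from the
    list that goes through scope validation."""
    return [s for s in requested if s not in allowed_scopes]


def refresh_grant_scope_check(ctx):
    """Step [3] as modelled here: the refresh grant handler requires every
    requested scope to be present in ctx.scope. Returns (ok, missing)."""
    missing = [s for s in ctx.requested_scopes if s not in ctx.scope]
    return (len(missing) == 0, missing)


def refresh_token_grant_as_reported(requested, allowed_scopes):
    """Sequence as described in the analysis: the filtered list becomes
    ctx.scope (step [2]) and is then compared with the raw request (step [3]).
    An allowed scope in the request can therefore never be found in ctx.scope."""
    ctx = TokReqMsgCtx(requested_scopes=list(requested))
    ctx.scope = filter_scopes_to_validate(requested, allowed_scopes)
    ok, missing = refresh_grant_scope_check(ctx)
    return "ok" if ok else f"invalid_scope: {missing}"


def refresh_token_grant_with_allowed_restored(requested, allowed_scopes):
    """Hypothetical fix shape (an assumption, not the project's change):
    validate only the non-allowed scopes, but put the requested allowed
    scopes back into ctx.scope before the refresh handler runs its check."""
    ctx = TokReqMsgCtx(requested_scopes=list(requested))
    to_validate = filter_scopes_to_validate(requested, allowed_scopes)
    restored = [s for s in requested if s in allowed_scopes]
    ctx.scope = to_validate + restored
    ok, missing = refresh_grant_scope_check(ctx)
    return "ok" if ok else f"invalid_scope: {missing}"


if __name__ == "__main__":
    # Constructed inputs matching the reproduction in the issue.
    allowed = {"openid"}
    print(refresh_token_grant_as_reported(["openid"], allowed))
    print(refresh_token_grant_as_reported(["scope1"], allowed))
    print(refresh_token_grant_as_reported(["openid", "scope1"], allowed))
    print(refresh_token_grant_with_allowed_restored(["openid", "scope1"], allowed))
```

The mixed request (`openid scope1`) is the telling case: `scope1` alone passes the modelled check, and only the addition of the configured allowed scope turns the grant into an invalid-scope error, which is the opposite of what the `allowed_scopes` setting is meant to do.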