Describe the issue:
When the following configuration is applied, the refresh token grant returns an "invalid scope" error when the requested scopes match those specified in the configuration.
Expected behavior:
Refresh token grant must be executed without any error.
Environment information
Product Version: IS 6.1.0
Optional Fields
Analysis:
When the said configuration is enabled, the configured scopes are removed from the scopesToBeValidated list [1]. This reduced list is then set as the scope in tokReqMsgCtx [2]. At [3] it is checked against the requested scopes. This fails because the requested scope is configured as a scope that should not be validated. However, a token request should be able to invoke these scopes without any issues.
[1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/v6.11.21/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/AccessTokenIssuer.java#L502
[2] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/v6.11.21/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/AccessTokenIssuer.java#L503C1-L516C10
[3] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/v6.11.21/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/handlers/grant/RefreshGrantHandler.java#L149C1-L156C1
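To make the failure in the analysis concrete, the following Python model of the flow at [1] to [3] is an added illustration and not WSO2's code: the names TokenReqMsgCtx, issue_with_bug, issue_fixed, refresh_grant_check and the sample scope names are constructed, and the "fixed" variant shows one way the exempt scopes could be kept on the context rather than the project's actual fix.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable, Iterable

# Constructed model of the token request message context (not the WSO2 class).
@dataclass
class TokenReqMsgCtx:
    requested: list[str]                 # scopes sent in the refresh request
    scope: list[str] = field(default_factory=list)  # scopes the issuer sets back

def refresh_grant_check(ctx: TokenReqMsgCtx) -> str:
    # Models [3]: the grant handler compares the context's scope against the
    # requested scopes and rejects the request if any requested scope is absent.
    missing = [s for s in ctx.requested if s not in ctx.scope]
    return "ok" if not missing else f"invalid_scope: {missing}"

def issue_with_bug(ctx: TokenReqMsgCtx, skip_validation: Iterable[str],
                   validate: Callable[[str], bool]) -> str:
    skip = set(skip_validation)
    # [1]: configured scopes are removed from the list that gets validated ...
    to_validate = [s for s in ctx.requested if s not in skip]
    # [2]: ... and that reduced list is what ends up as the context's scope,
    # so the exempt scopes silently disappear from the token request.
    ctx.scope = [s for s in to_validate if validate(s)]
    return refresh_grant_check(ctx)   # -> invalid_scope for the exempt scopes

def issue_fixed(ctx: TokenReqMsgCtx, skip_validation: Iterable[str],
                validate: Callable[[str], bool]) -> str:
    skip = set(skip_validation)
    to_validate = [s for s in ctx.requested if s not in skip]
    validated = [s for s in to_validate if validate(s)]
    # Illustrative correction: skipping validation must not drop the scope, so
    # exempt scopes are carried through alongside the ones that passed validation.
    ctx.scope = [s for s in ctx.requested if s in skip or s in validated]
    return refresh_grant_check(ctx)

if __name__ == "__main__":
    # Constructed sample: "exempt_scope" is listed in the configuration.
    cfg = {"exempt_scope"}
    print(issue_with_bug(TokenReqMsgCtx(["scope_a", "exempt_scope"]), cfg, lambda s: True))
    print(issue_fixed(TokenReqMsgCtx(["scope_a", "exempt_scope"]), cfg, lambda s: True))
```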