Question on refresh token scopes #1117
It looks like we should be issuing the refresh token with the same scopes as the original, regardless of what scopes were requested. I think this should probably be changed to better match the spec. Thanks for flagging.
At the moment, refresh token scopes are returned based on the access token scopes set.
When a user requests a new access token via the refresh_token grant type and requests a lesser scope than what the original access token has, should the refresh token have the original scopes, or should the refresh token have the new scopes requested?
Can someone please enlighten me on this issue?
I have read the RFC docs and there is a point that states:
If a new refresh token is issued, the refresh token scope MUST be identical to that of the refresh token included by the client in the request.
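
The behaviour the quoted rule asks for, as an added example that is not part of this thread or the project's own code: a refresh request for a narrower scope yields a narrowed access token, while the rotated refresh token keeps the scopes of the one presented. The store, function names and scope names are hypothetical; the scope checks follow RFC 6749, section 6.

```python
import secrets
from dataclasses import dataclass


class InvalidScope(Exception):
    """Corresponds to the OAuth 2.0 `invalid_scope` error."""


@dataclass(frozen=True)
class RefreshToken:
    value: str
    client_id: str
    scopes: frozenset


STORE = {}  # constructed in-memory token store (assumption, stands in for a database)


def issue_refresh_token(client_id, scopes):
    token = RefreshToken(secrets.token_urlsafe(32), client_id, frozenset(scopes))
    STORE[token.value] = token
    return token


def refresh_grant(client_id, refresh_token_value, requested_scope=None):
    old = STORE.get(refresh_token_value)
    if old is None or old.client_id != client_id:
        raise PermissionError("invalid_grant")

    # An omitted scope parameter means "same as originally granted".
    requested = frozenset(requested_scope.split()) if requested_scope else old.scopes

    # The request may narrow the scope but must never widen it.
    if not requested <= old.scopes:
        raise InvalidScope("requested scope exceeds the original grant")

    # Rotate: the new refresh token carries the ORIGINAL scopes, not the
    # narrowed set, so a later refresh can still ask for the full grant.
    del STORE[old.value]
    new_refresh = issue_refresh_token(client_id, old.scopes)

    return {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "scope": " ".join(sorted(requested)),  # the access token is narrowed
        "refresh_token": new_refresh.value,
    }
```

The scope check runs before the old token is deleted, so a rejected request does not consume the refresh token.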