
Support refreshing an access token with narrower scope #2590


Closed
spwitt opened this issue Dec 18, 2023 · 2 comments
Assignees
Labels
enhancement New feature or request openid-connect
Milestone

Comments


spwitt commented Dec 18, 2023

Support refreshing an access token with narrower scope

Problem

When using a refresh token to request a new access token, FusionAuth responds with an invalid_scope OAuth error if the requested scopes do not exactly match the scope of the refresh token.

According to the OAuth spec, a refresh token can be used to

obtain additional access tokens with identical or narrower scope (access tokens may have a shorter lifetime and fewer permissions than authorized by the resource owner).

Solution

  • Allow refreshing an access token with a narrower scope than the provided refresh token
  • Making the refresh request without providing the scope parameter will return an access token with the same scope as the provided refresh token
  • Making a refresh request with a scope that was not originally granted will result in an invalid_scope OAuth error

Alternatives/workarounds

It is not possible to request a narrower scope on token refresh. The alternatives are:

  • Do not request narrower scopes when refreshing an access token
  • Juggle multiple refresh/access tokens for different use cases

Additional context

The scope on the refresh request only affects the new access token. According to the spec:

If a new refresh token is issued, the refresh token scope MUST be identical to that of the refresh token included by the client in the request.

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

Related

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.
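The behaviour requested above is the refresh_token grant of RFC 6749 section 6. The following is an added example, not FusionAuth's implementation and not code from the issue author: a minimal in-memory model of a token endpoint's refresh handling that enforces the three rules listed under "Solution" (omitted scope keeps the refresh token's scope, a subset narrows only the new access token, anything not originally granted yields invalid_scope) and, when it rotates refresh tokens, keeps the new refresh token's scope identical to the old one as the quoted spec text requires. The function and type names (`refresh_access_token`, `issue_refresh_token`, `REFRESH_TOKENS`) and the sample scopes are hypothetical.

```python
"""Added example (not FusionAuth code): scope handling for the OAuth 2.0
refresh_token grant as described in RFC 6749 section 6.

Names such as refresh_access_token and the REFRESH_TOKENS store are
hypothetical; no real authorization server is involved."""

import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional


@dataclass
class RefreshToken:
    value: str
    user: str
    scope: FrozenSet[str]  # scope originally authorized by the resource owner


@dataclass
class TokenResponse:
    access_token: str
    scope: FrozenSet[str]
    refresh_token: Optional[str]


class OAuthError(Exception):
    """Carries the OAuth error code the token endpoint would return."""

    def __init__(self, error: str) -> None:
        super().__init__(error)
        self.error = error


# Constructed in-memory store standing in for the server's refresh token table.
REFRESH_TOKENS: Dict[str, RefreshToken] = {}


def issue_refresh_token(user: str, scope: Iterable[str]) -> str:
    """Mint a refresh token bound to the given user and granted scope."""
    tok = RefreshToken(secrets.token_urlsafe(32), user, frozenset(scope))
    REFRESH_TOKENS[tok.value] = tok
    return tok.value


def refresh_access_token(
    refresh_token: str,
    requested_scope: Optional[str] = None,
    rotate: bool = True,
) -> TokenResponse:
    """Handle grant_type=refresh_token with the scope rules of RFC 6749 s6.

    requested_scope is the space-delimited `scope` parameter, or None when
    the client omitted it. Raises OAuthError("invalid_grant") for an
    unknown/rotated-out token and OAuthError("invalid_scope") when the
    request asks for any scope that was not originally granted.
    """
    rt = REFRESH_TOKENS.get(refresh_token)
    if rt is None:
        raise OAuthError("invalid_grant")

    if requested_scope is None:
        # No scope parameter: the new access token keeps the refresh token's scope.
        new_scope = rt.scope
    else:
        requested = frozenset(requested_scope.split())
        # Empty scope or any scope outside the original grant is rejected;
        # a proper subset simply narrows the new access token.
        if not requested or not requested <= rt.scope:
            raise OAuthError("invalid_scope")
        new_scope = requested

    new_refresh: Optional[str] = None
    if rotate:
        # Refresh token rotation: the replacement MUST carry the same scope
        # as the token presented, regardless of the narrower access token scope.
        del REFRESH_TOKENS[refresh_token]
        new_refresh = issue_refresh_token(rt.user, rt.scope)

    return TokenResponse(secrets.token_urlsafe(32), new_scope, new_refresh)


if __name__ == "__main__":
    rt = issue_refresh_token("alice", ["openid", "email", "profile"])
    narrowed = refresh_access_token(rt, "openid email")
    print("access token scope:", sorted(narrowed.scope))
    print("rotated refresh token scope:",
          sorted(REFRESH_TOKENS[narrowed.refresh_token].scope))
```

Note that the scope check operates on the refresh token's stored grant, not on the client's claim about what it previously held: a client cannot widen its access by refreshing, and a narrowed access token never shrinks the scope recorded against the rotated refresh token, so a later refresh without a scope parameter still returns the full original grant.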


spwitt commented Apr 18, 2024

@spwitt spwitt self-assigned this Apr 26, 2024
@spwitt spwitt added this to the 1.50.0 milestone Apr 26, 2024

spwitt commented Apr 26, 2024

Delivered in 1.50.0
