Support Azure AD access token refresh

This adds a new optional property, `includeScopeInTokenRefresh`, which
includes the configured `scope` in token refresh requests, as required
by Azure AD.

Fixes DuendeArchive#1264

Author: slieschke

src/UserManager.js

@@ -165,6 +165,9 @@ export class UserManager extends OidcClient {
         return this._loadUser().then(user => {
             if (user && user.refresh_token) {
                 args.refresh_token = user.refresh_token;
+                if (this.settings.includeScopeInTokenRefresh) {
+                    args.scope = this.settings.scope;
+                }
                 return this._useRefreshToken(args);
             }
             else {

src/UserManagerSettings.js

@@ -24,6 +24,7 @@ export class UserManagerSettings extends OidcClientSettings {
         automaticSilentRenew = false,
         validateSubOnSilentRenew = false,
         includeIdTokenInSilentRenew = true,
+        includeScopeInTokenRefresh = false,
         monitorSession = true,
         monitorAnonymousSession = false,
         checkSessionInterval = DefaultCheckSessionInterval,
@@ -48,6 +49,7 @@ export class UserManagerSettings extends OidcClientSettings {
         this._automaticSilentRenew = automaticSilentRenew;
         this._validateSubOnSilentRenew = validateSubOnSilentRenew;
         this._includeIdTokenInSilentRenew = includeIdTokenInSilentRenew;
+        this._includeScopeInTokenRefresh = includeScopeInTokenRefresh;
         this._accessTokenExpiringNotificationTime = accessTokenExpiringNotificationTime;
 
         this._monitorSession = monitorSession;
@@ -100,6 +102,9 @@ export class UserManagerSettings extends OidcClientSettings {
     get includeIdTokenInSilentRenew() {
         return this._includeIdTokenInSilentRenew;
     }
+    get includeScopeInTokenRefresh() {
+        return this._includeScopeInTokenRefresh;
+    }
     get accessTokenExpiringNotificationTime() {
         return this._accessTokenExpiringNotificationTime;
     }

test/unit/UserManager.spec.js

@@ -152,6 +152,22 @@ describe("UserManager", function () {
                 return Promise.resolve()
             }
             subject.signinSilent({prompt:"foo"});
+        });
+
+        it("should pass scope from settings when refreshing token if configured", function(done) {
+
+            stubUserStore.item = new User({refresh_token:"refresh_token"}).toStorageString();
+
+            settings.includeScopeInTokenRefresh = true;
+            settings.scope = "scope";
+            subject = new UserManager(settings);
+
+            subject._useRefreshToken = function(args){
+                args.scope.should.equal("scope");
+                done();
+                return Promise.resolve()
+            }
+            subject.signinSilent();
         })
     });
 

test/unit/UserManagerSettings.spec.js

@@ -129,6 +129,28 @@ describe("UserManagerSettings", function () {
         });
     });
 
+    describe("includeScopeInTokenRefresh", function () {
+        it("should return true value from initial settings", function () {
+            let subject = new UserManagerSettings({
+                includeScopeInTokenRefresh: true,
+            });
+            subject.includeScopeInTokenRefresh.should.be.true;
+        });
+
+        it("should return false value from initial settings", function () {
+            let subject = new UserManagerSettings({
+                includeScopeInTokenRefresh: false,
+            });
+            subject.includeScopeInTokenRefresh.should.be.false;
+        });
+
+        it("should use default value", function () {
+            let subject = new UserManagerSettings({
+            });
+            subject.includeScopeInTokenRefresh.should.be.false;
+        });
+    });
+
     describe("accessTokenExpiringNotificationTime", function () {
 
         it("should return value from initial settings", function () {