Skip to content

Commit

Permalink
oauth2 flow_refresh: Use granted scope parameters in token refresh
Browse files Browse the repository at this point in the history
Fixing the OAuth2 token refresh handler to:
 - Read and use the optional 'scope' form parameter, if present.
 - Otherwise default to requesting the originally granted scopes.

This endpoint should be completely agnostic of:
 - The originally **requested** scopes
 - The **client scopes** (both current and past client scopes)

Fixes #696
  • Loading branch information
silverspace committed Aug 31, 2022
1 parent 575ae6d commit 0f25684
Showing 1 changed file with 12 additions and 3 deletions.
15 changes: 12 additions & 3 deletions handler/oauth2/flow_refresh.go
Original file line number Diff line number Diff line change
Expand Up @@ -96,11 +96,20 @@ func (c *RefreshTokenGrantHandler) HandleTokenEndpointRequest(ctx context.Contex
}

request.SetSession(originalRequest.GetSession().Clone())
request.SetRequestedScopes(originalRequest.GetRequestedScopes())
request.SetRequestedAudience(originalRequest.GetRequestedAudience())

for _, scope := range originalRequest.GetGrantedScopes() {
if !c.Config.GetScopeStrategy(ctx)(request.GetClient().GetScopes(), scope) {
if _, ok := request.GetRequestForm()["scope"]; ok {
requestedScopes := fosite.RemoveEmpty(strings.Split(request.GetRequestForm().Get("scope"), " "))
if len(requestedScopes) == 0 {
return errorsx.WithStack(fosite.ErrInvalidScope.WithHintf("The requested scope parameter is empty"))
}
request.SetRequestedScopes(requestedScopes)
} else {
request.SetRequestedScopes(originalRequest.GetGrantedScopes())
}

for _, scope := range request.GetRequestedScopes() {
if !c.Config.GetScopeStrategy(ctx)(originalRequest.GetGrantedScopes(), scope) {
return errorsx.WithStack(fosite.ErrInvalidScope.WithHintf("The OAuth 2.0 Client is not allowed to request scope '%s'.", scope))
}
request.GrantScope(scope)
Expand Down

0 comments on commit 0f25684

Please sign in to comment.