oauth2 flow_refresh: Use granted scope parameters in token refresh

Fixing the OAuth2 token refresh handler to: - Read and use the optional 'scope' form parameter, if present. - Otherwise default to requesting the originally granted scopes. This endpoint should be completely agnostic of: - The originally **requested** scopes - The **client scopes** (both current and past client scopes) Fixes ory#696
silverspace · Aug 31, 2022 · 0f25684 · 0f25684
1 parent 575ae6d
commit 0f25684
Showing 1 changed file with 12 additions and 3 deletions.
diff --git a/handler/oauth2/flow_refresh.go b/handler/oauth2/flow_refresh.go
@@ -96,11 +96,20 @@ func (c *RefreshTokenGrantHandler) HandleTokenEndpointRequest(ctx context.Contex
 	}
 
 	request.SetSession(originalRequest.GetSession().Clone())
-	request.SetRequestedScopes(originalRequest.GetRequestedScopes())
 	request.SetRequestedAudience(originalRequest.GetRequestedAudience())
 
-	for _, scope := range originalRequest.GetGrantedScopes() {
-		if !c.Config.GetScopeStrategy(ctx)(request.GetClient().GetScopes(), scope) {
+	if _, ok := request.GetRequestForm()["scope"]; ok {
+		requestedScopes := fosite.RemoveEmpty(strings.Split(request.GetRequestForm().Get("scope"), " "))
+		if len(requestedScopes) == 0 {
+			return errorsx.WithStack(fosite.ErrInvalidScope.WithHintf("The requested scope parameter is empty"))
+		}
+		request.SetRequestedScopes(requestedScopes)
+	} else {
+		request.SetRequestedScopes(originalRequest.GetGrantedScopes())
+	}
+
+	for _, scope := range request.GetRequestedScopes() {
+		if !c.Config.GetScopeStrategy(ctx)(originalRequest.GetGrantedScopes(), scope) {
 			return errorsx.WithStack(fosite.ErrInvalidScope.WithHintf("The OAuth 2.0 Client is not allowed to request scope '%s'.", scope))
 		}
 		request.GrantScope(scope)