From 0f256844f4209d53b961e8cfe30b260626530569 Mon Sep 17 00:00:00 2001 From: Greg Hogan Date: Wed, 31 Aug 2022 14:24:27 -0700 Subject: [PATCH] oauth2 flow_refresh: Use granted scope parameters in token refresh Fixing the OAuth2 token refresh handler to: - Read and use the optional 'scope' form parameter, if present. - Otherwise default to requesting the originally granted scopes. This endpoint should be completely agnostic of: - The originally **requested** scopes - The **client scopes** (both current and past client scopes) Fixes https://github.com/ory/fosite/issues/696
---
 handler/oauth2/flow_refresh.go | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/handler/oauth2/flow_refresh.go b/handler/oauth2/flow_refresh.go
index 0e3be4dba..32e007e65 100644
--- a/handler/oauth2/flow_refresh.go
+++ b/handler/oauth2/flow_refresh.go
@@ -96,11 +96,20 @@ func (c *RefreshTokenGrantHandler) HandleTokenEndpointRequest(ctx context.Contex
 	}
 
 	request.SetSession(originalRequest.GetSession().Clone())
-	request.SetRequestedScopes(originalRequest.GetRequestedScopes())
 	request.SetRequestedAudience(originalRequest.GetRequestedAudience())
 
-	for _, scope := range originalRequest.GetGrantedScopes() {
-		if !c.Config.GetScopeStrategy(ctx)(request.GetClient().GetScopes(), scope) {
+	if _, ok := request.GetRequestForm()["scope"]; ok {
+		requestedScopes := fosite.RemoveEmpty(strings.Split(request.GetRequestForm().Get("scope"), " "))
+		if len(requestedScopes) == 0 {
+			return errorsx.WithStack(fosite.ErrInvalidScope.WithHintf("The requested scope parameter is empty"))
+		}
+		request.SetRequestedScopes(requestedScopes)
+	} else {
+		request.SetRequestedScopes(originalRequest.GetGrantedScopes())
+	}
+
+	for _, scope := range request.GetRequestedScopes() {
+		if !c.Config.GetScopeStrategy(ctx)(originalRequest.GetGrantedScopes(), scope) {
 			return errorsx.WithStack(fosite.ErrInvalidScope.WithHintf("The OAuth 2.0 Client is not allowed to request scope '%s'.", scope))
 		}
 		request.GrantScope(scope)
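Review bot: The unchanged hint on the `return errorsx.WithStack(fosite.ErrInvalidScope.WithHintf("The OAuth 2.0 Client is not allowed to request scope '%s'.", scope))` line no longer matches what the rewritten check tests: the haystack is now `originalRequest.GetGrantedScopes()`, so a rejected scope is one the resource owner never granted, not one the client is forbidden from holding; reword it along the lines of `"The requested scope '%s' was not granted in the original authorization and cannot be added on refresh."` so operators debugging a refresh failure are not sent to the client configuration. Because the check against `request.GetClient().GetScopes()` is dropped, a client whose allowed scopes are narrowed after the original grant keeps refreshing the old, wider scope set until the token is revoked; that is consistent with RFC 6749 §6, which only requires that refresh scope not exceed the originally granted scope, but it is a security-relevant property that deserves a comment on the `for _, scope := range request.GetRequestedScopes() {` line, e.g. `// RFC 6749 §6: a refresh may only narrow the originally granted scope; changes to the client's allowed scopes are deliberately not re-checked here, revocation is the only way to withdraw scope.` HandleTokenEndpointRequest starts before this hunk and continues past it.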