Forum Discussion

Mikhail_Groshev's avatar
Icon for Nimbostratus rankNimbostratus
Apr 28, 2018

OAuth refreshing the access token scope bug

Hi guys!


I need some help with OAath AS.


If the refresh token was initially issued for the scopes "A B C" the only scope option to refresh access tokens is nothing but "A B C" exactly.


"scope A", "scope A B", even "scope C B A" options throw exception:


"error": "access_denied"


"error_description": "Given scope is different from the access token's scope"


But according to the RFC 6749 the scopes for refreshed access token must be just less than originally requested scopes.


scope OPTIONAL. The scope of the access request as described by Section 3.3. The requested scope MUST NOT include any scope not originally granted by the resource owner, and if omitted is treated as equal to the scope originally granted by the resource owner.


Is it some sort of a bug or smth? Is it possible to somehow eliminate this restriction?


Thank you, Mikhail


2 Replies

  • Hey, did you end up resolving this issue? I'm getting this error as well. Was they anyway to change the order?

    Third party app is using MSAL and it scopes (which can not be change or modifed in the MSAL code) are causing issues.