OAuth refreshing the access token scope bug
Hi guys!
I need some help with an OAuth AS.
If the refresh token was initially issued for the scopes "A B C" the only scope option to refresh access tokens is nothing but "A B C" exactly.
"scope A", "scope A B", even "scope C B A" options throw an exception:
"error": "access_denied"
"error_description": "Given scope is different from the access token's scope"
But according to RFC 6749, the scopes for a refreshed access token must just be less than the originally requested scopes.
scope OPTIONAL. The scope of the access request as described by Section 3.3. The requested scope MUST NOT include any scope not originally granted by the resource owner, and if omitted is treated as equal to the scope originally granted by the resource owner.
Is it some sort of bug or something? Is it possible to somehow eliminate this restriction?
Thank you, Mikhail
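As an added example (not code from the post or from any particular OAuth server), here is the check the post's authorization server appears to apply beside the check RFC 6749 section 6 prescribes for the refresh_token grant; the function names, and the assumption that the server compares the scope strings verbatim, are the example's own.

```python
from typing import Dict, Optional, Set


def parse_scope(scope: Optional[str]) -> Optional[Set[str]]:
    """Split a space-delimited scope string (RFC 6749 section 3.3) into a set."""
    if scope is None:
        return None
    return set(scope.split())


def strict_refresh_scope(granted: str, requested: Optional[str]) -> Dict[str, str]:
    """Behaviour described in the post: the scope sent with the refresh request
    has to match the originally granted scope exactly. Assumption: the server
    compares the raw strings, which is why "C B A" is rejected as well as "A"."""
    if requested is not None and requested != granted:
        return {"error": "access_denied",
                "error_description": "Given scope is different from the access token's scope"}
    return {"scope": granted}


def rfc6749_refresh_scope(granted: str, requested: Optional[str]) -> Dict[str, str]:
    """RFC 6749 section 6: an omitted scope means the originally granted scope;
    a supplied scope may narrow it but MUST NOT include any scope that was not
    originally granted (section 5.2 names the error for that: invalid_scope)."""
    granted_set = parse_scope(granted)
    if requested is None:
        return {"scope": " ".join(sorted(granted_set))}
    requested_set = parse_scope(requested)
    if not requested_set:
        return {"error": "invalid_scope",
                "error_description": "scope parameter present but empty"}
    extra = requested_set - granted_set
    if extra:
        # Widening beyond the original grant is the only thing the RFC forbids.
        return {"error": "invalid_scope",
                "error_description": "requested scope exceeds the original grant: "
                                     + " ".join(sorted(extra))}
    # Narrowing (or re-ordering) the granted scope is allowed; issue what was asked.
    return {"scope": " ".join(sorted(requested_set))}


if __name__ == "__main__":
    for req in (None, "A B C", "A", "A B", "C B A", "A D"):
        print(repr(req), strict_refresh_scope("A B C", req), rfc6749_refresh_scope("A B C", req))
```

The strict variant reproduces the error in the post for every request except the verbatim original string; the RFC variant accepts any subset and only rejects scopes the resource owner never granted.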