Forum Discussion
OAuth refreshing the access token scope bug
Hi guys!
I need some help with OAuth AS.
If the refresh token was initially issued for the scopes "A B C", the only scope option for refreshing access tokens is nothing but "A B C" exactly.
The "scope A", "scope A B", and even "scope C B A" options throw an exception:
"error": "access_denied"
"error_description": "Given scope is different from the access token's scope"
But according to RFC 6749, the scopes for a refreshed access token must just be less than the originally requested scopes:
scope OPTIONAL. The scope of the access request as described by Section 3.3. The requested scope MUST NOT include any scope not originally granted by the resource owner, and if omitted is treated as equal to the scope originally granted by the resource owner.
Is it some sort of a bug or something? Is it possible to somehow eliminate this restriction?
Thank you, Mikhail
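An added example (not code from the post or from F5's product) contrasting the exact-string scope check the post describes with the subset rule RFC 6749 section 6 specifies for the refresh-token grant. The error class, function names and the "A B C" scope values are illustrative assumptions.

```python
"""Scope handling for an OAuth 2.0 refresh-token grant (RFC 6749 section 6).

Constructed example; not an implementation from any product. Scope strings
are space-delimited per RFC 6749 section 3.3, and token order is not significant.
"""
from typing import Optional, Set


class InvalidScope(Exception):
    """Corresponds to the 'invalid_scope' error code of RFC 6749 section 5.2."""


def parse_scope(scope: Optional[str]) -> Set[str]:
    """Split a space-delimited scope string into a set of scope tokens."""
    if scope is None:
        return set()
    return set(scope.split())


def strict_refresh_scope(granted: str, requested: Optional[str]) -> str:
    """Behaviour described in the post: only the byte-identical original
    scope string is accepted, so 'C B A' or a narrower 'A' is rejected."""
    if requested is not None and requested != granted:
        raise InvalidScope("Given scope is different from the access token's scope")
    return granted


def rfc6749_refresh_scope(granted: str, requested: Optional[str]) -> str:
    """RFC 6749 rule: an omitted scope means the original grant; otherwise the
    requested set must not contain any scope that was not originally granted.
    Returns the effective scope as a sorted, space-delimited string."""
    granted_set = parse_scope(granted)
    if requested is None or requested.strip() == "":
        return " ".join(sorted(granted_set))
    requested_set = parse_scope(requested)
    extra = requested_set - granted_set  # scopes the client was never granted
    if extra:
        raise InvalidScope(
            "requested scope exceeds original grant: " + " ".join(sorted(extra))
        )
    return " ".join(sorted(requested_set))


if __name__ == "__main__":
    # Down-scoping and reordering are valid under the RFC rule but not the strict one.
    print(rfc6749_refresh_scope("A B C", "C B A"))  # A B C
    print(rfc6749_refresh_scope("A B C", "A"))      # A
```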
- mebbels (Nimbostratus)
Hey, did you end up resolving this issue? I'm getting this error as well. Was there any way to change the order?
A third-party app is using MSAL, and its scopes (which cannot be changed or modified in the MSAL code) are causing issues.
- Mikhail_Groshev (Nimbostratus)
/sigh