
Support refreshing an access token with narrower scope

Open spwitt opened this issue 1 year ago • 0 comments


Problem

When using a refresh token to request a new access token, FusionAuth responds with an invalid_scope OAuth error if the requested scopes do not exactly match the scope of the refresh token.

According to the OAuth spec, a refresh token can be used to

obtain additional access tokens with identical or narrower scope (access tokens may have a shorter lifetime and fewer permissions than authorized by the resource owner).

Solution

  • Allow refreshing an access token with a narrower scope than the provided refresh token
  • Making the refresh request without providing the scope parameter will return an access token with the same scope as the provided refresh token
  • Making a refresh request with a scope that was not originally granted will result in an invalid_scope OAuth error

Alternatives/workarounds

It is not possible to request a narrower scope on token refresh. The alternatives are:

  • Do not request narrower scopes when refreshing an access token
  • Juggle multiple refresh/access tokens for different use cases

Additional context

The scope on the refresh request only affects the new access token. According to the spec:

If a new refresh token is issued, the refresh token scope MUST be identical to that of the refresh token included by the client in the request.

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

Related

  • https://github.com/FusionAuth/fusionauth-issues/issues/2324

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

spwitt avatar Dec 18 '23 19:12 spwitt
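As an added illustration (example code written for this page, not FusionAuth's implementation and not part of the issue above), the following constructed Python model of a token endpoint's refresh_token grant implements the three behaviours the Solution section asks for: an omitted scope parameter returns the refresh token's full scope, a subset of that scope is honoured as a narrower access token, and any scope not originally granted is rejected with invalid_scope before anything is issued. It also applies the rule quoted under Additional context: the rotated refresh token keeps the original scope, so a narrowed access token does not permanently shrink what later refreshes can request. The store, the token record types and the dict standing in for a signed access token are all assumptions made for the example.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass

# Constructed in-memory model of an OAuth 2.0 token endpoint's refresh_token grant.
# Illustrative only: none of these types or the store exist in FusionAuth.


class InvalidScope(Exception):
    """Signals the OAuth 2.0 'invalid_scope' token-endpoint error (RFC 6749 section 5.2)."""


class InvalidGrant(Exception):
    """Signals 'invalid_grant', e.g. an unknown or already-rotated refresh token."""


@dataclass(frozen=True)
class RefreshToken:
    value: str
    subject: str
    scope: tuple[str, ...]  # scope authorized by the resource owner, in request order


@dataclass(frozen=True)
class TokenResponse:
    access_token: dict      # claims of the new access token (stand-in for a signed JWT)
    refresh_token: str      # value of the newly rotated refresh token
    scope: str              # space-delimited scope of the new access token


# Hypothetical server-side store of live refresh tokens, keyed by token value.
REFRESH_TOKENS: dict[str, RefreshToken] = {}


def issue_refresh_token(subject: str, scope: str) -> RefreshToken:
    """Mint a refresh token for `subject` with the scope granted at authorization time."""
    rt = RefreshToken(secrets.token_urlsafe(32), subject, tuple(dict.fromkeys(scope.split())))
    REFRESH_TOKENS[rt.value] = rt
    return rt


def parse_scope(scope: str | None) -> tuple[str, ...] | None:
    """Split the request's scope parameter; None means the parameter was omitted."""
    if scope is None:
        return None
    parts = tuple(dict.fromkeys(scope.split()))  # de-duplicate, keep order
    if not parts:
        raise InvalidScope("scope parameter is present but empty")
    return parts


def refresh(refresh_token: str, requested_scope: str | None = None) -> TokenResponse:
    """Handle grant_type=refresh_token with the scope rules of RFC 6749 section 6.

    - scope omitted     -> access token carries the refresh token's full scope
    - scope is a subset -> access token carries only the requested (narrower) scope
    - anything broader  -> invalid_scope, and no token is issued or rotated
    The rotated refresh token always keeps the original scope.
    """
    rt = REFRESH_TOKENS.get(refresh_token)
    if rt is None:
        raise InvalidGrant("unknown, expired or already-used refresh token")

    requested = parse_scope(requested_scope)
    if requested is None:
        granted = rt.scope
    else:
        not_authorized = [s for s in requested if s not in rt.scope]
        if not_authorized:
            raise InvalidScope(
                "scope not granted to this refresh token: " + " ".join(not_authorized)
            )
        granted = requested

    # Rotate the refresh token. The replacement is scoped identically to the one
    # presented, so a later refresh can still ask for any originally authorized scope.
    del REFRESH_TOKENS[rt.value]
    new_rt = RefreshToken(secrets.token_urlsafe(32), rt.subject, rt.scope)
    REFRESH_TOKENS[new_rt.value] = new_rt

    scope_str = " ".join(granted)
    access_token = {"sub": rt.subject, "scope": scope_str}
    return TokenResponse(access_token, new_rt.value, scope_str)


if __name__ == "__main__":
    # Constructed walk-through of the three cases from the issue.
    rt = issue_refresh_token("user-123", "openid profile email offline_access")
    full = refresh(rt.value)                       # no scope parameter
    print("omitted scope ->", full.scope)
    narrow = refresh(full.refresh_token, "openid email")  # narrower scope
    print("narrower scope ->", narrow.scope)
    try:
        refresh(narrow.refresh_token, "openid admin")     # never granted
    except InvalidScope as err:
        print("broader scope ->", err)
```

The check is a membership test of each requested scope against the set recorded with the refresh token, which is what makes "narrower" well defined: the request may drop scopes but never add one. Note that the failed request leaves the presented refresh token in the store untouched, so a client that mistakenly asks for too much can retry with a valid scope rather than being forced to re-authorize.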