
Fix the issue with internal scopes during refresh grant

Open Sachin-Mamoru opened this issue 1 year ago • 0 comments

Describe the issue: According to the current behaviour of IS-5.11.0, when we request an access token with scope1, internal-scope, and scope2, we get a refresh token as well. If we then use that refresh token to narrow down the scopes (scope1, scope2) and obtain a new access token, the internal-scope is still included in the resulting access token.

How to reproduce:

  1. Obtain a token with the below scopes:
     • internal_mgt_user_update
     • a random scope
     • openid
  2. Use the refresh token and obtain the tokens again, providing only the random scope and the openid scope.
  3. You will get the internal scope as well.

Expected behavior:

The refresh grant should provide only the requested scope.

Environment information

  • Product Version: IS 5.11.0

Cause: Internal scopes are added later [1] in the access token issuer if the scopes are valid.

[1] https://github.com/wso2-support/identity-inbound-auth-oauth/blob/support-6.4.111.x-full/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/AccessTokenIssuer.java#L314-L315

Sachin-Mamoru, Feb 21 '24 10:02
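The following is an added illustrative model of the refresh-grant scope handling the issue describes; it is not code from the WSO2 IS code base and does not reproduce its token issuer. It shows the reported behaviour (internal scopes from the original grant are appended back after the requested scopes were narrowed) beside the expected behaviour per RFC 6749 section 6 (the refreshed token carries only the requested scopes, which must be a subset of the original grant; omitting scope means "same as original"), plus a small audit check a reviewer can run over issued tokens. The `internal_` prefix used to recognise internal scopes, the `RefreshToken` record and all scope names are assumptions made for the example.

```python
"""Model of refresh-grant scope narrowing (added example, not WSO2 IS code)."""
from dataclasses import dataclass

# Assumption for this example: internal scopes are recognised by this prefix,
# as in the scope name quoted in the issue (internal_mgt_user_update).
INTERNAL_PREFIX = "internal_"


class InvalidScopeError(ValueError):
    """A refresh request asked for scope outside the original grant (RFC 6749 s6: invalid_scope)."""


@dataclass(frozen=True)
class RefreshToken:
    """Hypothetical refresh-token record: who it belongs to and what the original grant allowed."""
    subject: str
    granted_scopes: frozenset


def _validate_requested(token, requested):
    """Shared check: requested scope must not exceed the original grant."""
    requested = frozenset(requested)
    extra = requested - token.granted_scopes
    if extra:
        raise InvalidScopeError(f"scope(s) not in original grant: {sorted(extra)}")
    return requested


def buggy_refresh_scopes(token, requested):
    """Behaviour reported in the issue.

    The requested scopes are validated and narrowed correctly, but a later step
    re-adds every internal scope of the original grant, so the narrowed token
    still carries internal_* scopes the client did not ask for.
    """
    effective = set(_validate_requested(token, requested)) if requested else set(token.granted_scopes)
    # The step the issue points at: internal scopes appended after narrowing.
    effective |= {s for s in token.granted_scopes if s.startswith(INTERNAL_PREFIX)}
    return frozenset(effective)


def fixed_refresh_scopes(token, requested):
    """Expected behaviour: the refreshed token gets exactly the requested scopes.

    No scope parameter means the original grant is reused unchanged; any scope
    outside the original grant is rejected with invalid_scope.
    """
    if not requested:
        return token.granted_scopes
    return _validate_requested(token, requested)


def unrequested_scopes(requested, issued):
    """Audit check over an issued token: scopes present that were never requested.

    An empty result means the issuer honoured the narrowing; anything returned
    (in particular internal_* entries) is the symptom described in the issue.
    """
    return frozenset(issued) - frozenset(requested)


if __name__ == "__main__":
    # Constructed input mirroring the reproduction steps in the issue.
    original = RefreshToken("alice", frozenset({"internal_mgt_user_update", "random_scope", "openid"}))
    narrowed = ["random_scope", "openid"]
    print("buggy :", sorted(buggy_refresh_scopes(original, narrowed)))
    print("fixed :", sorted(fixed_refresh_scopes(original, narrowed)))
    print("leaked:", sorted(unrequested_scopes(narrowed, buggy_refresh_scopes(original, narrowed))))
```

Running the module prints the narrowed scope set from both paths; the leaked set is non-empty only for the reported behaviour. The same `unrequested_scopes` comparison can be applied to decoded tokens from a test tenant to confirm whether a given build still exhibits the issue.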