Description
When a new access token is generated from a refresh token, it should be issued with a narrower scope than the refresh token if a `-d scope` parameter is passed with the request. RH-SSO 7.4.2 does not take the parameter into account and instead assigns the default scopes to the token.
As per RFC 6749:
scope OPTIONAL. The scope of the access request as described by Section 3.3. The requested scope MUST NOT include any scope not originally granted by the resource owner, and if omitted is treated as equal to the scope originally granted by the resource owner.
And from Section 3.3:
The authorization server MAY fully or partially ignore the scope requested by the client, based on the authorization server policy or the resource owner's instructions. If the issued access token scope is different from the one requested by the client, the authorization server MUST include the "scope" response parameter to inform the client of the actual scope granted.
Discussion
https://issues.redhat.com/browse/KEYCLOAK-15729
Details
Original steps to reproduce
1. Create a client scope named "test" and map it to a client with Password Grant enabled (e.g. app-profile-vanilla) as a default scope under "Client --> --> Client Scopes", so that Default Client Scopes: email, test (assigned); Optional Client Scopes: none.
2. Generate an access token for the above client by passing -d "scope=openid email test" using the command below:
curl -k -v -X POST http://localhost:8080/auth/realms/demo/protocol/openid-connect/token -d "grant_type=password" -d "client_id=app-profile-vanilla" -d "username=jboss" -d "password=jboss@123" -d "scope=openid email test" | jq '.'
3. Get a new access token using the refresh token from the previous response (grant_type=refresh_token), keeping only -d 'scope=openid' and dropping the other scope values:
curl 'http://localhost:8080/auth/realms/demo/protocol/openid-connect/token' -d 'grant_type=refresh_token' -d 'client_id=app-profile-vanilla' -d "refresh_token=$RTOKEN" -d 'scope=openid' | jq .
{
"exp": 1600315952,
"iat": 1600315652,
"jti": "5b494b20-9b65-4b0b-aa10-95b34e3617c7",
"iss": "http://localhost:8080/auth/realms/demo",
"sub": "e7e40aa2-ecd9-46f0-bebc-ab53a68c9512",
"typ": "Bearer",
"azp": "app-profile-vanilla",
"session_state": "f0c28f25-3d64-4764-978c-635364dcd8df",
"acr": "1",
"scope": "openid email test",
"email_verified": false,
"email": "[email protected]"
}
Although -d 'scope=openid' was provided with the refresh request, it is ignored: the new access token carries all of the default scopes (email, test) instead of only the requested one.
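As an added example (not code from this issue or from Keycloak/RH-SSO), the Python check below applies the RFC 6749 rule quoted above to a refresh-token response: it computes the scope a conforming server may issue for a given original grant and requested scope, reads the scope claim out of the returned JWT, and flags any scope issued beyond that. The sample token and its claims are constructed to mirror the report, and the function names are my own.

```python
import base64
import json
from typing import Optional

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def expected_refresh_scope(originally_granted: str, requested: Optional[str]) -> set:
    """Scope a conforming server may issue on a refresh_token grant (RFC 6749 s.6).
    An omitted 'scope' means the original grant; a present one must be a subset."""
    original = set(originally_granted.split())
    if requested is None:
        return original
    asked = set(requested.split())
    widening = asked - original
    if widening:
        raise ValueError(f"client asked for scopes never granted: {sorted(widening)}")
    return asked

def jwt_scope_claim(token: str) -> set:
    """Read the 'scope' claim from a JWT payload. The signature is NOT verified;
    this only inspects a token you just received from the server over TLS."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    return set(payload.get("scope", "").split())

def check_downscoping(token: str, originally_granted: str, requested: Optional[str]) -> dict:
    """Compare the issued scope with what RFC 6749 allows for this refresh grant."""
    expected = expected_refresh_scope(originally_granted, requested)
    actual = jwt_scope_claim(token)
    unexpected = actual - expected          # scopes the server should not have issued
    return {"expected": expected, "actual": actual,
            "unexpected": unexpected, "ok": not unexpected}

# Constructed sample token mirroring the claims in the report (dummy signature,
# not a real RH-SSO token): the refresh grant asked for scope=openid only.
_SAMPLE_PAYLOAD = {"typ": "Bearer", "azp": "app-profile-vanilla",
                   "scope": "openid email test"}
SAMPLE_TOKEN = ".".join([_b64url_encode(b'{"alg":"RS256","typ":"JWT"}'),
                         _b64url_encode(json.dumps(_SAMPLE_PAYLOAD).encode()),
                         "dummysig"])

if __name__ == "__main__":
    print(check_downscoping(SAMPLE_TOKEN, "openid email test", "openid"))
```

Run against a real response by passing the access_token string from the refresh call in place of SAMPLE_TOKEN; a non-empty "unexpected" set is the behaviour this issue describes.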