Closed
Labels: area/oidc, kind/bug, priority/blocker, release/24.0.2, release/25.0.0, team/core-clients
Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
core
Describe the bug
When executing an OIDC refresh grant request to the token endpoint, providing a valid offline token, and specifying scope via the scope parameter but without the offline_access scope included, the refresh request fails with an error.
Version
24.0.1
Regression
- The issue is a regression
Expected behavior
Refresh request should succeed.
Actual behavior
The following error is produced:
{
  "error": "not_allowed",
  "error_description": "Offline tokens not allowed for the user or client"
}
How to Reproduce?
- Create a client with offline_access scope available:
  - standard flow enabled
  - full scope allowed should be toggled off
  - offline_access scope set as optional
- Execute standard auth flow, with offline_access scope provided.
- Copy refresh (offline) token provided by token endpoint.
- Execute refresh token request providing offline token and scope in the form data. The scope should not specify offline_access.
curl --location 'http://localhost:8080/realms/master/protocol/openid-connect/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=refresh_token' \
  --data-urlencode 'refresh_token={refresh_token}' \
  --data-urlencode 'client_id=std-auth-client' \
  --data-urlencode 'scope=openid'
Observe error is produced.
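The reproduction steps above turned into a small regression probe, as an added example that is not part of the issue or of Keycloak itself: it sends the same refresh grant (offline token plus a scope parameter that omits offline_access) and classifies the token endpoint's answer, so an operator can confirm whether a given instance exhibits this behaviour. The token URL, client id and refresh token are inputs you supply; the sample responses in the test are constructed.

```python
"""Probe for the offline-token refresh-with-narrowed-scope failure described in the issue."""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request


def build_refresh_form(refresh_token, client_id, scope="openid"):
    """Form body for the refresh grant from the issue: an offline token refreshed
    with an explicit scope parameter that does not include offline_access."""
    return urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "scope": scope,
    }).encode()


def jwt_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified here."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def classify(status, body, requested_scope):
    """Map a token-endpoint response to a verdict on this specific failure."""
    if status == 200 and "access_token" in body:
        return "ok"
    if (status == 400 and body.get("error") == "not_allowed"
            and "offline_access" not in requested_scope.split()):
        return "affected"  # the not_allowed error from the issue, with offline_access omitted
    return "other-error"


def probe(token_url, refresh_token, client_id, scope="openid"):
    """Send the refresh grant and return (verdict, response body). Network access assumed."""
    req = urllib.request.Request(
        token_url,
        data=build_refresh_form(refresh_token, client_id, scope),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    try:
        with urllib.request.urlopen(req) as resp:
            status, body = resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        status, body = err.code, json.load(err)
    return classify(status, body, scope), body
```

When the verdict is "ok", `jwt_claims(body["access_token"])["scope"]` shows which scopes the refreshed token actually carries, which is the second thing to check after the request stops failing.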
Anything else?
Error thrown here:
throw new ErrorResponseException("not_allowed", "Offline tokens not allowed for the user or client", Response.Status.BAD_REQUEST);
In isOfflineTokenAllowed, it seems the offline_access role may not be available on the client session context here:
keycloak/services/src/main/java/org/keycloak/services/managers/UserSessionManager.java
Line 131 in 1788cf2
return clientSessionCtx.getRolesStream().collect(Collectors.toSet()).contains(offlineAccessRole);