Logical flaw in RefreshTokenTest#refreshTokenReuseTokenScopeParameterNotInRefreshToken #29952

@dteleguin

Description

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

testsuite

Describe the bug

According to the logic in TokenManager, if a scope is requested during token refresh which was not part of the original token, this should result in a successful token response. The requested scope should not be included in the newly issued refresh token.

However, the test expects a 400 Bad Request and an invalid_scope error. This error comes from a different piece of code and is actually a result of strict scope validation, because ssh_public_key is not recognized as a valid scope in Keycloak.

I think that the correct logic for the test should be the following:

  • create the ssh_public_key client scope and assign it to the test client;
  • request a set of tokens with a default scope;
  • perform token refresh with ssh_public_key scope included;
  • expect a 200 OK and assert that the refresh token scope is unchanged.

Version

999.0.0-SNAPSHOT

Regression

  • The issue is a regression

Expected behavior

The code should be testing the logic introduced by the original PR and the follow-up PR.

Actual behavior

The code actually tests different functionality (strict scope validation).

How to Reproduce?

  • create the ssh_public_key manually and assign it to the test-app client;
  • rerun RefreshTokenTest#refreshTokenReuseTokenScopeParameterNotInRefreshToken against the existing server. The test will fail.

Anything else?

No response
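The proposed test logic and the reproduction steps above can be checked against a running server without the testsuite. The script below is an added example, not Keycloak's code or the reporter's; the endpoint URL, realm, client credentials and user are assumed placeholders, and it assumes direct access grants are enabled for the client and that an `ssh_public_key` client scope has been created and assigned to it. It performs a password grant with the default scope, refreshes with `scope=ssh_public_key`, and compares the `scope` claim of the two refresh tokens.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Constructed assumptions: adjust to the realm and client under test.
TOKEN_ENDPOINT = "http://localhost:8080/realms/test/protocol/openid-connect/token"
CLIENT_ID, CLIENT_SECRET = "test-app", "password"
USERNAME, PASSWORD = "test-user@localhost", "password"


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload without verifying the signature (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def scope_set(token: str) -> set:
    """Space-delimited 'scope' claim as a set; empty set if the claim is absent."""
    return set(jwt_claims(token).get("scope", "").split())


def refresh_scope_unchanged(original_refresh: str, refreshed: str) -> bool:
    """The assertion the report proposes: a scope requested on refresh that was
    not in the original grant must not show up in the newly issued refresh token."""
    return scope_set(refreshed) == scope_set(original_refresh)


def unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned token (header.payload.) for offline checks."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


def token_request(**form) -> tuple:
    """POST form fields to the token endpoint; return (HTTP status, JSON body)."""
    data = urllib.parse.urlencode(
        {"client_id": CLIENT_ID, "client_secret": CLIENT_SECRET, **form}).encode()
    req = urllib.request.Request(TOKEN_ENDPOINT, data=data, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:  # 400 invalid_scope lands here
        return err.code, json.load(err)


if __name__ == "__main__":
    status, first = token_request(grant_type="password", username=USERNAME,
                                  password=PASSWORD)
    assert status == 200, first
    status, second = token_request(grant_type="refresh_token",
                                   refresh_token=first["refresh_token"],
                                   scope="ssh_public_key")
    print("refresh status:", status, second.get("error"))
    if status == 200:
        print("refresh token scope unchanged:",
              refresh_scope_unchanged(first["refresh_token"], second["refresh_token"]))
```

A 400 with `invalid_scope` at the refresh step reproduces the strict-scope-validation path the report describes; a 200 whose new refresh token carries `ssh_public_key` would indicate the TokenManager logic itself is not behaving as intended.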
