> On 20 Feb 2024, at 06:44, Sachin Mamoru <sachinmam...@gmail.com> wrote:
>
>
> Hi All,
>
> When we request an access token using 3 scopes (scope1, scope2, scope3),
> we then receive a refresh token (refresh_token1) with the access token.
>
> After that, we request another access token with refresh_token1 and provide
> the scope list as scope1 and scope2 (narrowing down the scopes).
> Similarly, we get another refresh token (refresh_token2) with the access token.
>
> Now if we request another access token with refresh_token2, we cannot request
> scope3; instead, we can either request both scope1 and scope2 or one of them.
>
> But in the specification, I wasn't able to find anything related to narrowing
> down scopes with a refresh token.
>
> From the spec:
>
> 1.5. Refresh Token - Refresh tokens are issued to the client by the
> authorization server and are used to obtain a new access token when the
> current access token becomes invalid or expires or to obtain additional
> access tokens with identical or narrower scope (access tokens may have a
> shorter lifetime and fewer permissions than authorized by the resource owner).
>
> 6. Refreshing an Access Token
> The scope of the access request as described by Section 3.3. The requested
> scope MUST NOT include any scope not originally granted by the resource
> owner, and if omitted is treated as equal to the scope originally granted by
> the resource owner.
>
> https://datatracker.ietf.org/doc/html/rfc6749
>
> IMO, from a security aspect, the current behaviour is much more secure
> because it is designed to maintain the principle of least privilege, where it
> updates the refresh token authorised scopes based on the requested ones.
>
> What should be the correct behaviour?
> Should a refresh token with a narrowed-down scope also be able to request an
> access token with the original scope list?
Also from section 6:

    If a new refresh token is issued, the refresh token scope MUST be
    identical to that of the refresh token included by the client in the
    request.

— Neil
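As an added illustration (not code from the thread or from any real authorization server), the following token-endpoint handler applies the section 6 rules quoted above: a requested scope outside the original grant is rejected, an omitted scope means the original scope, and a rotated refresh token keeps the scope of the one presented, so narrowing an access token never narrows the refresh token itself. The in-memory store, token format and error names are assumptions made for the example.

```python
# Constructed example of the refresh-token grant's scope rules from
# RFC 6749 sections 1.5 and 6; not code from the thread or any real AS.
# The in-memory store, token format and error names are assumptions.
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class RefreshToken:
    value: str
    client_id: str
    scope: frozenset  # scope originally granted by the resource owner


REFRESH_STORE = {}  # constructed store: refresh-token value -> RefreshToken


def issue_refresh_token(client_id, scope):
    """Mint and persist a refresh token bound to the granted scope."""
    rt = RefreshToken(secrets.token_urlsafe(32), client_id, frozenset(scope))
    REFRESH_STORE[rt.value] = rt
    return rt


def refresh_grant(refresh_token, client_id, requested_scope=None, rotate=True):
    """Handle grant_type=refresh_token; returns a token response dict
    or an OAuth error dict. requested_scope is the space-separated
    'scope' parameter, or None when the client omitted it."""
    presented = REFRESH_STORE.get(refresh_token)
    if presented is None or presented.client_id != client_id:
        return {"error": "invalid_grant"}
    if requested_scope is None:
        scope = presented.scope  # omitted => original grant (section 6)
    else:
        scope = frozenset(requested_scope.split())
        if not scope <= presented.scope:
            # Out-of-grant scope is rejected, not silently trimmed.
            return {"error": "invalid_scope"}
    response = {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "scope": " ".join(sorted(scope)),  # may be narrower than the grant
    }
    if rotate:
        # Rotation invalidates the presented token; the replacement keeps
        # the ORIGINAL scope (the "identical" rule in section 6).
        del REFRESH_STORE[refresh_token]
        new_rt = issue_refresh_token(client_id, presented.scope)
        response["refresh_token"] = new_rt.value
    return response
```

With this logic the scenario in the question plays out differently: after narrowing to scope1 and scope2, refresh_token2 can still obtain an access token for scope3, because it inherits the full original grant.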
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth