Hi Neil,

Does that mean it should be identical to the narrowed scope request or the original request scope?
On Tue, 20 Feb 2024 at 16:31, Sachin Mamoru <sachinmam...@gmail.com> wrote:
>
> On Tue, 20 Feb 2024 at 12:23, Neil Madden <neil.e.mad...@gmail.com> wrote:
>>
>> On 20 Feb 2024, at 06:44, Sachin Mamoru <sachinmam...@gmail.com> wrote:
>>>
>>> Hi All,
>>>
>>> When we request an access token using 3 scopes (scope1, scope2, scope3),
>>> we will then receive a refresh token (refresh_token1) with the access token.
>>>
>>> After that we will request another access token with refresh_token1 and
>>> provide the scope list as scope1 and scope2 (narrowing down the scopes).
>>>
>>> Similarly, we get another refresh token (refresh_token2) with the access
>>> token.
>>>
>>> Now if we request another access token with refresh_token2, we cannot
>>> request scope3; instead, we can either request both scope1 and scope2 or
>>> one of them.
>>>
>>> But in the specification, I wasn't able to find anything related to
>>> narrowing down scopes with a refresh token.
>>>
>>> From the spec:
>>>
>>> 1.5. Refresh Token - Refresh tokens are issued to the client by the
>>> authorization server and are used to obtain a new access token when the
>>> current access token becomes invalid or expires or to obtain additional
>>> access tokens with identical or narrower scope (access tokens may have a
>>> shorter lifetime and fewer permissions than authorized by the resource
>>> owner).
>>>
>>> 6. Refreshing an Access Token
>>>
>>> The scope of the access request as described by Section 3.3. The
>>> requested scope MUST NOT include any scope not originally granted by the
>>> resource owner, and if omitted is treated as equal to the scope
>>> originally granted by the resource owner.
>>>
>>> https://datatracker.ietf.org/doc/html/rfc6749
>>>
>>> IMO, from a security aspect, the current behaviour is much more secure
>>> because it is designed to maintain the principle of least privilege, where
>>> it updates the refresh token's authorised scopes based on the requested ones.
>>>
>>> What should be the correct behaviour?
>>> Should a narrowed-down-scope refresh token also be able to request an access
>>> token with the original scope list?
>>
>> Also from section 6:
>>
>> If a
>> new refresh token is issued, the refresh token scope MUST be
>> identical to that of the refresh token included by the client in the
>> request.
>>
>> — Neil
>

--
Sachin Mamoru
Software Engineer, WSO2
+94771292681 | sachinmamoru.me <https://sachinmamoru.me>
sachinmam...@gmail.com <sachinmam...@gmail.com>
<https://www.linkedin.com/in/sachin-mamoru/>
<https://twitter.com/MamoruSachin>
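The two policies being compared in this thread can be made concrete with a small model of the token endpoint. The following is an added example written for this page; it is not code from the mailing list, from WSO2, or from any real authorization server, and the class and option names (AuthorizationServer, narrow_refresh_token_scope, run_thread_scenario) are assumptions chosen for illustration. With narrow_refresh_token_scope=False it applies the Section 6 text as quoted above literally: the requested scope may not exceed the scope of the refresh token presented, an omitted scope means that full scope, and a rotated refresh token keeps the scope of the token presented while only the access token is narrowed. With narrow_refresh_token_scope=True it models the behaviour described in the original question, where the new refresh token's scope follows the narrowed request, so scope3 can no longer be recovered from refresh_token2.

```python
"""Model of RFC 6749 Section 6 refresh-token scope handling.

Added example for this thread; it is not code from the mailing list, from
WSO2 or from any real authorization server. The class and option names
(AuthorizationServer, narrow_refresh_token_scope, ...) are assumptions
chosen for illustration.
"""
import secrets
from dataclasses import dataclass


class InvalidScope(Exception):
    """Corresponds to the 'invalid_scope' token error (RFC 6749 Section 5.2)."""


class InvalidGrant(Exception):
    """Corresponds to the 'invalid_grant' token error (RFC 6749 Section 5.2)."""


@dataclass
class RefreshToken:
    value: str
    scope: frozenset      # scope the resource owner authorised for this token
    revoked: bool = False


@dataclass
class TokenResponse:
    access_token: str
    access_scope: frozenset
    refresh_token: RefreshToken


class AuthorizationServer:
    """Token endpoint logic for the initial grant and the refresh_token grant.

    narrow_refresh_token_scope=False follows the Section 6 text literally:
    a rotated refresh token keeps the scope of the refresh token presented.
    narrow_refresh_token_scope=True models the behaviour described in the
    question: the new refresh token's scope follows the narrowed request.
    """

    def __init__(self, narrow_refresh_token_scope: bool = False) -> None:
        self.narrow_refresh_token_scope = narrow_refresh_token_scope
        self._refresh_tokens: dict[str, RefreshToken] = {}

    def _issue_refresh_token(self, scope) -> RefreshToken:
        token = RefreshToken(secrets.token_urlsafe(24), frozenset(scope))
        self._refresh_tokens[token.value] = token
        return token

    def grant(self, granted_scope) -> TokenResponse:
        """Initial grant: the resource owner authorises `granted_scope`."""
        token = self._issue_refresh_token(granted_scope)
        return TokenResponse(secrets.token_urlsafe(24), token.scope, token)

    def refresh(self, refresh_token_value: str, requested_scope=None) -> TokenResponse:
        """Refresh-token grant (Section 6) with refresh-token rotation."""
        old = self._refresh_tokens.get(refresh_token_value)
        if old is None or old.revoked:
            raise InvalidGrant("unknown, expired or already-used refresh token")

        # Section 6: an omitted scope is treated as the scope originally granted;
        # the requested scope MUST NOT include anything beyond it.
        if requested_scope is None:
            access_scope = old.scope
        else:
            access_scope = frozenset(requested_scope)
            excess = access_scope - old.scope
            if excess:
                raise InvalidScope(f"scope(s) not granted: {sorted(excess)}")

        # Rotation: the presented token is single-use from here on.
        old.revoked = True
        new_scope = access_scope if self.narrow_refresh_token_scope else old.scope
        new = self._issue_refresh_token(new_scope)
        return TokenResponse(secrets.token_urlsafe(24), access_scope, new)


def run_thread_scenario(narrow_refresh_token_scope: bool) -> dict:
    """Replay the sequence from the question and report what each policy does."""
    server = AuthorizationServer(narrow_refresh_token_scope)
    first = server.grant({"scope1", "scope2", "scope3"})
    # Narrow the access token to scope1 + scope2 using refresh_token1.
    second = server.refresh(first.refresh_token.value, {"scope1", "scope2"})
    # Try to get scope3 back using refresh_token2.
    try:
        server.refresh(second.refresh_token.value, {"scope3"})
        scope3_allowed = True
    except InvalidScope:
        scope3_allowed = False
    return {
        "second_access_scope": set(second.access_scope),
        "second_refresh_scope": set(second.refresh_token.scope),
        "scope3_allowed_afterwards": scope3_allowed,
    }


if __name__ == "__main__":
    for policy in (False, True):
        print(f"narrow_refresh_token_scope={policy}: {run_thread_scenario(policy)}")
```

Running run_thread_scenario(False) shows the access token narrowed to scope1 and scope2 while refresh_token2 still carries all three scopes, so a later request for scope3 succeeds; run_thread_scenario(True) shows refresh_token2 reduced to scope1 and scope2 and the scope3 request rejected with invalid_scope. Note that the scope check runs before the presented token is revoked, so a rejected over-broad request does not burn the client's refresh token, and that a second use of a rotated token is refused with invalid_grant.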
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth