On Tue, 20 Feb 2024 at 12:23, Neil Madden <neil.e.mad...@gmail.com> wrote:
> > On 20 Feb 2024, at 06:44, Sachin Mamoru <sachinmam...@gmail.com> wrote:
> >
> > Hi All,
> >
> > When we request an access token using 3 scopes (scope1, scope2, scope3),
> > we will then receive a refresh token (refresh_token1) with the access token.
> > After that we will request another access token with refresh_token1 and
> > provide the scope list as scope1 and scope2 (narrow down scopes).
> > Similarly, we get another refresh token (refresh_token2) with the access
> > token.
> >
> > Now if we request another access token with refresh_token2, we cannot
> > request scope3; instead, we can either request both scope1 and scope2 or
> > one of them.
> >
> > But in the specification, I wasn't able to find anything related to
> > narrowing down scopes with a refresh token.
> >
> > From the spec:
> >
> > 1.5. Refresh Token - Refresh tokens are issued to the client by the
> > authorization server and are used to obtain a new access token when the
> > current access token becomes invalid or expires or to obtain additional
> > access tokens with identical or narrower scope (access tokens may have a
> > shorter lifetime and fewer permissions than authorized by the resource
> > owner).
> >
> > 6. Refreshing an Access Token
> >
> > The scope of the access request as described by Section 3.3. The
> > requested scope MUST NOT include any scope not originally granted by the
> > resource owner, and if omitted is treated as equal to the scope
> > originally granted by the resource owner.
> >
> > https://datatracker.ietf.org/doc/html/rfc6749
> >
> > IMO, from a security aspect, the current behaviour is much more secure
> > because it is designed to maintain the principle of least privilege, where
> > it updates the refresh token's authorised scopes based on the requested ones.
> >
> > What should be the correct behaviour? Should a narrowed-down-scope refresh
> > token also be able to request an access token with the original scope list?
>
> Also from section 6:
>
> If a new refresh token is issued, the refresh token scope MUST be
> identical to that of the refresh token included by the client in the
> request.
>
> — Neil

--
Sachin Mamoru
Software Engineer, WSO2
+94771292681 | sachinmamoru.me <https://sachinmamoru.me>
sachinmam...@gmail.com <sachinmam...@gmail.com>
<https://www.linkedin.com/in/sachin-mamoru/> <https://twitter.com/MamoruSachin>
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
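To make the two behaviours discussed in the thread concrete, here is an added example (it is not WSO2's implementation, nor code from the RFC) of a minimal refresh-grant handler in Python. It models RFC 6749 Section 6 as Neil quotes it: the requested scope must not exceed the scope originally granted, an omitted scope defaults to that granted scope, and when the server rotates the refresh token the new token's scope is identical to the presented one. A `narrow_refresh_scope` flag (my own addition, not an OAuth parameter) reproduces the behaviour Sachin observed, where the rotated refresh token is bound to the narrowed request scope instead, so the consequence for a later request of `scope3` can be compared. The in-memory store, opaque random token strings, rotation on every refresh and all identifier names are assumptions of this example.

```python
"""Toy RFC 6749 Section 6 refresh-grant model (added example, not WSO2 or RFC code).

Assumptions (not from the thread): in-memory storage, opaque random refresh
tokens, and refresh-token rotation on every refresh request.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple


class InvalidScope(Exception):
    """RFC 6749 5.2 'invalid_scope': requested scope exceeds what was granted."""


class InvalidGrant(Exception):
    """RFC 6749 5.2 'invalid_grant': unknown or already-rotated refresh token."""


@dataclass
class RefreshTokenRecord:
    scope: FrozenSet[str]   # scope this refresh token is bound to
    revoked: bool = False   # set on rotation so the old token cannot be replayed


@dataclass
class AuthorizationServer:
    # False: RFC 6749 Section 6 behaviour; the rotated refresh token keeps the
    #        scope of the refresh token presented in the request.
    # True:  the behaviour described in the thread; the rotated refresh token
    #        is bound to the (possibly narrowed) scope of this request.
    narrow_refresh_scope: bool = False
    refresh_tokens: Dict[str, RefreshTokenRecord] = field(default_factory=dict)

    def authorize(self, scope: Iterable[str]) -> Tuple[FrozenSet[str], str]:
        """Resource owner approves `scope`; returns (access token scope, refresh token)."""
        granted = frozenset(scope)
        rt = secrets.token_urlsafe(16)
        self.refresh_tokens[rt] = RefreshTokenRecord(granted)
        return granted, rt

    def refresh(
        self, refresh_token: str, scope: Optional[Iterable[str]] = None
    ) -> Tuple[FrozenSet[str], str]:
        """Refresh grant (Section 6); returns (access token scope, new refresh token)."""
        rec = self.refresh_tokens.get(refresh_token)
        if rec is None or rec.revoked:
            raise InvalidGrant("unknown or already rotated refresh token")
        # Omitted scope is treated as equal to the scope the token was granted with.
        requested = rec.scope if scope is None else frozenset(scope)
        # The requested scope MUST NOT include any scope not originally granted.
        excess = requested - rec.scope
        if excess:
            raise InvalidScope(f"scope not granted: {sorted(excess)}")
        # Rotate: the presented token is revoked and a new one issued.
        rec.revoked = True
        new_rt = secrets.token_urlsafe(16)
        # Spec: new refresh token scope MUST be identical to the presented one.
        # Thread's observed behaviour: bind it to the narrowed request instead.
        new_scope = requested if self.narrow_refresh_scope else rec.scope
        self.refresh_tokens[new_rt] = RefreshTokenRecord(new_scope)
        return requested, new_rt


def run_thread_scenario(narrow_refresh_scope: bool) -> Optional[List[str]]:
    """Replays the sequence from the thread; returns the scope of the third
    access token, or None if the server rejected the request for scope3."""
    srv = AuthorizationServer(narrow_refresh_scope=narrow_refresh_scope)
    _, rt1 = srv.authorize({"scope1", "scope2", "scope3"})
    narrowed, rt2 = srv.refresh(rt1, {"scope1", "scope2"})   # narrowed access token
    assert narrowed == frozenset({"scope1", "scope2"})
    try:
        scope3_token, _ = srv.refresh(rt2, {"scope3"})
        return sorted(scope3_token)
    except InvalidScope:
        return None


def old_token_replay_rejected() -> bool:
    """After rotation the presented refresh token must no longer be usable."""
    srv = AuthorizationServer()
    _, rt1 = srv.authorize({"scope1"})
    srv.refresh(rt1)
    try:
        srv.refresh(rt1)
    except InvalidGrant:
        return True
    return False


if __name__ == "__main__":
    print("RFC 6749 Section 6 behaviour, scope3 via refresh_token2:",
          run_thread_scenario(narrow_refresh_scope=False))
    print("Narrowing behaviour from the thread, scope3 via refresh_token2:",
          run_thread_scenario(narrow_refresh_scope=True))
```

With `narrow_refresh_scope=False` the third request succeeds and yields an access token for `scope3`, because `refresh_token2` still carries the originally granted scope; with `narrow_refresh_scope=True` it fails with `invalid_scope`, which is exactly the observation that opened the thread. Whichever policy a server adopts, it should also reject a replayed pre-rotation refresh token, which `old_token_replay_rejected` checks.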