-
-
Notifications
You must be signed in to change notification settings - Fork 367
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unable to request narrower scopes in OAuth2 Refresh Token Exchange #696
Comments
Your reading of the RFC seems correct to me. I can't speak officially on behalf of ory but generally this is something that provided there is a linked RFC, and you can produce a test that fails before your fix and passes after it will be accepted if you're interested in producing a PR. If not I'm happy to do so and credit you. |
Sure, I'd be happy to throw together a PR with this fix. Thanks! |
Fixing the OAuth2 token refresh handler to: - Read and use the optional 'scope' form parameter, if present. - Otherwise default to requesting the originally granted scopes. This endpoint should be completely agnostic of: - The originally **requested** scopes - The **client scopes** (both current and past client scopes) Fixes ory#696
Fixing the OAuth2 token refresh handler to: - Read and use the optional 'scope' form parameter, if present. - Otherwise default to requesting the originally granted scopes. This endpoint should be completely agnostic of: - The originally **requested** scopes - The **client scopes** (both current and past client scopes) Fixes ory#696
As discussed in the PR, the scope parameter should be respected in the refresh flow as well as the OAuth2 client scope :) |
Just to clarify the above: Fosite does currently have a bug where it does not respect the |
I've managed to wrangle together some actual proof the issue exists. The tests are very primitive but demonstrate the https://gist.github.com/james-d-elliott/1475671e805c9b4e2167c6c1b61f05f2 |
The following patch resolves said issue but breaks Index: handler/oauth2/flow_refresh.go
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/handler/oauth2/flow_refresh.go b/handler/oauth2/flow_refresh.go
--- a/handler/oauth2/flow_refresh.go (revision 2d32d9ebe7d97181c9193292f7004133ae097f40)
+++ b/handler/oauth2/flow_refresh.go (date 1667363251433)
@@ -96,13 +96,25 @@
}
request.SetSession(originalRequest.GetSession().Clone())
- request.SetRequestedScopes(originalRequest.GetRequestedScopes())
+
+ switch scope := request.GetRequestForm().Get("scope"); scope {
+ case "":
+ request.SetRequestedScopes(originalRequest.GetGrantedScopes())
+ default:
+ request.SetRequestedScopes(fosite.RemoveEmpty(strings.Split(scope, " ")))
+ }
+
request.SetRequestedAudience(originalRequest.GetRequestedAudience())
- for _, scope := range originalRequest.GetGrantedScopes() {
+ for _, scope := range request.GetRequestedScopes() {
+ if !originalRequest.GetGrantedScopes().Has(scope) {
+ return errorsx.WithStack(fosite.ErrInvalidScope.WithHintf("The requested scope '%s' is not allowed as it was not originally granted during the access request.", scope))
+ }
+
if !c.Config.GetScopeStrategy(ctx)(request.GetClient().GetScopes(), scope) {
return errorsx.WithStack(fosite.ErrInvalidScope.WithHintf("The OAuth 2.0 Client is not allowed to request scope '%s'.", scope))
}
+
request.GrantScope(scope)
} |
So I think the original specific issue is solved by the changes. There is one particular point regarding the spec and what the text |
The resource owner is not involved during token refresh and is not granting scopes there. He/she only grants scopes on the consent UI screen. Therefore, this has to imply the original request! |
1 similar comment
The resource owner is not involved during token refresh and is not granting scopes there. He/she only grants scopes on the consent UI screen. Therefore, this has to imply the original request! |
Preflight checklist
Describe the bug
Hello!
I recently discovered that the Refresh Token Grant Handler does not currently honor the (optional) user requested
scope
parameter to request a subset of the originally granted scopes.For reference, here is the code in question:
The issues that I see with the current implementation are:
scope
form param.scope
form param). The result is that the refresh token exchange will fail if the client scopes are themselves narrowed after a refresh token is created.This is the implementation that I would propose, given my understanding of https://www.rfc-editor.org/rfc/rfc6749#section-6
Some pertinent notes from my reading of https://www.rfc-editor.org/rfc/rfc6749#section-6:
scope
parameter should allow the client to request a narrower set of scopes than were originally granted by the resource owner.scope
form param."If a new refresh token is issued, the refresh token scope MUST be identical to that of the refresh token included by the client in the request."
)Reproducing the bug
The current unit tests reproduce this issue. For example:
Relevant log output
No response
Relevant configuration
No response
Version
master
On which operating system are you observing this issue?
No response
In which environment are you deploying?
No response
Additional Context
No response
The text was updated successfully, but these errors were encountered: