Expected Behavior

In spring-security-oauth2-client, the scope of the refresh token is a collection of the scopes of multiple ClientRegistrations. When the access token expires, a ClientRegistration uses this refresh token to obtain a new access token. RefreshTokenOAuth2AuthorizedClientProvider uses the scope in OAuth2AuthorizedClient as requestScope.

Current Behavior

When the access token expires, RefreshTokenOAuth2AuthorizedClientProvider uses HttpServletRequest.getParameter(OAuth2ParameterNames.SCOPE) as requestScope.

Context

For example, a developer has clientRegistration1 and clientRegistration2. The scopes of these two ClientRegistrations are subsets of the scope of the refresh token. When these two ClientRegistrations use the refresh token to obtain an access token, I cannot get an access token that contains the correct scope.

When using @RegisteredOAuth2AuthorizedClient("blabla"), under what circumstances will scope be set on the HttpServletRequest, and why not use the scope in OAuth2AuthorizedClient as requestScope?

Comment From: jgrandja

@lzc-1997-abel The current behaviour you specified is not correct.

When the access token expires, RefreshTokenOAuth2AuthorizedClientProvider uses HttpServletRequest.getParameter(OAuth2ParameterNames.SCOPE) as requestScope.

The scope parameter will only be passed in a refresh_token grant if the scope parameter is available in the initiating request. See this line of code.

If the scope parameter is not available, then the refreshed access token will include the same scopes as the expired access token.

For further reference, see section 6. Refreshing an Access Token:

scope OPTIONAL. The scope of the access request as described by Section 3.3. The requested scope MUST NOT include any scope not originally granted by the resource owner, and if omitted is treated as equal to the scope originally granted by the resource owner.

I'm going to close this issue as the current functionality is implemented as per spec.

Comment From: zhichengliu12581

Hi @jgrandja, thank you for your response.

The scope parameter will only be passed in a refresh_token grant if the scope parameter is available in the initiating request. See this line of code.

This is exactly what I want to ask: when I use @RegisteredOAuth2AuthorizedClient("blabla") to refresh the access token of the specified clientRegistration, how can I make the scope parameter available?

In my scenario, a clientRegistration uses a refresh_token that contains more scopes than it needs. How can I make the obtained scope the scope of the clientRegistration instead of the same scopes as the expired access token?

Comment From: jgrandja

@lzc-1997-abel

How can I make the scope parameter available?

Please see the reference documentation for DefaultOAuth2AuthorizedClientManager.contextAttributesMapper.

Also, this test demonstrates the flow.

FYI, we prefer to use GitHub issues only for bugs and enhancements. In the future, please log questions on Stack Overflow and it will get answered there.
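Added example (not code from this issue or from Spring Security itself) of the contextAttributesMapper approach pointed to above: when the incoming request carries no scope parameter, it fills OAuth2AuthorizationContext.REQUEST_SCOPE_ATTRIBUTE_NAME from the ClientRegistration's own configured scopes, so RefreshTokenOAuth2AuthorizedClientProvider sends only that registration's subset in the refresh_token grant. It assumes Spring Security 5.x with javax.servlet; the class and method names are hypothetical.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.function.Function;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.oauth2.client.OAuth2AuthorizationContext;
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.util.StringUtils;

public class RegistrationScopedRefresh { // hypothetical class name
    public static DefaultOAuth2AuthorizedClientManager authorizedClientManager(
            ClientRegistrationRepository registrations, OAuth2AuthorizedClientRepository clients) {
        DefaultOAuth2AuthorizedClientManager manager =
                new DefaultOAuth2AuthorizedClientManager(registrations, clients);
        manager.setAuthorizedClientProvider(OAuth2AuthorizedClientProviderBuilder.builder()
                .authorizationCode().refreshToken().build());
        manager.setContextAttributesMapper(scopeFromRegistration(registrations));
        return manager;
    }

    // Fills REQUEST_SCOPE_ATTRIBUTE_NAME, which RefreshTokenOAuth2AuthorizedClientProvider
    // sends as the scope parameter of the refresh_token grant (String[] is required there).
    static Function<OAuth2AuthorizeRequest, Map<String, Object>> scopeFromRegistration(
            ClientRegistrationRepository registrations) {
        return req -> {
            HashSet<String> scopes = new HashSet<>();
            HttpServletRequest servlet = req.getAttribute(HttpServletRequest.class.getName());
            String param = (servlet != null) ? servlet.getParameter(OAuth2ParameterNames.SCOPE) : null;
            if (StringUtils.hasText(param)) { // an explicit ?scope= still wins, as with the default mapper
                scopes.addAll(Arrays.asList(StringUtils.delimitedListToStringArray(param, " ")));
            } else {
                ClientRegistration reg = registrations.findByRegistrationId(req.getClientRegistrationId());
                if (reg != null && reg.getScopes() != null) scopes.addAll(reg.getScopes());
            }
            // RFC 6749 section 6: never request scopes the resource owner did not originally grant.
            // Only checkable here when the caller attached the authorized client to the request.
            OAuth2AuthorizedClient client = req.getAuthorizedClient();
            if (client != null) scopes.retainAll(client.getAccessToken().getScopes());
            if (scopes.isEmpty()) return Collections.emptyMap(); // no scope param: server keeps granted scope
            return Collections.<String, Object>singletonMap(
                    OAuth2AuthorizationContext.REQUEST_SCOPE_ATTRIBUTE_NAME, scopes.toArray(new String[0]));
        };
    }
}
```

If the intersection is empty the mapper sends no scope parameter, so the authorization server falls back to the originally granted scope rather than rejecting the refresh.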