OAuth refreshing the access token scope bug

Question

Hi guys! &nbsp;
I need some help with OAath AS. &nbsp;
If the refresh token was initially issued for the scopes "A B C" the only scope option to refresh access tokens is nothing but "A B C" exactly. &nbsp;
"scope A", "scope A B", even "scope C B A" options throw exception: &nbsp;

"error": "access_denied" &nbsp;
"error_description": "Given scope is different from the access token's scope" &nbsp;

But according to the RFC 6749 the scopes for refreshed access token must be just less than originally requested scopes. &nbsp;

scope 
         OPTIONAL.  The scope of the access request as described by 
         Section 3.3.  The requested scope MUST NOT include any scope 
         not originally granted by the resource owner, and if omitted is 
         treated as equal to the scope originally granted by the 
         resource owner. &nbsp;

Is it some sort of a bug or smth? 
Is it possible to somehow eliminate this restriction? &nbsp;
Thank you, 
Mikhail &nbsp;

mikhail_groshev · Answer

/sigh&nbsp;

mebbels · Answer

Hey, did you end up resolving this issue? I'm getting this error as well. Was they anyway to change the order?

Third party app is using MSAL and it scopes (which can not be change or modifed in the MSAL code) are causing issues.

Forum Discussion

OAuth refreshing the access token scope bug

2 Replies

Recent Discussions

Pool Members communication with B-party via F5 VIP

Find GSLB pool membership from vip IP

Server 2 causing application slowness

F5Access | MacOS Sonoma

AS3 Deployments (shared objects)

Related Content

iRuleLX Solution for OAUTH JWT authenticated Salesforce Query

Per Request access policy with OAuth Client Subroutine

Monitoring Failure OAuth request

WAF for APM Oauth Authorization VS

Federated AWS Console Access Made Easy: F5 BIG-IP Access Policy Manager Access Guided Configurations