Are scopes required to be returned when exchanging Refresh Tokens for Access Tokens?

Issue #263 closed
Ralph Bragg created an issue

Conformance Test Requirement: Return scopes when both Auth Code and Refresh Token are exchanged for ATs. This clause was added originally to prevent session elevation style attacks to occur where a scope was added to request in the UA. Without returning the scopes the RP has no idea if what it asked for was tampered with in the UA when the requests are unsigned. This has been mitigated by requiring all parameters to be in the signed request.

First decision: Is this still required given that the scopes can’t be tampered with.

Second decision: If it is, is this required on just auth code or again on every refresh token exchange as well.

Comments (13)

  1. Joseph Heenan

    It’s this FAPI-R clause (where we don’t have the signed request protection) and which is inherited into FAPI-RW:

    shall return the list of granted scopes with the issued access token;

    (from https://openid.net/specs/openid-financial-api-part-1-ID2.html )

    The FAPI-RW certification tests for refresh tokens are relatively new (added in June), so we don’t have a lot of data about them. The current certification tests & Authlete have interpreted the above clause as applying to all token endpoint responses that return access tokens, which seems to me to be the correct interpretation of the current specification text. I’m not sure about the original intention though.

    First decision: Is this still required given that the scopes can’t be tampered with.

    It’s definitely still required in FAPI-R; I guess FAPI-RW could explicitly say it doesn’t need it.

    Second decision: If it is, is this required on just auth code or again on every refresh token exchange as well.

    I’m not sure I see any benefit from requiring it for anything except the authorization code grant. I believe this clause is also inherited into FAPI-CIBA when it’s probably similarly unrequired.

    I believe previously someone on the working group (Nat possibly?) expressed an opinion that it was generally better to just always return scopes, as otherwise RP authors do not realise that less scopes than requested may be returned - that logic would apply to FAPI-R+FAPI-RW auth code grant and FAPI-CIBA grant, but wouldn’t appear to apply to the refresh grant.

  2. Freddi Gyara

    The requested scopes can't be tampered with, but the grant may be made with fewer scopes - and it would be good to be able to reflect this

  3. Ralph Bragg reporter

    @Freddi Gyara this is already required by lower specifications. If it’s changed at the AS then it must be returned in the introspection request. The reason this was added is because with FAPI R it isn’t possible to know if it was changed in the UA.

  4. Dave Tonge

    I would still like to keep this requirement in for authorization code grants, but don’t think it is necessary for refresh token grants

  5. Rob Otto

    I’m in agreement with @Dave Tonge above. I don’t feel this is necessary for refresh token grants.

    Rob Otto

    Office of the CTO - Ping Identity

  6. Joseph Heenan

    FAPI-R: returning scopes not necessary for refresh token grant

    As discussed on the issue, the refresh token grant cannot change the scopes within the access token (except for reducing them if explicitly requested by the client), so there is no benefit to returning the scopes.

    closes #263

    → <<cset cba6b5e3acfc>>
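An RP-side check of the two cases settled in this thread, added here as an example (it is not code from the FAPI specification, the conformance suite, or anyone in this thread). The token responses are constructed samples and the function names are my own; the refresh-grant handling follows RFC 6749 §5.1, where an omitted `scope` means the scope is unchanged from the original grant.

```python
import json


class ScopeMismatch(Exception):
    """Raised when a token response grants scopes outside what the RP asked for."""


def _parse_scopes(value):
    # OAuth 2.0 'scope' is a space-delimited string (RFC 6749 section 3.3)
    return set(value.split()) if value else set()


def check_code_grant(requested, token_response):
    """Authorization code grant: FAPI part 1 requires the AS to return the
    granted scopes with the AT, so a missing 'scope' is an error, and any
    scope the RP never requested is treated as tampering/elevation.
    Returns the granted set; the caller can diff it against 'requested'
    to see which scopes were refused (they may legitimately be fewer)."""
    body = json.loads(token_response)
    if "scope" not in body:
        raise ScopeMismatch("scope missing from authorization code grant response")
    granted = _parse_scopes(body["scope"])
    if not granted <= set(requested):
        raise ScopeMismatch(f"unrequested scopes granted: {sorted(granted - set(requested))}")
    return granted


def check_refresh_grant(granted, token_response, downscope=None):
    """Refresh token grant: the AS may omit 'scope' (meaning unchanged).
    If it is present, it must stay within the original grant, or within
    the narrower set the client explicitly asked for on this refresh."""
    body = json.loads(token_response)
    allowed = set(granted) if downscope is None else set(downscope) & set(granted)
    if "scope" not in body:
        return allowed
    new = _parse_scopes(body["scope"])
    if not new <= allowed:
        raise ScopeMismatch(f"refresh widened the grant: {sorted(new - allowed)}")
    return new


def is_rejected(check, *args, **kwargs):
    """Helper for callers/tests: True if the check raises ScopeMismatch."""
    try:
        check(*args, **kwargs)
    except ScopeMismatch:
        return True
    return False


# Constructed sample token responses (not captured from any real AS).
CODE_RESPONSE = json.dumps({"access_token": "at-1", "token_type": "Bearer",
                            "expires_in": 300, "scope": "openid accounts"})
REFRESH_RESPONSE_NO_SCOPE = json.dumps({"access_token": "at-2", "token_type": "Bearer",
                                        "expires_in": 300})
REFRESH_RESPONSE_WIDENED = json.dumps({"access_token": "at-3", "token_type": "Bearer",
                                       "expires_in": 300, "scope": "openid accounts payments"})
```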
