[Openid-specs-fapi] Issue #263: Are scopes required to be returned when exchanging Refresh Tokens for Access Tokens. (openid/fapi)
issues-reply at bitbucket.org
Thu Aug 22 13:20:56 UTC 2019
New issue 263: Are scopes required to be returned when exchanging Refresh Tokens for Access Tokens.
Conformance Test Requires: Scopes for both Auth Code and Refresh Token exhcnage for ATs. This clause was added originally to prevent session elevation style attacks to occur where a scope was added to request in the UA. Without retruning the scopes the RP has no idea if what it asked for was tampered with in the UA when the requests are unsigned. This has been mitigated partially by requiring all paramters to be in the signed request.
First decision: Is this still required given that the scopes can’t be tampered with.
Second decision: If it is, is this required on just auth code or again on every refresh token exchange as well.
More information about the Openid-specs-fapi