Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Intrinsic scopes may cause creation of unnecessary new authorizations #494

Open
mike-marcacci opened this issue Apr 13, 2021 · 0 comments
Open

Intrinsic scopes may cause creation of unnecessary new authorizations #494

mike-marcacci opened this issue Apr 13, 2021 · 0 comments
Labels
packages/authx type:bug

Comments

@mike-marcacci
Copy link
Member

The refresh token logic is supposed to work as follows:

  1. validate the request/refresh token
  2. look for an existing active authorization tied to the grant with the same scopes
  3. if none exists, create a new authorization
  4. generate a token from that authorization

It appears that intrinsic scopes may not be factored into the comparison, such that when the requested scopes do not include the intrinsic scope, a new authorization can get created unnecessarily.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
packages/authx type:bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@mike-marcacci