Skip to content

Commit f13c026

Browse files
james-d-elliottjames-d-elliott
committed
feat: filtering mode
1 parent c78df76 commit f13c026

File tree

2 files changed

+271
-150
lines changed

2 files changed

+271
-150
lines changed

handler/oauth2/flow_refresh.go

Lines changed: 16 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -29,6 +29,11 @@ type RefreshTokenGrantHandler struct {
2929
fosite.AudienceStrategyProvider
3030
fosite.RefreshTokenScopesProvider
3131
}
32+
33+
// IgnoreRequestedScopeNotInOriginalGrant determines the action to take when the requested scopes in the refresh
34+
// flow were not originally granted. If false which is the default the handler will automatically return an error.
35+
// If true the handler will filter out / ignore the scopes which were not originally granted.
36+
IgnoreRequestedScopeNotInOriginalGrant bool
3237
}
3338

3439
// HandleTokenEndpointRequest implements https://tools.ietf.org/html/rfc6749#section-6
@@ -89,12 +94,10 @@ func (c *RefreshTokenGrantHandler) HandleTokenEndpointRequest(ctx context.Contex
8994
9095
See https://www.rfc-editor.org/rfc/rfc6749#section-6
9196
*/
92-
switch scope := request.GetRequestForm().Get("scope"); scope {
93-
case "":
94-
// Addresses point 1 of the text in RFC6749 Section 6.
97+
98+
// Addresses point 1 of the text in RFC6749 Section 6.
99+
if len(request.GetRequestedScopes()) == 0 {
95100
request.SetRequestedScopes(originalRequest.GetGrantedScopes())
96-
default:
97-
request.SetRequestedScopes(fosite.RemoveEmpty(strings.Split(scope, " ")))
98101
}
99102

100103
request.SetRequestedAudience(originalRequest.GetRequestedAudience())
@@ -103,9 +106,15 @@ func (c *RefreshTokenGrantHandler) HandleTokenEndpointRequest(ctx context.Contex
103106
originalScopes := originalRequest.GetGrantedScopes()
104107

105108
for _, scope := range request.GetRequestedScopes() {
106-
// Addresses point 2 of the text in RFC6749 Section 6.
107109
if !strategy(originalScopes, scope) {
108-
return errorsx.WithStack(fosite.ErrInvalidScope.WithHintf("The requested scope '%s' was not originally granted by the resource owner.", scope))
110+
if c.IgnoreRequestedScopeNotInOriginalGrant {
111+
// Skips addressing point 2 of the text in RFC6749 Section 6 and instead just prevents the scope
112+
// requested from being granted.
113+
continue
114+
} else {
115+
// Addresses point 2 of the text in RFC6749 Section 6.
116+
return errorsx.WithStack(fosite.ErrInvalidScope.WithHintf("The requested scope '%s' was not originally granted by the resource owner.", scope))
117+
}
109118
}
110119

111120
if !strategy(request.GetClient().GetScopes(), scope) {

0 commit comments

Comments
 (0)