We have a rule configured that grants users custom scopes when they request an access token or renew a token. The rule basically reads the scopes in the request and then adds a list of our custom scopes based on the user metadata.
As an example, we do something like this:
const customScopes = ['foo:bar'];
const req = context.request;
// Retrieve scopes either from the query parameters or the request body
const requestedScopeString = (req.query && req.query.scope) || (req.body && req.body.scope);
const grantedScopes = requestedScopeString ? requestedScopeString.split(' ') : [];
// Append our custom scopes to whatever the client requested
grantedScopes.push(...customScopes);
// Apply the merged list to the access token so the rule takes effect
context.accessToken.scope = grantedScopes;
This method works perfectly fine for the initial request for a token: the user is granted their requested scopes as well as our custom scopes. However, this is not working correctly for renewing tokens. When there is a token renewal, we should be able to return the scopes granted in the initial request. But the original scopes do not appear anywhere in the context or user objects. So what we end up doing is adding just our custom scopes, and the initially granted scopes are lost.
Is it possible to get the originally granted scopes when processing a token renewal? And if so, how do we get these scopes?
Rules will run for the Refresh Token Exchange. To execute special logic, you can look at the context.protocol property in your rule. If the value is oauth2-refresh-token, then this is the indication that the rule is running during the Refresh Token Exchange.
Can you try checking if there is anything related to that variable that is not getting run because it is a refresh exchange?
If you have a lot of permissions it may be worth looking into RBAC, but it is hard to say without knowing your exact use-case.
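As an added illustration of the check described above (example code, not the poster's rule and not Auth0's own), here is a rule shape that branches on context.protocol and recomputes the custom scopes from current user metadata on every exchange, so a refresh does not re-issue scopes the user no longer qualifies for. It assumes a hypothetical app_metadata.roles field as the source of custom scopes and that the rule writes its result to context.accessToken.scope.

```javascript
// Constructed mapping from a hypothetical app_metadata.roles value to custom scopes.
const CUSTOM_SCOPES_BY_ROLE = {
  admin: ['foo:bar', 'foo:admin'],
  member: ['foo:bar'],
};

// Read the scopes the client asked for, from the query string or the POST body.
function requestedScopes(context) {
  const req = context.request || {};
  const raw = (req.query && req.query.scope) || (req.body && req.body.scope) || '';
  return raw.split(' ').filter(Boolean);
}

// Custom scopes are derived from the user's *current* metadata, not copied from
// an earlier grant, so a role removed since the first token is not carried over.
function customScopesFor(user) {
  const roles = (user.app_metadata && user.app_metadata.roles) || [];
  const scopes = roles.flatMap((role) => CUSTOM_SCOPES_BY_ROLE[role] || []);
  return Array.from(new Set(scopes));
}

// Compute the scope list for this exchange and report whether it is a refresh.
// context.protocol === 'oauth2-refresh-token' marks the Refresh Token Exchange.
function computeScopes(user, context) {
  const isRefresh = context.protocol === 'oauth2-refresh-token';
  // On a refresh the request may carry no scope parameter at all; the merged
  // list is then just the metadata-derived custom scopes.
  const merged = new Set([...requestedScopes(context), ...customScopesFor(user)]);
  return { isRefresh, scopes: Array.from(merged) };
}

// Rule entry point in the (user, context, callback) shape used by Auth0 rules.
function rule(user, context, callback) {
  const { isRefresh, scopes } = computeScopes(user, context);
  context.accessToken = context.accessToken || {};
  context.accessToken.scope = scopes;
  // Constructed log line: useful when auditing what a refresh actually granted.
  console.log(`protocol=${context.protocol} refresh=${isRefresh} scopes=${scopes.join(' ')}`);
  return callback(null, user, context);
}
```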
Hi Dan. We have no special logic based on the context.protocol property. I’ve logged the full context and user objects to look for the initially granted scopes and there is nothing there.