Use scope asked by the client if any

[pyrech]

RefreshTokens always had a default scope (the config supported_scopes in FosOAuthServerBundle) instead of the scope asked by the client if any.

[Spomky]

Your are right, this part must be updated, but your PR does not solve the problem and it creates a new (security) issue.

According to the RFC, The requested scope MUST NOT include any scope not originally granted by the resource owner, and if omitted is treated as equal to the scope originally granted by the resource owner.

With your PR, if a refresh token has "scope1 scope2" and the client request "scope4", it will receive an access token and a refresh token with "scope4".
If the client request no scope, the server will issue an access token and a refresh token without any scope, which is wrong too.

The logic should be:

if no scope is requested, then stored scope is used
else,
    if scope is requested, the scope must be within stored scope
    else exception

[pyrech]

Thanks, you're absolutely right. I edited the class and updated the test.

[Spomky]

You should add some new test to verify the following cases:

• no scope requested: the refresh token has the scope defined in the old refresh token
• new scope requested: the exception is thrown

[pyrech]

Done :)

[jaytaph]

Really like to see this PR merged as well.

[Spomky]

It can be merged.
@pyrech could you please rebase and squash your PR please?

[pyrech]

Done

[Spomky]

@pyrech many thanks!
@alanbem looks good to me. Can be merged.

[alanbem]

@alanbem looks to me. Can be merged.

done!