Auth0 omitting scopes when refreshing access token
I'm using auth0-react to manage authentication in my SPA, and it's been working fine for many months. However, recently it stopped supporting the use of refresh tokens.
I believe my app is using a fairly standard structure, as defined in the documentation for v1.12.1. All is fine when I originally log in: the /authorize endpoint returns what's expected and triggers an immediate call to /token with grant_type=authorization_code in the payload. This succeeds: HTTP 200 and a response that includes refresh_token and scope, among other fields.
However, when I make an API call after the access token has expired, a call to /token is triggered which receives an HTTP 400 with body: {"error":"invalid_scope","error_description":"User is not authorized to the audience for those scopes"}. A bit of experimentation shows that the /token request has only the following four fields in its payload: client_id, redirect_uri, refresh_token and grant_type=refresh_token. When I make a manual call with the same details but I add scope, the request succeeds.
As such, I believe my question is: is there a way to force the getAccessTokenSilently function to include the scope parameter in a /token request with grant_type=refresh_token? Alternatively, can anyone guess what may have changed for this issue to appear unexpectedly a couple of weeks ago? (I believe I made no code changes that could be relevant: in fact, I made almost no changes to my Javascript in this time, and the problem persists on reverting to old code.)
I'm not an expert on authentication flows, so if my question is unclear or you can think of any further things to check, please let me know.
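As an added illustration (not code from the question, from auth0-react, or from auth0-spa-js), the following script builds the refresh_token grant request the question describes, with and without the optional scope field, and checks a /token response against what the client asked for. All client, redirect and token values are constructed placeholders and the success response is constructed; the error body is the one quoted in the question. Whether a given auth0-react version passes a scope option through getAccessTokenSilently is something to verify against that version's documentation; the script makes no claim about the library's internals.

```javascript
// Added illustration of the OAuth 2.0 refresh-token grant (RFC 6749, section 6)
// as seen from a client. Constructed for this page; it is not code from
// auth0-react or auth0-spa-js, and it talks to no real token endpoint.

// Request body for grant_type=refresh_token. The four fields the question
// observed are always present; `scope` is optional per the spec, and when
// sent it may only narrow the scope originally granted at /authorize.
function buildRefreshBody({ clientId, redirectUri, refreshToken, scope }) {
  const params = new URLSearchParams({
    grant_type: 'refresh_token',
    client_id: clientId,
    redirect_uri: redirectUri,
    refresh_token: refreshToken,
  });
  if (scope) params.set('scope', scope);
  return params.toString();
}

// Inverse of the above: decode a form body so a request captured in the
// browser's network tab can be inspected for a missing `scope` field.
function parseBody(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// The HTTP 400 body quoted in the question (verbatim) and a constructed
// success body whose scope is narrower than what the client requested.
const SAMPLE_ERROR_RESPONSE = {
  error: 'invalid_scope',
  error_description: 'User is not authorized to the audience for those scopes',
};
const SAMPLE_OK_RESPONSE = {
  access_token: 'constructed-access-token',
  refresh_token: 'constructed-refresh-token',
  token_type: 'Bearer',
  expires_in: 86400,
  scope: 'openid profile',
};

// Compare what /token returned with what was requested. Two things matter:
// the server must never grant more than was asked for, and the client must
// not assume it holds a scope the response does not list (a silently
// narrowed scope is exactly what makes a later API call fail).
function checkTokenResponse(requestedScope, status, body) {
  if (status !== 200) {
    return { ok: false, granted: [], missing: [], reason: `${body.error}: ${body.error_description}` };
  }
  const requested = requestedScope.split(' ').filter(Boolean);
  const granted = (body.scope || '').split(' ').filter(Boolean);
  const extra = granted.filter((s) => !requested.includes(s));
  if (extra.length > 0) {
    return { ok: false, granted, missing: [], reason: `granted scope exceeds request: ${extra.join(' ')}` };
  }
  const missing = requested.filter((s) => !granted.includes(s));
  return {
    ok: true,
    granted,
    missing,
    reason: missing.length > 0 ? `scope narrowed; missing: ${missing.join(' ')}` : 'full scope granted',
  };
}

// Walk-through with constructed values.
const REQUESTED_SCOPE = 'openid profile read:items';
const CLIENT = {
  clientId: 'constructed-client-id',
  redirectUri: 'https://app.example/callback',
  refreshToken: 'constructed-refresh-token',
};
const withoutScope = buildRefreshBody(CLIENT);
const withScope = buildRefreshBody({ ...CLIENT, scope: REQUESTED_SCOPE });
console.log('fields without scope:', Object.keys(parseBody(withoutScope)).join(', '));
console.log('fields with scope:   ', Object.keys(parseBody(withScope)).join(', '));
console.log('400 handling:', checkTokenResponse(REQUESTED_SCOPE, 400, SAMPLE_ERROR_RESPONSE).reason);
console.log('200 handling:', checkTokenResponse(REQUESTED_SCOPE, 200, SAMPLE_OK_RESPONSE).reason);
```

The response check is the part worth keeping in a real client: the authorization server is allowed to return a narrower scope than requested, so an application that keeps assuming the scope it asked for, rather than the scope the response lists, will only discover the difference when an API call is rejected.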
+1, same exact issue
I believe this is related
https://community.auth0.com/t/auth0-scope-not-returning-all-requested-values/83676