Scope not being passed to refreshToken() in fetch wrapper

[spencerldixon]

I'm not a big js guy so please forgive me if I'm doing a fridge temperature IQ move here but...

I'm using the fetch wrapper to send POST requests from a chrome extension to an app. I can oauth between the two successfully, but when a refreshToken happens from the fetch wrapper, my backend returns a 400 bad request.

Looking into this, I noticed the difference between the two requests is that the refresh requests are missing the scope.

I saw this PR which adds an optional scope param to refreshToken (https://github.com/badgateway/oauth2-client/pull/135/files) but it doesn't look like it's been added to the fetch wrapper https://github.com/badgateway/oauth2-client/blob/main/src/fetch-wrapper.ts#L157

Am i missing something? Is there a way to ensure the scope from the client makes it through to refresh requests in the fetch wrapper?

[evert]

Hey, the fetch wrapper doesn't do anything with this currently. The scope should be inherited from the original access token:

scope
OPTIONAL. The scope of the access request as described by
Section 3.3. The requested scope MUST NOT include any scope
not originally granted by the resource owner, and if omitted is
treated as equal to the scope originally granted by the
resource owner.

https://datatracker.ietf.org/doc/html/rfc6749#section-6

Are you using a server that doesn't respect this, or are you trying to use the scope parameter to change the scope from what it originally was?

if it's the former I would suggest you try to file a bug report with your vendor. Bug fixes are better than workarounds for sloppy implementations.