
Support passing scopes when doing a refresh token flow #624

@blevy-oai

Description


Is your feature request related to a problem? Please describe.
Refreshing access tokens currently sends only grant_type=refresh_token and refresh_token, with no scope. RFC 6749 allows scope on refresh and says it can be used (and if omitted, it defaults to the originally granted scope). (datatracker.ietf.org (https://datatracker.ietf.org/doc/rfc6749)). In practice, some providers require or expect scopes on refresh. In our case with Azure AD v2 (/oauth2/v2.0/token), the refresh call fails unless scopes are included, even though the initial authorization succeeds. The metadata we advertise includes scopes like api://…/all and offline_access. Microsoft’s docs emphasize scopes in v2 token flows and that offline_access is required to receive refresh tokens. (learn.microsoft.com (https://learn.microsoft.com/EN-US/azure/active-directory/develop/scopes-oidc?utm_source=openai))

Describe the solution you'd like
Allow passing scopes when requesting a new token via refresh (e.g., reuse the scopes from the stored token response, or accept an explicit scopes parameter for refresh). This aligns with RFC 6749’s refresh grant, which allows the scope parameter on refresh requests. (datatracker.ietf.org (https://datatracker.ietf.org/doc/rfc6749/)). Concretely: when calling exchange_refresh_token, add scopes from the existing credential’s scope set (if present), or allow callers to override.

Describe alternatives you've considered

  • Re-authenticate instead of refresh (works but is disruptive).
  • Patch/fork to add scopes at the app level.
  • Require all servers to only use providers that tolerate scope-less refresh, which is not realistic.

Additional context
RFC 6749 explicitly allows scope on refresh and states that if omitted it is treated as the originally granted scope; this suggests clients may need to carry scopes forward. (datatracker.ietf.org (https://datatracker.ietf.org/doc/rfc6749/)). OAuth.com’s summary of the refresh flow also notes scope as an optional parameter on refresh. (oauth.com (https://www.oauth.com/oauth2-servers/access-tokens/refreshing-access-tokens/))
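The behaviour the issue asks for (carry the originally granted scope forward on refresh, or accept an explicit override), as an added example that is not the SDK's own exchange_refresh_token code; the function names and the api://example-app/all scope value are constructed for illustration.

```python
"""Build an RFC 6749 section 6 refresh-token request body that carries the
granted scope forward. Example code for this issue, not the SDK's own code;
all names here are hypothetical."""
from urllib.parse import urlencode


def effective_scope(token_response, requested_scopes):
    """Scope to store alongside a token response.

    RFC 6749 section 5.1 makes ``scope`` optional in the response when it
    is identical to what the client requested, so fall back to the request.
    """
    if token_response.get("scope"):
        return token_response["scope"]
    return " ".join(requested_scopes)


def build_refresh_body(refresh_token, granted_scope=None, override_scopes=None,
                       client_id=None):
    """Return form parameters for a refresh request.

    granted_scope   -- space-delimited scope stored with the credential
                       (None if nothing was recorded)
    override_scopes -- explicit list of scopes; section 6 says these MUST NOT
                       include any scope that was not originally granted
    """
    body = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    if client_id:  # public clients identify themselves in the body
        body["client_id"] = client_id
    granted = granted_scope.split() if granted_scope else []
    if override_scopes is not None:
        requested = list(dict.fromkeys(override_scopes))  # dedupe, keep order
        extra = sorted(set(requested) - set(granted))
        if granted and extra:
            raise ValueError(f"scopes not originally granted: {extra}")
        scope = requested
    else:
        scope = granted  # default: reuse exactly what was granted before
    if scope:
        body["scope"] = " ".join(scope)
    return body


def encode_refresh_body(**kwargs):
    """application/x-www-form-urlencoded body for the token endpoint."""
    return urlencode(build_refresh_body(**kwargs))
```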
