René's URL Explorer Experiment


Title: Token endpoint scope parameter (avoiding ADSTS28003) · Issue #130 · SecureAuthCorp/oauth2c · GitHub

Open Graph Title: Token endpoint scope parameter (avoiding ADSTS28003) · Issue #130 · SecureAuthCorp/oauth2c

X Title: Token endpoint scope parameter (avoiding ADSTS28003) · Issue #130 · SecureAuthCorp/oauth2c

Description: In a relatively obscure passage in RFC6749 it seems that token endpoint may also accept scope parameter: [3.3](https://www.rfc-editor.org/rfc/rfc6749#section-3.3). Access Token Scope The authorization and token endpoints allow the client...

Open Graph Description: In a relatively obscure passage in RFC6749 it seems that token endpoint may also accept scope parameter: [3.3](https://www.rfc-editor.org/rfc/rfc6749#section-3.3). Access Token Scope The authorizat...

X Description: In a relatively obscure passage in RFC6749 it seems that token endpoint may also accept scope parameter: [3.3](https://www.rfc-editor.org/rfc/rfc6749#section-3.3). Access Token Scope The authorizat...

Opengraph URL: https://github.com/SecureAuthCorp/oauth2c/issues/130

X: @github

direct link

Domain: github.com


Hey, it has json ld scripts:
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Token endpoint scope parameter (avoiding ADSTS28003)","articleBody":"In a relatively obscure passage in RFC6749 it seems that token endpoint may also accept `scope` parameter:\n\n    [3.3](https://www.rfc-editor.org/rfc/rfc6749#section-3.3).  Access Token Scope\n\n    The authorization and token endpoints allow the client to specify the\n    scope of the access request using the \"scope\" request parameter.  In\n    turn, the authorization server uses the \"scope\" response parameter to\n    inform the client of the scope of the access token issued.\n\nWhen requesting multiple scopes for multiple audiences, Microsoft Entra refuses the authorization code to access token exchange with the message \n\n    ADSTS28003: Provided value for the input parameter scope cannot be empty\n    when requesting an access token using the provided authorization code\n\nThe application is supposed to re-use the authorization code (or use the refresh token if issued) and call the token endpoint multiple times to obtain multiple access tokens, one per requested scope. \n\nI wonder what should be the usable user interface for this in a tool like oauth2c. MSAL does it in a pretty ugly way (using an extra[extra_scopes_to_consent](https://msal-python.readthedocs.io/en/latest/#msal.PublicClientApplication.acquire_token_interactive.params.extra_scopes_to_consent) parameter). \n\nLooks like I can't call the token endpoint two times with the same authorization code:\n\n    AADSTS54005: OAuth2 Authorization code was already redeemed,\n    please retry with a new valid code or use an existing refresh token. \n\nThe following sequence of curl requests seems to work:\n\n# Obtain the authorization code (token endpoint call will fail, but we use the authorization code)\n\n```sh\noauth2c \"$URL\" \\\n  --no-browser \\\n  --client-id \"$CLIENT_ID\" \\\n  --response-types code \\\n  --response-mode query \\\n  --grant-type authorization_code \\\n  --auth-method none \\\n  --scopes scope1,scope2 \\\n  --authorization-endpoint \"${AUTHORIZATION_ENDPOINT}\" \\\n  --token-endpoint \"${TOKEN_ENDPOINT}\" \\\n  --pkce\n```\n\n# Exchange authorization code for scope1 only\n\n```sh\ncurl \"${TOKEN_ENDPOINT}\" \\\n -H \"Origin: http://localhost:9876\" \\\n -d redirect_uri=http://localhost:9876/callback \\\n -d  code=\"$code\" \\\n -d code_verifier=\"$v\" \\\n -d grant_type=authorization_code \\\n -d client_id=$CLIENT_ID \\\n -d scope=scope1 \u003e token1\nREFRESH_TOKEN=\"$(jq -r .refresh_token \u003c token1)\"\n```\n\n# Exchange the refresh token for scope2 only\n\n```sh\ncurl \"${TOKEN_ENDPOINT}\" \\\n -H \"Origin: http://localhost:9876\" \\\n -d refresh_token=\"$REFRESH_TOKEN\" \\\n -d grant_type=refresh_token \\\n -d client_id=$CLIENT_ID \\\n -d scope=scope2 \u003e token2\n```\n\n# Refresh token for scope1\n\n```sh\nR1=$(jq -r .refresh_token token1)\noauth2c \"$URL\" \\\n  --no-browser \\\n  --client-id \"$CLIENT_ID\" \\\n  --grant-type refresh_token \\\n  --token-endpoint \"${TOKEN_ENDPOINT}\"  \\\n  --auth-method none \\\n  --refresh-token \"$R1\"\n```\n\n# Refresh token for scope2\n\n```sh\nR2=$(jq -r .refresh_token token2)\noauth2c \"$URL\" \\\n  --no-browser \\\n  --client-id \"$CLIENT_ID\" \\\n  --grant-type refresh_token \\\n  --token-endpoint \"${TOKEN_ENDPOINT}\"  \\\n  --auth-method none \\\n  --refresh-token \"$R2\"\n```\n\nIt looks like the refresh token \"knows\" which scope it should generate the updated access token for, but it is possible to specify the `scope` parameter anyway:\n\n```sh\nR2=$(jq -r .refresh_token token2)\noauth2c \"$URL\" \\\n  --no-browser \\\n  --client-id \"$CLIENT_ID\" \\\n  --grant-type refresh_token \\\n  --token-endpoint \"${TOKEN_ENDPOINT}\"  \\\n  --auth-method none \\\n  --scope scope1 \\\n  --refresh-token \"$R2\"\n```\n\nThis also works and generates a new access token for `scope1` and so on...\n\nOne implementation idea would be:\n\n1. We could add `--token-scopes` parameter (the actual name of the parameter would be `scope`) which could be added automatically for any calls to the token endpoint. \n\n1. The `--grant_type authorization_code`  could send `--scopes` to the authorization endpoint and `--token-scopes` to the token endpoint (both as the `scope` parameter).\n\n2. The `--grant_type refresh_token` could send `--token-scopes` to the token endpoint.\n\n3. Implicit grant never calls the token endpoint, so the `--token-scopes` could be ignored (or not accepted)\n\n4. Client credentials - I don't know - in that case `--scopes` and `--token-scopes` mean the same.\n\n5. Other flows - no idea yet.","author":{"url":"https://github.com/saper","@type":"Person","name":"saper"},"datePublished":"2025-04-17T19:20:02.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":2},"url":"https://github.com/130/oauth2c/issues/130"}

route-pattern/_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format)
route-controllervoltron_issues_fragments
route-actionissue_layout
fetch-noncev2:9bf8da71-514d-fb83-b7b2-85006ee207ae
current-catalog-service-hash81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114
request-idB700:11BE9D:1DB99F1:2B31E73:6A4BCE54
html-safe-nonce07c0ff0fa2873672d52e158156c13224e3d6f5b64b9720bc0618c858a636406a
visitor-payloadeyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJCNzAwOjExQkU5RDoxREI5OUYxOjJCMzFFNzM6NkE0QkNFNTQiLCJ2aXNpdG9yX2lkIjoiNjEwOTI0MjQxNzk3NzQ3ODc0MSIsInJlZ2lvbl9lZGdlIjoiaWFkIiwicmVnaW9uX3JlbmRlciI6ImlhZCJ9
visitor-hmacc97fe98bc4520c5a9c0c1c370f62f4dd8e93d81890b32a776d5e62fa6889f67c
hovercard-subject-tagissue:3003268431
github-keyboard-shortcutsrepository,issues,copilot
google-site-verificationApib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I
octolytics-urlhttps://collector.github.com/github/collect
analytics-location///voltron/issues_fragments/issue_layout
fb:app_id1401488693436528
apple-itunes-appapp-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/SecureAuthCorp/oauth2c/130/issue_layout
twitter:imagehttps://opengraph.githubassets.com/77d78a688ec6a88b4ddcd8a3441346beb763995d5cd587dd5fa2f214a3c2d277/SecureAuthCorp/oauth2c/issues/130
twitter:cardsummary_large_image
og:imagehttps://opengraph.githubassets.com/77d78a688ec6a88b4ddcd8a3441346beb763995d5cd587dd5fa2f214a3c2d277/SecureAuthCorp/oauth2c/issues/130
og:image:altIn a relatively obscure passage in RFC6749 it seems that token endpoint may also accept scope parameter: [3.3](https://www.rfc-editor.org/rfc/rfc6749#section-3.3). Access Token Scope The authorizat...
og:image:width1200
og:image:height600
og:site_nameGitHub
og:typeobject
og:author:usernamesaper
hostnamegithub.com
expected-hostnamegithub.com
None9df996be9551ac02247d09a2f7f64ece66c35ca28885d346e98fdfda9cdaa37b
turbo-cache-controlno-preview
go-importgithub.com/SecureAuthCorp/oauth2c git https://github.com/SecureAuthCorp/oauth2c.git
octolytics-dimension-user_id9470173
octolytics-dimension-user_loginSecureAuthCorp
octolytics-dimension-repository_id507841912
octolytics-dimension-repository_nwoSecureAuthCorp/oauth2c
octolytics-dimension-repository_publictrue
octolytics-dimension-repository_is_forkfalse
octolytics-dimension-repository_network_root_id507841912
octolytics-dimension-repository_network_root_nwoSecureAuthCorp/oauth2c
turbo-body-classeslogged-out env-production page-responsive
disable-turbofalse
browser-stats-urlhttps://api.github.com/_private/browser/stats
browser-errors-urlhttps://api.github.com/_private/browser/errors
releaseb71208a1c9ec7ccf364087569d0551f665dda674
ui-targetfull
theme-color#1e2327
color-schemelight dark

Links:

Skip to contenthttps://github.com/SecureAuthCorp/oauth2c/issues/130#start-of-content
https://github.com/
Sign in https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2FSecureAuthCorp%2Foauth2c%2Fissues%2F130
GitHub CopilotWrite better code with AIhttps://github.com/features/copilot
GitHub Copilot appDirect agents from issue to mergehttps://github.com/features/ai/github-app
MCP RegistryNewIntegrate external toolshttps://github.com/mcp
ActionsAutomate any workflowhttps://github.com/features/actions
CodespacesInstant dev environmentshttps://github.com/features/codespaces
IssuesPlan and track workhttps://github.com/features/issues
Code ReviewManage code changeshttps://github.com/features/code-review
GitHub Advanced SecurityFind and fix vulnerabilitieshttps://github.com/security/advanced-security
Code securitySecure your code as you buildhttps://github.com/security/advanced-security/code-security
Secret protectionStop leaks before they starthttps://github.com/security/advanced-security/secret-protection
Why GitHubhttps://github.com/why-github
Documentationhttps://docs.github.com
Bloghttps://github.blog
Changeloghttps://github.blog/changelog
Marketplacehttps://github.com/marketplace
View all featureshttps://github.com/features
Enterpriseshttps://github.com/enterprise
Small and medium teamshttps://github.com/team
Startupshttps://github.com/enterprise/startups
Nonprofitshttps://github.com/solutions/industry/nonprofits
App Modernizationhttps://github.com/solutions/use-case/app-modernization
DevSecOpshttps://github.com/solutions/use-case/devsecops
DevOpshttps://github.com/solutions/use-case/devops
CI/CDhttps://github.com/solutions/use-case/ci-cd
View all use caseshttps://github.com/solutions/use-case
Healthcarehttps://github.com/solutions/industry/healthcare
Financial serviceshttps://github.com/solutions/industry/financial-services
Manufacturinghttps://github.com/solutions/industry/manufacturing
Governmenthttps://github.com/solutions/industry/government
View all industrieshttps://github.com/solutions/industry
View all solutionshttps://github.com/solutions
AIhttps://github.com/resources/articles?topic=ai
Software Developmenthttps://github.com/resources/articles?topic=software-development
DevOpshttps://github.com/resources/articles?topic=devops
Securityhttps://github.com/resources/articles?topic=security
View all topicshttps://github.com/resources/articles
Customer storieshttps://github.com/customer-stories
Events & webinarshttps://github.com/resources/events
Ebooks & reportshttps://github.com/resources/whitepapers
Business insightshttps://github.com/solutions/executive-insights
GitHub Skillshttps://skills.github.com
Documentationhttps://docs.github.com
Customer supporthttps://support.github.com
Community forumhttps://github.com/orgs/community/discussions
Trust centerhttps://github.com/trust-center
Partnershttps://github.com/partners
View all resourceshttps://github.com/resources
GitHub SponsorsFund open source developershttps://github.com/sponsors
Security Labhttps://securitylab.github.com
Maintainer Communityhttps://maintainers.github.com
Acceleratorhttps://github.com/accelerator
GitHub Starshttps://stars.github.com
Archive Programhttps://archiveprogram.github.com
Topicshttps://github.com/topics
Trendinghttps://github.com/trending
Collectionshttps://github.com/collections
Enterprise platformAI-powered developer platformhttps://github.com/enterprise
GitHub Advanced SecurityEnterprise-grade security featureshttps://github.com/security/advanced-security
Copilot for BusinessEnterprise-grade AI featureshttps://github.com/features/copilot/copilot-business
Premium SupportEnterprise-grade 24/7 supporthttps://github.com/premium-support
Pricinghttps://github.com/pricing
Search syntax tipshttps://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax
documentationhttps://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax
Sign in https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2FSecureAuthCorp%2Foauth2c%2Fissues%2F130
Sign up https://github.com/signup?ref_cta=Sign+up&ref_loc=header+logged+out&ref_page=%2F%3Cuser-name%3E%2F%3Crepo-name%3E%2Fvoltron%2Fissues_fragments%2Fissue_layout&source=header-repo&source_repo=SecureAuthCorp%2Foauth2c
Reloadhttps://github.com/SecureAuthCorp/oauth2c/issues/130
Reloadhttps://github.com/SecureAuthCorp/oauth2c/issues/130
Reloadhttps://github.com/SecureAuthCorp/oauth2c/issues/130
Please reload this pagehttps://github.com/SecureAuthCorp/oauth2c/issues/130
SecureAuthCorp https://github.com/SecureAuthCorp
oauth2chttps://github.com/SecureAuthCorp/oauth2c
Notifications https://github.com/login?return_to=%2FSecureAuthCorp%2Foauth2c
Fork 50 https://github.com/login?return_to=%2FSecureAuthCorp%2Foauth2c
Star 927 https://github.com/login?return_to=%2FSecureAuthCorp%2Foauth2c
Code https://github.com/SecureAuthCorp/oauth2c
Issues 2 https://github.com/SecureAuthCorp/oauth2c/issues
Pull requests 1 https://github.com/SecureAuthCorp/oauth2c/pulls
Actions https://github.com/SecureAuthCorp/oauth2c/actions
Security and quality 0 https://github.com/SecureAuthCorp/oauth2c/security
Insights https://github.com/SecureAuthCorp/oauth2c/pulse
Code https://github.com/SecureAuthCorp/oauth2c
Issues https://github.com/SecureAuthCorp/oauth2c/issues
Pull requests https://github.com/SecureAuthCorp/oauth2c/pulls
Actions https://github.com/SecureAuthCorp/oauth2c/actions
Security and quality https://github.com/SecureAuthCorp/oauth2c/security
Insights https://github.com/SecureAuthCorp/oauth2c/pulse
Token endpoint scope parameter (avoiding ADSTS28003)https://github.com/SecureAuthCorp/oauth2c/issues/130#top
https://github.com/saper
saperhttps://github.com/saper
on Apr 17, 2025https://github.com/SecureAuthCorp/oauth2c/issues/130#issue-3003268431
extra_scopes_to_consenthttps://msal-python.readthedocs.io/en/latest/#msal.PublicClientApplication.acquire_token_interactive.params.extra_scopes_to_consent
https://github.com
Termshttps://docs.github.com/site-policy/github-terms/github-terms-of-service
Privacyhttps://docs.github.com/site-policy/privacy-policies/github-privacy-statement
Securityhttps://github.com/security
Statushttps://www.githubstatus.com/
Communityhttps://github.community/
Docshttps://docs.github.com/
Contacthttps://support.github.com?tags=dotcom-footer

Viewport: width=device-width


URLs of crawlers that visited me.