Remove scope from the token refresh request as it is redundant

Scope is a valid parameter for the Refresh Token request (Sectiom 6 of RFC 6749), however it's optional and when ommitted is treated as equal to the scope originally granted by the resource owner. Since the indented behavior of this convenience method is to create a token refresh with the full scope, it's redundant to include. Related to b5870c0 but slightly different reason.
openid · Sep 21, 2018 · 12b0cfe · 12b0cfe
1 parent fadb76d
commit 12b0cfe
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/Source/OIDAuthState.m b/Source/OIDAuthState.m
@@ -414,7 +414,7 @@ - (OIDTokenRequest *)tokenRefreshRequestWithAdditionalParameters:
                 redirectURL:nil
                    clientID:_lastAuthorizationResponse.request.clientID
                clientSecret:_lastAuthorizationResponse.request.clientSecret
-                      scope:_lastAuthorizationResponse.request.scope
+                      scope:nil
                refreshToken:_refreshToken
                codeVerifier:nil
        additionalParameters:additionalParameters];