From 12b0cfed59e1614ded72cc619a38d7eebee83415 Mon Sep 17 00:00:00 2001
From: William Denniss
Date: Fri, 21 Sep 2018 09:49:23 -0700
Subject: [PATCH] Remove `scope` from the token refresh request as it is redundant Scope is a valid parameter for the Refresh Token request (Sectiom 6 of RFC 6749), however it's optional and when ommitted is treated as equal to the scope originally granted by the resource owner. Since the indented behavior of this convenience method is to create a token refresh with the full scope, it's redundant to include. Related to b5870c0bc6f65cb4004d697722612cd4a1019ab8 but slightly different reason.
---
 Source/OIDAuthState.m | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Source/OIDAuthState.m b/Source/OIDAuthState.m
index 8b141a667..d084ef1fd 100644
--- a/Source/OIDAuthState.m
+++ b/Source/OIDAuthState.m
@@ -414,7 +414,7 @@ - (OIDTokenRequest *)tokenRefreshRequestWithAdditionalParameters:
 redirectURL:nil
 clientID:_lastAuthorizationResponse.request.clientID
 clientSecret:_lastAuthorizationResponse.request.clientSecret
- scope:_lastAuthorizationResponse.request.scope
+ scope:nil
 refreshToken:_refreshToken
 codeVerifier:nil
 additionalParameters:additionalParameters];
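Review bot: The new `scope:nil` argument has no comment, so the reason for omitting scope on refresh is recorded only in the commit message, and a later edit could reinstate `_lastAuthorizationResponse.request.scope` as an apparent fix. I would add a comment next to the argument, for example `// scope omitted on purpose: per RFC 6749 section 6 the server then applies the scope originally granted`. It is also worth stating in the method's header documentation that this convenience request always refreshes with the full granted scope, so a caller who wants a narrower access token must build the token request itself. The method body starts and ends outside the hunk, so whether such documentation already exists cannot be confirmed from here.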