Merge pull request #278 from rest-sh/refresh-scopes

fix: send scopes on refresh token requests

Author: danielgtaylor

oauth/authcode.go

@@ -373,6 +373,7 @@ func (h *AuthorizationCodeHandler) OnRequest(request *http.Request, key string,
 		refreshSource := RefreshTokenSource{
 			ClientID:       params["client_id"],
 			TokenURL:       params["token_url"],
+			Scopes:         strings.Split(params["scopes"], ","),
 			EndpointParams: &endpointParams,
 			RefreshToken:   cli.Cache.GetString(refreshKey),
 			TokenSource:    source,

oauth/refresh.go

@@ -1,8 +1,8 @@
 package oauth
 
 import (
-	"fmt"
 	"net/url"
+	"strings"
 
 	"github.com/danielgtaylor/restish/cli"
 	"golang.org/x/oauth2"
@@ -17,6 +17,9 @@ type RefreshTokenSource struct {
 	// TokenURL is used to fetch new tokens
 	TokenURL string
 
+	// Scopes to request when refreshing the token
+	Scopes []string
+
 	// EndpointParams are extra URL query parameters to include in the request
 	EndpointParams *url.Values
 
@@ -35,14 +38,21 @@ type RefreshTokenSource struct {
 func (ts *RefreshTokenSource) Token() (*oauth2.Token, error) {
 	if ts.RefreshToken != "" {
 		cli.LogDebug("Trying refresh token to get a new access token")
-		payload := fmt.Sprintf("grant_type=refresh_token&client_id=%s&refresh_token=%s", ts.ClientID, ts.RefreshToken)
+		refreshParams := url.Values{
+			"grant_type":    []string{"refresh_token"},
+			"client_id":     []string{ts.ClientID},
+			"refresh_token": []string{ts.RefreshToken},
+			"scope":         []string{strings.Join(ts.Scopes, " ")},
+		}
 
-		params := ts.EndpointParams.Encode()
-		if len(params) > 0 {
-			payload += "&" + params
+		// Copy any endpoint-specific parameters.
+		if ts.EndpointParams != nil {
+			for k, v := range *ts.EndpointParams {
+				refreshParams[k] = v
+			}
 		}
 
-		token, err := requestToken(ts.TokenURL, payload)
+		token, err := requestToken(ts.TokenURL, refreshParams.Encode())
 		if err == nil {
 			return token, err
 		}