dusterio/lumen-passport

Cannot reduce scope on refresh token

Syafiqq opened this issue · 4 comments

While I try to refresh a token with a reduced scope, the generated token still has the same scope as the old one.

Steps to reproduce
  1. You can review this test.
  2. You can compare Lumen-Passport with Laravel-Passport. Just clone it, configure .env, run cmds/recreate-db.sh, and run the test.
  3. Here is the example test result using Lumen. All tests passed when using Laravel with Passport. [image]

@Syafiqq I think it's a known "feature" of Laravel Passport. If the same user/subject had access tokens before, the new access token will have the same scopes. Therefore, when changing privileges/scopes for a user, you have to purge old tokens from the database.

Oh, I never thought of that. Thank you for the explanation. 👍

Just curious, how to do that?

Oh, I just figured out that the Lumen test needs to call $this->refreshApplication(); in order to differentiate between requests. If I don't call that function, the incoming request always holds the previous request's parameters.
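The two-request flow discussed in this thread, written as a Lumen test, as an added example (this is not code from the issue or from lumen-passport). It assumes Passport's default `/oauth/token` route, a password-grant client and a user already seeded with the hypothetical values below, and `read` and `write` scopes defined in the application. The `scopes` check decodes the JWT payload without verifying the signature, which is acceptable only because the test itself just issued the token.

```php
<?php

namespace Tests;

class RefreshTokenScopeTest extends TestCase
{
    // Hypothetical fixture values; replace with whatever your seeder creates.
    private const CLIENT_ID = 2;
    private const CLIENT_SECRET = 'client-secret';
    private const USERNAME = 'user@example.com';
    private const PASSWORD = 'secret';

    /**
     * Read the `scopes` claim out of a Passport access token (a JWT).
     * No signature verification: this only inspects a token the test just minted.
     */
    private function scopesFromJwt(string $jwt): array
    {
        $payload = explode('.', $jwt)[1] ?? '';
        $json = base64_decode(strtr($payload, '-_', '+/'), true);

        return json_decode($json, true)['scopes'] ?? [];
    }

    /** POST to the token endpoint and return the decoded JSON body. */
    private function token(array $body): array
    {
        $this->post('/oauth/token', $body);
        $this->assertResponseOk();

        return json_decode($this->response->getContent(), true);
    }

    public function testRefreshWithReducedScope(): void
    {
        $first = $this->token([
            'grant_type'    => 'password',
            'client_id'     => self::CLIENT_ID,
            'client_secret' => self::CLIENT_SECRET,
            'username'      => self::USERNAME,
            'password'      => self::PASSWORD,
            'scope'         => 'read write',
        ]);
        $this->assertSame(['read', 'write'], $this->scopesFromJwt($first['access_token']));

        // Without this, the second request in a Lumen test still sees the
        // first request's parameters, so the refresh appears to keep the old scope.
        $this->refreshApplication();

        $second = $this->token([
            'grant_type'    => 'refresh_token',
            'client_id'     => self::CLIENT_ID,
            'client_secret' => self::CLIENT_SECRET,
            'refresh_token' => $first['refresh_token'],
            'scope'         => 'read',
        ]);
        $this->assertSame(['read'], $this->scopesFromJwt($second['access_token']));
    }
}
```

Run it with the project's usual `vendor/bin/phpunit`. The OAuth2 refresh grant only allows the requested scope to be a subset of the original token's scope, so asking for `read` here is valid; asking for a scope the first token did not have would be rejected by the server rather than silently granted.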