[QUESTION] Token refresh on Google service returns 'Bad Request'

[geekarist]

I'm trying to use AuthState.performActionWithFreshTokens() to call a Google web service when my auth token has expired.

It seems that AuthState.performActionWithFreshTokens() uses the scope of the latest auth response and sends it to https://www.googleapis.com/oauth2/v4/token.

So when I do that, I get a Bad Request from v4/token because in the case of a token refresh, it doesn't expect a scope, as the documentation mentions: https://developers.google.com/identity/protocols/OAuth2InstalledApp#offline

I have tried to work around this by clearing the scope that is used by performActionWithFreshTokens() before refreshing my auth token, but the field is private so I can't override AuthState for this. Here is the code of my app: https://github.com/geekarist/who-am-i/blob/cdd5cf9cdfff02de02b6e8a467ea98e36e834a94/app/src/main/java/me/cpele/whoami/ProfileViewModel.kt#L31

Is there any other way?

[geekarist]

Finally I was able to subclass AuthState and override createTokenRefreshRequest() to make it work.

See this code: geekarist/who-am-i@4b7f3b4

I think it should be easier to override this behavior so I'm keeping this issue open.

[iainmcgin]

The OAuth2 spec permits sending a scope string as part of the refresh request, as long as the set of scopes this represents is not disjoint from what was originally requested. @WilliamDenniss should I file a bug for this with Google, or do you think we should omit the inclusion of the scope string in refresh requests?

[iainmcgin]

Upon discussing this with the other maintainers, we believe it would be best to change AppAuth's behavior to not include the scope string in token refresh requests by default. We have no clear recollection as to why we were including this, when not including it should produce the same behavior. It is possible that we were working around some IDP-specific bug in the early days.

[atkit]

Seems like iOS version of appauth does not send scopes on token refresh: github link

Currently we see some inconsistency in that sense between iOS and Android version.
Is it something that planned to do?