#1409 Avoid unhandled argument null exception for refresh_token grant…

… in token validator when scopes missing
DuendeSoftware · Sep 18, 2024 · 7c02c77 · 7c02c77
1 parent 765116a
commit 7c02c77
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/src/IdentityServer/Validation/Default/TokenRequestValidator.cs b/src/IdentityServer/Validation/Default/TokenRequestValidator.cs
@@ -763,6 +763,15 @@ private async Task<TokenRequestValidationResult> ValidateRefreshTokenRequestAsyn
             }
         }
 
+        //////////////////////////////////////////////////////////
+        // validate scopes
+        //////////////////////////////////////////////////////////
+        if (_validatedRequest.RefreshToken.AuthorizedScopes == null)
+        {
+            LogError("Refresh token has no associated scopes");
+            return Invalid(OidcConstants.AuthorizeErrors.InvalidScope, "Invalid scope.");
+        }
+
         //////////////////////////////////////////////////////////
         // resource indicator
         //////////////////////////////////////////////////////////