From 22743d9fce0c99e794be0eb3969341987b1936ee Mon Sep 17 00:00:00 2001
From: Milton Ch <86965029+Milton-Ch@users.noreply.github.com>
Date: Thu, 22 Dec 2022 08:22:31 -0400
Subject: [PATCH] fix(jans-auth-server): when obtain new token using refresh token, check whether scope is null (#3382)
---
.../io/jans/as/server/token/ws/rs/TokenExchangeService.java | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/token/ws/rs/TokenExchangeService.java b/jans-auth-server/server/src/main/java/io/jans/as/server/token/ws/rs/TokenExchangeService.java
index 135716dae02..9af2e141c28 100644
--- a/jans-auth-server/server/src/main/java/io/jans/as/server/token/ws/rs/TokenExchangeService.java
+++ b/jans-auth-server/server/src/main/java/io/jans/as/server/token/ws/rs/TokenExchangeService.java
@@ -66,7 +66,8 @@ public class TokenExchangeService {
private AttributeService attributeService;

public void rotateDeviceSecretOnRefreshToken(HttpServletRequest httpRequest, AuthorizationGrant refreshGrant, String scope) {
- if (!scope.contains(ScopeConstants.DEVICE_SSO)) {
+ if (StringUtils.isBlank(scope) || !scope.contains(ScopeConstants.DEVICE_SSO)) {
+ log.debug("Skip rotate device secret on refresh token. No device_sso scope.");
return;
}
if (StringUtils.isBlank(refreshGrant.getSessionDn())) {
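Review bot: The added `if` line closes the NPE on a null scope but keeps `scope.contains(ScopeConstants.DEVICE_SSO)`, which is a substring test over the space-delimited scope string, so any scope value that merely embeds the constant (for example `foo_device_sso` or `device_sso_x`) also passes the guard and reaches the device-secret rotation path below. If DEVICE_SSO is the bare scope name, a token-wise check makes the decision exact, e.g. `if (StringUtils.isBlank(scope) || !Arrays.asList(scope.split("\\s+")).contains(ScopeConstants.DEVICE_SSO)) {` — or, preferably, whatever helper the server already uses elsewhere to parse requested scopes, so this method agrees with the grant's own scope handling. The rest of rotateDeviceSecretOnRefreshToken's body continues past the hunk, so whether a later check compensates for the loose match cannot be seen here.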