oauth-2.0 microservices cloudfoundry-uaa

How to get a new access token with additional scope without re-login?

I am working with Cloudfoundry UAA

I am not sure if it is possible in standard oauth2. The situation is ->

User logs into the app
He receives an access_token and refresh_token
He can keep on acquiring new access_tokens which has original scopes
His access permission changes so new scopes are added for him

Now I need a new access token, without him to log in again. Is it possible that I can use the same refresh_token and ask for access_token with modified scopes?

Thanks in advance!

Solution

In a word no. This would be a violation of the user's Trust. And in case you have not heard, that is a bad thing.

There is an Internet Draft RFC OAuth 2.0 Incremental Authorization (put forth by Google) There is some talk about it here.

What If Session Expires While User Is Still On The Website
Remix run: Authentication succeeds on validation failures
Google OAuth 2 Error 400: redirect_uri_mismatch but redirect uri is compliant and already registered in Google Cloud Console
Using two or more SecurityFilterChains with Spring Security 6 does not work properly, only one chain is invoked
What is the purpose of the 'state' parameter in OAuth authorization request
OAuth 2.0 Single Client Configuration for Web and Mobile Applications
OAuth 2 access_token vs OpenId Connect id_token
Spring Security - Multiple OAuth2 Identity providers (github and google) work with only one Bean with @Prirmary?
Error in oAuth2 Google APIs - invalid_request "You can't sign in to this app because it doesn't comply with Google's OAuth 2.0 policy"
MSAL Node service & The Partner Center API
How to change the app name for Firebase authentication (what the user sees)
Generate token fails for Azure app which is both client and API (client credentials workflow)
Is it okay to encrypt a 3rd party access token and refresh token, in an encrypted JWT?
Is a Client Secret Required for Google OAuth 2.0 using the PKCE Authorization Flow? Should I Expose the Client Secret Publicly?
What is the purpose of a "Refresh Token"?
Pagination with oauth azure data factory
How to use supabase google auth provider in react naive expo app
How to bypass keycloak login page and provide client suggested idp with spring security
Issue with Discord OAuth2 redirect_uri component
npm install error - invalid package.json
Google Identity Platform: Using OAuth 2.0 in Powershell using Firebase Admin SDK private key
Can I get the company name/logo with the LinkedIn API?
PayPal REST API credentials of another business or party
Configuring spring-boot-starter-oauth2-client to authenticate with Azure AD
Problems logging into coinbase api with oauth2
Azure authentification for multiple audience using WithExtraScopesToConsent and AcquireTokenSilent
Microsoft OAuth authorization code flow CORS
How to authorize a request to the FCM v1 API with an access token
Error creating bean with name 'corsConfigurationSource'
MailKit OAuth2 SMTP Office365 Send Mail