oauth-2.0 microservices cloudfoundry-uaa

How to get a new access token with additional scope without re-login?

I am working with Cloudfoundry UAA

I am not sure if it is possible in standard oauth2. The situation is ->

User logs into the app
He receives an access_token and refresh_token
He can keep on acquiring new access_tokens which has original scopes
His access permission changes so new scopes are added for him

Now I need a new access token, without him to log in again. Is it possible that I can use the same refresh_token and ask for access_token with modified scopes?

Thanks in advance!

Solution

In a word no. This would be a violation of the user's Trust. And in case you have not heard, that is a bad thing.

There is an Internet Draft RFC OAuth 2.0 Incremental Authorization (put forth by Google) There is some talk about it here.

What's the point of refresh token?
What is the purpose of a "Refresh Token"?
"no_valid_keys_or_signatures" Error Calling DocuSign API through Java SDK for OAuth 2.0 Authentication
oauth2 proxy with Ingress nginx not passing X-Auth-Request headers during standard auth flow
How to configure OAuth2AuthorizedClientManager with an HTTP proxy?
Spotify API AttributeError: module 'spotipy.util' has no attribute 'oauth2'
3rd party cookies in Android 14/New Chrome using Angular/Firebase Auth/Hosting and NodeJs in Server
Error: Invalid Request: Value passed for the authorization code was invalid
Spring Security OAuth2 - Add parameter to Authorization URL
Gmail Oauth2 - restrict the scope to only emails from a certain domain
In Scala/Akka, how would I go about correctly implementing user permissions in combination with oAuth2?
Use Oauth2+Django to get authorization to access user's Gmail
Ruby & IMAP - Accessing Office 365 with Oauth 2.0
Facebook graph api returns 400 bad request with correct access token
How do I add audience validation using Spring OAuth without needing the issuer?
How to make Depends optional in FastAPI?
Getting refresh token for gmail API with Spring Security
Creating firebase user with authentication information from Salesforce
Where to store the refresh token on the Client?
Swift Discord OAuth2 redirect URi not supported by Client
Apim policy to validat token for b2b and as well as b2c tenant token endpoints
Google OAuth 2 Error 400: redirect_uri_mismatch but redirect uri is compliant and already registered in Google Cloud Console
Google APIs Console - missing client secret
Automating access token refreshing via interceptors in axios
Supabase does not append code parameter to the redirect URL after OAuth login
How/why is login page redirect required?
Where can I find a list of scopes for Google's OAuth 2.0 API?
Using ASP.Net Core Identity in parallel with OpenIdConnect OAuth2
Spring security JWT without OAuth
Add OAuth authentication for HTTP request triggers