diff --git a/oauth2_provider/views/base.py b/oauth2_provider/views/base.py
index 51a1ecccb..e236f9064 100644
--- a/oauth2_provider/views/base.py
+++ b/oauth2_provider/views/base.py
@@ -12,7 +12,7 @@
 from ..exceptions import OAuthToolkitError
 from ..forms import AllowForm
 from ..http import OAuth2ResponseRedirect
-from ..models import get_access_token_model, get_application_model
+from ..models import get_access_token_model, get_application_model, get_refresh_token_model
 from ..scopes import get_scopes_backend
 from ..settings import oauth2_settings
 from ..signals import app_authorized
@@ -191,6 +191,12 @@ def get(self, request, *args, **kwargs):
             expires__gt=timezone.now()
         ).all()
 
+        refresh_tokens = get_refresh_token_model().objects.filter(
+            user=request.user,
+            application=kwargs["application"]
+        ).exclude(revoked__lt=timezone.now()).all()
+        tokens = list(tokens) + [r.access_token for r in refresh_tokens]
+
         # check past authorizations regarded the same scopes as the current one
         for token in tokens:
             if token.allow_scopes(scopes):
diff --git a/tests/test_authorization_code.py b/tests/test_authorization_code.py
index 35a4d47b1..45116dad6 100644
--- a/tests/test_authorization_code.py
+++ b/tests/test_authorization_code.py
@@ -197,6 +197,16 @@ def test_pre_auth_approval_prompt(self):
         url = "{url}?{qs}".format(url=reverse("oauth2_provider:authorize"), qs=query_string)
         response = self.client.get(url)
         self.assertEqual(response.status_code, 302)
+        # access token expired but valid refresh token exists
+        tok.expires = timezone.now() - datetime.timedelta(days=1)
+        tok.save()
+        reftok = RefreshToken.objects.create(
+            user=self.test_user, token="0123456789",
+            application=self.application,
+            access_token=tok
+        )
+        response = self.client.get(url)
+        self.assertEqual(response.status_code, 302)
         # user already authorized the application, but with different scopes: prompt them.
         tok.scope = "read"
         tok.save()
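Review bot: `r.access_token` in the new list comprehension can be None whenever the refresh token's access_token relation is nullable (as far as I can tell this project nulls it when the access token is revoked or cleaned up), and the loop that follows then calls `token.allow_scopes(scopes)` on None, so the authorize endpoint raises AttributeError for that user instead of showing the consent page. Exclude that case in the query and fetch the related row in the same query: `).exclude(revoked__lt=timezone.now()).filter(access_token__isnull=False).select_related("access_token")`. Separately, an un-revoked refresh token is taken here as proof of a still-valid grant; if the project enforces a refresh-token lifetime elsewhere (REFRESH_TOKEN_EXPIRE_SECONDS), that limit is not applied in this query, so consent could be skipped on the strength of a refresh token the token endpoint would no longer accept — either apply the same check or document the divergence in a comment above the query. The enclosing `get` starts and ends outside the hunk.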
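Review bot: The new steps leave `tok.expires` in the past for the remainder of test_pre_auth_approval_prompt, so the assertions after the hunk (the scope-change prompt and whatever follows it, outside the hunk) now exercise the refresh-token path rather than the access-token path they were written for, and a regression in the original path would no longer be caught there. Either restore the expiry set where `tok` is created (outside the hunk), e.g. `tok.expires = timezone.now() + datetime.timedelta(days=1); tok.save()`, or move the block into its own test method. `reftok` is assigned but never used; it would also be worth asserting the negative case by revoking it, `reftok.revoked = timezone.now(); reftok.save()`, and checking that the consent page is shown again, since that is the branch the `exclude(revoked__lt=...)` in the view is meant to cover. The enclosing test method continues past the hunk.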