exchangeRefreshTokenForAccessToken breaks compatibility with node-client

[ulybu]

So I don't know if the current behavior is good or not, but I know it differs from the node-client and breaks compatibility.

I use to call the following without error with the node-client

await fusionAuthClient.exchangeRefreshTokenForAccessToken(
  refreshToken, clientID, clientSecret
)

Now the same code gives me the following error:

ClientResponse {
  statusCode: 400,
  exception: {
    error: 'invalid_scope',
    error_description: 'The scope provided is different than the scope used to generate the refresh token.'
  }
}

To fix it, I need to modify my code and add the scope parameter:

await fusionAuthClient.exchangeRefreshTokenForAccessToken(
  refreshToken, clientID, clientSecret, 'offline_access'
)

---

I'm raising that as an issue because the readme in node-client implies that there will be compatibility:
https://github.com/FusionAuth/fusionauth-node-client#deprecation-warning

You can just change your dependency and should have no problems using it with node as the package is still javascript but with additional type information. If you run into problems then let us know over there.

[mooreds]

Hiya!

Thanks for letting us know.

What version of the node client were you running previously? What version of the typescript client are you moving to?

[ulybu]

Hi,

"@fusionauth/node-client": "1.16.0" => "@fusionauth/typescript-client": "1.17.0"

@mooreds edited, copy/pasted twice the same lib 🔝

[ulybu]

Hi,

I think it could come from the fact that in the node-client lib the body is explicitly serialized with JSON.stringify queryString.stringify, which will effectively remove any undefined prop, like for instance scope if not provided to exchangeRefreshTokenForAccessToken

https://github.com/FusionAuth/fusionauth-node-client/blob/0a5c326adc097c85e3572244f70f25088e3de061/lib/RESTClient.js#L74

setFormBody: function(body) {
    this.body = queryString.stringify(body);
    this.header('Content-Type', 'application/x-www-form-urlencoded');
    this.header('Content-Length', Buffer.byteLength(this.body));
    return this;
},

Whereas in typescript-client (this repo) the missing JSON serialization means we're going to keep that scope key explicitly set to undefined.

fusionauth-typescript-client/src/DefaultRESTClient.ts

Line 85 in 0c0c36b

this.body = body;

Edit: JSON.stringify => queryString.stringify. Issue is still the same, queryString also removed any undefined props

[mooreds]

That sure looks like a incompatibility to me. I'll take a look. We also welcome pull requests if you want to just patch DefaultRESTClient.ts.

[ulybu]

We also welcome pull requests if you want to just patch DefaultRESTClient.ts

Ugh, that seems too risky to me because I don't know the reason why the dropped the queryString.stringify in the first place. I can't just assume that's an oversight, right? I might very well be breaking something for someone else by adding queryString.stringify

I could submit a PR and let you guys deal with that risk assessment?

[mooreds]

No worries, I ended up submitting a PR (#32), so no effort needed on your part. Thanks again for reporting this.

[mooreds]

Closing this because #32 is merged, as well as the fact that the node client has been deprecated for 3+ years.