From 22743d9fce0c99e794be0eb3969341987b1936ee Mon Sep 17 00:00:00 2001
From: Milton Ch <86965029+Milton-Ch@users.noreply.github.com>
Date: Thu, 22 Dec 2022 08:22:31 -0400
Subject: [PATCH] fix(jans-auth-server): when obtain new token using refresh
 token, check whether scope is null (#3382)

---
 .../io/jans/as/server/token/ws/rs/TokenExchangeService.java    | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/token/ws/rs/TokenExchangeService.java b/jans-auth-server/server/src/main/java/io/jans/as/server/token/ws/rs/TokenExchangeService.java
index 135716dae02..9af2e141c28 100644
--- a/jans-auth-server/server/src/main/java/io/jans/as/server/token/ws/rs/TokenExchangeService.java
+++ b/jans-auth-server/server/src/main/java/io/jans/as/server/token/ws/rs/TokenExchangeService.java
@@ -66,7 +66,8 @@ public class TokenExchangeService {
     private AttributeService attributeService;
 
     public void rotateDeviceSecretOnRefreshToken(HttpServletRequest httpRequest, AuthorizationGrant refreshGrant, String scope) {
-        if (!scope.contains(ScopeConstants.DEVICE_SSO)) {
+        if (StringUtils.isBlank(scope) || !scope.contains(ScopeConstants.DEVICE_SSO)) {
+            log.debug("Skip rotate device secret on refresh token. No device_sso scope.");
             return;
         }
         if (StringUtils.isBlank(refreshGrant.getSessionDn())) {