
Fail to get refresh token with Hydra version 1.5.0-beta.5 #1910

Closed
tjk20 opened this issue Jun 16, 2020 · 8 comments

Comments

@tjk20

tjk20 commented Jun 16, 2020

Describe the bug

No refresh token is returned with Hydra version 1.5.0-beta.5, even though the client is registered with the 'offline' and/or 'offline_access' scope and the resource owner granted the 'offline' scope in the authorization code flow.

Reproducing the bug

Steps to reproduce the behavior:

  1. Make sure the client is registered with the 'offline' and/or 'offline_access' scope.
  2. Hydra is running with version 1.5.0-beta.5.
  3. Start the authorization code flow with scope 'offline' or 'offline_access', for example:
     GET /oauth2/auth?client_id=localhost_demo_app&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2Fcallback&response_type=code&scope=offline&state=i6qNJyDPDrIbTEucj4Sc%2Bs52OIVjjxtVZ0Ez7s%2FZJ116%2FIeJibtD1A8iii%2B7ozS%2FqNlL5MTGgIwivs2LQBEjOg%3D%3D&nonce=4c01b5637b3979eeaaab1e282e6ac095497c4e45cb70dbb3fb56af45740b448b (I do it from my client).
  4. The resource owner grants the 'offline' scope in the consent screen (in case the consent screen is shown).
  5. The client gets back an access token, but doesn't get a refresh token.

Server logs

No error or debug level log is visible in the server log regarding the refresh token or offline scope.

Expected behavior

The client gets back both an access token and a refresh token.

Environment

  • Version: v1.5.0-beta.5
  • Environment: Kubernetes

Additional context

The client used to get both an access token and a refresh token with an older version (for example, 1.0.0-rc14).

@aeneasr
Member

aeneasr commented Jun 16, 2020

What does hydra client get localhost_demo_app say?

Are you sure that the scope is accepted appropriately? I can not reproduce this with the quickstart demo. It's also important to note that we have a ton of e2e and integration tests that ensure that this flow works correctly, so I'm pretty sure it has to be something else.

@tjk20
Author

tjk20 commented Jun 16, 2020

I actually copied the snippet from someone else on the GitHub board. The actual GET is this:
/oauth2/auth?client_id=7c752886-326c-4687-9ded-683e0a7fd7e3&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcallback&scope=offline%20reader&response_type=code&state=testing_oauth2_codeflow

@tjk20
Author

tjk20 commented Jun 16, 2020

Yes, I used to get both an access token and a refresh token from the exact same client before I upgraded the version. I haven't changed anything code-wise apart from bumping the Hydra version to 1.5.0-beta.5. Do I have to change anything on the client side or the consent provider side now?

By the way, when I checked the database table hydra_oauth2_consent_request_handled, I see the granted scope is offline. Also, the hydra_oauth2_refresh table is empty.

@aeneasr
Member

aeneasr commented Jun 16, 2020

Please follow the instructions I provide (hydra client ...) or I won't be able to help you any further :)

@tjk20
Author

tjk20 commented Jun 16, 2020

Sorry, I misunderstood your instruction. This is what I got:

{
  "client_id": "7c752886-326c-4687-9ded-683e0a7fd7e3",
  "client_name": "test_client",
  "redirect_uris": ["http://localhost:8080/callback"],
  "grant_types": [],
  "response_types": [],
  "scope": "offline reader",
  "audience": [],
  "owner": "",
  "policy_uri": "",
  "allowed_cors_origins": [],
  "tos_uri": "",
  "client_uri": "",
  "logo_uri": "",
  "contacts": [],
  "client_secret_expires_at": 0,
  "subject_type": "public",
  "jwks": {},
  "token_endpoint_auth_method": "client_secret_post",
  "userinfo_signed_response_alg": "none",
  "created_at": "2020-06-16T08:27:57Z",
  "updated_at": "2020-06-16T08:27:57Z",
  "metadata": {}
}

@aeneasr
Member

aeneasr commented Jun 16, 2020

grant_types is missing refresh_token, see: https://www.ory.sh/hydra/docs/5min-tutorial/

hydra clients create \
    --endpoint http://127.0.0.1:4445 \
    --id auth-code-client \
    --secret secret \
    --grant-types authorization_code,refresh_token \
    --response-types code,id_token \
    --scope openid,offline \
    --callbacks http://127.0.0.1:5555/callback
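
The registration check this diagnosis boils down to, written out as an added example (not code from the thread or from the Hydra project): given the client metadata as `hydra clients get` prints it and the scope string from the /oauth2/auth request, it lists every reason a refresh token would not be issued, and builds the corrected registration that the `--grant-types authorization_code,refresh_token` fix above produces. The sample client dict is constructed to match the thread's output (empty grant_types and response_types, scope "offline reader"). It assumes the registration defaults from OpenID Connect Dynamic Client Registration (a client that omits grant_types is treated as authorization_code only, and one that omits response_types as code), which is also why the thread's client could still complete the code flow and receive an access token while getting no refresh token; the function and constant names are the example's own.

```python
import json
from typing import Dict, List

# Constructed sample, shaped like the `hydra clients get` output quoted in the
# thread: no grant_types, no response_types, scope "offline reader".
CLIENT_BEFORE: Dict = {
    "client_id": "7c752886-326c-4687-9ded-683e0a7fd7e3",
    "redirect_uris": ["http://localhost:8080/callback"],
    "grant_types": [],
    "response_types": [],
    "scope": "offline reader",
    "token_endpoint_auth_method": "client_secret_post",
}

# Scopes that signal "issue a refresh token" to Hydra.
OFFLINE_SCOPES = {"offline", "offline_access"}

# Assumed defaults from OpenID Connect Dynamic Client Registration / RFC 7591:
# omitted grant_types means authorization_code only, omitted response_types
# means code. This is what lets the thread's client finish the code flow and
# receive an access token even though grant_types is empty.
DEFAULT_GRANT_TYPES = ["authorization_code"]
DEFAULT_RESPONSE_TYPES = ["code"]


def effective_grant_types(client: Dict) -> List[str]:
    """Grant types after applying the registration default (hypothetical helper)."""
    return list(client.get("grant_types") or DEFAULT_GRANT_TYPES)


def effective_response_types(client: Dict) -> List[str]:
    """Response types after applying the registration default (hypothetical helper)."""
    return list(client.get("response_types") or DEFAULT_RESPONSE_TYPES)


def refresh_token_blockers(client: Dict, requested_scope: str) -> List[str]:
    """Reasons why an authorization-code request carrying `requested_scope`
    would not yield a refresh token for this client. An empty list means the
    registration and the request are consistent; it assumes the resource
    owner grants the offline scope at consent, as in the thread."""
    reasons: List[str] = []
    grants = set(effective_grant_types(client))
    response_types = set(effective_response_types(client))
    registered_scope = set((client.get("scope") or "").split())
    requested = set(requested_scope.split())
    offline_requested = requested & OFFLINE_SCOPES

    if "authorization_code" not in grants:
        reasons.append("grant_types lacks authorization_code")
    if "code" not in response_types:
        reasons.append("response_types lacks code")
    if not offline_requested:
        reasons.append("request lacks offline/offline_access scope")
    elif not (offline_requested & registered_scope):
        reasons.append("requested offline scope is not in the client's registered scope")
    if "refresh_token" not in grants:
        reasons.append("grant_types lacks refresh_token")
    return reasons


def with_refresh_token_grant(client: Dict) -> Dict:
    """Copy of the registration with the grants the thread's fix adds
    (authorization_code, refresh_token) and response_types made explicit,
    usable as the body of a client update. The input dict is not modified."""
    fixed = json.loads(json.dumps(client))  # deep copy via a JSON round-trip
    grants = effective_grant_types(fixed)
    for grant in ("authorization_code", "refresh_token"):
        if grant not in grants:
            grants.append(grant)
    fixed["grant_types"] = grants
    fixed["response_types"] = effective_response_types(fixed)
    return fixed


if __name__ == "__main__":
    request_scope = "offline reader"  # scope from the thread's /oauth2/auth request
    print("before:", refresh_token_blockers(CLIENT_BEFORE, request_scope))
    fixed_client = with_refresh_token_grant(CLIENT_BEFORE)
    print("after: ", refresh_token_blockers(fixed_client, request_scope))
    print(json.dumps({"grant_types": fixed_client["grant_types"],
                      "response_types": fixed_client["response_types"]}))
```

Run against the thread's client the check reports only the missing refresh_token grant; after the correction it reports nothing. Feeding it the client JSON from a pre-flight script before a version bump turns the silent "access token but no refresh token" outcome into an explicit registration error.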

@tjk20
Author

tjk20 commented Jun 16, 2020

Now it works after updating grant-types! I upgraded the Hydra version from 1.0.0-rc14 to 1.5.0-beta.5. It's a big jump. Something must have happened in between, and I guess my client got outdated.

Thanks a lot for the help. I guess I should close the issue then?

@aeneasr
Member

aeneasr commented Jun 16, 2020

I am glad you were able to resolve the issue! Yes, that is indeed a big jump (I think 2 years?)! In the future, check out our upgrade guide which includes breaking changes and other important info: https://github.com/ory/hydra/blob/master/UPGRADE.md

Yup, I'll close this one :)
