From dff5eb69c829030b9dfa84b0a57398fee5690bff Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Sun, 27 Dec 2020 14:48:44 +0100
Subject: [PATCH] providers/oauth2: fix token endpoint creating invalid token when no scopes are passed

---
 authentik/providers/oauth2/views/token.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/authentik/providers/oauth2/views/token.py b/authentik/providers/oauth2/views/token.py
index 4dc54109c..bb723865b 100644
--- a/authentik/providers/oauth2/views/token.py
+++ b/authentik/providers/oauth2/views/token.py
@@ -93,7 +93,10 @@ class TokenParams:
 self.refresh_token = RefreshToken.objects.get(
 refresh_token=raw_token, provider=self.provider
 )
-
+ # https://tools.ietf.org/html/rfc6749#section-6
+ # Fallback to original token's scopes when none are given
+ if self.scope == []:
+ self.scope = self.refresh_token.scope
 except RefreshToken.DoesNotExist:
 LOGGER.warning(
 "Refresh token does not exist",
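Review bot: The fallback only covers the empty-list case; when the client does pass scopes on a refresh_token grant, nothing in this hunk compares them with `self.refresh_token.scope`, and RFC 6749 §6 (the section the new comment cites) requires the requested scope not to exceed the scope originally granted — if that subset check is not enforced elsewhere in TokenParams, a client can widen its scope on every refresh. I would pair the fallback with the check, e.g. `if not self.scope:` / `self.scope = self.refresh_token.scope` / `elif not set(self.scope).issubset(self.refresh_token.scope):` and reject the request with the endpoint's invalid_scope error. `if not self.scope:` also covers `self.scope` arriving as None instead of `[]`, assuming scope is parsed into a list before this point — confirm against the parsing code. The enclosing try/except and the method it belongs to start and end outside the hunk.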