
Refresh token not issued when multiple scopes are requested #1731

Open
dstuckey-uoe opened this issue Sep 20, 2024 · 0 comments

Steps to reproduce

Create a client app that has read and write scopes:
#<OauthApplication:0x0000ffff8c614450 id: 1, name: "client_app_0", uid: "***", secret: "***", redirect_uri: "http://localhost:3001/oauth/callback", scopes: "read write", confidential: true, created_at: Thu, 25 Jul 2024 10:46:30.141147000 UTC +00:00, updated_at: Mon, 26 Aug 2024 15:53:34.834773000 UTC +00:00>

Do the standard doorkeeper.rb configuration, enabling refresh tokens (see below).

Create a client request of this form:
get '/auth' do
  settings.logger.info "received request for /auth path"
  redirect settings.client_external.auth_code.authorize_url(
    redirect_uri: REDIRECT_URI_EXTERNAL,
    scope: "read write"
  )
end

Expected behavior

The response to the client should have both an access token and a refresh token.

Actual behavior

Only an access token is returned.

If my client app requests a single scope, i.e. only requests the read scope or only requests the write scope, then the access token plus a refresh token is in the response.

But when the client requests both read and write scopes, then the access token is returned in the response, but the refresh token is not.

System configuration

Doorkeeper initializer:

# config/initializers/doorkeeper.rb
Doorkeeper.configure do
  # ...
  orm :active_record

  resource_owner_authenticator do
    if user_signed_in?
      if request.path == "/oauth/authorize/native"
        # the /oauth/authorize/native path is only used for mobile devices
        # and so it is better to deactivate it
        redirect_to root_path, alert: "You are not authorized to perform this action."
      else 
        current_user
      end
    else
      warden.authenticate!(scope: :user)
    end
  end

  admin_authenticator do |_routes|
    if current_user
      unless current_user.can_super_admin?
        redirect_to root_path, alert: "You are not authorized to perform this action."
      end
    else
      warden.authenticate!(scope: :user)
    end
  end

  grant_flows %w[authorization_code client_credentials]

  default_scopes :read
  optional_scopes :write

  enforce_configured_scopes

  access_token_expires_in 30.days
  reuse_access_token

  use_refresh_token expiry: 90.days

  force_ssl_in_redirect_uri false
end

Ruby version: 3.0.5

Gemfile.lock:

GEM
  remote: https://rubygems.org/
  specs:
    actioncable (6.1.7.3)
      actionpack (= 6.1.7.3)
      activesupport (= 6.1.7.3)
      nio4r (~> 2.0)
      websocket-driver (>= 0.6.1)
    actionmailbox (6.1.7.3)
      actionpack (= 6.1.7.3)
      activejob (= 6.1.7.3)
      activerecord (= 6.1.7.3)
      activestorage (= 6.1.7.3)
      activesupport (= 6.1.7.3)
      mail (>= 2.7.1)
    actionmailer (6.1.7.3)
      actionpack (= 6.1.7.3)
      actionview (= 6.1.7.3)
      activejob (= 6.1.7.3)
      activesupport (= 6.1.7.3)
      mail (~> 2.5, >= 2.5.4)
      rails-dom-testing (~> 2.0)
    actionpack (6.1.7.3)
      actionview (= 6.1.7.3)
      activesupport (= 6.1.7.3)
      rack (~> 2.0, >= 2.0.9)
      rack-test (>= 0.6.3)
      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.0, >= 1.2.0)
    actiontext (6.1.7.3)
      actionpack (= 6.1.7.3)
      activerecord (= 6.1.7.3)
      activestorage (= 6.1.7.3)
      activesupport (= 6.1.7.3)
      nokogiri (>= 1.8.5)
    actionview (6.1.7.3)
      activesupport (= 6.1.7.3)
      builder (~> 3.1)
      erubi (~> 1.4)
      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.1, >= 1.2.0)
    activejob (6.1.7.3)
      activesupport (= 6.1.7.3)
      globalid (>= 0.3.6)
    activemodel (6.1.7.3)
      activesupport (= 6.1.7.3)
    activerecord (6.1.7.3)
      activemodel (= 6.1.7.3)
      activesupport (= 6.1.7.3)
    activerecord_json_validator (2.1.3)
      activerecord (>= 4.2.0, < 8)
      json_schemer (~> 0.2.18)
    activestorage (6.1.7.3)
      actionpack (= 6.1.7.3)
      activejob (= 6.1.7.3)
      activerecord (= 6.1.7.3)
      activesupport (= 6.1.7.3)
      marcel (~> 1.0)
      mini_mime (>= 1.1.0)
    activesupport (6.1.7.3)
      concurrent-ruby (~> 1.0, >= 1.0.2)
      i18n (>= 1.6, < 2)
      minitest (>= 5.1)
      tzinfo (~> 2.0)
      zeitwerk (~> 2.3)
    addressable (2.8.4)
      public_suffix (>= 2.0.2, < 6.0)
    annotate (3.2.0)
      activerecord (>= 3.2, < 8.0)
      rake (>= 10.4, < 14.0)
    annotate_gem (0.0.14)
      bundler (>= 1.1)
    api-pagination (5.0.0)
    ast (2.4.2)
    autoprefixer-rails (10.4.13.0)
      execjs (~> 2)
    bcrypt (3.1.18)
    better_errors (2.9.1)
      coderay (>= 1.0.0)
      erubi (>= 1.0.0)
      rack (>= 0.9.0)
    bindex (0.8.1)
    binding_of_caller (1.0.0)
      debug_inspector (>= 0.0.1)
    bootsnap (1.16.0)
      msgpack (~> 1.2)
    brakeman (5.4.1)
    builder (3.2.4)
    bullet (7.0.7)
      activesupport (>= 3.0.0)
      uniform_notifier (~> 1.11)
    bundle-audit (0.1.0)
      bundler-audit
    bundler-audit (0.9.1)
      bundler (>= 1.2.0, < 3)
      thor (~> 1.0)
    byebug (11.1.3)
    capybara (3.39.0)
      addressable
      matrix
      mini_mime (>= 0.1.3)
      nokogiri (~> 1.8)
      rack (>= 1.6.0)
      rack-test (>= 0.6.3)
      regexp_parser (>= 1.5, < 3.0)
      xpath (~> 3.2)
    claide (1.1.0)
    claide-plugins (0.9.2)
      cork
      nap
      open4 (~> 1.3)
    coderay (1.1.3)
    colored2 (3.1.2)
    concurrent-ruby (1.2.2)
    contact_us (1.2.0)
      rails (>= 4.2.0)
    cork (0.3.0)
      colored2 (~> 3.1)
    crack (0.4.5)
      rexml
    crass (1.0.6)
    cssbundling-rails (1.1.2)
      railties (>= 6.0.0)
    danger (9.2.0)
      claide (~> 1.0)
      claide-plugins (>= 0.9.2)
      colored2 (~> 3.1)
      cork (~> 0.1)
      faraday (>= 0.9.0, < 3.0)
      faraday-http-cache (~> 2.0)
      git (~> 1.7)
      kramdown (~> 2.3)
      kramdown-parser-gfm (~> 1.0)
      no_proxy_fix
      octokit (~> 5.0)
      terminal-table (>= 1, < 4)
    database_cleaner (2.0.2)
      database_cleaner-active_record (>= 2, < 3)
    database_cleaner-active_record (2.1.0)
      activerecord (>= 5.a)
      database_cleaner-core (~> 2.0.0)
    database_cleaner-core (2.0.1)
    debug_inspector (1.1.0)
    devise (4.9.2)
      bcrypt (~> 3.0)
      orm_adapter (~> 0.1)
      railties (>= 4.1.0)
      responders
      warden (~> 1.2.3)
    devise_invitable (2.0.7)
      actionmailer (>= 5.0)
      devise (>= 4.6)
    diff-lcs (1.5.0)
    doorkeeper (5.7.1)
      railties (>= 5)
    dotenv (2.8.1)
    dotenv-rails (2.8.1)
      dotenv (= 2.8.1)
      railties (>= 3.2)
    dragonfly (1.4.0)
      addressable (~> 2.3)
      multi_json (~> 1.0)
      rack (>= 1.3)
    dragonfly-s3_data_store (1.3.0)
      dragonfly (~> 1.0)
      fog-aws
    ecma-re-validator (0.4.0)
      regexp_parser (~> 2.2)
    erubi (1.12.0)
    excon (0.99.0)
    execjs (2.8.1)
    factory_bot (6.2.1)
      activesupport (>= 5.0.0)
    factory_bot_rails (6.2.0)
      factory_bot (~> 6.2.0)
      railties (>= 5.0.0)
    faker (3.1.1)
      i18n (>= 1.8.11, < 2)
    faraday (2.7.4)
      faraday-net_http (>= 2.0, < 3.1)
      ruby2_keywords (>= 0.0.4)
    faraday-http-cache (2.4.1)
      faraday (>= 0.8)
    faraday-net_http (3.0.2)
    ffi (1.15.5)
    flag_shih_tzu (0.3.23)
    fog-aws (3.18.0)
      fog-core (~> 2.1)
      fog-json (~> 1.1)
      fog-xml (~> 0.1)
    fog-core (2.3.0)
      builder
      excon (~> 0.71)
      formatador (>= 0.2, < 2.0)
      mime-types
    fog-json (1.2.0)
      fog-core
      multi_json (~> 1.10)
    fog-xml (0.1.4)
      fog-core
      nokogiri (>= 1.5.11, < 2.0.0)
    formatador (1.1.0)
    forwardable (1.3.3)
    fuubar (2.5.1)
      rspec-core (~> 3.0)
      ruby-progressbar (~> 1.4)
    gettext (3.4.3)
      erubi
      locale (>= 2.0.5)
      prime
      text (>= 1.3.0)
    git (1.18.0)
      addressable (~> 2.8)
      rchardet (~> 1.8)
    globalid (1.1.0)
      activesupport (>= 5.0)
    guard (2.18.0)
      formatador (>= 0.2.4)
      listen (>= 2.7, < 4.0)
      lumberjack (>= 1.0.12, < 2.0)
      nenv (~> 0.1)
      notiffany (~> 0.0)
      pry (>= 0.13.0)
      shellany (~> 0.0)
      thor (>= 0.18.1)
    hana (1.3.7)
    hashdiff (1.0.1)
    hashie (5.0.0)
    highline (2.1.0)
    htmltoword (1.1.1)
      actionpack
      nokogiri
      rubyzip (>= 1.0)
    httparty (0.21.0)
      mini_mime (>= 1.0.0)
      multi_xml (>= 0.5.2)
    i18n (1.12.0)
      concurrent-ruby (~> 1.0)
    jbuilder (2.11.5)
      actionview (>= 5.0.0)
      activesupport (>= 5.0.0)
    jsbundling-rails (1.1.1)
      railties (>= 6.0.0)
    json (2.6.3)
    json_schemer (0.2.24)
      ecma-re-validator (~> 0.3)
      hana (~> 1.3)
      regexp_parser (~> 2.0)
      uri_template (~> 0.7)
    jwt (2.7.0)
    kaminari (1.2.2)
      activesupport (>= 4.1.0)
      kaminari-actionview (= 1.2.2)
      kaminari-activerecord (= 1.2.2)
      kaminari-core (= 1.2.2)
    kaminari-actionview (1.2.2)
      actionview
      kaminari-core (= 1.2.2)
    kaminari-activerecord (1.2.2)
      activerecord
      kaminari-core (= 1.2.2)
    kaminari-core (1.2.2)
    kramdown (2.4.0)
      rexml
    kramdown-parser-gfm (1.1.0)
      kramdown (~> 2.0)
    ledermann-rails-settings (2.5.0)
      activerecord (>= 4.2)
    listen (3.8.0)
      rb-fsevent (~> 0.10, >= 0.10.3)
      rb-inotify (~> 0.9, >= 0.9.10)
    locale (2.1.3)
    loofah (2.20.0)
      crass (~> 1.0.2)
      nokogiri (>= 1.5.9)
    lumberjack (1.2.8)
    mail (2.7.1)
      mini_mime (>= 0.1.1)
    marcel (1.0.2)
    matrix (0.4.2)
    meta_request (0.8.2)
      rack-contrib (>= 1.1, < 3)
      railties (>= 3.0.0, < 8)
    method_source (1.0.0)
    mime-types (3.4.1)
      mime-types-data (~> 3.2015)
    mime-types-data (3.2023.0218.1)
    mimemagic (0.4.3)
      nokogiri (~> 1)
      rake
    mini_mime (1.1.2)
    minitest (5.18.0)
    mocha (2.0.2)
      ruby2_keywords (>= 0.0.5)
    msgpack (1.7.0)
    multi_json (1.15.0)
    multi_xml (0.6.0)
    mysql2 (0.5.5)
    nap (1.1.0)
    nenv (0.3.0)
    nio4r (2.5.9)
    no_proxy_fix (0.1.2)
    nokogiri (1.14.3-aarch64-linux)
      racc (~> 1.4)
    nokogiri (1.14.3-arm64-darwin)
      racc (~> 1.4)
    nokogiri (1.14.3-x86_64-linux)
      racc (~> 1.4)
    notiffany (0.1.3)
      nenv (~> 0.1)
      shellany (~> 0.0)
    oauth2 (2.0.9)
      faraday (>= 0.17.3, < 3.0)
      jwt (>= 1.0, < 3.0)
      multi_xml (~> 0.5)
      rack (>= 1.2, < 4)
      snaky_hash (~> 2.0)
      version_gem (~> 1.1)
    octokit (5.6.1)
      faraday (>= 1, < 3)
      sawyer (~> 0.9)
    omniauth (2.1.1)
      hashie (>= 3.4.6)
      rack (>= 2.2.3)
      rack-protection
    omniauth-oauth2 (1.8.0)
      oauth2 (>= 1.4, < 3)
      omniauth (~> 2.0)
    omniauth-orcid (2.1.1)
      omniauth-oauth2 (~> 1.3)
      ruby_dig (~> 0.0.2)
    omniauth-rails_csrf_protection (1.0.1)
      actionpack (>= 4.2)
      omniauth (~> 2.0)
    omniauth-shibboleth (1.3.0)
      omniauth (>= 1.0.0)
    open4 (1.3.4)
    options (2.3.2)
    orm_adapter (0.5.0)
    parallel (1.22.1)
    parser (3.2.2.0)
      ast (~> 2.4.1)
    pg (1.4.6)
    prime (0.1.2)
      forwardable
      singleton
    progress_bar (1.3.3)
      highline (>= 1.6, < 3)
      options (~> 2.3.0)
    pry (0.14.2)
      coderay (~> 1.1)
      method_source (~> 1.0)
    public_suffix (5.0.1)
    puma (6.2.1)
      nio4r (~> 2.0)
    pundit (2.3.0)
      activesupport (>= 3.0.0)
    pundit-matchers (1.8.4)
      rspec-rails (>= 3.0.0)
    racc (1.6.2)
    rack (2.2.6.4)
    rack-attack (6.6.1)
      rack (>= 1.0, < 3)
    rack-contrib (2.5.0)
      rack (< 4)
    rack-mini-profiler (3.1.0)
      rack (>= 1.2.0)
    rack-protection (3.0.6)
      rack
    rack-test (2.1.0)
      rack (>= 1.3)
    rails (6.1.7.3)
      actioncable (= 6.1.7.3)
      actionmailbox (= 6.1.7.3)
      actionmailer (= 6.1.7.3)
      actionpack (= 6.1.7.3)
      actiontext (= 6.1.7.3)
      actionview (= 6.1.7.3)
      activejob (= 6.1.7.3)
      activemodel (= 6.1.7.3)
      activerecord (= 6.1.7.3)
      activestorage (= 6.1.7.3)
      activesupport (= 6.1.7.3)
      bundler (>= 1.15.0)
      railties (= 6.1.7.3)
      sprockets-rails (>= 2.0.0)
    rails-controller-testing (1.0.5)
      actionpack (>= 5.0.1.rc1)
      actionview (>= 5.0.1.rc1)
      activesupport (>= 5.0.1.rc1)
    rails-dom-testing (2.0.3)
      activesupport (>= 4.2.0)
      nokogiri (>= 1.6)
    rails-html-sanitizer (1.5.0)
      loofah (~> 2.19, >= 2.19.1)
    railties (6.1.7.3)
      actionpack (= 6.1.7.3)
      activesupport (= 6.1.7.3)
      method_source
      rake (>= 12.2)
      thor (~> 1.0)
    rainbow (3.1.1)
    rake (13.0.6)
    rb-fsevent (0.11.2)
    rb-inotify (0.10.1)
      ffi (~> 1.0)
    rchardet (1.8.0)
    recaptcha (5.13.0)
      json
    regexp_parser (2.7.0)
    responders (3.1.0)
      actionpack (>= 5.2)
      railties (>= 5.2)
    rexml (3.2.5)
    rspec-collection_matchers (1.2.0)
      rspec-expectations (>= 2.99.0.beta1)
    rspec-core (3.12.1)
      rspec-support (~> 3.12.0)
    rspec-expectations (3.12.2)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.12.0)
    rspec-mocks (3.12.5)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.12.0)
    rspec-rails (6.0.1)
      actionpack (>= 6.1)
      activesupport (>= 6.1)
      railties (>= 6.1)
      rspec-core (~> 3.11)
      rspec-expectations (~> 3.11)
      rspec-mocks (~> 3.11)
      rspec-support (~> 3.11)
    rspec-support (3.12.0)
    rss (0.3.0)
      rexml
    rubocop (1.50.1)
      json (~> 2.3)
      parallel (~> 1.10)
      parser (>= 3.2.0.0)
      rainbow (>= 2.2.2, < 4.0)
      regexp_parser (>= 1.8, < 3.0)
      rexml (>= 3.2.5, < 4.0)
      rubocop-ast (>= 1.28.0, < 2.0)
      ruby-progressbar (~> 1.7)
      unicode-display_width (>= 2.4.0, < 3.0)
    rubocop-ast (1.28.0)
      parser (>= 3.2.1.0)
    rubocop-i18n (3.0.0)
      rubocop (~> 1.0)
    rubocop-performance (1.17.1)
      rubocop (>= 1.7.0, < 2.0)
      rubocop-ast (>= 0.4.0)
    ruby-progressbar (1.13.0)
    ruby2_keywords (0.0.5)
    ruby_dig (0.0.2)
    rubyzip (2.3.2)
    sawyer (0.9.2)
      addressable (>= 2.3.5)
      faraday (>= 0.17.3, < 3)
    selenium-webdriver (4.8.6)
      rexml (~> 3.2, >= 3.2.5)
      rubyzip (>= 1.2.2, < 3.0)
      websocket (~> 1.0)
    shellany (0.0.1)
    shoulda (4.0.0)
      shoulda-context (~> 2.0)
      shoulda-matchers (~> 4.0)
    shoulda-context (2.0.0)
    shoulda-matchers (4.5.1)
      activesupport (>= 4.2.0)
    singleton (0.1.1)
    snaky_hash (2.0.1)
      hashie
      version_gem (~> 1.1, >= 1.1.1)
    spring (4.1.1)
    spring-commands-rspec (1.0.4)
      spring (>= 0.9.1)
    spring-watcher-listen (2.1.0)
      listen (>= 2.7, < 4.0)
      spring (>= 4)
    sprockets (4.2.0)
      concurrent-ruby (~> 1.0)
      rack (>= 2.2.4, < 4)
    sprockets-rails (3.4.2)
      actionpack (>= 5.2)
      activesupport (>= 5.2)
      sprockets (>= 3.0.0)
    terminal-table (3.0.2)
      unicode-display_width (>= 1.1.1, < 3)
    text (1.3.1)
    thor (1.2.1)
    tomparse (0.4.2)
    translation (1.35)
      gettext (~> 3.2, >= 3.2.5, <= 3.4.3)
    turbo-rails (1.4.0)
      actionpack (>= 6.0.0)
      activejob (>= 6.0.0)
      railties (>= 6.0.0)
    tzinfo (2.0.6)
      concurrent-ruby (~> 1.0)
    unicode-display_width (2.4.2)
    uniform_notifier (1.16.0)
    uri_template (0.7.0)
    version_gem (1.1.2)
    warden (1.2.9)
      rack (>= 2.0.9)
    web-console (4.2.0)
      actionview (>= 6.0.0)
      activemodel (>= 6.0.0)
      bindex (>= 0.4.0)
      railties (>= 6.0.0)
    webdrivers (5.2.0)
      nokogiri (~> 1.6)
      rubyzip (>= 1.3.0)
      selenium-webdriver (~> 4.0)
    webmock (3.18.1)
      addressable (>= 2.8.0)
      crack (>= 0.3.2)
      hashdiff (>= 0.4.0, < 2.0.0)
    websocket (1.2.9)
    websocket-driver (0.7.5)
      websocket-extensions (>= 0.1.0)
    websocket-extensions (0.1.5)
    wicked_pdf (2.6.3)
      activesupport
    wkhtmltopdf-binary (0.12.6.6)
    xpath (3.2.0)
      nokogiri (~> 1.8)
    yard (0.9.33)
    yard-tomdoc (0.7.1)
      tomparse (>= 0.4.0)
      yard
    zeitwerk (2.6.7)

PLATFORMS
  aarch64-linux
  arm64-darwin-21
  x86_64-linux

DEPENDENCIES
  activerecord_json_validator
  annotate
  annotate_gem
  api-pagination
  autoprefixer-rails
  better_errors
  binding_of_caller
  bootsnap
  brakeman
  bullet
  bundle-audit
  byebug
  capybara
  contact_us
  cssbundling-rails
  danger
  database_cleaner
  devise
  devise_invitable
  doorkeeper
  dotenv-rails
  dragonfly
  dragonfly-s3_data_store
  factory_bot_rails
  faker
  flag_shih_tzu
  fuubar
  guard
  htmltoword
  httparty
  jbuilder
  jsbundling-rails
  jwt
  kaminari
  ledermann-rails-settings
  listen
  mail (= 2.7.1)
  meta_request
  mimemagic
  mocha
  mysql2
  omniauth
  omniauth-orcid
  omniauth-rails_csrf_protection
  omniauth-shibboleth
  parallel
  pg
  progress_bar
  puma
  pundit
  pundit-matchers
  rack-attack (~> 6.6, >= 6.6.1)
  rack-mini-profiler
  rails (~> 6.1)
  rails-controller-testing
  rake (~> 13.0.6)
  recaptcha
  rspec-collection_matchers
  rspec-rails
  rss
  rubocop
  rubocop-i18n
  rubocop-performance
  shoulda
  spring
  spring-commands-rspec
  spring-watcher-listen
  text
  translation
  turbo-rails
  web-console
  webdrivers
  webmock
  wicked_pdf
  wkhtmltopdf-binary
  yard
  yard-tomdoc

RUBY VERSION
   ruby 3.0.4p208

BUNDLED WITH
   2.5.16
