fix: refresh token manually doesn't support scope

[monsignore7]

Description

Currently, when using the manager method "refreshToken" it adds automatically the scope to the request body, but in Salesforce token endpoint the scope param is not supported :/

**EDIT
I saw that manager performs the refresh token by itself and since the methods are the same, the request fails too

Steps To Reproduce

1. Authenticate successfully with the loginAuthorizationCodeFlow method in Salesforce
2. Invalidate access token returned from the login
3. Manual refresh the token with the refreshToken method

Expected Behavior

It should be possible to decide whether or not to include the scope param in request when refreshing token

[stonymahony]

@monsignore7 I experience the same problem using zitadel, so thanks for your PR!

[stonymahony]

@monsignore7 Until the fix is merged at some point, I am using the following workaround; not exactly straightforward or elegant, but it works; thanks to gpt ❤ (code not optimised yet).

Custom HTTP client that removes the scope parameter from the request when it comes to token refresh

import "dart:async";
import "dart:convert";
import "package:http/http.dart" as http;

class OidcHttpClient extends http.BaseClient {
  final http.Client _inner;

  OidcHttpClient(this._inner);

  @override
  Future<http.StreamedResponse> send(http.BaseRequest request) async {
    final uri = request.url;

    // Check GET or others with query params
    if (uri.queryParameters["grant_type"] == "refresh_token") {
      final newQueryParams = Map<String, String>.from(uri.queryParameters);
      newQueryParams.remove("scope");

      final newUri = uri.replace(queryParameters: newQueryParams);
      final newRequest = _copyRequestWithNewUrl(request, newUri);

      return _inner.send(newRequest);
    }

    // Handle POST with form-urlencoded body
    else if (request.method == "POST" &&
        request.headers["content-type"] != null &&
        request.headers["content-type"]!.contains("application/x-www-form-urlencoded")) {
      // Read the body bytes once
      final bytes = await request.finalize().toBytes();
      final bodyString = utf8.decode(bytes);
      final bodyParams = Uri.splitQueryString(bodyString);

      if (bodyParams["grant_type"] == "refresh_token") {
        final newBodyParams = Map<String, String>.from(bodyParams);
        newBodyParams.remove("scope");
        final newBodyString = Uri(queryParameters: newBodyParams).query;

        final newRequest = http.Request(request.method, request.url)
          ..headers.addAll(request.headers)
          ..body = newBodyString;

        return _inner.send(newRequest);
      } else {
        // grant_type != refresh_token, so send original request body again
        final newRequest = http.Request(request.method, request.url)
          ..headers.addAll(request.headers)
          ..bodyBytes = bytes;

        return _inner.send(newRequest);
      }
    }

    // For all other cases, send original request (non-POST or non-form)
    return _inner.send(request);
  }

  // Helper method to clone request with new Uri
  http.BaseRequest _copyRequestWithNewUrl(http.BaseRequest request, Uri newUri) {
    if (request is http.Request) {
      final newRequest = http.Request(request.method, newUri);
      newRequest.headers.addAll(request.headers);
      newRequest.bodyBytes = (request).bodyBytes;
      return newRequest;
    } else if (request is http.MultipartRequest) {
      final newRequest = http.MultipartRequest(request.method, newUri);
      newRequest.headers.addAll(request.headers);
      newRequest.fields.addAll(request.fields);
      newRequest.files.addAll(request.files);
      return newRequest;
    } else {
      // fallback for other BaseRequest types
      final newRequest = http.Request(request.method, newUri);
      newRequest.headers.addAll(request.headers);
      return newRequest;
    }
  }
}

Use of the custom HTTP client in UserManager

import "package:http/http.dart" as http;
import "package:app/util/oidc_http_client.dart";

final userManager = OidcUserManager.lazy(
  httpClient: OidcHttpClient(http.Client()),
  ...
);

[otmi100]

Nice idea!

We have a saying in German that literally translates to "from behind through the chest into the eye" 😉

I've the feeling that it's not going to be merged sadly. As my PR also doesn't get any attention, I guess I need to be looking for a different lib..

[ahmednfwela]

Hi everyone, sorry for the delay, would this PR be sufficient to handle your usecase ? #228