scope in refresh token request should be a subset of those authorized by the resource owner.

oauth2-framework-impl/oauth2-client/src/main/java/com/baeldung/oauth2/client/CallbackServlet.java

@@ -4,10 +4,8 @@ import org.eclipse.microprofile.config.Config;
 
 import javax.inject.Inject;
 import javax.json.JsonObject;
-import javax.servlet.RequestDispatcher;
 import javax.servlet.ServletException;
 import javax.servlet.annotation.WebServlet;
-import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.ws.rs.client.Client;
@@ -18,10 +16,9 @@ import javax.ws.rs.core.Form;
 import javax.ws.rs.core.HttpHeaders;
 import javax.ws.rs.core.MediaType;
 import java.io.IOException;
-import java.util.Base64;
 
 @WebServlet(urlPatterns = "/callback")
-public class CallbackServlet extends HttpServlet {
+public class CallbackServlet extends AbstractServlet {
 
     @Inject
     private Config config;
@@ -56,24 +53,15 @@ public class CallbackServlet extends HttpServlet {
         form.param("code", code);
         form.param("redirect_uri", config.getValue("client.redirectUri", String.class));
 
-        JsonObject tokenResponse = target.request(MediaType.APPLICATION_JSON_TYPE)
-                .header(HttpHeaders.AUTHORIZATION, getAuthorizationHeaderValue())
-                .post(Entity.entity(form, MediaType.APPLICATION_FORM_URLENCODED_TYPE), JsonObject.class);
-
-        request.getSession().setAttribute("tokenResponse", tokenResponse);
+        try {
+            JsonObject tokenResponse = target.request(MediaType.APPLICATION_JSON_TYPE)
+                    .header(HttpHeaders.AUTHORIZATION, getAuthorizationHeaderValue(clientId, clientSecret))
+                    .post(Entity.entity(form, MediaType.APPLICATION_FORM_URLENCODED_TYPE), JsonObject.class);
+            request.getSession().setAttribute("tokenResponse", tokenResponse);
+        } catch (Exception ex) {
+            System.out.println(ex.getMessage());
+            request.setAttribute("error", ex.getMessage());
+        }
         dispatch("/", request, response);
     }
-
-    private void dispatch(String location, HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
-        RequestDispatcher requestDispatcher = request.getRequestDispatcher(location);
-        requestDispatcher.forward(request, response);
-    }
-
-    private String getAuthorizationHeaderValue() {
-        String clientId = config.getValue("client.clientId", String.class);
-        String clientSecret = config.getValue("client.clientSecret", String.class);
-        String token = clientId + ":" + clientSecret;
-        String encodedString = Base64.getEncoder().encodeToString(token.getBytes());
-        return "Basic " + encodedString;
-    }
 }

oauth2-framework-impl/oauth2-client/src/main/java/com/baeldung/oauth2/client/RefreshTokenServlet.java

@@ -46,7 +46,12 @@ public class RefreshTokenServlet extends AbstractServlet {
                 .header(HttpHeaders.AUTHORIZATION, getAuthorizationHeaderValue(clientId, clientSecret))
                 .post(Entity.entity(form, MediaType.APPLICATION_FORM_URLENCODED_TYPE), JsonObject.class);
 
-        request.getSession().setAttribute("tokenResponse", tokenResponse);
+        String error = tokenResponse.getString("error");
+        if (error != null) {
+            request.setAttribute("error", error);
+        } else {
+            request.getSession().setAttribute("tokenResponse", tokenResponse);
+        }
         dispatch("/", request, response);
     }
 }