Merge branch 'FGI-1573_connected-account-support' of github.com:auth0/auth0-server-python into FGI-1573_connected-account-support

sam-muncke · sam-muncke · commit bbbc824f9ef3 · 2025-11-07T11:02:30.000Z
diff --git a/src/auth0_server_python/auth_server/server_client.py b/src/auth0_server_python/auth_server/server_client.py
@@ -615,13 +615,17 @@ async def get_access_token(
                 if ts.get("audience") == audience and (not scope or ts.get("scope") == scope):
                     token_set = ts
                     break
-                elif ts.get("audience") != audience and not self._use_mrrt:
-                    # We have a token but for a different audience but since MRRT is disabled,
-                    # we cannot use the RT to get a new AT for this audience
-                    raise AccessTokenError(
-                        AccessTokenErrorCode.INCORRECT_AUDIENCE,
-                        "The access token for the requested audience is not available and Multi-Resource Refresh Tokens are disabled."
-                    )
+                if ts.get("audience") == audience and (not scope or ts.get("scope") == scope):
+                    token_set = ts
+                    break
+        
+        # After loop: if no matching token found and MRRT disabled, check if we need to error
+        if not token_set and not self._use_mrrt and state_data_dict.get("token_sets"):
+            # We have tokens but none match, and we can't use RT to get a new one
+            raise AccessTokenError(
+                AccessTokenErrorCode.INCORRECT_AUDIENCE,
+                "The access token for the requested audience is not available and Multi-Resource Refresh Tokens are disabled."
+            )
 
         # If token is valid, return it
         if token_set and token_set.get("expires_at", 0) > time.time():
