Validator confirm_scopes becomes get_original_scopes. #182, #183

oauthlib/oauth2/rfc6749/grant_types/refresh_token.py

@@ -9,7 +9,7 @@
 from oauthlib.common import log
 
 from .base import GrantTypeBase
-from .. import errors
+from .. import errors, utils
 from ..request_validator import RequestValidator
 
 
@@ -95,4 +95,17 @@ def validate_token_request(self, request):
             log.debug('Invalid refresh token, %s, for client %r.',
                       request.refresh_token, request.client)
             raise errors.InvalidGrantError(request=request)
-        self.validate_scopes(request)
+
+        original_scopes = utils.scope_to_list(
+                self.request_validator.get_original_scopes(
+                    request.refresh_token, request))
+
+        if request.scope:
+            request.scopes = utils.scope_to_list(request.scope)
+            if not all((s in original_scopes for s in request.scopes)):
+                log.debug('Refresh token %s lack requested scopes, %r.',
+                        request.refresh_token, request.scopes)
+                raise errors.InvalidScopeError(
+                        state=request.state, request=request, status_code=401)
+        else:
+            request.scopes = original_scopes

oauthlib/oauth2/rfc6749/request_validator.py

@@ -4,12 +4,8 @@
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 """
 from __future__ import unicode_literals, absolute_import
-import json
 import logging
-from oauthlib import common
-from oauthlib.uri_validate import is_absolute_uri
 
-from . import errors, utils
 
 log = logging.getLogger('oauthlib')
 
@@ -86,19 +82,6 @@ def confirm_redirect_uri(self, client_id, code, redirect_uri, client, *args, **k
         """
         raise NotImplementedError('Subclasses must implement this method.')
 
-    def confirm_scopes(self, refresh_token, scopes, request, *args, **kwargs):
-        """Ensure the refresh token is authorized access to requested scopes.
-
-        :param refresh_token: Unicode refresh token
-        :param scopes: List of scopes (defined by you)
-        :param request: The HTTP Request (oauthlib.common.Request)
-        :rtype: True or False
-
-        Method is used by:
-            - Refresh token grant
-        """
-        raise NotImplementedError('Subclasses must implement this method.')
-
     def get_default_redirect_uri(self, client_id, request, *args, **kwargs):
         """Get the default redirect URI for the client.
 
@@ -127,6 +110,18 @@ def get_default_scopes(self, client_id, request, *args, **kwargs):
         """
         raise NotImplementedError('Subclasses must implement this method.')
 
+    def get_original_scopes(self, refresh_token, request, *args, **kwargs):
+        """Get the list of scopes associated with the refresh token.
+
+        :param refresh_token: Unicode refresh token
+        :param request: The HTTP Request (oauthlib.common.Request)
+        :rtype: List of scopes.
+
+        Method is used by:
+            - Refresh token grant
+        """
+        raise NotImplementedError('Subclasses must implement this method.')
+
     def invalidate_authorization_code(self, client_id, code, request, *args, **kwargs):
         """Invalidate an authorization code after use.
 

tests/oauth2/rfc6749/test_grant_types.py

@@ -202,19 +202,42 @@ def setUp(self):
         self.request.grant_type = 'refresh_token'
         self.request.refresh_token = 'lsdkfhj230'
         self.request.client = mock_client
-        self.request.scopes = ('mocked', 'scopes')
+        self.request.scope = 'foo'
         self.mock_validator = mock.MagicMock()
         self.auth = RefreshTokenGrant(
                 request_validator=self.mock_validator)
 
     def test_create_token_response(self):
+        self.mock_validator.get_original_scopes.return_value = ['foo', 'bar']
         bearer = BearerToken(self.mock_validator)
         uri, headers, body, status_code = self.auth.create_token_response(
                 self.request, bearer)
         token = json.loads(body)
         self.assertIn('access_token', token)
         self.assertIn('token_type', token)
         self.assertIn('expires_in', token)
+        self.assertEqual(token['scope'], 'foo')
+
+    def test_create_token_inherit_scope(self):
+        self.request.scope = None
+        self.mock_validator.get_original_scopes.return_value = ['foo', 'bar']
+        bearer = BearerToken(self.mock_validator)
+        uri, headers, body, status_code = self.auth.create_token_response(
+                self.request, bearer)
+        token = json.loads(body)
+        self.assertIn('access_token', token)
+        self.assertIn('token_type', token)
+        self.assertIn('expires_in', token)
+        self.assertEqual(token['scope'], 'foo bar')
+
+    def test_invalid_scope(self):
+        self.mock_validator.get_original_scopes.return_value = ['baz']
+        bearer = BearerToken(self.mock_validator)
+        uri, headers, body, status_code = self.auth.create_token_response(
+                self.request, bearer)
+        token = json.loads(body)
+        self.assertEqual(token['error'], 'invalid_scope')
+        self.assertEqual(status_code, 401)
 
     def test_invalid_token(self):
         self.mock_validator.validate_refresh_token.return_value = False