Merge pull request #224 from wrr/is_within_original_scope

is_within_original_scope method for refresh token grant (Issue #220)
oauthlib · Nov 10, 2013 · f1ba05b · f1ba05b
2 parents 3cf2da9 + 7d4f5ce
commit f1ba05b
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 1 deletion.
diff --git a/oauthlib/oauth2/rfc6749/grant_types/refresh_token.py b/oauthlib/oauth2/rfc6749/grant_types/refresh_token.py
@@ -106,7 +106,9 @@ def validate_token_request(self, request):
 
         if request.scope:
             request.scopes = utils.scope_to_list(request.scope)
-            if not all((s in original_scopes for s in request.scopes)):
+            if (not all((s in original_scopes for s in request.scopes))
+                and not self.request_validator.is_within_original_scope(
+                    request.scopes, request.refresh_token, request)):
                 log.debug('Refresh token %s lack requested scopes, %r.',
                         request.refresh_token, request.scopes)
                 raise errors.InvalidScopeError(

diff --git a/oauthlib/oauth2/rfc6749/request_validator.py b/oauthlib/oauth2/rfc6749/request_validator.py
@@ -151,6 +151,27 @@ def get_original_scopes(self, refresh_token, request, *args, **kwargs):
         """
         raise NotImplementedError('Subclasses must implement this method.')
 
+    def is_within_original_scope(self, request_scopes, refresh_token, request, *args, **kwargs):
+        """Check if requested scopes are within a scope of the refresh token.
+
+        When access tokens are refreshed the scope of the new token
+        needs to be within the scope of the original token. This is
+        ensured by checking that all requested scopes strings are on
+        the list returned by the get_original_scopes. If this check
+        fails, is_withing_original_scope is called. The method can be
+        used in situations where returning all valid scopes from the
+        get_original_scopes is not practical.
+
+        :param request_scopes: A list of scopes that were requested by client
+        :param refresh_token: Unicode refresh_token
+        :param request: The HTTP Request (oauthlib.common.Request)
+        :rtype: True or False
+
+        Method is used by:
+            - Refresh token grant
+        """
+        return False
+
     def invalidate_authorization_code(self, client_id, code, request, *args, **kwargs):
         """Invalidate an authorization code after use.
 

diff --git a/tests/oauth2/rfc6749/grant_types/test_refresh_token.py b/tests/oauth2/rfc6749/grant_types/test_refresh_token.py
@@ -47,8 +47,21 @@ def test_create_token_inherit_scope(self):
         self.assertIn('expires_in', token)
         self.assertEqual(token['scope'], 'foo bar')
 
+    def test_create_token_within_original_scope(self):
+        self.mock_validator.get_original_scopes.return_value = ['baz']
+        self.mock_validator.is_within_original_scope.return_value = True
+        bearer = BearerToken(self.mock_validator)
+        headers, body, status_code = self.auth.create_token_response(
+                self.request, bearer)
+        token = json.loads(body)
+        self.assertIn('access_token', token)
+        self.assertIn('token_type', token)
+        self.assertIn('expires_in', token)
+        self.assertEqual(token['scope'], 'foo')
+
     def test_invalid_scope(self):
         self.mock_validator.get_original_scopes.return_value = ['baz']
+        self.mock_validator.is_within_original_scope.return_value = False
         bearer = BearerToken(self.mock_validator)
         headers, body, status_code = self.auth.create_token_response(
                 self.request, bearer)
@@ -110,6 +123,7 @@ def test_invalid_refresh_token(self):
 
     def test_invalid_scope_original_scopes_empty(self):
         self.mock_validator.validate_refresh_token.return_value = True
+        self.mock_validator.is_within_original_scope.return_value = False
         self.assertRaises(errors.InvalidScopeError,
                           self.auth.validate_token_request, self.request)
 

diff --git a/tests/oauth2/rfc6749/test_request_validator.py b/tests/oauth2/rfc6749/test_request_validator.py
@@ -19,6 +19,8 @@ def test_method_contracts(self):
                 'client_id', 'request')
         self.assertRaises(NotImplementedError, v.get_original_scopes,
                 'refresh_token', 'request')
+        self.assertFalse(v.is_within_original_scope(
+                ['scope'], 'refresh_token', 'request'))
         self.assertRaises(NotImplementedError, v.invalidate_authorization_code,
                 'client_id', 'code', 'request')
         self.assertRaises(NotImplementedError, v.save_authorization_code,