Only change scope if refresh_token grant asked for it.

Section 6 of the OAuth2 RFC says that if scope parameter is omitted it "is treated as equal to the scope originally granted by the resource owner." Previously oauth2app cleared the scope if the scope parameter was omitted. Fixes hiidef#51.
ox-it · Feb 9, 2015 · 8a5a696 · 8a5a696
1 parent 53bfbb3
commit 8a5a696
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/oauth2app/token.py b/oauth2app/token.py
@@ -401,8 +401,8 @@ def _get_refresh_token(self):
         self.access_token.token = KeyGenerator(ACCESS_TOKEN_LENGTH)()
         self.access_token.refresh_token = KeyGenerator(REFRESH_TOKEN_LENGTH)()
         self.access_token.expire = TimestampGenerator(ACCESS_TOKEN_EXPIRATION)()
-        access_ranges = AccessRange.objects.filter(key__in=self.scope) if self.scope else []
-        self.access_token.scope = access_ranges
+        if self.scope is not None:
+            self.access_token.scope = AccessRange.objects.filter(key__in=self.scope)
         self.access_token.save()
         return self.access_token