Revert BC break by only providing scopes in access token when set in options (#1053)

barryvdh · web-flow · commit 0fa819889327 · 2025-02-25T22:13:15.000-06:00
Partially reverts #1030 This will still allow to set a `scope` on the access token as array and format it properly, but it will not add the default scopes by default. Setting the scope in the access token request is optional according to https://www.rfc-editor.org/rfc/rfc6749#section-3.3
diff --git a/src/Provider/AbstractProvider.php b/src/Provider/AbstractProvider.php
@@ -626,11 +626,7 @@ public function getAccessToken($grant, array $options = [])
     {
         $grant = $this->verifyGrant($grant);
 
-        if (empty($options['scope'])) {
-            $options['scope'] = $this->getDefaultScopes();
-        }
-
-        if (is_array($options['scope'])) {
+        if (isset($options['scope']) && is_array($options['scope'])) {
             $separator = $this->getScopeSeparator();
             $options['scope'] = implode($separator, $options['scope']);
         }
diff --git a/test/src/Grant/PasswordTest.php b/test/src/Grant/PasswordTest.php
@@ -20,8 +20,7 @@ protected function getParamExpectation()
             return !empty($body['grant_type'])
                 && $body['grant_type'] === 'password'
                 && !empty($body['username'])
-                && !empty($body['password'])
-                && !empty($body['scope']);
+                && !empty($body['password']);
         };
     }
 
diff --git a/test/src/Provider/AbstractProviderTest.php b/test/src/Provider/AbstractProviderTest.php
@@ -632,7 +632,7 @@ public function testGetAccessToken($method)
             ->once()
             ->with(
                 ['client_id' => 'mock_client_id', 'client_secret' => 'mock_secret', 'redirect_uri' => 'none'],
-                ['code' => 'mock_authorization_code', 'scope' => 'test']
+                ['code' => 'mock_authorization_code']
             )
             ->andReturn([]);
 
@@ -675,6 +675,71 @@ public function testGetAccessToken($method)
             });
     }
 
+    /**
+     * @dataProvider getAccessTokenMethodProvider
+     */
+    #[DataProvider('getAccessTokenMethodProvider')]
+    public function testGetAccessTokenWithScope($method)
+    {
+        $provider = new MockProvider([
+            'clientId' => 'mock_client_id',
+            'clientSecret' => 'mock_secret',
+            'redirectUri' => 'none',
+        ]);
+
+        $provider->setAccessTokenMethod($method);
+
+        $raw_response = ['access_token' => 'okay', 'expires' => time() + 3600, 'resource_owner_id' => 3];
+
+        $grant = Mockery::mock(AbstractGrant::class);
+        $grant
+            ->shouldReceive('prepareRequestParameters')
+            ->once()
+            ->with(
+                ['client_id' => 'mock_client_id', 'client_secret' => 'mock_secret', 'redirect_uri' => 'none'],
+                ['code' => 'mock_authorization_code', 'scope' => 'foo,bar']
+            )
+            ->andReturn([]);
+
+        $stream = Mockery::mock(StreamInterface::class);
+        $stream
+            ->shouldReceive('__toString')
+            ->once()
+            ->andReturn(json_encode($raw_response));
+
+        $response = Mockery::mock(ResponseInterface::class);
+        $response
+            ->shouldReceive('getBody')
+            ->once()
+            ->andReturn($stream);
+        $response
+            ->shouldReceive('getHeader')
+            ->once()
+            ->with('content-type')
+            ->andReturn(['application/json']);
+
+        $client = Mockery::spy(ClientInterface::class, [
+            'send' => $response,
+        ]);
+
+        $provider->setHttpClient($client);
+        $token = $provider->getAccessToken($grant, ['code' => 'mock_authorization_code', 'scope' => ['foo', 'bar']]);
+
+        $this->assertInstanceOf(AccessTokenInterface::class, $token);
+
+        $this->assertSame($raw_response['resource_owner_id'], $token->getResourceOwnerId());
+        $this->assertSame($raw_response['access_token'], $token->getToken());
+        $this->assertSame($raw_response['expires'], $token->getExpires());
+
+        $client
+            ->shouldHaveReceived('send')
+            ->once()
+            ->withArgs(function ($request) use ($provider) {
+                return $request->getMethod() === $provider->getAccessTokenMethod()
+                    && (string) $request->getUri() === $provider->getBaseAccessTokenUrl([]);
+            });
+    }
+
     public function testGetAccessTokenWithNonJsonResponse()
     {
         $provider = $this->getMockProvider();

Original file line number	Diff line number	Diff line change
`@@ -626,11 +626,7 @@ public function getAccessToken($grant, array $options = [])`
`626`	`626`	`{`
`627`	`627`	`$grant = $this->verifyGrant($grant);`
`628`	`628`
`629`		`- if (empty($options['scope'])) {`
`630`		`- $options['scope'] = $this->getDefaultScopes();`
`631`		`- }`
`632`		`-`
`633`		`- if (is_array($options['scope'])) {`
	`629`	`+ if (isset($options['scope']) && is_array($options['scope'])) {`
`634`	`630`	`$separator = $this->getScopeSeparator();`
`635`	`631`	`$options['scope'] = implode($separator, $options['scope']);`
`636`	`632`	`}`
Original file line number	Diff line number	Diff line change
`@@ -20,8 +20,7 @@ protected function getParamExpectation()`
`20`	`20`	`return !empty($body['grant_type'])`
`21`	`21`	`&& $body['grant_type'] === 'password'`
`22`	`22`	`&& !empty($body['username'])`
`23`		`- && !empty($body['password'])`
`24`		`- && !empty($body['scope']);`
	`23`	`+ && !empty($body['password']);`
`25`	`24`	`};`
`26`	`25`	`}`
`27`	`26`