Determine which scope to use.

rohe · rohe · commit 11914df3a64a · 2021-05-30T09:55:20.000+02:00
diff --git a/src/oidcop/session/grant.py b/src/oidcop/session/grant.py
@@ -175,6 +175,18 @@ def get(self) -> object:
             resources=self.resources,
         )
 
+    def find_scope(self, based_on):
+        if based_on.scope:
+            return based_on.scope
+
+        if based_on.based_on:
+            # Don't expect there to be that many tokens based on one grant so a linear search
+            # should be OK.
+            for token in self.issued_token:
+                if token.value == based_on.based_on:
+                    return self.find_scope(token)
+        return []
+
     def payload_arguments(
             self,
             session_id: str,
@@ -260,6 +272,10 @@ def mint_token(
             handler_args = {}
 
         if token_class:
+            if not scope:
+                if based_on:
+                    scope = self.find_scope(based_on)
+
             item = token_class(
                 type=token_type,
                 based_on=_base_on_ref,
diff --git a/tests/test_01_grant.py b/tests/test_01_grant.py
@@ -438,3 +438,73 @@ def test_get_usage_rules(self):
 
         # client specific usage rules
         self.endpoint_context.cdb["client_id"] = {"access_token": {"expires_in": 600}}
+
+    def test_assigned_scope(self):
+        session_id = self._create_session(AREQ)
+        session_info = self.endpoint_context.session_manager.get_session_info(
+            session_id=session_id, grant=True
+        )
+        grant = session_info["grant"]
+        code = grant.mint_token(
+            session_id,
+            endpoint_context=self.endpoint_context,
+            token_type="authorization_code",
+            token_handler=TOKEN_HANDLER["authorization_code"],
+        )
+
+        code.scope = ["openid", "email"]
+
+        access_token = grant.mint_token(
+            session_id,
+            endpoint_context=self.endpoint_context,
+            token_type="access_token",
+            token_handler=TOKEN_HANDLER["access_token"],
+            based_on=code,
+        )
+
+        assert access_token.scope == code.scope
+
+    def test_assigned_scope_2nd(self):
+        session_id = self._create_session(AREQ)
+        session_info = self.endpoint_context.session_manager.get_session_info(
+            session_id=session_id, grant=True
+        )
+        grant = session_info["grant"]
+        code = grant.mint_token(
+            session_id,
+            endpoint_context=self.endpoint_context,
+            token_type="authorization_code",
+            token_handler=TOKEN_HANDLER["authorization_code"],
+        )
+
+        code.scope = ["openid", "email"]
+
+        refresh_token = grant.mint_token(
+            session_id,
+            endpoint_context=self.endpoint_context,
+            token_type="refresh_token",
+            token_handler=TOKEN_HANDLER["refresh_token"],
+            based_on=code,
+        )
+
+        access_token = grant.mint_token(
+            session_id,
+            endpoint_context=self.endpoint_context,
+            token_type="access_token",
+            token_handler=TOKEN_HANDLER["access_token"],
+            based_on=refresh_token,
+        )
+
+        assert access_token.scope == code.scope
+
+        refresh_token.scope = ["openid", "xyz"]
+
+        access_token = grant.mint_token(
+            session_id,
+            endpoint_context=self.endpoint_context,
+            token_type="access_token",
+            token_handler=TOKEN_HANDLER["access_token"],
+            based_on=refresh_token,
+        )
+
+        assert access_token.scope == refresh_token.scope
