Merge branch 'master' into fix_issue_728

JonathanHuot · web-flow · commit 3c1fea9ce21a · 2020-04-22T14:10:42.000+02:00
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -1,7 +1,22 @@
 Changelog
 =========
 
-3.1.0 (TBD)
+3.1.1 (TBD)
+------------------
+OAuth2.0 Client - Bugfixes
+
+  * #730: Base OAuth2 Client now has a consistent way of managing the `scope`: it consistently
+    relies on the `scope` provided in the constructor if any, except if overridden temporarily
+    in a method call. Note that in particular providing a non-None `scope` in
+    `prepare_authorization_request` or `prepare_refresh_token` does not override anymore
+    `self.scope` forever, it is just used temporarily.
+  * #726: MobileApplicationClient.prepare_request_uri and MobileApplicationClient.parse_request_uri_response,
+    ServiceApplicationClient.prepare_request_body,
+    and WebApplicationClient.prepare_request_uri now correctly use the default `scope` provided in
+    constructor.
+  * #725: LegacyApplicationClient.prepare_request_body now correctly uses the default `scope` provided in constructor
+
+3.1.0 (2019-08-06)
 ------------------
 OAuth2.0 Provider - Features
 
@@ -25,12 +40,8 @@ OAuth2.0 Provider - Bugfixes
 OAuth2.0 Client - Bugfixes
 
   * #290: Fix Authorization Code's errors processing
-  * #603: BackendApplication.Client.prepare_request_body use the `scope` argument as intended.
+  * #603: BackendApplicationClient.prepare_request_body use the `scope` argument as intended.
   * #672: Fix edge case when `expires_in=Null`
-  * #726: MobileApplicationClient.prepare_request_uri and MobileApplicationClient.parse_request_uri_response,
-    ServiceApplicationClient.prepare_request_body,
-    and WebApplicationClient.prepare_request_uri now correctly use the default `scope` provided in
-    constructor.
 
 OAuth1.0 Client
 
diff --git a/oauthlib/oauth2/rfc6749/clients/base.py b/oauthlib/oauth2/rfc6749/clients/base.py
@@ -220,7 +220,10 @@ def prepare_authorization_request(self, authorization_url, state=None,
         the provider. If provided then it must also be provided in the
         token request.
 
-        :param scope:
+        :param scope: List of scopes to request. Must be equal to
+        or a subset of the scopes granted when obtaining the refresh
+        token. If none is provided, the ones provided in the constructor are
+        used.
 
         :param kwargs: Additional parameters to included in the request.
 
@@ -231,10 +234,11 @@ def prepare_authorization_request(self, authorization_url, state=None,
 
         self.state = state or self.state_generator()
         self.redirect_url = redirect_url or self.redirect_url
-        self.scope = scope or self.scope
+        # do not assign scope to self automatically anymore
+        scope = self.scope if scope is None else scope
         auth_url = self.prepare_request_uri(
             authorization_url, redirect_uri=self.redirect_url,
-            scope=self.scope, state=self.state, **kwargs)
+            scope=scope, state=self.state, **kwargs)
         return auth_url, FORM_ENC_HEADERS, ''
 
     def prepare_token_request(self, token_url, authorization_response=None,
@@ -295,7 +299,8 @@ def prepare_refresh_token_request(self, token_url, refresh_token=None,
 
         :param scope: List of scopes to request. Must be equal to
         or a subset of the scopes granted when obtaining the refresh
-        token.
+        token. If none is provided, the ones provided in the constructor are
+        used.
 
         :param kwargs: Additional parameters to included in the request.
 
@@ -304,9 +309,10 @@ def prepare_refresh_token_request(self, token_url, refresh_token=None,
         if not is_secure_transport(token_url):
             raise InsecureTransportError()
 
-        self.scope = scope or self.scope
+        # do not assign scope to self automatically anymore
+        scope = self.scope if scope is None else scope
         body = self.prepare_refresh_body(body=body,
-                                         refresh_token=refresh_token, scope=self.scope, **kwargs)
+                                         refresh_token=refresh_token, scope=scope, **kwargs)
         return token_url, FORM_ENC_HEADERS, body
 
     def prepare_token_revocation_request(self, revocation_url, token,
@@ -380,7 +386,8 @@ def parse_request_body_response(self, body, scope=None, **kwargs):
         returns an error response as described in `Section 5.2`_.
 
         :param body: The response body from the token request.
-        :param scope: Scopes originally requested.
+        :param scope: Scopes originally requested. If none is provided, the ones
+        provided in the constructor are used.
         :return: Dictionary of token parameters.
         :raises: Warning if scope has changed. OAuth2Error if response is invalid.
 
@@ -416,6 +423,7 @@ def parse_request_body_response(self, body, scope=None, **kwargs):
         .. _`Section 5.2`: https://tools.ietf.org/html/rfc6749#section-5.2
         .. _`Section 7.1`: https://tools.ietf.org/html/rfc6749#section-7.1
         """
+        scope = self.scope if scope is None else scope
         self.token = parse_token_response(body, scope=scope)
         self.populate_token_attributes(self.token)
         return self.token
@@ -437,9 +445,11 @@ def prepare_refresh_body(self, body='', refresh_token=None, scope=None, **kwargs
                 Section 3.3.  The requested scope MUST NOT include any scope
                 not originally granted by the resource owner, and if omitted is
                 treated as equal to the scope originally granted by the
-                resource owner.
+                resource owner. Note that if none is provided, the ones provided
+                in the constructor are used if any.
         """
         refresh_token = refresh_token or self.refresh_token
+        scope = self.scope if scope is None else scope
         return prepare_token_request(self.refresh_token_key, body=body, scope=scope,
                                      refresh_token=refresh_token, **kwargs)
 
diff --git a/oauthlib/oauth2/rfc6749/clients/legacy_application.py b/oauthlib/oauth2/rfc6749/clients/legacy_application.py
@@ -79,5 +79,6 @@ def prepare_request_body(self, username, password, body='', scope=None,
         """
         kwargs['client_id'] = self.client_id
         kwargs['include_client_id'] = include_client_id
+        scope = self.scope if scope is None else scope
         return prepare_token_request(self.grant_type, body=body, username=username,
                                      password=password, scope=scope, **kwargs)
