feat: Introduce a way to provide scopes granted by user (#1189)

* feat: Introduce a way to provide scopes granted by user

* nits

* add rt

* update rt

google/oauth2/credentials.py

@@ -34,6 +34,7 @@
 from datetime import datetime
 import io
 import json
+import logging
 
 import six
 
@@ -43,6 +44,8 @@
 from google.auth import exceptions
 from google.oauth2 import reauth
 
+_LOGGER = logging.getLogger(__name__)
+
 
 # The Google OAuth 2.0 token endpoint. Used for authorized user credentials.
 _GOOGLE_OAUTH2_TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
@@ -79,6 +82,7 @@ def __init__(
         rapt_token=None,
         refresh_handler=None,
         enable_reauth_refresh=False,
+        granted_scopes=None,
     ):
         """
         Args:
@@ -117,6 +121,9 @@ def __init__(
                 retrieving downscoped tokens from a token broker.
             enable_reauth_refresh (Optional[bool]): Whether reauth refresh flow
                 should be used. This flag is for gcloud to use only.
+            granted_scopes (Optional[Sequence[str]]): The scopes that were consented/granted by the user.
+                This could be different from the requested scopes and it could be empty if granted
+                and requested scopes were same.
         """
         super(Credentials, self).__init__()
         self.token = token
@@ -125,6 +132,7 @@ def __init__(
         self._id_token = id_token
         self._scopes = scopes
         self._default_scopes = default_scopes
+        self._granted_scopes = granted_scopes
         self._token_uri = token_uri
         self._client_id = client_id
         self._client_secret = client_secret
@@ -155,6 +163,7 @@ def __setstate__(self, d):
         self._id_token = d.get("_id_token")
         self._scopes = d.get("_scopes")
         self._default_scopes = d.get("_default_scopes")
+        self._granted_scopes = d.get("_granted_scopes")
         self._token_uri = d.get("_token_uri")
         self._client_id = d.get("_client_id")
         self._client_secret = d.get("_client_secret")
@@ -174,6 +183,11 @@ def scopes(self):
         """Optional[str]: The OAuth 2.0 permission scopes."""
         return self._scopes
 
+    @property
+    def granted_scopes(self):
+        """Optional[Sequence[str]]: The OAuth 2.0 permission scopes that were granted by the user."""
+        return self._granted_scopes
+
     @property
     def token_uri(self):
         """Optional[str]: The OAuth 2.0 authorization server's token endpoint
@@ -249,6 +263,7 @@ def with_quota_project(self, quota_project_id):
             client_secret=self.client_secret,
             scopes=self.scopes,
             default_scopes=self.default_scopes,
+            granted_scopes=self.granted_scopes,
             quota_project_id=quota_project_id,
             rapt_token=self.rapt_token,
             enable_reauth_refresh=self._enable_reauth_refresh,
@@ -266,6 +281,7 @@ def with_token_uri(self, token_uri):
             client_secret=self.client_secret,
             scopes=self.scopes,
             default_scopes=self.default_scopes,
+            granted_scopes=self.granted_scopes,
             quota_project_id=self.quota_project_id,
             rapt_token=self.rapt_token,
             enable_reauth_refresh=self._enable_reauth_refresh,
@@ -335,10 +351,15 @@ def refresh(self, request):
 
         if scopes and "scope" in grant_response:
             requested_scopes = frozenset(scopes)
-            granted_scopes = frozenset(grant_response["scope"].split())
+            self._granted_scopes = grant_response["scope"].split()
+            granted_scopes = frozenset(self._granted_scopes)
             scopes_requested_but_not_granted = requested_scopes - granted_scopes
             if scopes_requested_but_not_granted:
-                raise exceptions.RefreshError(
+                # User might be presented with unbundled scopes at the time of
+                # consent. So it is a valid scenario to not have all the requested
+                # scopes as part of granted scopes but log a warning in case the
+                # developer wants to debug the scenario.
+                _LOGGER.warning(
                     "Not all requested scopes were granted by the "
                     "authorization server, missing scopes {}.".format(
                         ", ".join(scopes_requested_but_not_granted)

tests/oauth2/test_credentials.py

@@ -449,6 +449,7 @@ def test_credentials_with_scopes_requested_refresh_success(
         assert creds.id_token == mock.sentinel.id_token
         assert creds.has_scopes(scopes)
         assert creds.rapt_token == new_rapt_token
+        assert creds.granted_scopes == scopes
 
         # Check that the credentials are valid (have a token and are not
         # expired.)
@@ -466,7 +467,7 @@ def test_credentials_with_only_default_scopes_requested(
         token = "token"
         new_rapt_token = "new_rapt_token"
         expiry = _helpers.utcnow() + datetime.timedelta(seconds=500)
-        grant_response = {"id_token": mock.sentinel.id_token}
+        grant_response = {"id_token": mock.sentinel.id_token, "scope": "email profile"}
         refresh_grant.return_value = (
             # Access token
             token,
@@ -513,6 +514,7 @@ def test_credentials_with_only_default_scopes_requested(
         assert creds.id_token == mock.sentinel.id_token
         assert creds.has_scopes(default_scopes)
         assert creds.rapt_token == new_rapt_token
+        assert creds.granted_scopes == default_scopes
 
         # Check that the credentials are valid (have a token and are not
         # expired.)
@@ -530,10 +532,7 @@ def test_credentials_with_scopes_returned_refresh_success(
         token = "token"
         new_rapt_token = "new_rapt_token"
         expiry = _helpers.utcnow() + datetime.timedelta(seconds=500)
-        grant_response = {
-            "id_token": mock.sentinel.id_token,
-            "scopes": " ".join(scopes),
-        }
+        grant_response = {"id_token": mock.sentinel.id_token, "scope": " ".join(scopes)}
         refresh_grant.return_value = (
             # Access token
             token,
@@ -580,6 +579,7 @@ def test_credentials_with_scopes_returned_refresh_success(
         assert creds.id_token == mock.sentinel.id_token
         assert creds.has_scopes(scopes)
         assert creds.rapt_token == new_rapt_token
+        assert creds.granted_scopes == scopes
 
         # Check that the credentials are valid (have a token and are not
         # expired.)
@@ -590,7 +590,72 @@ def test_credentials_with_scopes_returned_refresh_success(
         "google.auth._helpers.utcnow",
         return_value=datetime.datetime.min + _helpers.REFRESH_THRESHOLD,
     )
-    def test_credentials_with_scopes_refresh_failure_raises_refresh_error(
+    def test_credentials_with_only_default_scopes_requested_different_granted_scopes(
+        self, unused_utcnow, refresh_grant
+    ):
+        default_scopes = ["email", "profile"]
+        token = "token"
+        new_rapt_token = "new_rapt_token"
+        expiry = _helpers.utcnow() + datetime.timedelta(seconds=500)
+        grant_response = {"id_token": mock.sentinel.id_token, "scope": "email"}
+        refresh_grant.return_value = (
+            # Access token
+            token,
+            # New refresh token
+            None,
+            # Expiry,
+            expiry,
+            # Extra data
+            grant_response,
+            # rapt token
+            new_rapt_token,
+        )
+
+        request = mock.create_autospec(transport.Request)
+        creds = credentials.Credentials(
+            token=None,
+            refresh_token=self.REFRESH_TOKEN,
+            token_uri=self.TOKEN_URI,
+            client_id=self.CLIENT_ID,
+            client_secret=self.CLIENT_SECRET,
+            default_scopes=default_scopes,
+            rapt_token=self.RAPT_TOKEN,
+            enable_reauth_refresh=True,
+        )
+
+        # Refresh credentials
+        creds.refresh(request)
+
+        # Check jwt grant call.
+        refresh_grant.assert_called_with(
+            request,
+            self.TOKEN_URI,
+            self.REFRESH_TOKEN,
+            self.CLIENT_ID,
+            self.CLIENT_SECRET,
+            default_scopes,
+            self.RAPT_TOKEN,
+            True,
+        )
+
+        # Check that the credentials have the token and expiry
+        assert creds.token == token
+        assert creds.expiry == expiry
+        assert creds.id_token == mock.sentinel.id_token
+        assert creds.has_scopes(default_scopes)
+        assert creds.rapt_token == new_rapt_token
+        assert creds.granted_scopes == ["email"]
+
+        # Check that the credentials are valid (have a token and are not
+        # expired.)
+        assert creds.valid
+
+    @mock.patch("google.oauth2.reauth.refresh_grant", autospec=True)
+    @mock.patch(
+        "google.auth._helpers.utcnow",
+        return_value=datetime.datetime.min + _helpers.REFRESH_THRESHOLD,
+    )
+    def test_credentials_with_scopes_refresh_different_granted_scopes(
         self, unused_utcnow, refresh_grant
     ):
         scopes = ["email", "profile"]
@@ -628,10 +693,7 @@ def test_credentials_with_scopes_refresh_failure_raises_refresh_error(
         )
 
         # Refresh credentials
-        with pytest.raises(
-            exceptions.RefreshError, match="Not all requested scopes were granted"
-        ):
-            creds.refresh(request)
+        creds.refresh(request)
 
         # Check jwt grant call.
         refresh_grant.assert_called_with(
@@ -651,6 +713,7 @@ def test_credentials_with_scopes_refresh_failure_raises_refresh_error(
         assert creds.id_token == mock.sentinel.id_token
         assert creds.has_scopes(scopes)
         assert creds.rapt_token == new_rapt_token
+        assert creds.granted_scopes == scopes_returned
 
         # Check that the credentials are valid (have a token and are not
         # expired.)