Authorization servers can override the granted scopes for all grant types.

This change adds the ability for authorization servers to override the granted scopes of client credential and resource owner password grant types.

Fixes #225

1 files changed, 61 insertions, 0 deletions

diff --git a/src/DotNetOpenAuth.Test/OAuth2/AuthorizationServerTests.cs b/src/DotNetOpenAuth.Test/OAuth2/AuthorizationServerTests.cs
index 251cd67..3dc3839 100644
--- a/src/DotNetOpenAuth.Test/OAuth2/AuthorizationServerTests.cs
+++ b/src/DotNetOpenAuth.Test/OAuth2/AuthorizationServerTests.cs
@@ -12,6 +12,7 @@ namespace DotNetOpenAuth.Test.OAuth2 {
 	using System.Threading.Tasks;
 	using DotNetOpenAuth.OAuth2;
 	using DotNetOpenAuth.OAuth2.Messages;
+	using Moq;
 	using NUnit.Framework;
 
 	/// <summary>
@@ -73,5 +74,65 @@ namespace DotNetOpenAuth.Test.OAuth2 {
 				});
 			coordinator.Run();
 		}
+
+		[Test]
+		public void ResourceOwnerScopeOverride() {
+			var clientRequestedScopes = new[] { "scope1", "scope2" };
+			var serverOverriddenScopes = new[] { "scope1", "differentScope" };
+			var authServerMock = CreateAuthorizationServerMock();
+			authServerMock
+				.Setup(a => a.CheckAuthorizeResourceOwnerCredentialGrant(ResourceOwnerUsername, ResourceOwnerPassword, It.IsAny<IAccessTokenRequest>()))
+				.Returns<string, string, IAccessTokenRequest>((un, pw, req) => {
+					var response = new AutomatedUserAuthorizationCheckResponse(req, true, ResourceOwnerUsername);
+					response.ApprovedScope.Clear();
+					response.ApprovedScope.UnionWith(serverOverriddenScopes);
+					return response;
+				});
+			var coordinator = new OAuth2Coordinator<WebServerClient>(
+				AuthorizationServerDescription,
+				authServerMock.Object,
+				new WebServerClient(AuthorizationServerDescription),
+				client => {
+					var authState = new AuthorizationState(TestScopes) {
+						Callback = ClientCallback,
+					};
+					var result = client.ExchangeUserCredentialForToken(ResourceOwnerUsername, ResourceOwnerPassword, clientRequestedScopes);
+					Assert.That(result.Scope, Is.EquivalentTo(serverOverriddenScopes));
+				},
+				server => {
+					server.HandleTokenRequest().Respond();
+				});
+			coordinator.Run();
+		}
+
+		[Test]
+		public void ClientCredentialScopeOverride() {
+			var clientRequestedScopes = new[] { "scope1", "scope2" };
+			var serverOverriddenScopes = new[] { "scope1", "differentScope" };
+			var authServerMock = CreateAuthorizationServerMock();
+			authServerMock
+				.Setup(a => a.CheckAuthorizeClientCredentialsGrant(It.IsAny<IAccessTokenRequest>()))
+				.Returns<IAccessTokenRequest>(req => {
+					var response = new AutomatedAuthorizationCheckResponse(req, true);
+					response.ApprovedScope.Clear();
+					response.ApprovedScope.UnionWith(serverOverriddenScopes);
+					return response;
+				});
+			var coordinator = new OAuth2Coordinator<WebServerClient>(
+				AuthorizationServerDescription,
+				authServerMock.Object,
+				new WebServerClient(AuthorizationServerDescription),
+				client => {
+					var authState = new AuthorizationState(TestScopes) {
+						Callback = ClientCallback,
+					};
+					var result = client.GetClientAccessToken(clientRequestedScopes);
+					Assert.That(result.Scope, Is.EquivalentTo(serverOverriddenScopes));
+				},
+				server => {
+					server.HandleTokenRequest().Respond();
+				});
+			coordinator.Run();
+		}
 	}
 }