Allowing any scopes to be used for the client credentials grant

ECOM-4196

Author: Clinton Blackburn

provider/__init__.py

@@ -1 +1 @@
-__version__ = '1.0.2'
+__version__ = '1.0.3'

provider/oauth2/forms.py

@@ -3,7 +3,7 @@
 from django.utils.encoding import smart_unicode
 from django.utils.translation import ugettext as _
 
-from provider import constants, scope
+from provider import scope
 from provider.constants import RESPONSE_TYPE_CHOICES, SCOPES
 from provider.forms import OAuthForm, OAuthValidationError
 from provider.oauth2.models import Client, Grant, RefreshToken
@@ -38,7 +38,7 @@ def clean(self):
         data = self.cleaned_data
         try:
             client = Client.objects.get(client_id=data.get('client_id'),
-                                        client_secret=data.get('client_secret'))
+                client_secret=data.get('client_secret'))
         except Client.DoesNotExist:
             raise forms.ValidationError(_("Client could not be validated with "
                                           "key pair."))
@@ -146,7 +146,7 @@ def clean_response_type(self):
 
         if not response_type:
             raise OAuthValidationError({'error': 'invalid_request',
-                                        'error_description': "No 'response_type' supplied."})
+                'error_description': "No 'response_type' supplied."})
 
         types = response_type.split(" ")
 
@@ -209,7 +209,7 @@ def clean_refresh_token(self):
 
         try:
             token = RefreshToken.objects.get(token=token,
-                                             expired=False, client=self.client)
+                expired=False, client=self.client)
         except RefreshToken.DoesNotExist:
             raise OAuthValidationError({'error': 'invalid_grant'})
 
@@ -302,7 +302,7 @@ def clean(self):
         data = self.cleaned_data
 
         user = authenticate(username=data.get('username'),
-                            password=data.get('password'))
+            password=data.get('password'))
 
         if user is None:
             raise OAuthValidationError({'error': 'invalid_grant'})
@@ -340,10 +340,18 @@ def clean(self):
 
 class ClientCredentialsGrantForm(ScopeMixin, OAuthForm):
     """ Validate a client credentials grant request. """
+    scope = forms.CharField(required=False)
 
-    def clean(self):
-        cleaned_data = super(ClientCredentialsGrantForm, self).clean()
-        # We do not fully support scopes for this grant type; however, a scope is required
-        # in order to create an access token. Default to read-only access.
-        cleaned_data['scope'] = constants.READ
-        return cleaned_data
+    def clean_scope(self):
+        if not self.cleaned_data.get('scope'):
+            # NOTE (CCB): This is a horrible hack, like much of our OAuth work. The scopes are declared in
+            # edx-oauth2-provider. (See edx_oauth2_provider/constants.py.) However, we need to provide a default scope
+            # that (a) gives the token basic read access and (b) allows access to the user info endpoint. This value
+            # represents the following scopes: openid (1), profile (2), email (4), permissions (32). At present, this is
+            # all scopes except course_staff and course_instructor. These scopes are normally associated with actual
+            # users, whereas the client credentials grant will primarily be used by service users.
+            #
+            # In the future, we should limit the allowable scopes either at a global or per-client level.
+            return 39
+
+        return super(ClientCredentialsGrantForm, self).clean_scope()

provider/oauth2/tests.py

@@ -597,7 +597,7 @@ def setUp(self):
         super(ClientCredentialsAccessTokenTests, self).setUp()
         AccessToken.objects.all().delete()
 
-    def request_access_token(self, client_id=None, client_secret=None):
+    def request_access_token(self, client_id=None, client_secret=None, scope=None):
         """ Issues an access token request using the client credentials grant.
 
         Arguments:
@@ -614,6 +614,11 @@ def request_access_token(self, client_id=None, client_secret=None):
             'client_secret': client_secret or client.client_secret,
         }
 
+        if scope:
+            data.update({
+                'scope': scope,
+            })
+
         return self.client.post(self.access_token_url(), data)
 
     def assert_valid_access_token_response(self, access_token, response):
@@ -634,9 +639,10 @@ def assert_valid_access_token_response(self, access_token, response):
     def get_latest_access_token(self):
         return AccessToken.objects.filter(client=self.get_client()).order_by('-id')[0]
 
-    def test_authorize_success(self):
+    @ddt.data(None, 'read')
+    def test_authorize_success(self, scope):
         """ Verify the endpoint successfully issues an access token using the client credentials grant. """
-        response = self.request_access_token()
+        response = self.request_access_token(scope=scope)
         self.assertEqual(200, response.status_code, response.content)
 
         access_token = self.get_latest_access_token()