Demonstrates the behavior of mismatching scope

rayluo · rayluo · commit d1a9717aab66 · 2025-09-25T03:23:56.000-07:00
diff --git a/tests/test_application.py b/tests/test_application.py
@@ -875,3 +875,52 @@ def test_app_did_not_register_redirect_uri_should_error_out(self):
                 parent_window_handle=app.CONSOLE_WINDOW_HANDLE,
                 )
             self.assertEqual(result.get("error"), "broker_error")
+
+
+class MismatchingScopeTestCase(unittest.TestCase):
+    """Test cache behavior when HTTP response scope differs from requested scope"""
+
+    @classmethod
+    @patch(_OIDC_DISCOVERY, new=_OIDC_DISCOVERY_MOCK)
+    def setUpClass(cls):
+        cls.app = ConfidentialClientApplication(
+            "client_id", client_credential="secret",
+            authority="https://login.microsoftonline.com/common")
+
+    def test_mismatching_scope_should_be_cached_with_response_scope(self):
+        """Based on https://datatracker.ietf.org/doc/html/rfc6749#section-3.3
+        authorization server may issue an access token with different scope.
+        For example, eSTS normalizes scopes by adding or removing trailing slash.
+        Calling app is supposed to use the normalized scope for subsequent calls.
+        """
+
+        # Mocked request: ask for "foo" scope but receive "bar" scope in response
+        def mock_post(url, headers=None, *args, **kwargs):
+            return MinimalResponse(status_code=200, text=json.dumps({
+                "access_token": "AT_with_bar_scope",
+                "expires_in": 3600,
+                "scope": "bar",  # Response scope differs from requested scope
+                "token_type": "Bearer"
+            }))
+
+        result1 = self.app.acquire_token_for_client(["foo"], post=mock_post)
+        self.assertEqual(result1[self.app._TOKEN_SOURCE], self.app._TOKEN_SOURCE_IDP)
+        self.assertEqual("AT_with_bar_scope", result1.get("access_token"))
+        self.assertEqual(["bar"], result1.get("scope").split())  # Scope from response
+
+        # Second request: ask for same "foo" scope again
+        # Since cached token has "bar" scope, it shouldn't match the "foo" request
+        # This should go to IDP again and receive the same response
+        result2 = self.app.acquire_token_for_client(["foo"], post=mock_post)
+        # Should get a new token from IDP, not from cache
+        self.assertEqual(result2[self.app._TOKEN_SOURCE], self.app._TOKEN_SOURCE_IDP)
+        self.assertEqual("AT_with_bar_scope", result2.get("access_token"))
+        self.assertEqual(["bar"], result2.get("scope").split())
+
+        # Third request: ask for "bar" scope
+        # Should hit cache for the token that had "bar" scope
+        result3 = self.app.acquire_token_for_client(["bar"])
+        self.assertEqual(result3[self.app._TOKEN_SOURCE], self.app._TOKEN_SOURCE_CACHE)
+        self.assertEqual("AT_with_bar_scope", result3.get("access_token"))
+        # Implementation detail: scope field is not returned when token comes from cache
+        self.assertIsNone(result3.get("scope"))
