feat: Introduce granted scopes to credentials (#257)

* feat: Introduce granted scopes to credentials

* adding test

* check for empty granted scope

* Remove 3.6

* Remove 3.6 from requirements.txt

* workaround for 3.6

* exclude unittest file from owlbot

Author: sai-sunder-s

packages/google-auth-oauthlib/.github/workflows/unittest.yml

@@ -5,7 +5,7 @@ on:
 name: unittest
 jobs:
   unit:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
     strategy:
       matrix:
         python: ['3.6', '3.7', '3.8', '3.9', '3.10', '3.11']

packages/google-auth-oauthlib/google_auth_oauthlib/helpers.py

@@ -145,6 +145,7 @@ def credentials_from_session(session, client_config=None):
             client_id=client_config.get("client_id"),
             client_secret=client_config.get("client_secret"),
             scopes=session.scope,
+            granted_scopes=session.token.get("scope"),
         )
     credentials.expiry = datetime.datetime.utcfromtimestamp(session.token["expires_at"])
     return credentials

packages/google-auth-oauthlib/owlbot.py

@@ -14,7 +14,8 @@
 )
 s.move(templated_files, excludes=[
     "docs/multiprocessing.rst",
-    "README.rst"
+    "README.rst",
+    ".github/workflows/unittest.yml" #remove this exclusion when removing 3.6 from unit test
 ])
 
 # Change black paths

packages/google-auth-oauthlib/setup.py

@@ -20,7 +20,7 @@
 
 TOOL_DEPENDENCIES = "click>=6.0.0"
 
-DEPENDENCIES = ("google-auth>=2.14.0", "requests-oauthlib>=0.7.0")
+DEPENDENCIES = ("google-auth>=2.15.0", "requests-oauthlib>=0.7.0")
 
 
 with io.open("README.rst", "r") as fh:

packages/google-auth-oauthlib/testing/constraints-3.6.txt

@@ -5,6 +5,6 @@
 #
 # e.g., if setup.py has "foo >= 1.14.0, < 2.0.0dev",
 # Then this file should have foo==1.14.0
-google-auth==2.14.0
+google-auth==2.15.0
 requests-oauthlib==0.7.0
 click==6.0.0

packages/google-auth-oauthlib/testing/constraints-3.7.txt

@@ -5,6 +5,6 @@
 #
 # e.g., if setup.py has "foo >= 1.14.0, < 2.0.0dev",
 # Then this file should have foo==1.14.0
-google-auth==2.14.0
+google-auth==2.15.0
 requests-oauthlib==0.7.0
 click==6.0.0

packages/google-auth-oauthlib/tests/unit/test_helpers.py

@@ -96,6 +96,31 @@ def test_credentials_from_session(session):
     assert credentials._client_secret == CLIENT_SECRETS_INFO["web"]["client_secret"]
     assert credentials._token_uri == CLIENT_SECRETS_INFO["web"]["token_uri"]
     assert credentials.scopes == session.scope
+    assert credentials.granted_scopes is None
+
+
+def test_credentials_from_session_granted_scopes(session):
+    granted_scopes = ["scope1", "scope2"]
+    session.token = {
+        "access_token": mock.sentinel.access_token,
+        "refresh_token": mock.sentinel.refresh_token,
+        "id_token": mock.sentinel.id_token,
+        "expires_at": 643969200.0,
+        "scope": granted_scopes,
+    }
+
+    credentials = helpers.credentials_from_session(session, CLIENT_SECRETS_INFO["web"])
+
+    assert isinstance(credentials, google.oauth2.credentials.Credentials)
+    assert credentials.token == mock.sentinel.access_token
+    assert credentials.expiry == datetime.datetime(1990, 5, 29, 8, 20, 0)
+    assert credentials._refresh_token == mock.sentinel.refresh_token
+    assert credentials.id_token == mock.sentinel.id_token
+    assert credentials._client_id == CLIENT_SECRETS_INFO["web"]["client_id"]
+    assert credentials._client_secret == CLIENT_SECRETS_INFO["web"]["client_secret"]
+    assert credentials._token_uri == CLIENT_SECRETS_INFO["web"]["token_uri"]
+    assert credentials.scopes == session.scope
+    assert credentials.granted_scopes == granted_scopes
 
 
 def test_credentials_from_session_3pi(session):