Demonstrates the behavior of mismatching scope

rayluo · rayluo · commit 3dd54a4203e8 · 2025-09-25T03:48:42.000-07:00
diff --git a/tests/test_application.py b/tests/test_application.py
@@ -875,3 +875,58 @@ def test_app_did_not_register_redirect_uri_should_error_out(self):
                 parent_window_handle=app.CONSOLE_WINDOW_HANDLE,
                 )
             self.assertEqual(result.get("error"), "broker_error")
+
+
+class MismatchingScopeTestCase(unittest.TestCase):
+    """Test cache behavior when HTTP response scope differs from requested scope"""
+
+    def test_token_should_be_cached_with_response_scope(self):
+        """Based on https://datatracker.ietf.org/doc/html/rfc6749#section-3.3
+        authorization server may issue an access token with different scope.
+        For example, eSTS normalizes scopes by adding or removing trailing slash.
+        Calling app is supposed to use the normalized scope for subsequent calls.
+        """
+
+        # Create a fresh app instance
+        app = ConfidentialClientApplication(
+            "client_id", client_credential="secret",
+            authority="https://login.microsoftonline.com/common")
+
+        # Mocked request: ask for "foo" scope but receive "bar baz" scope in response
+        def mock_post(url, headers=None, *args, **kwargs):
+            return MinimalResponse(status_code=200, text=json.dumps({
+                "access_token": "AT_with_bar_baz_scopes",
+                "expires_in": 3600,
+                "scope": "bar baz",  # Response scope differs from requested scope
+                "token_type": "Bearer"
+            }))
+
+        result1 = app.acquire_token_for_client(["foo"], post=mock_post)
+        self.assertEqual(result1[app._TOKEN_SOURCE], app._TOKEN_SOURCE_IDP)
+        self.assertEqual("AT_with_bar_baz_scopes", result1.get("access_token"))
+        self.assertEqual(["bar", "baz"], result1.get("scope").split())  # Scope from response
+
+        # Second request: ask for same "foo" scope again
+        # Since cached token has "bar baz" scopes, it shouldn't match the "foo" request
+        # This should go to IDP again and receive the same response
+        result2 = app.acquire_token_for_client(["foo"], post=mock_post)
+        # Should get a new token from IDP, not from cache
+        self.assertEqual(result2[app._TOKEN_SOURCE], app._TOKEN_SOURCE_IDP)
+        self.assertEqual("AT_with_bar_baz_scopes", result2.get("access_token"))
+        self.assertEqual(["bar", "baz"], result2.get("scope").split())
+
+        # Third request: ask for "bar" scope
+        # Should hit cache for the token that has "bar baz" scopes
+        result3 = app.acquire_token_for_client(["bar"])
+        self.assertEqual(result3[app._TOKEN_SOURCE], app._TOKEN_SOURCE_CACHE)
+        self.assertEqual("AT_with_bar_baz_scopes", result3.get("access_token"))
+        # Implementation detail: scope field is not returned when token comes from cache
+        self.assertIsNone(result3.get("scope"))
+
+        # Fourth request: ask for "baz" scope
+        # Should hit cache for the token that has "bar baz" scopes
+        result4 = app.acquire_token_for_client(["baz"])
+        self.assertEqual(result4[app._TOKEN_SOURCE], app._TOKEN_SOURCE_CACHE)
+        self.assertEqual("AT_with_bar_baz_scopes", result4.get("access_token"))
+        # Implementation detail: scope field is not returned when token comes from cache
+        self.assertIsNone(result4.get("scope"))
