googleapis · bshaffer · Mar 30, 2023 · Mar 16, 2023 · Mar 21, 2023
@@ -139,4 +139,14 @@ public function getQuotaProject()
     {
         return $this->quotaProject;
     }
+
+    /**
+     * Get the granted scopes (if they exist) for the last fetched token.
+     *
+     * @return string|null
+     */
+    public function getGrantedScope()
+    {
+        return $this->auth->getGrantedScope();
+    }
 }
@@ -215,6 +215,13 @@ class OAuth2 implements FetchAuthTokenInterface
      */
     private $idToken;
 
+    /**
+     * The scopes granted to the current access token
+     *
+     * @var string
+     */
+    private $grantedScope;
+
     /**
      * The lifetime in seconds of the current access token.
      *
@@ -544,6 +551,9 @@ public function fetchAuthToken(callable $httpHandler = null)
         $response = $httpHandler($this->generateCredentialsRequest());
         $credentials = $this->parseTokenResponse($response);
         $this->updateToken($credentials);
+        if (isset($credentials['scope'])) {
+            $this->setGrantedScope($credentials['scope']);
+        }
 
         return $credentials;
     }
@@ -640,6 +650,7 @@ public function updateToken(array $config)
             'expires_in' => null,
             'expires_at' => null,
             'issued_at' => null,
+            'scope' => null,
         ], $config);
 
         $this->setExpiresAt($opts['expires_at']);
@@ -652,6 +663,7 @@ public function updateToken(array $config)
 
         $this->setAccessToken($opts['access_token']);
         $this->setIdToken($opts['id_token']);
+
         // The refresh token should only be updated if a value is explicitly
         // passed in, as some access token responses do not include a refresh
         // token.
@@ -1335,6 +1347,27 @@ public function setIdToken($idToken)
         $this->idToken = $idToken;
     }
 
+    /**
+     * Get the granted scopes (if they exist) for the last fetched token.
+     *
+     * @return string|null
+     */
+    public function getGrantedScope()
+    {
+        return $this->grantedScope;
+    }
+
+    /**
+     * Sets the current ID token.
+     *
+     * @param string $grantedScope
+     * @return void
+     */
+    public function setGrantedScope($grantedScope)
+    {
+        $this->grantedScope = $grantedScope;
+    }
+
     /**
      * Gets the refresh token associated with the current access token.
      *

@@ -253,6 +253,20 @@ public function testCanFetchCredsOK()
         $tokens = $sa->fetchAuthToken($httpHandler);
         $this->assertEquals($testJson, $tokens);
     }
+
+    public function testGetGrantedScope()
+    {
+        $responseJson = json_encode(['scope' => 'scope/1 scope/2']);
+        $httpHandler = getHandler([
+            buildResponse(200, [], Utils::streamFor($responseJson)),
+        ]);
+        $sa = new UserRefreshCredentials(
+            '',
+            createURCTestJson()
+        );
+        $sa->fetchAuthToken($httpHandler);
+        $this->assertEquals('scope/1 scope/2', $sa->getGrantedScope());
+    }
 }
 
 class URCGetQuotaProjectTest extends TestCase

@@ -756,6 +756,7 @@ public function testUpdatesTokenFieldsOnFetch()
             'access_token' => 'an_access_token',
             'id_token' => 'an_id_token',
             'refresh_token' => 'a_refresh_token',
+            'scope' => 'scope1 scope2',
         ];
         $json = json_encode($wanted_updates);
         $httpHandler = getHandler([
@@ -775,6 +776,7 @@ public function testUpdatesTokenFieldsOnFetch()
         $this->assertEquals('an_access_token', $o->getAccessToken());
         $this->assertEquals('an_id_token', $o->getIdToken());
         $this->assertEquals('a_refresh_token', $o->getRefreshToken());
+        $this->assertEquals('scope1 scope2', $o->getGrantedScope());
     }
 
     public function testUpdatesTokenFieldsOnFetchMissingRefreshToken()