From 0f1a3cd879c6960e41ddb309d6502c0fd2619bd2 Mon Sep 17 00:00:00 2001
From: Poovamraj T T
Date: Tue, 2 May 2023 17:16:01 +0530
Subject: [PATCH] Add required scopes to token and renewAuth requests
---
 .../android/authentication/AuthenticationAPIClient.kt | 4 ++--
 .../com/auth0/android/authentication/ParameterBuilder.kt | 6 ++++++
 .../java/com/auth0/android/request/internal/OidcUtils.kt | 4 +++-
 .../authentication/AuthenticationAPIClientTest.kt | 9 ++++++---
 4 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/auth0/src/main/java/com/auth0/android/authentication/AuthenticationAPIClient.kt b/auth0/src/main/java/com/auth0/android/authentication/AuthenticationAPIClient.kt
index eeb144a1..5a14a892 100755
--- a/auth0/src/main/java/com/auth0/android/authentication/AuthenticationAPIClient.kt
+++ b/auth0/src/main/java/com/auth0/android/authentication/AuthenticationAPIClient.kt
@@ -555,7 +555,7 @@ public class AuthenticationAPIClient @VisibleForTesting(otherwise = VisibleForTe
 * @return a request to start
 */
 public fun renewAuth(refreshToken: String): Request {
- val parameters = ParameterBuilder.newBuilder()
+ val parameters = ParameterBuilder.newBuilderWithRequiredScope()
 .setClientId(clientId)
 .setRefreshToken(refreshToken)
 .setGrantType(ParameterBuilder.GRANT_TYPE_REFRESH_TOKEN)
@@ -690,7 +690,7 @@ public class AuthenticationAPIClient @VisibleForTesting(otherwise = VisibleForTe
 codeVerifier: String,
 redirectUri: String
 ): Request {
- val parameters = ParameterBuilder.newBuilder()
+ val parameters = ParameterBuilder.newBuilderWithRequiredScope()
 .setClientId(clientId)
 .setGrantType(ParameterBuilder.GRANT_TYPE_AUTHORIZATION_CODE)
 .set(OAUTH_CODE_KEY, authorizationCode)
diff --git a/auth0/src/main/java/com/auth0/android/authentication/ParameterBuilder.kt b/auth0/src/main/java/com/auth0/android/authentication/ParameterBuilder.kt
index 3364e111..91a82a23 100755
--- a/auth0/src/main/java/com/auth0/android/authentication/ParameterBuilder.kt
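Review bot: `renewAuth` now sends a `scope` parameter on every refresh-token request, and the KDoc above it (only its last two lines are inside the hunk) does not mention this. Under RFC 6749 section 6 an omitted scope on refresh is treated as "same as originally granted", while a supplied one requests exactly that scope, so if `OidcUtils.REQUIRED_SCOPE` is a minimal OIDC scope (its value is not visible here) the renewed access token may come back narrower than the original grant unless the caller overrides it. I would state the default and the override in the KDoc, e.g. `* Sends the required OIDC scope by default; pass "scope" through addParameter to request the scopes your API needs.`, and confirm that existing callers do not lose API scopes on renewal. The `token` hunk at `@@ -690,7 +690,7 @@` makes the same undocumented change; RFC 6749 section 4.1.3 defines no `scope` parameter for the code exchange, so its KDoc should describe the value as informational rather than as an enforcement point. Both function bodies continue past their hunks.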
+++ b/auth0/src/main/java/com/auth0/android/authentication/ParameterBuilder.kt @@ -181,6 +181,12 @@ public class ParameterBuilder private constructor(parameters: Map(request) - assertThat(body, Matchers.not(Matchers.hasKey("scope"))) + assertThat(body, Matchers.hasEntry("scope", OidcUtils.REQUIRED_SCOPE)) assertThat(body, Matchers.hasEntry("client_id", CLIENT_ID)) assertThat(body, Matchers.hasEntry("refresh_token", "refreshToken")) assertThat(body, Matchers.hasEntry("grant_type", "refresh_token")) @@ -2229,7 +2230,7 @@ public class AuthenticationAPIClientTest { assertThat(body, Matchers.hasEntry("client_id", CLIENT_ID)) assertThat(body, Matchers.hasEntry("refresh_token", "refreshToken")) assertThat(body, Matchers.hasEntry("grant_type", "refresh_token")) - assertThat(body, Matchers.not(Matchers.hasKey("scope"))) + assertThat(body, Matchers.hasEntry("scope", OidcUtils.REQUIRED_SCOPE)) assertThat(credentials, Matchers.`is`(Matchers.notNullValue())) } @@ -2252,7 +2253,7 @@ public class AuthenticationAPIClientTest { assertThat(body, Matchers.hasEntry("client_id", CLIENT_ID)) assertThat(body, Matchers.hasEntry("refresh_token", "refreshToken")) assertThat(body, Matchers.hasEntry("grant_type", "refresh_token")) - assertThat(body, Matchers.not(Matchers.hasKey("scope"))) + assertThat(body, Matchers.hasEntry("scope", OidcUtils.REQUIRED_SCOPE)) assertThat(credentials, Matchers.`is`(Matchers.notNullValue())) } @@ -2363,6 +2364,7 @@ public class AuthenticationAPIClientTest { assertThat(body, Matchers.hasEntry("code", "code")) assertThat(body, Matchers.hasEntry("code_verifier", "codeVerifier")) assertThat(body, Matchers.hasEntry("redirect_uri", "http://redirect.uri")) + assertThat(body, Matchers.hasEntry("scope", OidcUtils.REQUIRED_SCOPE)) assertThat( callback, AuthenticationCallbackMatcher.hasPayloadOfType( Credentials::class.java 
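Review bot: The rewritten assertions in the `renewAuth` test hunks (`@@ -2229,7 +2230,7 @@`, `@@ -2252,7 +2253,7 @@`, and the one before them whose header is cut off) pin only the new default; nothing visible checks what is sent when the caller supplies its own scope. The old `Matchers.not(Matchers.hasKey("scope"))` guaranteed that a refresh request left scope selection to the server, so the replacement should cover the override path too: build the request with `.addParameter("scope", "openid read:sample")` (constructed value) and assert `Matchers.hasEntry("scope", "openid read:sample")`. That guards against the default replacing or duplicating a caller-requested scope. The token-exchange hunks `@@ -2363,6 +2364,7 @@` and `@@ -2388,6 +2390,7 @@` would benefit from the same case; the test functions themselves begin outside these hunks.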
@@ -2388,6 +2390,7 @@ public class AuthenticationAPIClientTest {
 assertThat(body, Matchers.hasEntry("code", "code"))
 assertThat(body, Matchers.hasEntry("code_verifier", "codeVerifier"))
 assertThat(body, Matchers.hasEntry("redirect_uri", "http://redirect.uri"))
+ assertThat(body, Matchers.hasEntry("scope", OidcUtils.REQUIRED_SCOPE))
 assertThat(
 callback, AuthenticationCallbackMatcher.hasError(
 Credentials::class.java