@@ -767,3 +767,50 @@ def test_device_is_expired_method_sets_status_to_expired_if_deadline_passed(self
767767
768768 assert is_expired
769769 assert device .status == device .EXPIRED
770+
771+ @mock .patch (
772+ "oauthlib.oauth2.rfc8628.endpoints.device_authorization.generate_token" ,
773+ lambda : "def" ,
774+ )
775+ def test_device_flow_uses_requested_scope_not_default (self ):
776+ """
777+ Test that requested scope in device authorization is used in the token,
778+ not DEFAULT_SCOPES.
779+ """
780+ self .oauth2_settings .OAUTH_DEVICE_VERIFICATION_URI = "example.com/device"
781+ self .oauth2_settings .OAUTH_DEVICE_USER_CODE_GENERATOR = lambda : "XYZ"
782+ self .oauth2_settings .OAUTH_PRE_TOKEN_VALIDATION = [
783+ set_oauthlib_user_to_device_request_user
784+ ]
785+
786+ device_authorization_response = self .client .post (
787+ reverse ("oauth2_provider:device-authorization" ),
788+ data = urlencode ({"client_id" : self .application .client_id , "scope" : "read" }),
789+ content_type = "application/x-www-form-urlencoded" ,
790+ )
791+ assert device_authorization_response .status_code == 200
792+
793+ self .client .login (username = "test_user" , password = "123456" )
794+ self .client .post (reverse ("oauth2_provider:device" ), data = {"user_code" : "XYZ" })
795+ self .client .post (
796+ reverse (
797+ "oauth2_provider:device-confirm" ,
798+ kwargs = {"user_code" : "XYZ" , "client_id" : self .application .client_id },
799+ ),
800+ data = {"action" : "accept" },
801+ )
802+
803+ token_response = self .client .post (
804+ "/o/token/" ,
805+ data = urlencode (
806+ {
807+ "device_code" : "def" ,
808+ "client_id" : self .application .client_id ,
809+ "grant_type" : "urn:ietf:params:oauth:grant-type:device_code" ,
810+ }
811+ ),
812+ content_type = "application/x-www-form-urlencoded" ,
813+ )
814+
815+ assert token_response .status_code == 200
816+ assert token_response .json ()["scope" ] == "read"
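Review bot: The final assertion at the bottom of the hunk, `assert token_response.json()["scope"] == "read"`, only separates "requested scope" from "DEFAULT_SCOPES" if the configured defaults do not themselves reduce to `read`; under such a configuration the test passes trivially and would not catch the scope-widening regression its docstring describes. Pin the default explicitly next to the other overrides at the top of the test, e.g. `self.oauth2_settings.DEFAULT_SCOPES = ["read", "write"]` (assuming the settings fixture accepts that key the way it accepts OAUTH_DEVICE_VERIFICATION_URI), so a token issued with `read write` fails the check. It is also worth asserting the status of the device-confirm POST before requesting the token, since a silent failure there would surface only as an opaque error from the token endpoint. Finally, `/o/token/` is the one hard-coded path while the other endpoints go through `reverse(...)`; resolving it the same way keeps the test independent of the URL prefix. The enclosing test class starts outside the hunk.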