WIP: Support reauthorization with a narrower set of scopes

lib/doorkeeper/openid_connect/helpers/controller.rb

@@ -78,7 +78,24 @@ def reauthenticate_resource_owner(owner)
 
  def matching_tokens_for_resource_owner(owner)
  Doorkeeper::AccessToken.authorized_tokens_for(pre_auth.client.id, owner.id).select do |token|
- Doorkeeper::AccessToken.scopes_match?(token.scopes, pre_auth.scopes, pre_auth.client.scopes)
+ # FIXME: this is just an experiment to verify the behaviour of Doorkeeper::AccessToken.scopes_match?
+ # Doorkeeper::AccessToken.scopes_match?(token.scopes, pre_auth.scopes, pre_auth.client.scopes)
+
+ token_scopes = token.scopes
+ param_scopes = pre_auth.scopes
+ app_scopes = pre_auth.client.scopes
+
+ return true if token_scopes.empty? && param_scopes.empty?
+
+ Doorkeeper::OAuth::Helpers::ScopeChecker.valid?(
+ param_scopes.to_s,
+ token_scopes
+ ) &&
+ Doorkeeper::OAuth::Helpers::ScopeChecker.valid?(
+ param_scopes.to_s,
+ Doorkeeper.configuration.scopes,
+ app_scopes
+ )
  end
  end
  end

spec/controllers/doorkeeper/authorizations_controller_spec.rb

@@ -91,6 +91,18 @@ def expect_successful_callback!
  end
  end
 
+ context 'and a token with narrower scopes' do
+ before do
+ create :access_token, token_attributes
+ end
+
+ it 'redirects to the callback' do
+ authorize! prompt: 'none', scope: 'openid'
+
+ expect_successful_callback!
+ end
+ end
+
  context 'and no matching token' do
  it 'renders a consent_required error when logged in' do
  authorize! prompt: 'none'