Issue #3157501 by FatherShawn: Add Scopes to ClientCredentials Grant Type

README.md

@@ -93,8 +93,10 @@ Fill in the various plugin keys with the relevant data. Keys:
  * collaborators: A mapping of keys = class for use as replacements to the
    default objects composed into the GenericProvider. Each key must map to a
    class that extends a specific class.
-   See Oauth2ClientPluginInterface::getCollaborators for details. Allowed keys
-   are:
+   See Oauth2ClientPluginInterface::getCollaborators for details. For the client
+   credentials grant, if scopes are defined in the plugin, your custom option
+   provider must extend ClientCredentialsOptionProvider or your option provider
+   will be replaced before the token is requested. Allowed keys are:
    * grantFactory
    * requestFactory
    * httpClient

src/Annotation/Oauth2Client.php

@@ -78,9 +78,9 @@ class Oauth2Client extends Plugin {
    *
    * OPTIONAL
    *
-   * @var string|null
+   * @var string
    */
-  public $scope_separator;
+  public $scope_separator = ',';
 
   /**
    * A flag that may be used by Oauth2ClientPluginInterface::storeAccessToken.
@@ -91,7 +91,7 @@ class Oauth2Client extends Plugin {
    *
    * @var bool
    */
-  public $success_message;
+  public $success_message = FALSE;
 
   /**
    * An associative array of classes that are composed into the provider.

src/OAuth2/Client/OptionProvider/ClientCredentialsOptionProvider.php

+<?php
+
+namespace Drupal\oauth2_client\OAuth2\Client\OptionProvider;
+
+use Drupal\oauth2_client\Plugin\Oauth2Client\Oauth2ClientPluginInterface;
+use League\OAuth2\Client\OptionProvider\PostAuthOptionProvider;
+
+class ClientCredentialsOptionProvider extends PostAuthOptionProvider {
+
+  /**
+   * A string of scopes imploded from the Oauth2ClientPlugin.
+   *
+   * @var string
+   */
+  private $scopeOption;
+
+  public function __construct(Oauth2ClientPluginInterface $clientPlugin) {
+    $scopes = $clientPlugin->getScopes();
+    if (!empty($scopes)) {
+      $this->scopeOption = implode($clientPlugin->getScopeSeparator(), $scopes);
+    }
+  }
+
+
+  /**
+   * @inheritDoc
+   */
+  public function getAccessTokenOptions($method, array $params) {
+    if (!empty($this->scopeOption)) {
+      $params['scope'] = $this->scopeOption;
+    }
+    return parent::getAccessTokenOptions($method, $params);
+  }
+
+}

src/Plugin/Oauth2Client/Oauth2ClientPluginInterface.php

@@ -100,7 +100,7 @@ interface Oauth2ClientPluginInterface extends PluginInspectionInterface, Contain
   /**
    * Get the separator used to join the scopes in the OAuth2 query string.
    *
-   * @return string|null
+   * @return string
    *   The scopes separator to join the list of scopes in the query string.
    */
   public function getScopeSeparator();

src/Service/Grant/ClientCredentialsGrantService.php

@@ -2,6 +2,7 @@
 
 namespace Drupal\oauth2_client\Service\Grant;
 
+use Drupal\oauth2_client\OAuth2\Client\OptionProvider\ClientCredentialsOptionProvider;
 use League\OAuth2\Client\Provider\Exception\IdentityProviderException;
 
 /**
@@ -14,6 +15,12 @@ class ClientCredentialsGrantService extends Oauth2ClientGrantServiceBase {
    */
   public function getAccessToken($pluginId) {
     $provider = $this->getProvider($pluginId);
+    $optionProvider = $provider->getOptionProvider();
+    // If the provider was just created, our OptionProvder must be set.
+    if (!($optionProvider instanceof ClientCredentialsOptionProvider)) {
+      $client = $this->getClient($pluginId);
+      $provider->setOptionProvider(new ClientCredentialsOptionProvider($client));
+    }
 
     try {
       $accessToken = $provider->getAccessToken('client_credentials');