OAuthScope parity with JS and DotNet (microsoft#2093)

tracyboehrer · Tracy Boehrer · web-flow · commit 48ba78e15e8a · 2024-04-17T09:49:32.000-05:00
* OAuthScope parity with JS and DotNet

* black formatting

---------

Co-authored-by: Tracy Boehrer &lt;trboehre@microsoft.com&gt;
diff --git a/libraries/botframework-connector/botframework/connector/auth/authentication_constants.py b/libraries/botframework-connector/botframework/connector/auth/authentication_constants.py
@@ -22,7 +22,7 @@ class AuthenticationConstants(ABC):
     DEFAULT_CHANNEL_AUTH_TENANT = "botframework.com"
 
     # TO CHANNEL FROM BOT: OAuth scope to request
-    TO_CHANNEL_FROM_BOT_OAUTH_SCOPE = "https://api.botframework.com/.default"
+    TO_CHANNEL_FROM_BOT_OAUTH_SCOPE = "https://api.botframework.com"
 
     # TO BOT FROM CHANNEL: Token issuer
     TO_BOT_FROM_CHANNEL_TOKEN_ISSUER = "https://api.botframework.com"
diff --git a/libraries/botframework-connector/botframework/connector/auth/government_constants.py b/libraries/botframework-connector/botframework/connector/auth/government_constants.py
@@ -31,7 +31,7 @@ class GovernmentConstants(ABC):
     """
     TO CHANNEL FROM BOT: OAuth scope to request
     """
-    TO_CHANNEL_FROM_BOT_OAUTH_SCOPE = "https://api.botframework.us/.default"
+    TO_CHANNEL_FROM_BOT_OAUTH_SCOPE = "https://api.botframework.us"
 
     """
     TO BOT FROM CHANNEL: Token issuer
diff --git a/libraries/botframework-connector/botframework/connector/auth/microsoft_app_credentials.py b/libraries/botframework-connector/botframework/connector/auth/microsoft_app_credentials.py
@@ -30,13 +30,6 @@ def __init__(
         self.microsoft_app_password = password
         self.app = None
 
-        # This check likely needs to be more nuanced than this.  Assuming
-        # "/.default" precludes other valid suffixes
-        scope = self.oauth_scope
-        if oauth_scope and not scope.endswith("/.default"):
-            scope += "/.default"
-        self.scopes = [scope]
-
     @staticmethod
     def empty():
         return MicrosoftAppCredentials("", "")
@@ -47,17 +40,18 @@ def get_access_token(self, force_refresh: bool = False) -> str:
         :return: The access token for the given app id and password.
         """
 
+        scope = self.oauth_scope
+        if not scope.endswith("/.default"):
+            scope += "/.default"
+        scopes = [scope]
+
         # Firstly, looks up a token from cache
         # Since we are looking for token for the current app, NOT for an end user,
         # notice we give account parameter as None.
-        auth_token = self.__get_msal_app().acquire_token_silent(
-            self.scopes, account=None
-        )
+        auth_token = self.__get_msal_app().acquire_token_silent(scopes, account=None)
         if not auth_token:
             # No suitable token exists in cache. Let's get a new one from AAD.
-            auth_token = self.__get_msal_app().acquire_token_for_client(
-                scopes=self.scopes
-            )
+            auth_token = self.__get_msal_app().acquire_token_for_client(scopes=scopes)
         return auth_token["access_token"]
 
     def __get_msal_app(self):
