Joe Grandja 8 лет назад
Родитель
Сommit
0d516ca32c

+ 1 - 1
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/AuthorizationCodeAuthenticationProvider.java

@@ -120,7 +120,7 @@ public class AuthorizationCodeAuthenticationProvider implements AuthenticationPr
 
 		AccessToken accessToken = new AccessToken(tokenResponse.getTokenType(),
 				tokenResponse.getTokenValue(), tokenResponse.getIssuedAt(),
-				tokenResponse.getExpiresAt(), tokenResponse.getScopes());
+				tokenResponse.getExpiresAt(), tokenResponse.getScope());
 
 		IdToken idToken = null;
 		if (tokenResponse.getAdditionalParameters().containsKey(OidcParameter.ID_TOKEN)) {

+ 4 - 4
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/OAuth2ClientAuthenticationToken.java

@@ -74,13 +74,13 @@ public class OAuth2ClientAuthenticationToken extends AbstractAuthenticationToken
 		return this.accessToken;
 	}
 
-	public Set<String> getAuthorizedScopes() {
+	public Set<String> getAuthorizedScope() {
 		// As per spec, in section 5.1 Successful Access Token Response
 		// https://tools.ietf.org/html/rfc6749#section-5.1
-		// If AccessToken.scopes is empty, then default to the scopes
+		// If AccessToken.scope is empty, then default to the scope
 		// originally requested by the client in the Authorization Request
-		return (!CollectionUtils.isEmpty(this.getAccessToken().getScopes()) ?
-			this.getAccessToken().getScopes() :
+		return (!CollectionUtils.isEmpty(this.getAccessToken().getScope()) ?
+			this.getAccessToken().getScope() :
 			this.getClientRegistration().getScope());
 	}
 }

+ 3 - 3
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/nimbus/NimbusAuthorizationCodeTokenExchanger.java

@@ -127,9 +127,9 @@ public class NimbusAuthorizationCodeTokenExchanger implements AuthorizationGrant
 			accessTokenType = AccessToken.TokenType.BEARER;
 		}
 		long expiresIn = accessTokenResponse.getTokens().getAccessToken().getLifetime();
-		Set<String> scopes = Collections.emptySet();
+		Set<String> scope = Collections.emptySet();
 		if (!CollectionUtils.isEmpty(accessTokenResponse.getTokens().getAccessToken().getScope())) {
-			scopes = new HashSet<>(accessTokenResponse.getTokens().getAccessToken().getScope().toStringList());
+			scope = new HashSet<>(accessTokenResponse.getTokens().getAccessToken().getScope().toStringList());
 		}
 		Map<String, Object> additionalParameters = accessTokenResponse.getCustomParameters().entrySet().stream()
 				.collect(Collectors.toMap(Map.Entry::getKey, Map.Entry::getValue));
@@ -137,7 +137,7 @@ public class NimbusAuthorizationCodeTokenExchanger implements AuthorizationGrant
 		return TokenResponseAttributes.withToken(accessToken)
 			.tokenType(accessTokenType)
 			.expiresIn(expiresIn)
-			.scopes(scopes)
+			.scope(scope)
 			.additionalParameters(additionalParameters)
 			.build();
 	}

+ 1 - 1
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/oidc/client/user/OidcUserService.java

@@ -103,7 +103,7 @@ public class OidcUserService implements OAuth2UserService {
 			oidcClientAuthentication.getClientRegistration().getAuthorizationGrantType())) {
 
 			// Return true if there is at least one match between the authorized scope(s) and UserInfo scope(s)
-			return oidcClientAuthentication.getAuthorizedScopes().stream().anyMatch(userInfoScopes::contains);
+			return oidcClientAuthentication.getAuthorizedScope().stream().anyMatch(userInfoScopes::contains);
 		}
 
 		return false;

+ 6 - 6
oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/AccessToken.java

@@ -36,7 +36,7 @@ import java.util.Set;
  */
 public class AccessToken extends SecurityToken {
 	private final TokenType tokenType;
-	private final Set<String> scopes;
+	private final Set<String> scope;
 
 	public static final class TokenType {
 		public static final TokenType BEARER = new TokenType("Bearer");
@@ -73,19 +73,19 @@ public class AccessToken extends SecurityToken {
 		this(tokenType, tokenValue, issuedAt, expiresAt, Collections.emptySet());
 	}
 
-	public AccessToken(TokenType tokenType, String tokenValue, Instant issuedAt, Instant expiresAt, Set<String> scopes) {
+	public AccessToken(TokenType tokenType, String tokenValue, Instant issuedAt, Instant expiresAt, Set<String> scope) {
 		super(tokenValue, issuedAt, expiresAt);
 		Assert.notNull(tokenType, "tokenType cannot be null");
 		this.tokenType = tokenType;
-		this.scopes = Collections.unmodifiableSet(
-			scopes != null ? scopes : Collections.emptySet());
+		this.scope = Collections.unmodifiableSet(
+			scope != null ? scope : Collections.emptySet());
 	}
 
 	public TokenType getTokenType() {
 		return this.tokenType;
 	}
 
-	public Set<String> getScopes() {
-		return this.scopes;
+	public Set<String> getScope() {
+		return this.scope;
 	}
 }
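Review bot: The constructor's `Collections.unmodifiableSet(scope != null ? scope : Collections.emptySet())` wraps the caller's set instead of copying it, so any caller that keeps the reference can still change what `getScope()` returns after the token is built. That matters because `OAuth2ClientAuthenticationToken.getAuthorizedScope()` and the UserInfo check in `OidcUserService` both decide on this set. `NimbusAuthorizationCodeTokenExchanger` happens to pass a fresh `HashSet`, but `TokenResponseAttributes.Builder.scope(...)` stores and forwards whatever reference it is given, so other callers are not protected. I would take a snapshot here, `this.scope = Collections.unmodifiableSet(scope != null ? new LinkedHashSet<>(scope) : Collections.emptySet());`, which needs a `java.util.LinkedHashSet` import in the import block outside this hunk.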

+ 6 - 6
oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/TokenResponseAttributes.java

@@ -54,8 +54,8 @@ public final class TokenResponseAttributes {
 		return this.accessToken.getExpiresAt();
 	}
 
-	public Set<String> getScopes() {
-		return this.accessToken.getScopes();
+	public Set<String> getScope() {
+		return this.accessToken.getScope();
 	}
 
 	public Map<String, Object> getAdditionalParameters() {
@@ -70,7 +70,7 @@ public final class TokenResponseAttributes {
 		private String tokenValue;
 		private AccessToken.TokenType tokenType;
 		private long expiresIn;
-		private Set<String> scopes;
+		private Set<String> scope;
 		private Map<String,Object> additionalParameters;
 
 		private Builder(String tokenValue) {
@@ -87,8 +87,8 @@ public final class TokenResponseAttributes {
 			return this;
 		}
 
-		public Builder scopes(Set<String> scopes) {
-			this.scopes = scopes;
+		public Builder scope(Set<String> scope) {
+			this.scope = scope;
 			return this;
 		}
 
@@ -101,7 +101,7 @@ public final class TokenResponseAttributes {
 			Assert.isTrue(this.expiresIn >= 0, "expiresIn must be a positive number");
 			Instant issuedAt = Instant.now();
 			AccessToken accessToken = new AccessToken(this.tokenType, this.tokenValue, issuedAt,
-				issuedAt.plusSeconds(this.expiresIn), this.scopes);
+				issuedAt.plusSeconds(this.expiresIn), this.scope);
 			TokenResponseAttributes tokenResponse = new TokenResponseAttributes();
 			tokenResponse.accessToken = accessToken;
 			tokenResponse.additionalParameters = Collections.unmodifiableMap(

+ 2 - 2
oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/endpoint/TokenResponseAttributesTest.java

@@ -36,7 +36,7 @@ public class TokenResponseAttributesTest {
 		TokenResponseAttributes.withToken(null)
 			.expiresIn(EXPIRES_IN)
 			.additionalParameters(Collections.emptyMap())
-			.scopes(Collections.emptySet())
+			.scope(Collections.emptySet())
 			.tokenType(AccessToken.TokenType.BEARER)
 			.build();
 	}
@@ -46,7 +46,7 @@ public class TokenResponseAttributesTest {
 		TokenResponseAttributes.withToken(TOKEN)
 			.expiresIn(INVALID_EXPIRES_IN)
 			.additionalParameters(Collections.emptyMap())
-			.scopes(Collections.emptySet())
+			.scope(Collections.emptySet())
 			.tokenType(AccessToken.TokenType.BEARER)
 			.build();
 	}

+ 10 - 10
samples/boot/oauth2login/README.adoc

@@ -458,11 +458,11 @@ The following specifies the common set of properties available for configuring a
 
 NOTE: The default redirect URI is _"{scheme}://{serverName}:{serverPort}/oauth2/authorize/code/{registrationId}"_, which leverages *URI template variables*.
 
-- *scopes* - a comma-delimited string of scope(s) requested during the _Authorization Request_ flow, for example: _openid, email, profile_
+- *scope* - a comma-delimited string of scope(s) requested during the _Authorization Request_ flow, for example: _openid, email, profile_
 
-NOTE: _OpenID Connect Core 1.0_ defines these http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims[standard scopes]: _profile, email, address, phone_
+NOTE: _OpenID Connect Core 1.0_ defines these http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims[standard scope]: _profile, email, address, phone_
 
-NOTE: Non-standard scopes may be defined by a standard _OAuth 2.0 Provider_. Please consult the Provider's OAuth API documentation to learn which scopes are supported.
+NOTE: Non-standard scope may be defined by a standard _OAuth 2.0 Provider_. Please consult the Provider's OAuth API documentation to learn which scope are supported.
 
 - *authorization-uri* - the URI used by the client to redirect the end-user's user-agent to the _Authorization Server_ in order to obtain authorization from the end-user (the _Resource Owner_).
 - *token-uri* - the URI used by the client when exchanging an _Authorization Grant_ (for example, Authorization Code) for an _Access Token_ at the _Authorization Server_.
@@ -500,7 +500,7 @@ security:
         client-authentication-method: basic
         authorized-grant-type: authorization_code
         redirect-uri: "{scheme}://{serverName}:{serverPort}{baseAuthorizeUri}/{registrationId}"
-        scopes: openid, email, profile
+        scope: openid, email, profile
         authorization-uri: "https://accounts.google.com/o/oauth2/auth"
         token-uri: "https://accounts.google.com/o/oauth2/token"
         user-info-uri: "https://www.googleapis.com/oauth2/v3/userinfo"
@@ -510,7 +510,7 @@ security:
         client-authentication-method: basic
         authorized-grant-type: authorization_code
         redirect-uri: "{scheme}://{serverName}:{serverPort}{baseAuthorizeUri}/{registrationId}"
-        scopes: user
+        scope: user
         authorization-uri: "https://github.com/login/oauth/authorize"
         token-uri: "https://github.com/login/oauth/access_token"
         user-info-uri: "https://api.github.com/user"
@@ -519,7 +519,7 @@ security:
         client-authentication-method: post
         authorized-grant-type: authorization_code
         redirect-uri: "{scheme}://{serverName}:{serverPort}{baseAuthorizeUri}/{registrationId}"
-        scopes: public_profile, email
+        scope: public_profile, email
         authorization-uri: "https://www.facebook.com/v2.8/dialog/oauth"
         token-uri: "https://graph.facebook.com/v2.8/oauth/access_token"
         user-info-uri: "https://graph.facebook.com/me"
@@ -528,7 +528,7 @@ security:
         client-authentication-method: basic
         authorized-grant-type: authorization_code
         redirect-uri: "{scheme}://{serverName}:{serverPort}{baseAuthorizeUri}/{registrationId}"
-        scopes: openid, email, profile
+        scope: openid, email, profile
         client-name: Okta
 ----
 
@@ -553,7 +553,7 @@ security.oauth2.client.registrations.google.client-secret=${client-secret}
 security.oauth2.client.registrations.google.client-authentication-method=basic
 security.oauth2.client.registrations.google.authorized-grant-type=authorization_code
 security.oauth2.client.registrations.google.redirect-uri=http://localhost:8080/oauth2/authorize/code/google
-security.oauth2.client.registrations.google.scopes=openid,email,profile
+security.oauth2.client.registrations.google.scope=openid,email,profile
 security.oauth2.client.registrations.google.authorization-uri=https://accounts.google.com/o/oauth2/auth
 security.oauth2.client.registrations.google.token-uri=https://accounts.google.com/o/oauth2/token
 security.oauth2.client.registrations.google.user-info-uri=https://www.googleapis.com/oauth2/v3/userinfo
@@ -601,7 +601,7 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
 		AuthorizationGrantType authorizationGrantType = AuthorizationGrantType.valueOf(
 			this.environment.getProperty(clientPropertyKey + "authorized-grant-type").toUpperCase());
 		String redirectUri = this.environment.getProperty(clientPropertyKey + "redirect-uri");
-		String[] scopes = this.environment.getProperty(clientPropertyKey + "scopes").split(",");
+		String[] scope = this.environment.getProperty(clientPropertyKey + "scope").split(",");
 		String authorizationUri = this.environment.getProperty(clientPropertyKey + "authorization-uri");
 		String tokenUri = this.environment.getProperty(clientPropertyKey + "token-uri");
 		String userInfoUri = this.environment.getProperty(clientPropertyKey + "user-info-uri");
@@ -614,7 +614,7 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
 			.clientAuthenticationMethod(clientAuthenticationMethod)
 			.authorizedGrantType(authorizationGrantType)
 			.redirectUri(redirectUri)
-			.scopes(scopes)
+			.scope(scope)
 			.authorizationUri(authorizationUri)
 			.tokenUri(tokenUri)
 			.userInfoUri(userInfoUri)

+ 1 - 1
samples/boot/oauth2login/src/integration-test/java/org/springframework/security/samples/OAuth2LoginApplicationTests.java

@@ -384,7 +384,7 @@ public class OAuth2LoginApplicationTests {
 			TokenResponseAttributes tokenResponse = TokenResponseAttributes.withToken("access-token-1234")
 				.tokenType(AccessToken.TokenType.BEARER)
 				.expiresIn(60 * 1000)
-				.scopes(Collections.singleton("openid"))
+				.scope(Collections.singleton("openid"))
 				.build();
 
 			AuthorizationGrantTokenExchanger mock = mock(AuthorizationGrantTokenExchanger.class);