
Remove AuthorizedClient.getAuthorizedScopes()

Fixes gh-4696
Joe Grandja 8 anni fa
parent
commit
5237c6e01b

+ 0 - 13
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/AuthorizedClient.java

@@ -18,9 +18,6 @@ package org.springframework.security.oauth2.client.authentication;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.core.AccessToken;
 import org.springframework.util.Assert;
-import org.springframework.util.CollectionUtils;
-
-import java.util.Set;
 
 /**
  * A representation of an OAuth 2.0 <i>&quot;Authorized Client&quot;</i>.
@@ -63,14 +60,4 @@ public class AuthorizedClient {
 	public AccessToken getAccessToken() {
 		return this.accessToken;
 	}
-
-	public final Set<String> getAuthorizedScopes() {
-		// As per spec, in section 5.1 Successful Access Token Response
-		// https://tools.ietf.org/html/rfc6749#section-5.1
-		// If AccessToken.scopes is empty, then default to the scopes
-		// originally requested by the client in the Authorization Request
-		return (CollectionUtils.isEmpty(this.getAccessToken().getScopes()) ?
-			this.getClientRegistration().getScopes() :
-			this.getAccessToken().getScopes());
-	}
 }

+ 13 - 4
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/NimbusAuthorizationCodeTokenExchanger.java

@@ -41,7 +41,6 @@ import org.springframework.util.CollectionUtils;
 
 import java.io.IOException;
 import java.net.URI;
-import java.util.Collections;
 import java.util.LinkedHashMap;
 import java.util.LinkedHashSet;
 import java.util.Map;
@@ -122,10 +121,20 @@ public class NimbusAuthorizationCodeTokenExchanger implements AuthorizationGrant
 			accessTokenType = AccessToken.TokenType.BEARER;
 		}
 		long expiresIn = accessTokenResponse.getTokens().getAccessToken().getLifetime();
-		Set<String> scopes = Collections.emptySet();
-		if (!CollectionUtils.isEmpty(accessTokenResponse.getTokens().getAccessToken().getScope())) {
-			scopes = new LinkedHashSet<>(accessTokenResponse.getTokens().getAccessToken().getScope().toStringList());
+
+		// As per spec, in section 5.1 Successful Access Token Response
+		// https://tools.ietf.org/html/rfc6749#section-5.1
+		// If AccessTokenResponse.scope is empty, then default to the scope
+		// originally requested by the client in the Authorization Request
+		Set<String> scopes;
+		if (CollectionUtils.isEmpty(accessTokenResponse.getTokens().getAccessToken().getScope())) {
+			scopes = new LinkedHashSet<>(
+				authorizationCodeAuthentication.getAuthorizationExchange().getAuthorizationRequest().getScopes());
+		} else {
+			scopes = new LinkedHashSet<>(
+				accessTokenResponse.getTokens().getAccessToken().getScope().toStringList());
 		}
+
 		Map<String, Object> additionalParameters = new LinkedHashMap<>(accessTokenResponse.getCustomParameters());
 
 		return TokenResponse.withToken(accessToken)
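Review bot: The new comment above the scope fallback (lines 59-62) presents the defaulting as a plain spec rule, but RFC 6749 §5.1 only lets the server omit `scope` when the granted scope is identical to the one requested; a server that narrows the grant without reporting it would leave the client holding a broader scope set than the token actually carries, and downstream checks such as the UserInfo scope match will then see scopes that were never granted. Worth stating that assumption in the comment, e.g. `// Assumes the server omits 'scope' only when it granted exactly what was requested (RFC 6749 §5.1); a narrowed-but-unreported grant is not detectable here.` Separately, `accessTokenResponse.getTokens().getAccessToken()` is now evaluated three times in this hunk; hoisting it into a local before the `if` would make the branch easier to read. The enclosing method starts and ends outside the hunk.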

+ 1 - 1
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/oidc/client/authentication/userinfo/OidcUserService.java

@@ -110,7 +110,7 @@ public class OidcUserService implements OAuth2UserService {
 			oidcAuthorizedClient.getClientRegistration().getAuthorizationGrantType())) {
 
 			// Return true if there is at least one match between the authorized scope(s) and UserInfo scope(s)
-			return oidcAuthorizedClient.getAuthorizedScopes().stream().anyMatch(userInfoScopes::contains);
+			return oidcAuthorizedClient.getAccessToken().getScopes().stream().anyMatch(userInfoScopes::contains);
 		}
 
 		return false;
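Review bot: The comment on line 82 still speaks of the "authorized scope(s)" while the code now reads the raw `AccessToken` scopes, and the requested-scope fallback that used to live in `getAuthorizedScopes()` has moved into the Nimbus exchanger only. Any other `AuthorizationGrantTokenExchanger` implementation that leaves the token's scopes empty would make this method return false and skip the UserInfo request; that fails closed, but it is a silent behaviour change rather than an error, so it seems worth documenting. A one-line update such as `// Return true if there is at least one match between the access token scope(s) (populated by the token exchanger, with the requested scopes as fallback) and UserInfo scope(s)` would capture the new contract. The enclosing method starts outside the hunk.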