♻️ Separate application scopes from delegated scopes

Author: jemrobinson

apricot/oauth/keycloak_client.py

@@ -33,7 +33,8 @@ def __init__(
 
         super().__init__(
             redirect_uri=redirect_uri,
-            scopes=scopes,
+            scopes_application=scopes,
+            scopes_delegated=scopes,
             token_url=token_url,
             **kwargs,
         )

apricot/oauth/microsoft_entra_client.py

@@ -30,7 +30,8 @@ def __init__(
         self.tenant_id = entra_tenant_id
         super().__init__(
             redirect_uri=redirect_uri,
-            scopes=scopes,
+            scopes_application=scopes,
+            scopes_delegated=scopes,
             token_url=token_url,
             **kwargs,
         )

apricot/oauth/oauth_client.py

@@ -29,7 +29,8 @@ def __init__(
         client_secret: str,
         debug: bool,  # noqa: FBT001
         redirect_uri: str,
-        scopes: list[str],
+        scopes_application: list[str],
+        scopes_delegated: list[str],
         token_url: str,
         uid_cache: UidCache,
     ) -> None:
@@ -61,7 +62,7 @@ def __init__(
             self.session_application = OAuth2Session(
                 client=BackendApplicationClient(
                     client_id=client_id,
-                    scope=scopes,
+                    scope=scopes_application,
                     redirect_uri=redirect_uri,
                 ),
             )
@@ -76,7 +77,7 @@ def __init__(
             self.session_interactive = OAuth2Session(
                 client=LegacyApplicationClient(
                     client_id=client_id,
-                    scope=scopes,
+                    scope=scopes_delegated,
                     redirect_uri=redirect_uri,
                 ),
             )