feat(socialaccount): Configure scope per app

ChangeLog.rst

@@ -1,6 +1,14 @@
 65.1.0 (unreleased)
 *******************
 
+Note worthy changes
+-------------------
+
+- OAuth2/OIDC: When setting up multiple apps for the same provider, you can now
+  configure a different scope per app by including ``"scope": [...]`` in the app
+  settings.
+
+
 Fixes
 -----
 

allauth/socialaccount/providers/oauth2/provider.py

@@ -43,9 +43,11 @@ def get_auth_params(self):
         redirect URL. Additional -- so no need to pass the standard `client_id`,
         `redirect_uri`, `response_type`.
         """
-        settings = self.get_settings()
-        ret = dict(settings.get("AUTH_PARAMS", {}))
-        return ret
+        ret = self.app.settings.get("auth_params")
+        if ret is None:
+            settings = self.get_settings()
+            ret = settings.get("AUTH_PARAMS", {})
+        return dict(ret)
 
     def get_auth_params_from_request(self, request, action):
         """
@@ -69,9 +71,11 @@ def get_scope(self):
         """
         Returns the scope to use, taking settings `SCOPE` into consideration.
         """
-        settings = self.get_settings()
-        scope = list(settings.get("SCOPE", self.get_default_scope()))
-        return scope
+        scope = self.app.settings.get("scope")
+        if scope is None:
+            settings = self.get_settings()
+            scope = settings.get("SCOPE", self.get_default_scope())
+        return list(scope)
 
     def get_scope_from_request(self, request):
         """

allauth/socialaccount/providers/oauth2/tests/test_views.py

@@ -3,6 +3,8 @@
 import pytest
 from pytest_django.asserts import assertTemplateUsed
 
+from allauth.socialaccount.adapter import get_adapter
+
 
 @pytest.mark.parametrize(
     "samesite_strict,did_already_redirect,expect_redirect",
@@ -34,3 +36,23 @@ def test_samesite_strict(
         )
     else:
         assertTemplateUsed(resp, "socialaccount/authentication_error.html")
+
+
+def test_config_from_app_settings(google_provider_settings, rf, db, settings):
+    settings.SOCIALACCOUNT_PROVIDERS["google"]["APPS"][0]["settings"] = {
+        "scope": ["this", "that"],
+        "auth_params": {"x": "y"},
+    }
+    settings.SOCIALACCOUNT_PROVIDERS["google"]["SCOPE"] = ["not-this"]
+    settings.SOCIALACCOUNT_PROVIDERS["google"]["AUTH_PARAMS"] = {"not": "this"}
+    provider = get_adapter().get_provider(rf.get("/"), "google")
+    assert provider.get_scope() == ["this", "that"]
+    assert provider.get_auth_params() == {"x": "y"}
+
+
+def test_config_from_provider_config(google_provider_settings, rf, db, settings):
+    settings.SOCIALACCOUNT_PROVIDERS["google"]["SCOPE"] = ["some-scope"]
+    settings.SOCIALACCOUNT_PROVIDERS["google"]["AUTH_PARAMS"] = {"auth": "param"}
+    provider = get_adapter().get_provider(rf.get("/"), "google")
+    assert provider.get_scope() == ["some-scope"]
+    assert provider.get_auth_params() == {"auth": "param"}

docs/socialaccount/provider_configuration.rst

@@ -51,10 +51,19 @@ configuration::
                     "client_id": "123",
                     "secret": "456",
                     "key": ""
+                    "settings": {
+                        # You can fine tune these settings per app:
+                        "scope": [
+                            "profile",
+                            "email",
+                        ],
+                        "auth_params": {
+                            "access_type": "online",
+                        },
+                    },
                 },
             ],
-            # These are provider-specific settings that can only be
-            # listed here:
+            # The following provider-specific settings will be used for all apps:
             "SCOPE": [
                 "profile",
                 "email",