From 1b3a35cf9984cc2a65167958b54e97a7a2accaef Mon Sep 17 00:00:00 2001
From: Dave Brace
Date: Sun, 20 Jan 2019 13:56:45 -0600
Subject: [PATCH] Include the received access token's scope in the 'extra' hash

According to [GitHub's documentation](https://developer.github.com/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/#requested-scopes-and-granted-scopes):

> The scope attribute lists scopes attached to the token that were granted
> by the user. Normally, these scopes will be identical to what you
> requested. However, users can edit their scopes, effectively granting
> your application less access than you originally requested. Also, users
> can edit token scopes after the OAuth flow is completed. You should be
> aware of this possibility and adjust your application's behavior
> accordingly.

Therefore, include the scope returned with the OAuth token in the 'extra' hash generated for the omniauth callback.

According to the OAuth2 gem's code, extra params returned with the access token response can accessed via indexing on the AccessToken class: https://github.com/oauth-xx/oauth2/blob/58471c95c5473d9a494e45534df96f0cf935a2bb/lib/oauth2/access_token.rb#L60-L65
---
 lib/omniauth/strategies/github.rb | 6 +++++-
 spec/omniauth/strategies/github_spec.rb | 8 +++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/lib/omniauth/strategies/github.rb b/lib/omniauth/strategies/github.rb
index c60b2d1..6e18276 100644
--- a/lib/omniauth/strategies/github.rb
+++ b/lib/omniauth/strategies/github.rb
@@ -39,7 +39,7 @@ def authorize_params
 end
 
 extra do
- {:raw_info => raw_info, :all_emails => emails}
+ {:raw_info => raw_info, :all_emails => emails, :scope => scope }
 end
 
 def raw_info
@@ -51,6 +51,10 @@ def email
 (email_access_allowed?) ? primary_email : raw_info['email']
 end
 
+ def scope
+ access_token['scope']
+ end
+
 def primary_email
 primary = emails.find{ |i| i['primary'] && i['verified'] }
 primary && primary['email'] || nil
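Review bot: The new entry in the `extra` hash is written `:scope => scope }` with a space before the closing brace while the opening brace has none, which is inconsistent with the two existing entries on the same line. Keep the hash literal uniform: `{:raw_info => raw_info, :all_emails => emails, :scope => scope}`. The `extra do` block's enclosing class starts before the hunk.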
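Review bot: The new `scope` method hands the token response's `scope` field through to the auth hash verbatim and undocumented, yet the commit message itself notes that users can change a token's scopes after the OAuth flow completes, so anything that gates authorization on `extra[:scope]` is trusting a snapshot taken at issuance. A comment should make that contract explicit, e.g. `# Scopes GitHub reports as granted at token issuance (raw response value; may be nil if absent). Users can reduce scopes afterwards, so re-check the X-OAuth-Scopes header on API responses before relying on this.` GitHub returns the field as a single comma-separated string rather than an array, so callers will presumably need to split it; the comment should say so if that matches what the token endpoint returns. The method only reads `access_token['scope']`, so a response without the field yields `nil` in `extra`, which is worth stating rather than leaving callers to discover it. The enclosing class continues outside the hunk.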
diff --git a/spec/omniauth/strategies/github_spec.rb b/spec/omniauth/strategies/github_spec.rb
index 302ee61..da23ea9 100644
--- a/spec/omniauth/strategies/github_spec.rb
+++ b/spec/omniauth/strategies/github_spec.rb
@@ -1,7 +1,7 @@
 require 'spec_helper'
 
 describe OmniAuth::Strategies::GitHub do
- let(:access_token) { instance_double('AccessToken', :options => {}) }
+ let(:access_token) { instance_double('AccessToken', :options => {}, :[] => 'user') }
 let(:parsed_response) { instance_double('ParsedResponse') }
 let(:response) { instance_double('Response', :parsed => parsed_response) }
 
@@ -150,6 +150,12 @@
 end
 end
 
+ context '#extra.scope' do
+ it 'returns the scope on the returned access_token' do
+ expect(subject.scope).to eq('user')
+ end
+ end
+
 describe '#callback_url' do
 it 'is a combination of host, script name, and callback path' do
 allow(subject).to receive(:full_host).and_return('https://example.com')
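Review bot: The stub `:[] => 'user'` added to the shared `access_token` double answers every key with `'user'`, so the spec cannot distinguish `access_token['scope']` from a typo such as `access_token['scopes']` or from any other lookup on the token. Constrain the stub to the key the strategy is supposed to read, e.g. `allow(access_token).to receive(:[]).with('scope').and_return('user')` inside the new context, or keep the double as is and add `expect(access_token).to have_received(:[]).with('scope')` after the call. Because the change is on the top-level `let`, it also affects every other example in the file, which is another reason to scope it to the new context.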
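Review bot: The new `context '#extra.scope'` never touches the `extra` hash that the commit actually changes; `expect(subject.scope).to eq('user')` only exercises the helper, so dropping `:scope` from `extra` would still leave this example green. Add an assertion on the hash itself, `expect(subject.extra[:scope]).to eq('user')`, which is also what the context label promises; the `extra` block also calls `raw_info` and `emails`, which appear to need stubbing in this spec (e.g. `allow(subject).to receive_messages(:raw_info => {}, :emails => [])`). A second example with the lookup returning `nil` would pin what `extra[:scope]` yields when the token response carries no scope field. The enclosing `describe` block starts before the hunk.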