globus · derek-globus · Jul 12, 2024 · Jul 12, 2024
@@ -0,0 +1,6 @@
+
+Fixed
+~~~~~
+
+- Fixed a bug where specifying dependent tokens in a new GlobusApp would cause the app
+  to infinitely prompt for log in. (:pr:`NUMBER`)
@@ -121,7 +121,7 @@ def store_token_data_by_resource_server(
         )
         for resource_server, token_data in token_data_by_resource_server.items():
             self._validate_token_data_meets_scope_requirements(
-                resource_server, token_data
+                resource_server, token_data, eval_dependent=False
             )
 
         self._token_storage.store_token_data_by_resource_server(
@@ -207,14 +207,17 @@ def _validate_token_data_by_resource_server_meets_identity_requirements(
             )
 
     def _validate_token_data_meets_scope_requirements(
-        self, resource_server: str, token_data: TokenData
+        self, resource_server: str, token_data: TokenData, eval_dependent: bool = True
     ) -> None:
         """
         Given a particular resource server/token data, evaluate whether the token +
             user's consent forest meet the attached scope requirements.
 
         Note: If consent_client was omitted, only root scope requirements are validated.
 
+        :param resource_server: The resource server string to validate against.
+        :param token_data: The token data to validate against.
+        :param eval_dependent: Whether to evaluate dependent scope requirements.
         :raises: :exc:`UnmetScopeRequirements` if token/consent data does not meet the
             attached root or dependent scope requirements for the resource server.
         :returns: None if all scope requirements are met (or indeterminable).
@@ -234,7 +237,9 @@ def _validate_token_data_meets_scope_requirements(
             )
 
         # Short circuit - No dependent scopes; don't validate them.
-        if not any(scope.dependencies for scope in required_scopes):
+        if not eval_dependent or not any(
+            scope.dependencies for scope in required_scopes
+        ):
             return
 
         # 2. Does the consent forest meet all dependent scope requirements?

@@ -74,10 +74,11 @@ def test_validating_token_storage_evaluates_dependent_scope_requirements(
         consent_client=consent_client,
     )
     token_response = make_token_response(scopes={"rs1": "scope"})
+    adapter.store_token_response(token_response)
 
     consent_client.mocked_forest = make_consent_forest("scope[different_subscope]")
     with pytest.raises(UnmetScopeRequirementsError):
-        adapter.store_token_response(token_response)
+        adapter.get_token_data("rs1")
 
     consent_client.mocked_forest = make_consent_forest("scope[subscope]")
     adapter.store_token_response(token_response)