Add a new guard clause to the oauth2 client credentials flow.

CHANGES/pulp-glue/1050.bugfix

@@ -0,0 +1 @@
+Fixed sending no scope instead an empty scope when using the `OAuth2ClientCredentialsAuth` authentication class.

pulp-glue/pulp_glue/common/authentication.py

@@ -15,7 +15,7 @@ def __init__(
         client_id: str,
         client_secret: str,
         token_url: str,
-        scopes: t.List[str],
+        scopes: t.Optional[t.List[str]] = None,
     ):
         self.client_id = client_id
         self.client_secret = client_secret
@@ -78,10 +78,12 @@ def retrieve_token(self) -> None:
         data = {
             "client_id": self.client_id,
             "client_secret": self.client_secret,
-            "scope": " ".join(self.scopes),
             "grant_type": "client_credentials",
         }
 
+        if self.scopes:
+            data["scope"] = " ".join(self.scopes)
+
         response: requests.Response = requests.post(self.token_url, data=data)
 
         response.raise_for_status()

pulp-glue/tests/test_authentication.py

@@ -0,0 +1,29 @@
+import typing as t
+
+import pytest
+
+from pulp_glue.common.authentication import OAuth2ClientCredentialsAuth
+
+pytestmark = pytest.mark.glue
+
+
+def test_sending_no_scope_when_empty(monkeypatch: pytest.MonkeyPatch) -> None:
+
+    class OAuth2MockResponse:
+        def raise_for_status(self):
+            return None
+
+        def json(self):
+            return {"expires_in": 1, "access_token": "aaa"}
+
+    def _requests_post_mocked(url: str, data: t.Dict[str, t.Any]):
+        assert "scope" not in data
+        return OAuth2MockResponse()
+
+    monkeypatch.setattr("requests.post", _requests_post_mocked)
+
+    OAuth2ClientCredentialsAuth(token_url="", client_id="", client_secret="").retrieve_token()
+
+    OAuth2ClientCredentialsAuth(
+        token_url="", client_id="", client_secret="", scopes=[]
+    ).retrieve_token()