@@ -33,6 +33,7 @@ import (

 	image "github.com/openshift/origin/pkg/image/api"

 	"github.com/openshift/origin/pkg/image/api/docker10"

 	"github.com/openshift/origin/pkg/image/api/dockerpre012"

+	oauthapi "github.com/openshift/origin/pkg/oauth/api"

 	quotaapi "github.com/openshift/origin/pkg/quota/api"

 	quotaapiv1 "github.com/openshift/origin/pkg/quota/api/v1"

 	route "github.com/openshift/origin/pkg/route/api"

@@ -417,6 +418,12 @@ func fuzzInternalObject(t *testing.T, forVersion unversioned.GroupVersion, item

 			j.Spec.Template.Spec.InitContainers = nil

 			j.Status.Template.Spec.InitContainers = nil

 		},

+		func(j *oauthapi.OAuthClientAuthorization, c fuzz.Continue) {

+			c.FuzzNoCustom(j)

+			if len(j.Scopes) == 0 {

+				j.Scopes = append(j.Scopes, "user:full")

+			}

+		},

 		func(j *runtime.Object, c fuzz.Continue) {

 			// runtime.EmbeddedObject causes a panic inside of fuzz because runtime.Object isn't handled.

@@ -26,7 +26,7 @@ func NewAuthorizeAuthenticator(request authenticator.Request, handler Authentica

 // HandleAuthorize implements osinserver.AuthorizeHandler to ensure the AuthorizeRequest is authenticated.

 // If the request is authenticated, UserData and Authorized are set and false is returned.

 // If the request is not authenticated, the auth handler is called and the request is not authorized

-func (h *AuthorizeAuthenticator) HandleAuthorize(ar *osin.AuthorizeRequest, w http.ResponseWriter) (bool, error) {

+func (h *AuthorizeAuthenticator) HandleAuthorize(ar *osin.AuthorizeRequest, resp *osin.Response, w http.ResponseWriter) (bool, error) {

 	info, ok, err := h.request.AuthenticateRequest(ar.HttpRequest)

 	if err != nil {

 		glog.V(4).Infof("OAuth authentication error: %v", err)

@@ -5,13 +5,20 @@ import (

 	"fmt"

 	"net/http"

 	"net/url"

+	"strings"

 	"github.com/RangelReale/osin"

 	"k8s.io/kubernetes/pkg/auth/user"

+	utilruntime "k8s.io/kubernetes/pkg/util/runtime"

+	"k8s.io/kubernetes/pkg/util/sets"

 	"github.com/openshift/origin/pkg/auth/api"

+	scopeauthorizer "github.com/openshift/origin/pkg/authorization/authorizer/scope"

 	oauthapi "github.com/openshift/origin/pkg/oauth/api"

+	"github.com/openshift/origin/pkg/oauth/api/validation"

+	"github.com/openshift/origin/pkg/oauth/scope"

+	"github.com/openshift/origin/pkg/oauth/server/osinserver"

 )

 // GrantCheck implements osinserver.AuthorizeHandler to ensure requested scopes have been authorized

@@ -22,7 +29,7 @@ type GrantCheck struct {

 }

 // NewGrantCheck returns a new GrantCheck

-func NewGrantCheck(check GrantChecker, handler GrantHandler, errorHandler GrantErrorHandler) *GrantCheck {

+func NewGrantCheck(check GrantChecker, handler GrantHandler, errorHandler GrantErrorHandler) osinserver.AuthorizeHandler {

 	return &GrantCheck{check, handler, errorHandler}

 }

@@ -32,7 +39,7 @@ func NewGrantCheck(check GrantChecker, handler GrantHandler, errorHandler GrantE

 // If the requested scopes are not authorized, or an error occurs, AuthorizeRequest.Authorized is set to false.

 // If the response is written, true is returned.

 // If the response is not written, false is returned.

-func (h *GrantCheck) HandleAuthorize(ar *osin.AuthorizeRequest, w http.ResponseWriter) (bool, error) {

+func (h *GrantCheck) HandleAuthorize(ar *osin.AuthorizeRequest, resp *osin.Response, w http.ResponseWriter) (bool, error) {

 	// Requests must already be authorized before we will check grants

 	if !ar.Authorized {

@@ -44,7 +51,40 @@ func (h *GrantCheck) HandleAuthorize(ar *osin.AuthorizeRequest, w http.ResponseW

 	user, ok := ar.UserData.(user.Info)

 	if !ok || user == nil {

-		return h.errorHandler.GrantError(errors.New("the provided user data is not user.Info"), w, ar.HttpRequest)

+		utilruntime.HandleError(fmt.Errorf("the provided user data is not a user.Info object: %#v", user))

+		resp.SetError("server_error", "")

+		return false, nil

+	}

+

+	client, ok := ar.Client.GetUserData().(*oauthapi.OAuthClient)

+	if !ok || client == nil {

+		utilruntime.HandleError(fmt.Errorf("the provided client is not an *api.OAuthClient object: %#v", client))

+		resp.SetError("server_error", "")

+		return false, nil

+	}

+

+	// Normalize the scope request, and ensure all tokens contain a scope

+	scopes := scope.Split(ar.Scope)

+	if len(scopes) == 0 {

+		scopes = append(scopes, scopeauthorizer.UserFull)

+	}

+	ar.Scope = scope.Join(scopes)

+

+	// Validate the requested scopes

+	if scopeErrors := validation.ValidateScopes(scopes, nil); len(scopeErrors) > 0 {

+		resp.SetError("invalid_scope", scopeErrors.ToAggregate().Error())

+		return false, nil

+	}

+

+	invalidScopes := sets.NewString()

+	for _, scope := range scopes {

+		if err := scopeauthorizer.ValidateScopeRestrictions(client, scope); err != nil {

+			invalidScopes.Insert(scope)

+		}

+	}

+	if len(invalidScopes) > 0 {

+		resp.SetError("access_denied", fmt.Sprintf("scope denied: %s", strings.Join(invalidScopes.List(), " ")))

+		return false, nil

 	}

 	grant := &api.Grant{

@@ -57,7 +97,9 @@ func (h *GrantCheck) HandleAuthorize(ar *osin.AuthorizeRequest, w http.ResponseW

 	// Check if the user has already authorized this grant

 	authorized, err := h.check.HasAuthorizedClient(user, grant)

 	if err != nil {

-		return h.errorHandler.GrantError(err, w, ar.HttpRequest)

+		utilruntime.HandleError(err)

+		resp.SetError("server_error", "")

+		return false, nil

 	}

 	if authorized {

 		ar.Authorized = true

@@ -7,6 +7,7 @@ import (

 	"testing"

 	"time"

+	"github.com/RangelReale/osin"

 	"github.com/RangelReale/osincli"

 	kapi "k8s.io/kubernetes/pkg/api"

 	apierrs "k8s.io/kubernetes/pkg/api/errors"

@@ -25,6 +26,8 @@ import (

 )

 type testHandlers struct {

+	AuthorizeHandler osinserver.AuthorizeHandler

+

 	User         user.Info

 	Authenticate bool

 	Err          error

@@ -33,6 +36,11 @@ type testHandlers struct {

 	GrantNeed    bool

 	GrantErr     error

+	HandleAuthorizeReq     *osin.AuthorizeRequest

+	HandleAuthorizeResp    *osin.Response

+	HandleAuthorizeHandled bool

+	HandleAuthorizeErr     error

+

 	AuthNeedHandled bool

 	AuthNeedErr     error

@@ -43,6 +51,13 @@ type testHandlers struct {

 	HandledErr error

 }

+func (h *testHandlers) HandleAuthorize(ar *osin.AuthorizeRequest, resp *osin.Response, w http.ResponseWriter) (handled bool, err error) {

+	h.HandleAuthorizeReq = ar

+	h.HandleAuthorizeResp = resp

+	h.HandleAuthorizeHandled, h.HandleAuthorizeErr = h.AuthorizeHandler.HandleAuthorize(ar, resp, w)

+	return h.HandleAuthorizeHandled, h.HandleAuthorizeErr

+}

+

 func (h *testHandlers) AuthenticationNeeded(client api.Client, w http.ResponseWriter, req *http.Request) (bool, error) {

 	h.AuthNeed = true

 	return h.AuthNeedHandled, h.AuthNeedErr

@@ -82,9 +97,14 @@ func TestRegistryAndServer(t *testing.T) {

 		Secret:       "secret",

 		RedirectURIs: []string{assertServer.URL + "/assert"},

 	}

-	validClientAuth := &oapi.OAuthClientAuthorization{

-		UserName:   "user",

-		ClientName: "test",

+

+	restrictedClient := &oapi.OAuthClient{

+		ObjectMeta:   kapi.ObjectMeta{Name: "test"},

+		Secret:       "secret",

+		RedirectURIs: []string{assertServer.URL + "/assert"},

+		ScopeRestrictions: []oapi.ScopeRestriction{

+			{ExactValues: []string{"user:info"}},

+		},

 	}

 	testCases := map[string]struct {

@@ -98,7 +118,7 @@ func TestRegistryAndServer(t *testing.T) {

 		"needs auth": {

 			Client: validClient,

 			Check: func(h *testHandlers, _ *http.Request) {

-				if !h.AuthNeed || h.GrantNeed || h.AuthErr != nil || h.GrantErr != nil {

+				if !h.AuthNeed || h.GrantNeed || h.AuthErr != nil || h.GrantErr != nil || h.HandleAuthorizeReq.Authorized {

 					t.Errorf("expected request to need authentication: %#v", h)

 				}

 			},

@@ -110,11 +130,37 @@ func TestRegistryAndServer(t *testing.T) {

 				Name: "user",

 			},

 			Check: func(h *testHandlers, _ *http.Request) {

-				if h.AuthNeed || !h.GrantNeed || h.AuthErr != nil || h.GrantErr != nil {

+				if h.AuthNeed || !h.GrantNeed || h.AuthErr != nil || h.GrantErr != nil || h.HandleAuthorizeReq.Authorized {

 					t.Errorf("expected request to need to grant access: %#v", h)

 				}

 			},

 		},

+		"invalid scope": {

+			Client:      validClient,

+			AuthSuccess: true,

+			AuthUser: &user.DefaultInfo{

+				Name: "user",

+			},

+			Scope: "some-scope",

+			Check: func(h *testHandlers, _ *http.Request) {

+				if h.AuthNeed || h.GrantNeed || h.AuthErr != nil || h.GrantErr != nil || h.HandleAuthorizeReq.Authorized || h.HandleAuthorizeResp.ErrorId != "invalid_scope" {

+					t.Errorf("expected invalid_scope error: %#v, %#v, %#v", h, h.HandleAuthorizeReq, h.HandleAuthorizeResp)

+				}

+			},

+		},

+		"disallowed scope": {

+			Client:      restrictedClient,

+			AuthSuccess: true,

+			AuthUser: &user.DefaultInfo{

+				Name: "user",

+			},

+			Scope: "user:full",

+			Check: func(h *testHandlers, _ *http.Request) {

+				if h.AuthNeed || h.GrantNeed || h.AuthErr != nil || h.GrantErr != nil || h.HandleAuthorizeReq.Authorized || h.HandleAuthorizeResp.ErrorId != "access_denied" {

+					t.Errorf("expected access_denied error: %#v, %#v, %#v", h, h.HandleAuthorizeReq, h.HandleAuthorizeResp)

+				}

+			},

+		},

 		"has non covered grant": {

 			Client:      validClient,

 			AuthSuccess: true,

@@ -124,11 +170,11 @@ func TestRegistryAndServer(t *testing.T) {

 			ClientAuth: &oapi.OAuthClientAuthorization{

 				UserName:   "user",

 				ClientName: "test",

-				Scopes:     []string{"test"},

+				Scopes:     []string{"user:info"},

 			},

-			Scope: "test other",

+			Scope: "user:info user:check-access",

 			Check: func(h *testHandlers, req *http.Request) {

-				if h.AuthNeed || !h.GrantNeed || h.AuthErr != nil || h.GrantErr != nil {

+				if h.AuthNeed || !h.GrantNeed || h.AuthErr != nil || h.GrantErr != nil || h.HandleAuthorizeReq.Authorized {

 					t.Errorf("expected request to need to grant access because of uncovered scopes: %#v", h)

 				}

 			},

@@ -142,12 +188,12 @@ func TestRegistryAndServer(t *testing.T) {

 			ClientAuth: &oapi.OAuthClientAuthorization{

 				UserName:   "user",

 				ClientName: "test",

-				Scopes:     []string{"test", "other"},

+				Scopes:     []string{"user:info", "user:check-access"},

 			},

-			Scope: "test other",

+			Scope: "user:info user:check-access",

 			Check: func(h *testHandlers, req *http.Request) {

-				if h.AuthNeed || h.GrantNeed || h.AuthErr != nil || h.GrantErr != nil {

-					t.Errorf("unexpected flow: %#v", h)

+				if h.AuthNeed || h.GrantNeed || h.AuthErr != nil || h.GrantErr != nil || !h.HandleAuthorizeReq.Authorized || h.HandleAuthorizeResp.ErrorId != "" {

+					t.Errorf("unexpected flow: %#v, %#v, %#v", h, h.HandleAuthorizeReq, h.HandleAuthorizeResp)

 				}

 			},

 		},

@@ -157,10 +203,14 @@ func TestRegistryAndServer(t *testing.T) {

 			AuthUser: &user.DefaultInfo{

 				Name: "user",

 			},

-			ClientAuth: validClientAuth,

+			ClientAuth: &oapi.OAuthClientAuthorization{

+				UserName:   "user",

+				ClientName: "test",

+				Scopes:     []string{"user:full"},

+			},

 			Check: func(h *testHandlers, req *http.Request) {

-				if h.AuthNeed || h.GrantNeed || h.AuthErr != nil || h.GrantErr != nil {

-					t.Errorf("unexpected flow: %#v", h)

+				if h.AuthNeed || h.GrantNeed || h.AuthErr != nil || h.GrantErr != nil || !h.HandleAuthorizeReq.Authorized || h.HandleAuthorizeResp.ErrorId != "" {

+					t.Errorf("unexpected flow: %#v, %#v, %#v", h, h.HandleAuthorizeReq, h.HandleAuthorizeResp)

 					return

 				}

 				if req == nil {

@@ -193,21 +243,24 @@ func TestRegistryAndServer(t *testing.T) {

 		}

 		storage := registrystorage.New(access, authorize, client, NewUserConversion())

 		config := osinserver.NewDefaultServerConfig()

+

+		h.AuthorizeHandler = osinserver.AuthorizeHandlers{

+			handlers.NewAuthorizeAuthenticator(

+				h,

+				h,

+				h,

+			),

+			handlers.NewGrantCheck(

+				NewClientAuthorizationGrantChecker(grant),

+				h,

+				h,

+			),

+		}

+

 		server := osinserver.New(

 			config,

 			storage,

-			osinserver.AuthorizeHandlers{

-				handlers.NewAuthorizeAuthenticator(

-					h,

-					h,

-					h,

-				),

-				handlers.NewGrantCheck(

-					NewClientAuthorizationGrantChecker(grant),

-					h,

-					h,

-				),

-			},

+			h,

 			osinserver.AccessHandlers{

 				handlers.NewDenyAccessAuthenticator(),

 			},

@@ -72,6 +72,18 @@ func TestAuthorize(t *testing.T) {

 			attributes:     defaultauthorizer.DefaultAuthorizationAttributes{Verb: "get", NonResourceURL: true, URL: "/api"},

 			expectedCalled: true,

 		},

+		{

+			name:           "user:full covers any resource",

+			user:           &user.DefaultInfo{Extra: map[string][]string{authorizationapi.ScopesKey: {"user:full"}}},

+			attributes:     defaultauthorizer.DefaultAuthorizationAttributes{Verb: "update", Resource: "users", ResourceName: "harold"},

+			expectedCalled: true,

+		},

+		{

+			name:           "user:full covers any non-resource",

+			user:           &user.DefaultInfo{Extra: map[string][]string{authorizationapi.ScopesKey: {"user:full"}}},

+			attributes:     defaultauthorizer.DefaultAuthorizationAttributes{Verb: "post", NonResourceURL: true, URL: "/foo/bar/baz"},

+			expectedCalled: true,

+		},

 	}

 	for _, tc := range testCases {

@@ -79,12 +79,15 @@ var ScopeEvaluators = []ScopeEvaluator{

 // namespace:<namespace name>:<comma-delimited verbs>:<comma-delimited resources>

 const (

-	UserInfo        = "info"

-	UserAccessCheck = "check-access"

+	UserInfo        = UserIndicator + "info"

+	UserAccessCheck = UserIndicator + "check-access"

 	// UserListProject gives explicit permission to see the projects a user can see.  This is often used to prime secondary ACL systems

 	// unrelated to openshift and to display projects for selection in a secondary UI.

-	UserListProject = "list-projects"

+	UserListProject = UserIndicator + "list-projects"

+

+	// UserFull includes all permissions of the user

+	UserFull = UserIndicator + "full"

 )

 // user:<scope name>

@@ -96,9 +99,7 @@ func (userEvaluator) Handles(scope string) bool {

 func (userEvaluator) Validate(scope string) error {

 	switch scope {

-	case UserIndicator + UserInfo,

-		UserIndicator + UserAccessCheck,

-		UserIndicator + UserListProject:

+	case UserFull, UserInfo, UserAccessCheck, UserListProject:

 		return nil

 	}

@@ -107,12 +108,14 @@ func (userEvaluator) Validate(scope string) error {

 func (userEvaluator) Describe(scope string) string {

 	switch scope {

-	case UserIndicator + UserInfo:

-		return "Information about you, including: username, identity names, and group membership."

-	case UserIndicator + UserAccessCheck:

+	case UserInfo:

+		return "Information about you, including username, identity names, and group membership."

+	case UserAccessCheck:

 		return `Information about user privileges, e.g. "Can I create builds?"`

-	case UserIndicator + UserListProject:

+	case UserListProject:

 		return `See projects you're aware of and the metadata (display name, description, etc) about those projects.`

+	case UserFull:

+		return `Full access to the server with all of your permissions.`

 	default:

 		return fmt.Sprintf("unrecognized scope: %v", scope)

 	}

@@ -120,19 +123,24 @@ func (userEvaluator) Describe(scope string) string {

 func (userEvaluator) ResolveRules(scope, namespace string, clusterPolicyGetter client.ClusterPolicyLister) ([]authorizationapi.PolicyRule, error) {

 	switch scope {

-	case UserIndicator + UserInfo:

+	case UserInfo:

 		return []authorizationapi.PolicyRule{

 			{Verbs: sets.NewString("get"), APIGroups: []string{userapi.GroupName}, Resources: sets.NewString("users"), ResourceNames: sets.NewString("~")},

 		}, nil

-	case UserIndicator + UserAccessCheck:

+	case UserAccessCheck:

 		return []authorizationapi.PolicyRule{

 			{Verbs: sets.NewString("create"), APIGroups: []string{authorizationapi.GroupName}, Resources: sets.NewString("subjectaccessreviews", "localsubjectaccessreviews"), AttributeRestrictions: &authorizationapi.IsPersonalSubjectAccessReview{}},

 			authorizationapi.NewRule("create").Groups(authorizationapi.GroupName).Resources("selfsubjectrulesreviews").RuleOrDie(),

 		}, nil

-	case UserIndicator + UserListProject:

+	case UserListProject:

 		return []authorizationapi.PolicyRule{

 			{Verbs: sets.NewString("list"), APIGroups: []string{projectapi.GroupName}, Resources: sets.NewString("projects")},

 		}, nil

+	case UserFull:

+		return []authorizationapi.PolicyRule{

+			{Verbs: sets.NewString("*"), APIGroups: []string{"*"}, Resources: sets.NewString("*")},

+			{Verbs: sets.NewString("*"), NonResourceURLs: sets.NewString("*")},

+		}, nil

 	default:

 		return nil, fmt.Errorf("unrecognized scope: %v", scope)

 	}

@@ -33,28 +33,28 @@ func TestUserEvaluator(t *testing.T) {

 		},

 		{

 			name:     "info",

-			scopes:   []string{UserIndicator + UserInfo},

+			scopes:   []string{UserInfo},

 			numRules: 2,

 		},

 		{

 			name:     "one-error",

-			scopes:   []string{UserIndicator, UserIndicator + UserInfo},

+			scopes:   []string{UserIndicator, UserInfo},

 			err:      "unrecognized scope",

 			numRules: 2,

 		},

 		{

 			name:     "access",

-			scopes:   []string{UserIndicator + UserAccessCheck},

+			scopes:   []string{UserAccessCheck},

 			numRules: 3,

 		},

 		{

 			name:     "both",

-			scopes:   []string{UserIndicator + UserInfo, UserIndicator + UserAccessCheck},

+			scopes:   []string{UserInfo, UserAccessCheck},

 			numRules: 4,

 		},

 		{

 			name:     "list-projects",

-			scopes:   []string{UserIndicator + UserListProject},

+			scopes:   []string{UserListProject},

 			numRules: 2,

 		},

 	}

@@ -15,6 +15,7 @@ type OAuthClientAuthorizationInterface interface {

 	Create(obj *oauthapi.OAuthClientAuthorization) (*oauthapi.OAuthClientAuthorization, error)

 	List(opts kapi.ListOptions) (*oauthapi.OAuthClientAuthorizationList, error)

 	Get(name string) (*oauthapi.OAuthClientAuthorization, error)

+	Update(obj *oauthapi.OAuthClientAuthorization) (*oauthapi.OAuthClientAuthorization, error)

 	Delete(name string) error

 	Watch(opts kapi.ListOptions) (watch.Interface, error)

 }

@@ -35,6 +36,12 @@ func (c *oauthClientAuthorizations) Create(obj *oauthapi.OAuthClientAuthorizatio

 	return

 }

+func (c *oauthClientAuthorizations) Update(obj *oauthapi.OAuthClientAuthorization) (result *oauthapi.OAuthClientAuthorization, err error) {

+	result = &oauthapi.OAuthClientAuthorization{}

+	err = c.r.Put().Resource("oAuthClientAuthorizations").Name(obj.Name).Body(obj).Do().Into(result)

+	return

+}

+

 func (c *oauthClientAuthorizations) List(opts kapi.ListOptions) (result *oauthapi.OAuthClientAuthorizationList, err error) {

 	result = &oauthapi.OAuthClientAuthorizationList{}

 	err = c.r.Get().Resource("oAuthClientAuthorizations").VersionedParams(&opts, kapi.ParameterCodec).Do().Into(result)

@@ -39,6 +39,15 @@ func (c *FakeOAuthClientAuthorization) Create(inObj *oauthapi.OAuthClientAuthori

 	return obj.(*oauthapi.OAuthClientAuthorization), err

 }

+func (c *FakeOAuthClientAuthorization) Update(inObj *oauthapi.OAuthClientAuthorization) (*oauthapi.OAuthClientAuthorization, error) {

+	obj, err := c.Fake.Invokes(ktestclient.NewRootUpdateAction("oauthClientAuthorizations", inObj), inObj)

+	if obj == nil {

+		return nil, err

+	}

+

+	return obj.(*oauthapi.OAuthClientAuthorization), err

+}

+

 func (c *FakeOAuthClientAuthorization) Delete(name string) error {

 	_, err := c.Fake.Invokes(ktestclient.NewRootDeleteAction("oauthClientAuthorizations", name), &oauthapi.OAuthClientAuthorization{})

 	return err

@@ -370,14 +370,14 @@ func (c *AuthConfig) getGrantHandler(mux cmdutil.Mux, auth authenticator.Request

 func (c *AuthConfig) getAuthenticationFinalizer() osinserver.AuthorizeHandler {

 	if c.SessionAuth != nil {

 		// The session needs to know the authorize flow is done so it can invalidate the session

-		return osinserver.AuthorizeHandlerFunc(func(ar *osin.AuthorizeRequest, w http.ResponseWriter) (bool, error) {

+		return osinserver.AuthorizeHandlerFunc(func(ar *osin.AuthorizeRequest, resp *osin.Response, w http.ResponseWriter) (bool, error) {

 			_ = c.SessionAuth.InvalidateAuthentication(w, ar.HttpRequest)

 			return false, nil

 		})

 	}

 	// Otherwise return a no-op finalizer

-	return osinserver.AuthorizeHandlerFunc(func(ar *osin.AuthorizeRequest, w http.ResponseWriter) (bool, error) {

+	return osinserver.AuthorizeHandlerFunc(func(ar *osin.AuthorizeRequest, resp *osin.Response, w http.ResponseWriter) (bool, error) {

 		return false, nil

 	})

 }

@@ -14,22 +14,25 @@ type Mux interface {

 // AuthorizeHandler populates an AuthorizeRequest or handles the request itself

 type AuthorizeHandler interface {

-	// HandleAuthorize populates an AuthorizeRequest (typically the Authorized and UserData fields)

-	// and returns false, or writes the response itself and returns true.

-	HandleAuthorize(ar *osin.AuthorizeRequest, w http.ResponseWriter) (handled bool, err error)

+	// HandleAuthorize does one of the following:

+	// 1. populates an AuthorizeRequest (typically the Authorized and UserData fields) and returns false

+	// 2. populates the error fields of a Response object and returns false

+	// 3. returns an internal server error and returns false

+	// 4. writes the response itself and returns true

+	HandleAuthorize(ar *osin.AuthorizeRequest, resp *osin.Response, w http.ResponseWriter) (handled bool, err error)

 }

-type AuthorizeHandlerFunc func(ar *osin.AuthorizeRequest, w http.ResponseWriter) (bool, error)

+type AuthorizeHandlerFunc func(ar *osin.AuthorizeRequest, resp *osin.Response, w http.ResponseWriter) (bool, error)

-func (f AuthorizeHandlerFunc) HandleAuthorize(ar *osin.AuthorizeRequest, w http.ResponseWriter) (bool, error) {

-	return f(ar, w)

+func (f AuthorizeHandlerFunc) HandleAuthorize(ar *osin.AuthorizeRequest, resp *osin.Response, w http.ResponseWriter) (bool, error) {

+	return f(ar, resp, w)

 }

 type AuthorizeHandlers []AuthorizeHandler

-func (all AuthorizeHandlers) HandleAuthorize(ar *osin.AuthorizeRequest, w http.ResponseWriter) (bool, error) {

+func (all AuthorizeHandlers) HandleAuthorize(ar *osin.AuthorizeRequest, resp *osin.Response, w http.ResponseWriter) (bool, error) {

 	for _, h := range all {

-		if handled, err := h.HandleAuthorize(ar, w); handled || err != nil {

+		if handled, err := h.HandleAuthorize(ar, resp, w); handled || err != nil {

 			return handled, err

 		}

 	}

@@ -82,7 +82,7 @@ func (s *Server) handleAuthorize(w http.ResponseWriter, r *http.Request) {

 		} else {

-			handled, err := s.authorize.HandleAuthorize(ar, w)

+			handled, err := s.authorize.HandleAuthorize(ar, resp, w)

 			if err != nil {

 				s.errorHandler.HandleError(err, w, r)

 				return

@@ -22,7 +22,7 @@ func TestClientCredentialFlow(t *testing.T) {

 	oauthServer := New(

 		NewDefaultServerConfig(),

 		storage,

-		AuthorizeHandlerFunc(func(ar *osin.AuthorizeRequest, w http.ResponseWriter) (bool, error) {

+		AuthorizeHandlerFunc(func(ar *osin.AuthorizeRequest, resp *osin.Response, w http.ResponseWriter) (bool, error) {

 			ar.Authorized = true

 			return false, nil

 		}),

@@ -65,7 +65,7 @@ func TestAuthorizeStartFlow(t *testing.T) {

 	oauthServer := New(

 		NewDefaultServerConfig(),

 		storage,

-		AuthorizeHandlerFunc(func(ar *osin.AuthorizeRequest, w http.ResponseWriter) (bool, error) {

+		AuthorizeHandlerFunc(func(ar *osin.AuthorizeRequest, resp *osin.Response, w http.ResponseWriter) (bool, error) {

 			ar.Authorized = true

 			return false, nil

 		}),

@@ -83,7 +83,7 @@ func (a *saOAuthClientAdapter) GetClient(ctx kapi.Context, name string) (*oautha

 func getScopeRestrictionsFor(namespace, name string) []oauthapi.ScopeRestriction {

 	return []oauthapi.ScopeRestriction{

-		{ExactValues: []string{scopeauthorizer.UserIndicator + scopeauthorizer.UserInfo, scopeauthorizer.UserIndicator + scopeauthorizer.UserAccessCheck}},

+		{ExactValues: []string{scopeauthorizer.UserInfo, scopeauthorizer.UserAccessCheck}},

 		{ClusterRole: &oauthapi.ClusterRoleScopeRestriction{RoleNames: []string{"*"}, Namespaces: []string{namespace}, AllowEscalation: true}},

 	}

 }

@@ -82,7 +82,7 @@ func TestNodeAuth(t *testing.T) {

 		ObjectMeta: kapi.ObjectMeta{Name: "whoami-token-plus-some-padding-here-to-make-the-limit"},

 		ClientName: origin.OpenShiftCLIClientID,

 		ExpiresIn:  200,

-		Scopes:     []string{scope.UserIndicator + scope.UserInfo},

+		Scopes:     []string{scope.UserInfo},

 		UserName:   bobUser.Name,

 		UserUID:    string(bobUser.UID),

 	}

@@ -86,7 +86,7 @@ func TestOAuthStorage(t *testing.T) {

 	oauthServer := osinserver.New(

 		osinserver.NewDefaultServerConfig(),

 		storage,

-		osinserver.AuthorizeHandlerFunc(func(ar *osin.AuthorizeRequest, w http.ResponseWriter) (bool, error) {

+		osinserver.AuthorizeHandlerFunc(func(ar *osin.AuthorizeRequest, resp *osin.Response, w http.ResponseWriter) (bool, error) {

 			ar.UserData = "test"

 			ar.Authorized = true

 			return false, nil

@@ -2,18 +2,18 @@ package integration

 import (

 	"crypto/tls"

-	"encoding/base64"

-	"io/ioutil"

 	"net/http"

+	"net/http/cookiejar"

 	"net/http/httptest"

 	"net/http/httputil"

-	"net/url"

-	"regexp"

-	"strings"

+	"reflect"

 	"testing"

 	"time"

+	"golang.org/x/net/html"

+

 	"github.com/RangelReale/osincli"

+	"github.com/golang/glog"

 	kapi "k8s.io/kubernetes/pkg/api"

 	kapierrors "k8s.io/kubernetes/pkg/api/errors"

@@ -23,11 +23,12 @@ import (

 	"k8s.io/kubernetes/pkg/util/wait"

 	"github.com/openshift/origin/pkg/client"

-	"github.com/openshift/origin/pkg/cmd/server/origin"

 	"github.com/openshift/origin/pkg/cmd/util/clientcmd"

+	oauthapi "github.com/openshift/origin/pkg/oauth/api"

 	"github.com/openshift/origin/pkg/oauth/scope"

 	saoauth "github.com/openshift/origin/pkg/serviceaccounts/oauthclient"

 	testutil "github.com/openshift/origin/test/util"

+	htmlutil "github.com/openshift/origin/test/util/html"

 	testserver "github.com/openshift/origin/test/util/server"

 )

@@ -52,6 +53,7 @@ func TestSAAsOAuthClient(t *testing.T) {

 		}

 	}))

 	defer oauthServer.Close()

+	redirectURL := oauthServer.URL + "/oauthcallback"

 	clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)

 	if err != nil {

@@ -74,6 +76,17 @@ func TestSAAsOAuthClient(t *testing.T) {

 		t.Fatalf("unexpected error: %v", err)

 	}

+	promptingClient, err := clusterAdminClient.OAuthClients().Create(&oauthapi.OAuthClient{

+		ObjectMeta:            kapi.ObjectMeta{Name: "prompting-client"},

+		Secret:                "prompting-client-secret",

+		RedirectURIs:          []string{redirectURL},

+		GrantMethod:           oauthapi.GrantHandlerPrompt,

+		RespondWithChallenges: true,

+	})

+	if err != nil {

+		t.Fatalf("unexpected error: %v", err)

+	}

+

 	// get the SA ready with redirect URIs and secret annotations

 	var defaultSA *kapi.ServiceAccount

@@ -86,7 +99,7 @@ func TestSAAsOAuthClient(t *testing.T) {

 		if defaultSA.Annotations == nil {

 			defaultSA.Annotations = map[string]string{}

 		}

-		defaultSA.Annotations[saoauth.OAuthRedirectURISecretAnnotationPrefix+"one"] = oauthServer.URL

+		defaultSA.Annotations[saoauth.OAuthRedirectURISecretAnnotationPrefix+"one"] = redirectURL

 		defaultSA.Annotations[saoauth.OAuthWantChallengesAnnotationPrefix] = "true"

 		defaultSA, err = clusterAdminKubeClient.ServiceAccounts(projectName).Update(defaultSA)

 		return err

@@ -116,209 +129,315 @@ func TestSAAsOAuthClient(t *testing.T) {

 		t.Fatalf("unexpected error: %v", err)

 	}

-	oauthClientConfig := &osincli.ClientConfig{

-		ClientId:     serviceaccount.MakeUsername(defaultSA.Namespace, defaultSA.Name),

-		ClientSecret: string(oauthSecret.Data[kapi.ServiceAccountTokenKey]),

-		AuthorizeUrl: clusterAdminClientConfig.Host + "/oauth/authorize",

-		TokenUrl:     clusterAdminClientConfig.Host + "/oauth/token",

-		RedirectUrl:  oauthServer.URL,

-		Scope:        scope.Join([]string{"user:info", "role:edit:" + projectName}),

-		SendClientSecretInParams: true,

+	promptApprovalSuccess := []string{

+		"GET /oauth/authorize",

+		"received challenge",

+		"GET /oauth/authorize",

+		"redirect to /oauth/approve",

+		"form",

+		"POST /oauth/approve",

+		"redirect to /oauth/authorize",

+		"redirect to /oauthcallback",

+		"code",

+	}

+	noPromptSuccess := []string{

+		"GET /oauth/authorize",

+		"received challenge",

+		"GET /oauth/authorize",

+		"redirect to /oauthcallback",

+		"code",

 	}

-	runOAuthFlow(t, clusterAdminClientConfig, projectName, oauthClientConfig, authorizationCodes, authorizationErrors, true, true)

-	clusterAdminClient.OAuthClientAuthorizations().Delete("harold:" + oauthClientConfig.ClientId)

-

-	oauthClientConfig = &osincli.ClientConfig{

-		ClientId:     serviceaccount.MakeUsername(defaultSA.Namespace, defaultSA.Name),

-		ClientSecret: string(oauthSecret.Data[kapi.ServiceAccountTokenKey]),

-		AuthorizeUrl: clusterAdminClientConfig.Host + "/oauth/authorize",

-		TokenUrl:     clusterAdminClientConfig.Host + "/oauth/token",

-		RedirectUrl:  oauthServer.URL,

-		Scope:        scope.Join([]string{"user:info", "role:edit:other-ns"}),

-		SendClientSecretInParams: true,

-	}

-	runOAuthFlow(t, clusterAdminClientConfig, projectName, oauthClientConfig, authorizationCodes, authorizationErrors, false, false)

-	clusterAdminClient.OAuthClientAuthorizations().Delete("harold:" + oauthClientConfig.ClientId)

-

-	oauthClientConfig = &osincli.ClientConfig{

-		ClientId:     serviceaccount.MakeUsername(defaultSA.Namespace, defaultSA.Name),

-		ClientSecret: string(oauthSecret.Data[kapi.ServiceAccountTokenKey]),

-		AuthorizeUrl: clusterAdminClientConfig.Host + "/oauth/authorize",

-		TokenUrl:     clusterAdminClientConfig.Host + "/oauth/token",

-		RedirectUrl:  oauthServer.URL,

-		Scope:        scope.Join([]string{"user:info"}),

-		SendClientSecretInParams: true,

-	}

-	runOAuthFlow(t, clusterAdminClientConfig, projectName, oauthClientConfig, authorizationCodes, authorizationErrors, true, false)

-	clusterAdminClient.OAuthClientAuthorizations().Delete("harold:" + oauthClientConfig.ClientId)

-}

-var grantCSRFRegex = regexp.MustCompile(`input type="hidden" name="csrf" value="([^"]*)"`)

-var grantThenRegex = regexp.MustCompile(`input type="hidden" name="then" value="([^"]*)"`)

+	// Test with a normal OAuth client

+	{

+		oauthClientConfig := &osincli.ClientConfig{

+			ClientId:                 promptingClient.Name,

+			ClientSecret:             promptingClient.Secret,

+			AuthorizeUrl:             clusterAdminClientConfig.Host + "/oauth/authorize",

+			TokenUrl:                 clusterAdminClientConfig.Host + "/oauth/token",

+			RedirectUrl:              redirectURL,

+			SendClientSecretInParams: true,

+		}

+		t.Log("Testing unrestricted scope")

+		oauthClientConfig.Scope = ""

+		// approval steps are needed for unscoped access

+		runOAuthFlow(t, clusterAdminClientConfig, projectName, oauthClientConfig, authorizationCodes, authorizationErrors, true, true, promptApprovalSuccess)

+		// verify the persisted client authorization looks like we expect

+		if clientAuth, err := clusterAdminClient.OAuthClientAuthorizations().Get("harold:" + oauthClientConfig.ClientId); err != nil {

+			t.Fatalf("Unexpected error: %v", err)

+		} else if !reflect.DeepEqual(clientAuth.Scopes, []string{"user:full"}) {

+			t.Fatalf("Unexpected scopes: %v", clientAuth.Scopes)

+		} else {

+			// update the authorization to not contain any approved scopes

+			clientAuth.Scopes = nil

+			if _, err := clusterAdminClient.OAuthClientAuthorizations().Update(clientAuth); err != nil {

+				t.Fatalf("Unexpected error: %v", err)

+			}

+		}

+		// approval steps are needed again for unscoped access

+		runOAuthFlow(t, clusterAdminClientConfig, projectName, oauthClientConfig, authorizationCodes, authorizationErrors, true, true, promptApprovalSuccess)

+		// with the authorization stored, approval steps are skipped

+		runOAuthFlow(t, clusterAdminClientConfig, projectName, oauthClientConfig, authorizationCodes, authorizationErrors, true, true, noPromptSuccess)

-func runOAuthFlow(t *testing.T, clusterAdminClientConfig *restclient.Config, projectName string, oauthClientConfig *osincli.ClientConfig, authorizationCodes, authorizationErrors chan string, expectGrantSuccess, expectBuildSuccess bool) {

-	oauthRuntimeClient, err := osincli.NewClient(oauthClientConfig)

-	if err != nil {

-		t.Fatalf("unexpected error: %v", err)

-	}

-	oauthRuntimeClient.Transport = &http.Transport{

-		TLSClientConfig: &tls.Config{

-			InsecureSkipVerify: true,

-		},

-	}

+		// Approval step is needed again. Second time, the approval steps is not needed

+		t.Log("Testing restricted scope")

+		oauthClientConfig.Scope = "user:info"

+		runOAuthFlow(t, clusterAdminClientConfig, projectName, oauthClientConfig, authorizationCodes, authorizationErrors, true, false, promptApprovalSuccess)

+		runOAuthFlow(t, clusterAdminClientConfig, projectName, oauthClientConfig, authorizationCodes, authorizationErrors, true, false, noPromptSuccess)

-	directHTTPClient := &http.Client{

-		Transport: &http.Transport{

-			TLSClientConfig: &tls.Config{

-				InsecureSkipVerify: true,

-			},

-		},

-	}

+		// Now request an unscoped token again, and no approval should be needed

+		t.Log("Testing unrestricted scope")

+		oauthClientConfig.Scope = ""

+		runOAuthFlow(t, clusterAdminClientConfig, projectName, oauthClientConfig, authorizationCodes, authorizationErrors, true, true, noPromptSuccess)

-	// make sure we're prompted for a password

-	authorizeRequest := oauthRuntimeClient.NewAuthorizeRequest(osincli.CODE)

-	authorizeURL := authorizeRequest.GetAuthorizeUrlWithParams("opaque-scope")

-	authorizeHTTPRequest, err := http.NewRequest("GET", authorizeURL.String(), nil)

-	if err != nil {

-		t.Fatalf("unexpected error: %v", err)

-	}

-	authorizeHTTPRequest.Header.Add("X-CSRF-Token", "csrf-01")

-	authorizeResponse, err := directHTTPClient.Do(authorizeHTTPRequest)

-	if err != nil {

-		t.Fatalf("unexpected error: %v", err)

-	}

-	if authorizeResponse.StatusCode != http.StatusUnauthorized {

-		response, _ := httputil.DumpResponse(authorizeResponse, true)

-		t.Fatalf("didn't get an unauthorized:\n %v", string(response))

+		clusterAdminClient.OAuthClientAuthorizations().Delete("harold:" + oauthClientConfig.ClientId)

 	}

-	// first we should get a redirect to a grant flow

-	authenticatedAuthorizeHTTPRequest1, err := http.NewRequest("GET", authorizeURL.String(), nil)

-	authenticatedAuthorizeHTTPRequest1.Header.Add("X-CSRF-Token", "csrf-01")

-	authenticatedAuthorizeHTTPRequest1.Header.Add("Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte("harold:any-pass")))

-	authentictedAuthorizeResponse1, err := directHTTPClient.Transport.RoundTrip(authenticatedAuthorizeHTTPRequest1)

-	if err != nil {

-		t.Fatalf("unexpected error: %v", err)

-	}

-	if authentictedAuthorizeResponse1.StatusCode != http.StatusFound {

-		response, _ := httputil.DumpResponse(authentictedAuthorizeResponse1, true)

-		t.Fatalf("unexpected status :\n %v", string(response))

+	{

+		oauthClientConfig := &osincli.ClientConfig{

+			ClientId:     serviceaccount.MakeUsername(defaultSA.Namespace, defaultSA.Name),

+			ClientSecret: string(oauthSecret.Data[kapi.ServiceAccountTokenKey]),

+			AuthorizeUrl: clusterAdminClientConfig.Host + "/oauth/authorize",

+			TokenUrl:     clusterAdminClientConfig.Host + "/oauth/token",

+			RedirectUrl:  redirectURL,

+			Scope:        scope.Join([]string{"user:info", "role:edit:" + projectName}),

+			SendClientSecretInParams: true,

+		}

+		t.Log("Testing allowed scopes")

+		// First time, the approval steps are needed

+		// Second time, the approval steps are skipped

+		runOAuthFlow(t, clusterAdminClientConfig, projectName, oauthClientConfig, authorizationCodes, authorizationErrors, true, true, promptApprovalSuccess)

+		runOAuthFlow(t, clusterAdminClientConfig, projectName, oauthClientConfig, authorizationCodes, authorizationErrors, true, true, noPromptSuccess)

+		clusterAdminClient.OAuthClientAuthorizations().Delete("harold:" + oauthClientConfig.ClientId)

 	}

-	// second we get a webpage with a prompt.  Yeah, this next bit gets nasty

-	authenticatedAuthorizeHTTPRequest2, err := http.NewRequest("GET", clusterAdminClientConfig.Host+authentictedAuthorizeResponse1.Header.Get("Location"), nil)

-	authenticatedAuthorizeHTTPRequest2.Header.Add("X-CSRF-Token", "csrf-01")

-	authenticatedAuthorizeHTTPRequest2.Header.Add("Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte("harold:any-pass")))

-	authentictedAuthorizeResponse2, err := directHTTPClient.Transport.RoundTrip(authenticatedAuthorizeHTTPRequest2)

-	if err != nil {

-		t.Fatalf("unexpected error: %v", err)

-	}

-	if authentictedAuthorizeResponse2.StatusCode != http.StatusOK {

-		response, _ := httputil.DumpResponse(authentictedAuthorizeResponse2, true)

-		t.Fatalf("unexpected status :\n %v", string(response))

-	}

-	// have to parse the page to get the csrf value.  Yeah, that's nasty, I can't think of another way to do it without creating a new grant handler

-	body, err := ioutil.ReadAll(authentictedAuthorizeResponse2.Body)

-	if err != nil {

-		t.Fatalf("unexpected error: %v", err)

+	{

+		oauthClientConfig := &osincli.ClientConfig{

+			ClientId:     serviceaccount.MakeUsername(defaultSA.Namespace, defaultSA.Name),

+			ClientSecret: string(oauthSecret.Data[kapi.ServiceAccountTokenKey]),

+			AuthorizeUrl: clusterAdminClientConfig.Host + "/oauth/authorize",

+			TokenUrl:     clusterAdminClientConfig.Host + "/oauth/token",

+			RedirectUrl:  redirectURL,

+			Scope:        scope.Join([]string{"user:info", "role:edit:other-ns"}),

+			SendClientSecretInParams: true,

+		}

+		t.Log("Testing disallowed scopes")

+		runOAuthFlow(t, clusterAdminClientConfig, projectName, oauthClientConfig, authorizationCodes, authorizationErrors, false, false, []string{

+			"GET /oauth/authorize",

+			"received challenge",

+			"GET /oauth/authorize",

+			"redirect to /oauthcallback",

+			"error:access_denied",

+		})

+		clusterAdminClient.OAuthClientAuthorizations().Delete("harold:" + oauthClientConfig.ClientId)

 	}

-	if !expectGrantSuccess {

-		if !strings.Contains(string(body), "requested illegal scopes") {

-			t.Fatalf("missing expected message: %v", string(body))