Rename scope -> scopes for Set types

Fixes gh-4644
2017-10-18 16:41:57 -04:00 · 2017-10-18 16:41:57 -04:00 · 1e891b38ab
parent b81c1ce2c0
commit 1e891b38ab
21 changed files with 79 additions and 81 deletions
--- a/config/src/main/java/org/springframework/security/config/oauth2/client/CommonOAuth2Provider.java
+++ b/config/src/main/java/org/springframework/security/config/oauth2/client/CommonOAuth2Provider.java
@ -37,7 +37,7 @@ public enum CommonOAuth2Provider {
 		public Builder getBuilder(String registrationId) {
 			ClientRegistration.Builder builder = getBuilder(registrationId,
 					ClientAuthenticationMethod.BASIC, DEFAULT_REDIRECT_URL);
-			builder.scope("openid", "profile", "email", "address", "phone");
+			builder.scopes("openid", "profile", "email", "address", "phone");
 			builder.authorizationUri("https://accounts.google.com/o/oauth2/v2/auth");
 			builder.tokenUri("https://www.googleapis.com/oauth2/v4/token");
 			builder.jwkSetUri("https://www.googleapis.com/oauth2/v3/certs");
@ -54,7 +54,7 @@ public enum CommonOAuth2Provider {
 		public Builder getBuilder(String registrationId) {
 			ClientRegistration.Builder builder = getBuilder(registrationId,
 					ClientAuthenticationMethod.BASIC, DEFAULT_REDIRECT_URL);
-			builder.scope("user");
+			builder.scopes("user");
 			builder.authorizationUri("https://github.com/login/oauth/authorize");
 			builder.tokenUri("https://github.com/login/oauth/access_token");
 			builder.userInfoUri("https://api.github.com/user");
@ -70,7 +70,7 @@ public enum CommonOAuth2Provider {
 		public Builder getBuilder(String registrationId) {
 			ClientRegistration.Builder builder = getBuilder(registrationId,
 					ClientAuthenticationMethod.POST, DEFAULT_REDIRECT_URL);
-			builder.scope("public_profile", "email");
+			builder.scopes("public_profile", "email");
 			builder.authorizationUri("https://www.facebook.com/v2.8/dialog/oauth");
 			builder.tokenUri("https://graph.facebook.com/v2.8/oauth/access_token");
 			builder.userInfoUri("https://graph.facebook.com/me");
@ -86,7 +86,7 @@ public enum CommonOAuth2Provider {
 		public Builder getBuilder(String registrationId) {
 			ClientRegistration.Builder builder = getBuilder(registrationId,
 					ClientAuthenticationMethod.BASIC, DEFAULT_REDIRECT_URL);
-			builder.scope("openid", "profile", "email", "address", "phone");
+			builder.scopes("openid", "profile", "email", "address", "phone");
 			builder.userNameAttributeName(IdTokenClaim.SUB);
 			builder.clientName("Okta");
 			return builder;
--- a/config/src/test/java/org/springframework/security/config/oauth2/client/CommonOAuth2ProviderTests.java
+++ b/config/src/test/java/org/springframework/security/config/oauth2/client/CommonOAuth2ProviderTests.java
@ -52,7 +52,7 @@ public class CommonOAuth2ProviderTests {
 		assertThat(registration.getAuthorizationGrantType())
 			.isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE);
 		assertThat(registration.getRedirectUri()).isEqualTo(DEFAULT_REDIRECT_URL);
-		assertThat(registration.getScope()).containsOnly("openid", "profile", "email",
+		assertThat(registration.getScopes()).containsOnly("openid", "profile", "email",
 			"address", "phone");
 		assertThat(registration.getClientName()).isEqualTo("Google");
 		assertThat(registration.getRegistrationId()).isEqualTo("123");
@ -76,7 +76,7 @@ public class CommonOAuth2ProviderTests {
 		assertThat(registration.getAuthorizationGrantType())
 			.isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE);
 		assertThat(registration.getRedirectUri()).isEqualTo(DEFAULT_REDIRECT_URL);
-		assertThat(registration.getScope()).containsOnly("user");
+		assertThat(registration.getScopes()).containsOnly("user");
 		assertThat(registration.getClientName()).isEqualTo("GitHub");
 		assertThat(registration.getRegistrationId()).isEqualTo("123");
 	}
@ -99,7 +99,7 @@ public class CommonOAuth2ProviderTests {
 		assertThat(registration.getAuthorizationGrantType())
 			.isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE);
 		assertThat(registration.getRedirectUri()).isEqualTo(DEFAULT_REDIRECT_URL);
-		assertThat(registration.getScope()).containsOnly("public_profile", "email");
+		assertThat(registration.getScopes()).containsOnly("public_profile", "email");
 		assertThat(registration.getClientName()).isEqualTo("Facebook");
 		assertThat(registration.getRegistrationId()).isEqualTo("123");
 	}
@ -124,7 +124,7 @@ public class CommonOAuth2ProviderTests {
 		assertThat(registration.getAuthorizationGrantType())
 			.isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE);
 		assertThat(registration.getRedirectUri()).isEqualTo(DEFAULT_REDIRECT_URL);
-		assertThat(registration.getScope()).containsOnly("openid", "profile", "email",
+		assertThat(registration.getScopes()).containsOnly("openid", "profile", "email",
 			"address", "phone");
 		assertThat(registration.getClientName()).isEqualTo("Okta");
 		assertThat(registration.getRegistrationId()).isEqualTo("123");
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/AuthorizationCodeAuthenticationProvider.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/AuthorizationCodeAuthenticationProvider.java
@ -65,7 +65,7 @@ public class AuthorizationCodeAuthenticationProvider implements AuthenticationPr
 		// Section 3.1.2.1 Authentication Request - http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
 		// scope
 		// 		REQUIRED. OpenID Connect requests MUST contain the "openid" scope value.
-		if (authorizationCodeAuthentication.getAuthorizationRequest().getScope().contains("openid")) {
+		if (authorizationCodeAuthentication.getAuthorizationRequest().getScopes().contains("openid")) {
 			// This is an OpenID Connect Authentication Request so return null
 			// and let OidcAuthorizationCodeAuthenticationProvider handle it instead
 			return null;
@ -94,7 +94,7 @@ public class AuthorizationCodeAuthenticationProvider implements AuthenticationPr

 		AccessToken accessToken = new AccessToken(tokenResponse.getTokenType(),
 			tokenResponse.getTokenValue(), tokenResponse.getIssuedAt(),
-			tokenResponse.getExpiresAt(), tokenResponse.getScope());
+			tokenResponse.getExpiresAt(), tokenResponse.getScopes());

 		OAuth2ClientAuthenticationToken clientAuthentication =
 			new OAuth2ClientAuthenticationToken(authorizationCodeAuthentication.getClientRegistration(), accessToken);
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/NimbusAuthorizationCodeTokenExchanger.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/NimbusAuthorizationCodeTokenExchanger.java
@ -122,16 +122,16 @@ public class NimbusAuthorizationCodeTokenExchanger implements AuthorizationGrant
 			accessTokenType = AccessToken.TokenType.BEARER;
 		}
 		long expiresIn = accessTokenResponse.getTokens().getAccessToken().getLifetime();
-		Set<String> scope = Collections.emptySet();
+		Set<String> scopes = Collections.emptySet();
 		if (!CollectionUtils.isEmpty(accessTokenResponse.getTokens().getAccessToken().getScope())) {
-			scope = new LinkedHashSet<>(accessTokenResponse.getTokens().getAccessToken().getScope().toStringList());
+			scopes = new LinkedHashSet<>(accessTokenResponse.getTokens().getAccessToken().getScope().toStringList());
 		}
 		Map<String, Object> additionalParameters = new LinkedHashMap<>(accessTokenResponse.getCustomParameters());

 		return TokenResponse.withToken(accessToken)
 			.tokenType(accessTokenType)
 			.expiresIn(expiresIn)
-			.scope(scope)
+			.scopes(scopes)
 			.additionalParameters(additionalParameters)
 			.build();
 	}
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/OAuth2ClientAuthenticationToken.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/OAuth2ClientAuthenticationToken.java
@ -74,13 +74,13 @@ public class OAuth2ClientAuthenticationToken extends AbstractAuthenticationToken
 		return this.accessToken;
 	}

-	public final Set<String> getAuthorizedScope() {
+	public final Set<String> getAuthorizedScopes() {
 		// As per spec, in section 5.1 Successful Access Token Response
 		// https://tools.ietf.org/html/rfc6749#section-5.1
-		// If AccessToken.scope is empty, then default to the scope
+		// If AccessToken.scopes is empty, then default to the scopes
 		// originally requested by the client in the Authorization Request
-		return (CollectionUtils.isEmpty(this.getAccessToken().getScope()) ?
-			this.getClientRegistration().getScope() :
-			this.getAccessToken().getScope());
+		return (CollectionUtils.isEmpty(this.getAccessToken().getScopes()) ?
+			this.getClientRegistration().getScopes() :
+			this.getAccessToken().getScopes());
 	}
 }
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/userinfo/OAuth2UserAuthenticationProvider.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/userinfo/OAuth2UserAuthenticationProvider.java
@ -64,7 +64,7 @@ public class OAuth2UserAuthenticationProvider implements AuthenticationProvider
 		// Section 3.1.2.1 Authentication Request - http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
 		// scope
 		// 		REQUIRED. OpenID Connect requests MUST contain the "openid" scope value.
-		if (clientAuthentication.getAuthorizedScope().contains("openid")) {
+		if (clientAuthentication.getAuthorizedScopes().contains("openid")) {
 			// This is an OpenID Connect Authentication Request so return null
 			// and let OidcUserAuthenticationProvider handle it instead
 			return null;
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistration.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistration.java
@ -40,7 +40,7 @@ public class ClientRegistration {
 	private ClientAuthenticationMethod clientAuthenticationMethod = ClientAuthenticationMethod.BASIC;
 	private AuthorizationGrantType authorizationGrantType;
 	private String redirectUri;
-	private Set<String> scope = Collections.emptySet();
+	private Set<String> scopes = Collections.emptySet();
 	private ProviderDetails providerDetails = new ProviderDetails();
 	private String clientName;

@ -95,12 +95,12 @@ public class ClientRegistration {
 		this.redirectUri = redirectUri;
 	}

-	public Set<String> getScope() {
-		return this.scope;
+	public Set<String> getScopes() {
+		return this.scopes;
 	}

-	protected void setScope(Set<String> scope) {
-		this.scope = scope;
+	protected void setScopes(Set<String> scopes) {
+		this.scopes = scopes;
 	}

 	public ProviderDetails getProviderDetails() {
@ -192,7 +192,7 @@ public class ClientRegistration {
 		private ClientAuthenticationMethod clientAuthenticationMethod = ClientAuthenticationMethod.BASIC;
 		private AuthorizationGrantType authorizationGrantType;
 		private String redirectUri;
-		private Set<String> scope;
+		private Set<String> scopes;
 		private String authorizationUri;
 		private String tokenUri;
 		private String userInfoUri;
@ -212,7 +212,7 @@ public class ClientRegistration {
 			this.authorizationGrantType(clientRegistrationProperties.getAuthorizationGrantType());
 			this.redirectUri(clientRegistrationProperties.getRedirectUri());
 			if (!CollectionUtils.isEmpty(clientRegistrationProperties.getScope())) {
-				this.scope(clientRegistrationProperties.getScope().toArray(new String[0]));
+				this.scopes(clientRegistrationProperties.getScope().toArray(new String[0]));
 			}
 			this.authorizationUri(clientRegistrationProperties.getAuthorizationUri());
 			this.tokenUri(clientRegistrationProperties.getTokenUri());
@ -229,8 +229,8 @@ public class ClientRegistration {
 			this.clientAuthenticationMethod(clientRegistration.getClientAuthenticationMethod());
 			this.authorizationGrantType(clientRegistration.getAuthorizationGrantType());
 			this.redirectUri(clientRegistration.getRedirectUri());
-			if (!CollectionUtils.isEmpty(clientRegistration.getScope())) {
-				this.scope(clientRegistration.getScope().toArray(new String[0]));
+			if (!CollectionUtils.isEmpty(clientRegistration.getScopes())) {
+				this.scopes(clientRegistration.getScopes().toArray(new String[0]));
 			}
 			this.authorizationUri(clientRegistration.getProviderDetails().getAuthorizationUri());
 			this.tokenUri(clientRegistration.getProviderDetails().getTokenUri());
@ -265,10 +265,10 @@ public class ClientRegistration {
 			return this;
 		}

-		public Builder scope(String... scope) {
-			if (scope != null && scope.length > 0) {
-				this.scope = Collections.unmodifiableSet(
-						new LinkedHashSet<>(Arrays.asList(scope)));
+		public Builder scopes(String... scopes) {
+			if (scopes != null && scopes.length > 0) {
+				this.scopes = Collections.unmodifiableSet(
+						new LinkedHashSet<>(Arrays.asList(scopes)));
 			}
 			return this;
 		}
@ -322,7 +322,7 @@ public class ClientRegistration {
 			clientRegistration.setClientAuthenticationMethod(this.clientAuthenticationMethod);
 			clientRegistration.setAuthorizationGrantType(this.authorizationGrantType);
 			clientRegistration.setRedirectUri(this.redirectUri);
-			clientRegistration.setScope(this.scope);
+			clientRegistration.setScopes(this.scopes);

 			ProviderDetails providerDetails = clientRegistration.new ProviderDetails();
 			providerDetails.setAuthorizationUri(this.authorizationUri);
@ -345,10 +345,10 @@ public class ClientRegistration {
 			Assert.hasText(this.clientSecret, "clientSecret cannot be empty");
 			Assert.notNull(this.clientAuthenticationMethod, "clientAuthenticationMethod cannot be null");
 			Assert.hasText(this.redirectUri, "redirectUri cannot be empty");
-			Assert.notEmpty(this.scope, "scope cannot be empty");
+			Assert.notEmpty(this.scopes, "scopes cannot be empty");
 			Assert.hasText(this.authorizationUri, "authorizationUri cannot be empty");
 			Assert.hasText(this.tokenUri, "tokenUri cannot be empty");
-			if (this.scope.contains(OidcScope.OPENID)) {
+			if (this.scopes.contains(OidcScope.OPENID)) {
 				// OIDC Clients need to verify/validate the ID Token
 				Assert.hasText(this.jwkSetUri, "jwkSetUri cannot be empty");
 			}
@ -361,7 +361,7 @@ public class ClientRegistration {
 			Assert.hasText(this.registrationId, "registrationId cannot be empty");
 			Assert.hasText(this.clientId, "clientId cannot be empty");
 			Assert.hasText(this.redirectUri, "redirectUri cannot be empty");
-			Assert.notEmpty(this.scope, "scope cannot be empty");
+			Assert.notEmpty(this.scopes, "scopes cannot be empty");
 			Assert.hasText(this.authorizationUri, "authorizationUri cannot be empty");
 			Assert.hasText(this.clientName, "clientName cannot be empty");
 		}
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/token/InMemoryAccessTokenRepository.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/token/InMemoryAccessTokenRepository.java
@ -21,7 +21,6 @@ import org.springframework.security.oauth2.core.AccessToken;
 import org.springframework.util.Assert;

 import java.util.Base64;
-import java.util.HashMap;
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;

@ -76,7 +75,7 @@ public final class InMemoryAccessTokenRepository implements SecurityTokenReposit
 			builder.append("[").append(clientRegistration.getClientId()).append("]");

 			// Access Token Response attributes
-			builder.append("[").append(clientRegistration.getScope().toString()).append("]");
+			builder.append("[").append(clientRegistration.getScopes().toString()).append("]");

 			return Base64.getEncoder().encodeToString(builder.toString().getBytes());
 		}
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/AuthorizationRequestRedirectFilter.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/AuthorizationRequestRedirectFilter.java
@ -146,7 +146,7 @@ public class AuthorizationRequestRedirectFilter extends OncePerRequestFilter {
 				.clientId(clientRegistration.getClientId())
 				.authorizationUri(clientRegistration.getProviderDetails().getAuthorizationUri())
 				.redirectUri(redirectUriStr)
-				.scope(clientRegistration.getScope())
+				.scopes(clientRegistration.getScopes())
 				.state(this.stateGenerator.generateKey())
 				.additionalParameters(additionalParameters)
 				.build();
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/DefaultAuthorizationRequestUriBuilder.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/DefaultAuthorizationRequestUriBuilder.java
@ -37,7 +37,7 @@ public class DefaultAuthorizationRequestUriBuilder implements AuthorizationReque

 	@Override
 	public URI build(AuthorizationRequest authorizationRequest) {
-		Set<String> scopes = authorizationRequest.getScope();
+		Set<String> scopes = authorizationRequest.getScopes();
 		UriComponentsBuilder uriBuilder = UriComponentsBuilder
 			.fromUriString(authorizationRequest.getAuthorizationUri())
 			.queryParam(OAuth2Parameter.RESPONSE_TYPE, authorizationRequest.getResponseType().getValue())
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/oidc/client/authentication/OidcAuthorizationCodeAuthenticationProvider.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/oidc/client/authentication/OidcAuthorizationCodeAuthenticationProvider.java
@ -79,7 +79,7 @@ public class OidcAuthorizationCodeAuthenticationProvider implements Authenticati
 		// Section 3.1.2.1 Authentication Request - http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
 		// scope
 		// 		REQUIRED. OpenID Connect requests MUST contain the "openid" scope value.
-		if (!authorizationCodeAuthentication.getAuthorizationRequest().getScope().contains(OidcScope.OPENID)) {
+		if (!authorizationCodeAuthentication.getAuthorizationRequest().getScopes().contains(OidcScope.OPENID)) {
 			// This is NOT an OpenID Connect Authentication Request so return null
 			// and let AuthorizationCodeAuthenticationProvider handle it instead
 			return null;
@ -108,7 +108,7 @@ public class OidcAuthorizationCodeAuthenticationProvider implements Authenticati

 		AccessToken accessToken = new AccessToken(tokenResponse.getTokenType(),
 			tokenResponse.getTokenValue(), tokenResponse.getIssuedAt(),
-			tokenResponse.getExpiresAt(), tokenResponse.getScope());
+			tokenResponse.getExpiresAt(), tokenResponse.getScopes());

 		ClientRegistration clientRegistration = authorizationCodeAuthentication.getClientRegistration();

--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/oidc/client/authentication/userinfo/OidcUserService.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/oidc/client/authentication/userinfo/OidcUserService.java
@ -96,7 +96,7 @@ public class OidcUserService implements OAuth2UserService {
 			oidcClientAuthentication.getClientRegistration().getAuthorizationGrantType())) {

 			// Return true if there is at least one match between the authorized scope(s) and UserInfo scope(s)
-			return oidcClientAuthentication.getAuthorizedScope().stream().anyMatch(userInfoScopes::contains);
+			return oidcClientAuthentication.getAuthorizedScopes().stream().anyMatch(userInfoScopes::contains);
 		}

 		return false;
--- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/AuthorizationCodeAuthenticationFilterTests.java
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/AuthorizationCodeAuthenticationFilterTests.java
@ -201,7 +201,7 @@ public class AuthorizationCodeAuthenticationFilterTests {
 				.clientId(clientRegistration.getClientId())
 				.authorizationUri(clientRegistration.getProviderDetails().getAuthorizationUri())
 				.redirectUri(clientRegistration.getRedirectUri())
-				.scope(clientRegistration.getScope())
+				.scopes(clientRegistration.getScopes())
 				.state(state)
 				.additionalParameters(additionalParameters)
 				.build();
--- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/AuthorizationRequestRedirectFilterTests.java
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/AuthorizationRequestRedirectFilterTests.java
@ -109,7 +109,7 @@ public class AuthorizationRequestRedirectFilterTests {
 		Assertions.assertThat(authorizationRequest.getResponseType()).isNotNull();
 		Assertions.assertThat(authorizationRequest.getClientId()).isNotNull();
 		Assertions.assertThat(authorizationRequest.getRedirectUri()).isNotNull();
-		Assertions.assertThat(authorizationRequest.getScope()).isNotNull();
+		Assertions.assertThat(authorizationRequest.getScopes()).isNotNull();
 		Assertions.assertThat(authorizationRequest.getState()).isNotNull();
 	}

--- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/DefaultAuthorizationRequestUriBuilderTests.java
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/DefaultAuthorizationRequestUriBuilderTests.java
@ -41,7 +41,7 @@ public class DefaultAuthorizationRequestUriBuilderTests {
 			.clientId("client-id")
 			.state("thestate")
 			.redirectUri("https://client.example.com/login/oauth2")
-			.scope(new HashSet<>(Arrays.asList("openid", "user")))
+			.scopes(new HashSet<>(Arrays.asList("openid", "user")))
 			.build();

 		URI result = this.builder.build(request);
--- a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/AccessToken.java
+++ b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/AccessToken.java
@ -36,26 +36,26 @@ import java.util.Set;
 */
 public class AccessToken extends SecurityToken {
 	private final TokenType tokenType;
-	private final Set<String> scope;
+	private final Set<String> scopes;

 	public AccessToken(TokenType tokenType, String tokenValue, Instant issuedAt, Instant expiresAt) {
 		this(tokenType, tokenValue, issuedAt, expiresAt, Collections.emptySet());
 	}

-	public AccessToken(TokenType tokenType, String tokenValue, Instant issuedAt, Instant expiresAt, Set<String> scope) {
+	public AccessToken(TokenType tokenType, String tokenValue, Instant issuedAt, Instant expiresAt, Set<String> scopes) {
 		super(tokenValue, issuedAt, expiresAt);
 		Assert.notNull(tokenType, "tokenType cannot be null");
 		this.tokenType = tokenType;
-		this.scope = Collections.unmodifiableSet(
-			scope != null ? scope : Collections.emptySet());
+		this.scopes = Collections.unmodifiableSet(
+			scopes != null ? scopes : Collections.emptySet());
 	}

 	public TokenType getTokenType() {
 		return this.tokenType;
 	}

-	public Set<String> getScope() {
-		return this.scope;
+	public Set<String> getScopes() {
+		return this.scopes;
 	}

 	public static final class TokenType {
--- a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/AuthorizationRequest.java
+++ b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/AuthorizationRequest.java
@ -45,7 +45,7 @@ public final class AuthorizationRequest implements Serializable {
 	private ResponseType responseType;
 	private String clientId;
 	private String redirectUri;
-	private Set<String> scope;
+	private Set<String> scopes;
 	private String state;
 	private Map<String,Object> additionalParameters;

@ -72,8 +72,8 @@ public final class AuthorizationRequest implements Serializable {
 		return this.redirectUri;
 	}

-	public Set<String> getScope() {
-		return this.scope;
+	public Set<String> getScopes() {
+		return this.scopes;
 	}

 	public String getState() {
@ -98,7 +98,7 @@ public final class AuthorizationRequest implements Serializable {
 		private ResponseType responseType;
 		private String clientId;
 		private String redirectUri;
-		private Set<String> scope;
+		private Set<String> scopes;
 		private String state;
 		private Map<String,Object> additionalParameters;

@ -127,8 +127,8 @@ public final class AuthorizationRequest implements Serializable {
 			return this;
 		}

-		public Builder scope(Set<String> scope) {
-			this.scope = scope;
+		public Builder scopes(Set<String> scopes) {
+			this.scopes = scopes;
 			return this;
 		}

@ -156,9 +156,9 @@ public final class AuthorizationRequest implements Serializable {
 			authorizationRequest.clientId = this.clientId;
 			authorizationRequest.redirectUri = this.redirectUri;
 			authorizationRequest.state = this.state;
-			authorizationRequest.scope = Collections.unmodifiableSet(
-				CollectionUtils.isEmpty(this.scope) ?
-					Collections.emptySet() : new LinkedHashSet<>(this.scope));
+			authorizationRequest.scopes = Collections.unmodifiableSet(
+				CollectionUtils.isEmpty(this.scopes) ?
+					Collections.emptySet() : new LinkedHashSet<>(this.scopes));
 			authorizationRequest.additionalParameters = Collections.unmodifiableMap(
 				CollectionUtils.isEmpty(this.additionalParameters) ?
 					Collections.emptyMap() : new LinkedHashMap<>(this.additionalParameters));
--- a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/TokenResponse.java
+++ b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/TokenResponse.java
@ -55,8 +55,8 @@ public final class TokenResponse {
 		return this.accessToken.getExpiresAt();
 	}

-	public Set<String> getScope() {
-		return this.accessToken.getScope();
+	public Set<String> getScopes() {
+		return this.accessToken.getScopes();
 	}

 	public Map<String, Object> getAdditionalParameters() {
@ -71,7 +71,7 @@ public final class TokenResponse {
 		private String tokenValue;
 		private AccessToken.TokenType tokenType;
 		private long expiresIn;
-		private Set<String> scope;
+		private Set<String> scopes;
 		private Map<String,Object> additionalParameters;

 		private Builder(String tokenValue) {
@ -88,8 +88,8 @@ public final class TokenResponse {
 			return this;
 		}

-		public Builder scope(Set<String> scope) {
-			this.scope = scope;
+		public Builder scopes(Set<String> scopes) {
+			this.scopes = scopes;
 			return this;
 		}

@ -103,7 +103,7 @@ public final class TokenResponse {
 			Instant issuedAt = Instant.now();
 			TokenResponse tokenResponse = new TokenResponse();
 			tokenResponse.accessToken = new AccessToken(this.tokenType, this.tokenValue, issuedAt,
-				issuedAt.plusSeconds(this.expiresIn), this.scope);
+				issuedAt.plusSeconds(this.expiresIn), this.scopes);
 			tokenResponse.additionalParameters = Collections.unmodifiableMap(
 				CollectionUtils.isEmpty(this.additionalParameters) ? Collections.emptyMap() : this.additionalParameters);
 			return tokenResponse;
--- a/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/endpoint/AuthorizationRequestTest.java
+++ b/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/endpoint/AuthorizationRequestTest.java
@ -41,7 +41,7 @@ public class AuthorizationRequestTest {
 			.authorizationUri(null)
 			.clientId(CLIENT_ID)
 			.redirectUri(REDIRECT_URI)
-			.scope(SCOPE)
+			.scopes(SCOPE)
 			.state(STATE)
 			.build();
 	}
@ -51,7 +51,7 @@ public class AuthorizationRequestTest {
 		AuthorizationRequest.authorizationCode()
 			.clientId(CLIENT_ID)
 			.redirectUri(REDIRECT_URI)
-			.scope(SCOPE)
+			.scopes(SCOPE)
 			.state(STATE)
 			.build();
 	}
@ -62,7 +62,7 @@ public class AuthorizationRequestTest {
 			.authorizationUri(AUTHORIZE_URI)
 			.clientId(null)
 			.redirectUri(REDIRECT_URI)
-			.scope(SCOPE)
+			.scopes(SCOPE)
 			.state(STATE)
 			.build();
 	}
@ -72,7 +72,7 @@ public class AuthorizationRequestTest {
 		AuthorizationRequest.authorizationCode()
 			.authorizationUri(AUTHORIZE_URI)
 			.redirectUri(REDIRECT_URI)
-			.scope(SCOPE)
+			.scopes(SCOPE)
 			.state(STATE)
 			.build();
 	}
@ -84,7 +84,7 @@ public class AuthorizationRequestTest {
 			.authorizationUri(AUTHORIZE_URI)
 			.clientId(CLIENT_ID)
 			.redirectUri(REDIRECT_URI)
-			.scope(SCOPE)
+			.scopes(SCOPE)
 			.state(STATE)
 			.build();

@ -97,7 +97,7 @@ public class AuthorizationRequestTest {
 			.authorizationUri(AUTHORIZE_URI)
 			.clientId(CLIENT_ID)
 			.redirectUri(null)
-			.scope(SCOPE)
+			.scopes(SCOPE)
 			.state(STATE)
 			.build()).doesNotThrowAnyException();
 	}
@ -107,7 +107,7 @@ public class AuthorizationRequestTest {
 		assertThatCode(() -> AuthorizationRequest.authorizationCode()
 			.authorizationUri(AUTHORIZE_URI)
 			.clientId(CLIENT_ID)
-			.scope(SCOPE)
+			.scopes(SCOPE)
 			.state(STATE)
 			.build()).doesNotThrowAnyException();
 	}
@ -118,7 +118,7 @@ public class AuthorizationRequestTest {
 			.authorizationUri(AUTHORIZE_URI)
 			.clientId(CLIENT_ID)
 			.redirectUri(REDIRECT_URI)
-			.scope(null)
+			.scopes(null)
 			.state(STATE)
 			.build()).doesNotThrowAnyException();
 	}
@ -139,7 +139,7 @@ public class AuthorizationRequestTest {
 			.authorizationUri(AUTHORIZE_URI)
 			.clientId(CLIENT_ID)
 			.redirectUri(REDIRECT_URI)
-			.scope(SCOPE)
+			.scopes(SCOPE)
 			.state(null)
 			.build()).doesNotThrowAnyException();
 	}
@ -150,7 +150,7 @@ public class AuthorizationRequestTest {
 			.authorizationUri(AUTHORIZE_URI)
 			.clientId(CLIENT_ID)
 			.redirectUri(REDIRECT_URI)
-			.scope(SCOPE)
+			.scopes(SCOPE)
 			.build()).doesNotThrowAnyException();
 	}
 }
--- a/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/endpoint/TokenResponseTest.java
+++ b/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/endpoint/TokenResponseTest.java
@ -36,7 +36,7 @@ public class TokenResponseTest {
 		TokenResponse.withToken(null)
 			.expiresIn(EXPIRES_IN)
 			.additionalParameters(Collections.emptyMap())
-			.scope(Collections.emptySet())
+			.scopes(Collections.emptySet())
 			.tokenType(AccessToken.TokenType.BEARER)
 			.build();
 	}
@ -46,7 +46,7 @@ public class TokenResponseTest {
 		TokenResponse.withToken(TOKEN)
 			.expiresIn(INVALID_EXPIRES_IN)
 			.additionalParameters(Collections.emptyMap())
-			.scope(Collections.emptySet())
+			.scopes(Collections.emptySet())
 			.tokenType(AccessToken.TokenType.BEARER)
 			.build();
 	}
--- a/samples/boot/oauth2login/src/integration-test/java/org/springframework/security/samples/OAuth2LoginApplicationTests.java
+++ b/samples/boot/oauth2login/src/integration-test/java/org/springframework/security/samples/OAuth2LoginApplicationTests.java
@ -56,7 +56,6 @@ import org.springframework.web.util.UriComponentsBuilder;
 import java.net.URI;
 import java.net.URL;
 import java.net.URLDecoder;
-import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
@ -142,7 +141,7 @@ public class OAuth2LoginApplicationTests {
 		String redirectUri = AUTHORIZE_BASE_URL + "/" + this.githubClientRegistration.getRegistrationId();
 		assertThat(URLDecoder.decode(params.get(OAuth2Parameter.REDIRECT_URI), "UTF-8")).isEqualTo(redirectUri);
 		assertThat(URLDecoder.decode(params.get(OAuth2Parameter.SCOPE), "UTF-8"))
-				.isEqualTo(this.githubClientRegistration.getScope().stream().collect(Collectors.joining(" ")));
+				.isEqualTo(this.githubClientRegistration.getScopes().stream().collect(Collectors.joining(" ")));
 		assertThat(params.get(OAuth2Parameter.STATE)).isNotNull();
 	}