if scopes are not set and there is a token stored in the backend then those will be loaded and used in case of a refresh operation

Author: Alejandro Casanovas

O365/account.py

@@ -76,7 +76,8 @@ def is_authenticated(self) -> bool:
         token = self.con.token_backend.get_access_token(username=self.con.current_username)
         if token is None:
             # try to load the token from the backend, although it was previously loaded
-            self.con.token_backend.load_token()
+            if self.con.token_backend.load_token() is False:
+                return False
 
         return not self.con.token_backend.token_is_expired(username=self.con.current_username, refresh_token=True)
 

O365/connection.py

@@ -646,6 +646,11 @@ def get_naive_session(self):
 
         return naive_session
 
+    def _set_scopes_from_token(self):
+        """ This method will set the connection scopes from the scopes set in the token stored in the token backend"""
+        if self.scopes is None:
+            self.scopes = self.token_backend.get_token_scopes(username=self.current_username)
+
     def refresh_token(self) -> bool:
         """
         Refresh the OAuth authorization token.
@@ -669,6 +674,15 @@ def refresh_token(self) -> bool:
             if should_rt is True:
                 # The backend has checked that we can refresh the token
                 log.debug('Refreshing access token')
+
+                if self.scopes is None:
+                    # This method will set the connection scopes from the scopes set in the token stored
+                    # in the token backend
+                    self.scopes = self.token_backend.get_token_scopes(
+                        username=self.current_username,
+                        remove_reserved=True
+                    )
+
                 result = self.msal_client.acquire_token_silent_with_error(
                     scopes=self.scopes,
                     account=self.msal_client.get_accounts(username=self.current_username)[0]

O365/utils/token.py

@@ -11,6 +11,9 @@
 log = logging.getLogger(__name__)
 
 
+RESERVED_SCOPES = {'profile', 'openid', 'offline_access'}
+
+
 class CryptographyManagerType(Protocol):
     def encrypt(self, data: str) -> bytes: ...
     def decrypt(self, data: bytes) -> str: ...
@@ -136,15 +139,21 @@ def get_refresh_token(self, *, username: Optional[str] = None) -> Optional[dict]
         ))
         return results[0] if results else None
 
-    def get_token_scopes(self, *, username: Optional[str] = None) -> Optional[list]:
+    def get_token_scopes(self, *, username: Optional[str] = None,
+                         remove_reserved: bool = False) -> Optional[list]:
         """
         Retrieve the scopes the access token has permissions on
         :param str username: The username from which retrieve the refresh token
+        :param bool remove_reserved: if True RESERVED_SCOPES will be removed from the list
         """
         access_token = self.get_access_token(username=username)
         if access_token:
             scopes_str = access_token.get('target')
-            return scopes_str.split(' ') if scopes_str else None
+            if scopes_str:
+                scopes = scopes_str.split(' ')
+                if remove_reserved:
+                    scopes = [scope for scope in scopes if scope not in RESERVED_SCOPES]
+                return scopes
         return None
 
     def add(self, event, **kwargs) -> None: