rename oauth scopes param to the standard scope

and it's space separated, not comma separated

refs instructuregh-807

note that the old form - scopes - is still accepted for now

Change-Id: I98e038125c3491abd54eb50c99d6efdf3e25acd7
Reviewed-on: https://gerrit.instructure.com/77412
Reviewed-by: Rob Orton <rob@instructure.com>
Tested-by: Jenkins
Product-Review: Cody Cutrer <cody@instructure.com>
QA-Review: Cody Cutrer <cody@instructure.com>

Author: ccutrer

app/controllers/oauth2_provider_controller.rb

@@ -31,7 +31,7 @@ def auth
       return render()
     end
 
-    scopes = params.fetch(:scopes, '').split(',')
+    scopes = (params[:scope] || params[:scopes] || '').split(' ')
 
     provider = Canvas::Oauth::Provider.new(params[:client_id], params[:redirect_uri], scopes, params[:purpose])
 

doc/api/oauth.md

@@ -79,8 +79,8 @@ To manually generate a token for testing:
 <small><a href="#top">Back to Top</a></small>
 
 Your application can rely on canvas for a user's identity.  During step 1 of
-the web application flow below, specify the optional scopes parameter as
-scopes=/auth/userinfo.  When the user is asked to grant your application
+the web application flow below, specify the optional scope parameter as
+scope=/auth/userinfo.  When the user is asked to grant your application
 access in step 2 of the web application flow, they will also be given an
 option to remember their authorization.  If they grant access and remember
 the authorization, Canvas will skip step 2 of the request flow for future requests.

doc/api/oauth_endpoints.md

@@ -57,7 +57,7 @@ to do this opens your application to the possibility of logging the
 wrong person in, as <a href="http://homakov.blogspot.com/2012/07/saferweb-most-common-oauth2.html">described here</a>.</td>
     </tr>
     <tr>
-      <td class="mono">scopes<span class="label optional"></span></td>
+      <td class="mono">scope<span class="label optional"></span></td>
       <td>This can be used to specify what information the access token
       will provide access to.  By default an access token will have access to
       all api calls that a user can make.  The only other accepted value

spec/controllers/oauth2_provider_controller_spec.rb

@@ -104,10 +104,22 @@
 
       it 'should redirect to the redirect uri if the user already has remember-me token' do
         @user.access_tokens.create!({:developer_key => key, :remember_access => true, :scopes => ['/auth/userinfo'], :purpose => nil})
-        get :auth, client_id: key.id,
+        get :auth,
+            client_id: key.id,
+            redirect_uri: 'https://example.com',
+            response_type: 'code',
+            scope: '/auth/userinfo'
+        expect(response).to be_redirect
+        expect(response.location).to match(/https:\/\/example.com/)
+      end
+
+      it 'it accepts the deprecated name of scopes for scope param' do
+        @user.access_tokens.create!({:developer_key => key, :remember_access => true, :scopes => ['/auth/userinfo'], :purpose => nil})
+        get :auth,
+            client_id: key.id,
             redirect_uri: 'https://example.com',
             response_type: 'code',
-            scopes: '/auth/userinfo'
+            scope: '/auth/userinfo'
         expect(response).to be_redirect
         expect(response.location).to match(/https:\/\/example.com/)
       end
@@ -126,7 +138,7 @@
         get :auth, client_id: key.id,
             redirect_uri: 'https://example.com',
             response_type: 'code',
-            scopes: '/auth/userinfo'
+            scope: '/auth/userinfo'
         expect(response).to be_redirect
         expect(response.location).to match(/https:\/\/example.com/)
       end