🐛 Fix cached dependencies when using a dependency in `Security()` and other places (e.g. `Depends()`) with different OAuth2 scopes (#2945)

Co-authored-by: Sebastián Ramírez <tiangolo@gmail.com>

fastapi/dependencies/utils.py

@@ -161,7 +161,6 @@ def get_sub_dependant(
     )
     if security_requirement:
         sub_dependant.security_requirements.append(security_requirement)
-    sub_dependant.security_scopes = security_scopes
     return sub_dependant
 
 
@@ -278,7 +277,13 @@ def get_dependant(
     path_param_names = get_path_param_names(path)
     endpoint_signature = get_typed_signature(call)
     signature_params = endpoint_signature.parameters
-    dependant = Dependant(call=call, name=name, path=path, use_cache=use_cache)
+    dependant = Dependant(
+        call=call,
+        name=name,
+        path=path,
+        security_scopes=security_scopes,
+        use_cache=use_cache,
+    )
     for param_name, param in signature_params.items():
         if isinstance(param.default, params.Depends):
             sub_dependant = get_param_sub_dependant(
@@ -495,7 +500,6 @@ async def solve_dependencies(
                 name=sub_dependant.name,
                 security_scopes=sub_dependant.security_scopes,
             )
-            use_sub_dependant.security_scopes = sub_dependant.security_scopes
 
         solved_result = await solve_dependencies(
             request=request,

tests/test_dependency_cache.py

@@ -1,4 +1,4 @@
-from fastapi import Depends, FastAPI
+from fastapi import Depends, FastAPI, Security
 from fastapi.testclient import TestClient
 
 app = FastAPI()
@@ -35,6 +35,19 @@ async def get_sub_counter_no_cache(
     return {"counter": count, "subcounter": subcount}
 
 
+@app.get("/scope-counter")
+async def get_scope_counter(
+    count: int = Security(dep_counter),
+    scope_count_1: int = Security(dep_counter, scopes=["scope"]),
+    scope_count_2: int = Security(dep_counter, scopes=["scope"]),
+):
+    return {
+        "counter": count,
+        "scope_counter_1": scope_count_1,
+        "scope_counter_2": scope_count_2,
+    }
+
+
 client = TestClient(app)
 
 
@@ -66,3 +79,13 @@ def test_sub_counter_no_cache():
     response = client.get("/sub-counter-no-cache/")
     assert response.status_code == 200, response.text
     assert response.json() == {"counter": 4, "subcounter": 3}
+
+
+def test_security_cache():
+    counter_holder["counter"] = 0
+    response = client.get("/scope-counter/")
+    assert response.status_code == 200, response.text
+    assert response.json() == {"counter": 1, "scope_counter_1": 2, "scope_counter_2": 2}
+    response = client.get("/scope-counter/")
+    assert response.status_code == 200, response.text
+    assert response.json() == {"counter": 3, "scope_counter_1": 4, "scope_counter_2": 4}