Add with_scopes_if_required helper (#65)

diff --git a/google/auth/credentials.py b/google/auth/credentials.py
index ef28bd7..59d4ffe 100644
--- a/google/auth/credentials.py
+++ b/google/auth/credentials.py
@@ -186,6 +186,30 @@
         return set(scopes).issubset(set(self._scopes or []))
 
 
+def with_scopes_if_required(credentials, scopes):
+    """Creates a copy of the credentials with scopes if scoping is required.
+
+    This helper function is useful when you do not know (or care to know) the
+    specific type of credentials you are using (such as when you use
+    :func:`google.auth.default`). This function will call
+    :meth:`Scoped.with_scopes` if the credentials are scoped credentials and if
+    the credentials require scoping. Otherwise, it will return the credentials
+    as-is.
+
+    Args:
+        credentials (Credentials): The credentials to scope if necessary.
+        scopes (Sequence[str]): The list of scopes to use.
+
+    Returns:
+        Credentials: Either a new set of scoped credentials, or the passed in
+            credentials instance if no scoping was required.
+    """
+    if isinstance(credentials, Scoped) and credentials.requires_scopes:
+        return credentials.with_scopes(scopes)
+    else:
+        return credentials
+
+
 @six.add_metaclass(abc.ABCMeta)
 class Signing(object):
     """Interface for credentials that can cryptographically sign messages."""
diff --git a/tests/test_credentials.py b/tests/test_credentials.py
index d78c554..814369e 100644
--- a/tests/test_credentials.py
+++ b/tests/test_credentials.py
@@ -92,3 +92,34 @@
 def test_scoped_credentials_requires_scopes():
     credentials = ScopedCredentialsImpl()
     assert not credentials.requires_scopes
+
+
+class RequiresScopedCredentialsImpl(credentials.Scoped, CredentialsImpl):
+    def __init__(self, scopes=None):
+        super(RequiresScopedCredentialsImpl, self).__init__()
+        self._scopes = scopes
+
+    @property
+    def requires_scopes(self):
+        return not self.scopes
+
+    def with_scopes(self, scopes):
+        return RequiresScopedCredentialsImpl(scopes=scopes)
+
+
+def test_create_scoped_if_required_scoped():
+    unscoped_credentials = RequiresScopedCredentialsImpl()
+    scoped_credentials = credentials.with_scopes_if_required(
+        unscoped_credentials, ['one', 'two'])
+
+    assert scoped_credentials is not unscoped_credentials
+    assert not scoped_credentials.requires_scopes
+    assert scoped_credentials.has_scopes(['one', 'two'])
+
+
+def test_create_scoped_if_required_not_scopes():
+    unscoped_credentials = CredentialsImpl()
+    scoped_credentials = credentials.with_scopes_if_required(
+        unscoped_credentials, ['one', 'two'])
+
+    assert scoped_credentials is unscoped_credentials