Skip to content

Classify scope-insufficient 403s as oauth_scope_insufficient#1385

Merged
RhysSullivan merged 1 commit into
mainfrom
fix-1381-scope-insufficient-code
Jul 10, 2026
Merged

Classify scope-insufficient 403s as oauth_scope_insufficient#1385
RhysSullivan merged 1 commit into
mainfrom
fix-1381-scope-insufficient-code

Conversation

@RhysSullivan

@RhysSullivan RhysSullivan commented Jul 10, 2026

Copy link
Copy Markdown
Collaborator

A 403 that names a scope shortfall (RFC 6750 insufficient_scope, Google ACCESS_TOKEN_SCOPE_INSUFFICIENT) cannot be fixed by re-running the same OAuth grant, but all three protocol plugins mapped it to connection_rejected, whose recovery hint tells the agent to call oauth.start and retry — an infinite loop through identical consent screens.

This adds an oauth_scope_insufficient failure code with its own recovery guidance (reconnect with broader access, deliberately no oauth.start hint), a shared detector in the core SDK, and detection at the three collapse sites (openapi, graphql, mcp). A 403 without a recognised scope signal keeps the existing classification.

Fixes #1381

Stack

  1. Classify scope-insufficient 403s as oauth_scope_insufficient #1385 👈 current
  2. Carry OAuth scopes through extraction to the invocation credential #1386

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jul 10, 2026

Copy link
Copy Markdown

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Preview URL Updated (UTC)
✅ Deployment successful!
View logs
executor-marketing a1fafd2 Commit Preview URL

Branch Preview URL
Jul 10 2026, 09:33 AM

@github-actions

github-actions Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Cloudflare preview

Torn down — the PR is closed.

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jul 10, 2026

Copy link
Copy Markdown

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Updated (UTC)
✅ Deployment successful!
View logs
executor-cloud a1fafd2 Jul 10 2026, 09:34 AM

@pkg-pr-new

pkg-pr-new Bot commented Jul 10, 2026

Copy link
Copy Markdown

Open in StackBlitz

@executor-js/codemode-core

npm i https://pkg.pr.new/@executor-js/codemode-core@1385

@executor-js/runtime-quickjs

npm i https://pkg.pr.new/@executor-js/runtime-quickjs@1385

@executor-js/plugin-file-secrets

npm i https://pkg.pr.new/@executor-js/plugin-file-secrets@1385

@executor-js/plugin-graphql

npm i https://pkg.pr.new/@executor-js/plugin-graphql@1385

@executor-js/plugin-keychain

npm i https://pkg.pr.new/@executor-js/plugin-keychain@1385

@executor-js/plugin-mcp

npm i https://pkg.pr.new/@executor-js/plugin-mcp@1385

@executor-js/plugin-onepassword

npm i https://pkg.pr.new/@executor-js/plugin-onepassword@1385

@executor-js/plugin-openapi

npm i https://pkg.pr.new/@executor-js/plugin-openapi@1385

@executor-js/cli

npm i https://pkg.pr.new/@executor-js/cli@1385

@executor-js/config

npm i https://pkg.pr.new/@executor-js/config@1385

@executor-js/execution

npm i https://pkg.pr.new/@executor-js/execution@1385

@executor-js/sdk

npm i https://pkg.pr.new/@executor-js/sdk@1385

executor

npm i https://pkg.pr.new/executor@1385

commit: 3ea2889

@RhysSullivan RhysSullivan force-pushed the fix-1381-scope-insufficient-code branch 12 times, most recently from 735d363 to 3ea2889 Compare July 10, 2026 09:23
A 403 whose body or WWW-Authenticate challenge names a scope shortfall
(RFC 6750 insufficient_scope, Google ACCESS_TOKEN_SCOPE_INSUFFICIENT)
cannot be fixed by re-running the same OAuth grant, but all three
protocol plugins collapsed it into connection_rejected, whose recovery
block tells the agent to call oauth.start and retry: an infinite loop
through identical consent screens.

Add an oauth_scope_insufficient failure code with its own recovery
guidance (reconnect with broader access; deliberately no startOAuthTool
hint), a shared detector in the core SDK, and detection at the three
collapse sites: openapi (body + headers), graphql (body), mcp (the
transport error message, the only place the 403 body survives). A 403
without a recognised scope signal keeps the existing classification.

Fixes #1381
@RhysSullivan RhysSullivan force-pushed the fix-1381-scope-insufficient-code branch from 3ea2889 to a1fafd2 Compare July 10, 2026 09:31
@RhysSullivan RhysSullivan marked this pull request as ready for review July 10, 2026 09:32
@RhysSullivan RhysSullivan merged commit eabb67a into main Jul 10, 2026
17 of 19 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

auth: scope-insufficient 403 collapses into connection_rejected

1 participant