Feat/stateless base scope validation #265
- Modify GoogleProvider initialization to use BASE_SCOPES in stateless mode
- Enable dynamic tool filtering based on user's granted scopes
- Per-tool validation handles service-specific scope checks
- Maintains security while supporting partial scope authorization

This allows users with different scope configurations to use only the Google Workspace tools they have authorized, with clear error messages for unauthorized tools.

Resolved conflicts by integrating both features:
- Preserved stateless mode scope validation (BASE_SCOPES vs full scopes)
- Integrated new external OAuth provider support
- Updated version to 1.5.4

The merged logic now:
1. Determines required_scopes based on stateless mode
2. Checks for external OAuth provider configuration
3. Creates appropriate provider (External or standard GoogleProvider)
4. Sets server.auth based on provider type

This allows the stateless scope validation feature to work with both standard OAuth 2.1 mode and the new external OAuth provider mode.
Pull Request Overview
This PR adds base scope validation for OAuth 2.1 stateless mode, enabling dynamic tool filtering based on user-granted scopes rather than requiring all scopes upfront. In stateless mode, only identity-related base scopes are validated at initialization, while service-specific scopes are checked per-tool, allowing users to access only the Google Workspace tools they've authorized.
- Modified OAuth scope validation strategy to differentiate between stateless and non-stateless modes
- Added BASE_SCOPES import for minimal identity validation
- Implemented conditional scope checking logic in server configuration
| if is_stateless_mode(): | ||
| # Stateless: Only validate base scopes (identity) | ||
| # Per-tool validation will check service-specific scopes | ||
| required_scopes = BASE_SCOPES |
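Review bot: The stateless branch makes per-tool validation the only control on service access, and nothing visible in this hunk guarantees that every tool actually has such a check. With required_scopes = BASE_SCOPES, the provider accepts any token that carries just the identity scopes, so a tool registered without a service-scope check would be callable by that token. Consider failing closed at registration time (reject a tool that declares no required scopes) or adding a test that walks the registered tools and asserts each one declares its scopes, and extend the comment to name where the per-tool check lives so the dependency is visible to the next reader.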
Copilot
AI
Nov 6, 2025
In the stateless branch, required_scopes is assigned BASE_SCOPES directly without sorting, while the non-stateless branch uses sorted(get_current_scopes()). For consistency and to ensure predictable behavior in scope comparisons elsewhere in the code, consider applying sorted() to BASE_SCOPES as well: required_scopes = sorted(BASE_SCOPES)
| required_scopes = BASE_SCOPES | |
| required_scopes = sorted(BASE_SCOPES) |
feat: Add base scope validation for OAuth 2.1 stateless mode
- Modify GoogleProvider initialization to use BASE_SCOPES in stateless mode
- Enable dynamic tool filtering based on user's granted scopes
- Per-tool validation handles service-specific scope checks
- Maintains security while supporting partial scope authorization
This allows users with different scope configurations to use only the Google Workspace tools they have authorized, with clear error messages for unauthorized tools.
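The two-tier check described in the review overview (base scopes at the provider, service scopes per tool), sketched as an added example that is not code from this PR or the project. The registry, the decorator, the tool names and the contents of BASE_SCOPES are assumptions made for illustration.

```python
# Assumed values: the page does not list the contents of BASE_SCOPES.
BASE_SCOPES = frozenset({"openid", "https://www.googleapis.com/auth/userinfo.email"})
GMAIL_RO = "https://www.googleapis.com/auth/gmail.readonly"
DRIVE_RO = "https://www.googleapis.com/auth/drive.readonly"

class ScopeError(PermissionError):
    """Raised when a token lacks the scopes a step requires."""

# Hypothetical registry: tool name -> (required service scopes, handler).
TOOLS = {}

def tool(name, scopes):
    """Register a handler; a tool declaring no scopes is rejected (fail closed)."""
    required = frozenset(scopes)
    if not required:
        raise ValueError(f"tool {name!r} declares no service scopes")
    def register(fn):
        TOOLS[name] = (required, fn)
        return fn
    return register

@tool("search_gmail", [GMAIL_RO])
def search_gmail(query):
    return f"gmail results for {query}"

@tool("list_drive_files", [DRIVE_RO])
def list_drive_files(query):
    return f"drive files matching {query}"

def validate_base(granted):
    """Provider-level check in stateless mode: identity scopes only."""
    missing = BASE_SCOPES - set(granted)
    if missing:
        raise ScopeError(f"token missing base scopes: {sorted(missing)}")

def available_tools(granted):
    """Dynamic filtering: tools whose service scopes the grant fully covers."""
    return sorted(n for n, (req, _) in TOOLS.items() if req <= set(granted))

def call_tool(name, granted, *args):
    """Per-tool check: base scopes first, then the tool's own scopes."""
    validate_base(granted)
    if name not in TOOLS:
        raise ScopeError(f"unknown tool {name!r}")
    required, fn = TOOLS[name]
    missing = required - set(granted)
    if missing:
        raise ScopeError(f"{name} requires scopes: {sorted(missing)}")
    return fn(*args)
```

Because the provider only proves identity in this mode, the decorator refuses tools that declare no scopes; otherwise such a tool would be reachable by any token that passes the base check.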