Skip to content

Classify scope-insufficient 403s as oauth_scope_insufficient#1385

Draft
RhysSullivan wants to merge 1 commit into
mainfrom
fix-1381-scope-insufficient-code
Draft

Classify scope-insufficient 403s as oauth_scope_insufficient#1385
RhysSullivan wants to merge 1 commit into
mainfrom
fix-1381-scope-insufficient-code

Conversation

@RhysSullivan

Copy link
Copy Markdown
Collaborator

A 403 that names a scope shortfall (RFC 6750 insufficient_scope, Google ACCESS_TOKEN_SCOPE_INSUFFICIENT) cannot be fixed by re-running the same OAuth grant, but all three protocol plugins mapped it to connection_rejected, whose recovery hint tells the agent to call oauth.start and retry — an infinite loop through identical consent screens.

This adds an oauth_scope_insufficient failure code with its own recovery guidance (reconnect with broader access, deliberately no oauth.start hint), a shared detector in the core SDK, and detection at the three collapse sites (openapi, graphql, mcp). A 403 without a recognised scope signal keeps the existing classification.

Fixes #1381

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jul 10, 2026

Copy link
Copy Markdown

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Preview URL Updated (UTC)
✅ Deployment successful!
View logs
executor-marketing 516719c Commit Preview URL

Branch Preview URL
Jul 10 2026, 03:02 AM

@github-actions

github-actions Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Cloudflare preview

Console https://executor-preview-pr-1385.executor-e2e.workers.dev
MCP https://executor-preview-pr-1385.executor-e2e.workers.dev/mcp
Deployed commit 516719c

Sign-in is Cloudflare Access (one-time PIN to an allowed email). The preview has its own database and encryption key; it is destroyed when this PR closes.

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jul 10, 2026

Copy link
Copy Markdown

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Updated (UTC)
✅ Deployment successful!
View logs
executor-cloud 516719c Jul 10 2026, 03:04 AM

@pkg-pr-new

pkg-pr-new Bot commented Jul 10, 2026

Copy link
Copy Markdown

Open in StackBlitz

@executor-js/cli

npm i https://pkg.pr.new/@executor-js/cli@1385

@executor-js/config

npm i https://pkg.pr.new/@executor-js/config@1385

@executor-js/execution

npm i https://pkg.pr.new/@executor-js/execution@1385

@executor-js/sdk

npm i https://pkg.pr.new/@executor-js/sdk@1385

@executor-js/codemode-core

npm i https://pkg.pr.new/@executor-js/codemode-core@1385

@executor-js/runtime-quickjs

npm i https://pkg.pr.new/@executor-js/runtime-quickjs@1385

@executor-js/plugin-file-secrets

npm i https://pkg.pr.new/@executor-js/plugin-file-secrets@1385

@executor-js/plugin-graphql

npm i https://pkg.pr.new/@executor-js/plugin-graphql@1385

@executor-js/plugin-keychain

npm i https://pkg.pr.new/@executor-js/plugin-keychain@1385

@executor-js/plugin-mcp

npm i https://pkg.pr.new/@executor-js/plugin-mcp@1385

@executor-js/plugin-onepassword

npm i https://pkg.pr.new/@executor-js/plugin-onepassword@1385

@executor-js/plugin-openapi

npm i https://pkg.pr.new/@executor-js/plugin-openapi@1385

executor

npm i https://pkg.pr.new/executor@1385

commit: 516719c

A 403 whose body or WWW-Authenticate challenge names a scope shortfall
(RFC 6750 insufficient_scope, Google ACCESS_TOKEN_SCOPE_INSUFFICIENT)
cannot be fixed by re-running the same OAuth grant, but all three
protocol plugins collapsed it into connection_rejected, whose recovery
block tells the agent to call oauth.start and retry: an infinite loop
through identical consent screens.

Add an oauth_scope_insufficient failure code with its own recovery
guidance (reconnect with broader access; deliberately no startOAuthTool
hint), a shared detector in the core SDK, and detection at the three
collapse sites: openapi (body + headers), graphql (body), mcp (the
transport error message, the only place the 403 body survives). A 403
without a recognised scope signal keeps the existing classification.

Fixes #1381
@RhysSullivan RhysSullivan force-pushed the fix-1381-scope-insufficient-code branch from 1d08e44 to 516719c Compare July 10, 2026 03:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

auth: scope-insufficient 403 collapses into connection_rejected

1 participant