Problem
The interactive TUI scope picker in gws auth login unconditionally injects the cloud-platform scope after selection, regardless of what the user chose. This causes admin_policy_enforced errors for users in Google Workspace organizations that block the cloud-platform scope.
Root Cause
In src/auth_commands.rs, line ~860:
```rust
// Always include cloud-platform scope
if !selected.contains(&PLATFORM_SCOPE.to_string()) {
    selected.push(PLATFORM_SCOPE.to_string());
}
```

This runs after every TUI selection, forcing cloud-platform into the scope list even when the user explicitly chose only basic services.
Contradiction with DEFAULT_SCOPES
The code comments on lines 56-62 explicitly acknowledge that cloud-platform is restricted and was intentionally removed from DEFAULT_SCOPES:
```rust
/// Previously this included `pubsub` and `cloud-platform`, which Google marks
/// as *restricted* and blocks for unverified apps, causing `Error 403:
/// restricted_client`. Use `--scopes` to add those scopes explicitly when you
/// have a verified app or a GCP project with the APIs enabled and approved.
pub const DEFAULT_SCOPES: &[&str] = MINIMAL_SCOPES;
```

Yet the TUI path contradicts this design by force-injecting the scope that was deliberately excluded.
Reproduction
```bash
# This works (no TUI, no cloud-platform injected):
echo "" | gws auth login
# This fails (TUI injects cloud-platform):
gws auth login
# This also fails (TUI still opens even with -s):
gws auth login -s drive,gmail,calendar,sheets,docs,slides
```
Error
```
Error 400: admin_policy_enforced
```
The generated OAuth URL contains cloud-platform even when only basic services (drive, gmail, calendar) are selected in the TUI.
Expected Behavior
- The TUI should NOT force-inject `cloud-platform`; it should respect the user's selection
- `cloud-platform` should only be included when the user explicitly selects it in the TUI, uses `--full`, or adds it via `--scopes`
- The TUI behavior should be consistent with `DEFAULT_SCOPES` (which excludes `cloud-platform`)
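A scope-assembly routine that behaves as the expected-behavior list describes, written here as an added example (it is not the gws project's code): `cloud-platform` enters the list only through the TUI selection, `--full`, or `--scopes`, and an empty selection falls back to `DEFAULT_SCOPES`. The constant names follow the issue; their values, the `ScopeRequest` struct, and the scope URLs used as sample input are assumptions.

```rust
// Added example, not gws project code. Constant names follow the issue;
// their values, the struct, and the sample scope URLs are assumptions.
use std::collections::HashSet;
const PLATFORM_SCOPE: &str = "https://www.googleapis.com/auth/cloud-platform";
const MINIMAL_SCOPES: &[&str] = &[
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/calendar",
];
const DEFAULT_SCOPES: &[&str] = MINIMAL_SCOPES;

/// How the user expressed their scope choice (hypothetical struct).
pub struct ScopeRequest<'a> {
    /// Services ticked in the TUI picker (empty if the TUI was skipped).
    pub tui_selected: Vec<String>,
    /// `--full`: explicit opt-in to the restricted cloud-platform scope.
    pub full: bool,
    /// `--scopes` value as typed on the command line (comma-separated).
    pub extra_scopes: Option<&'a str>,
}

/// Build the final scope list. cloud-platform appears only if the user
/// selected it, passed `--full`, or listed it under `--scopes`; there is
/// no unconditional `selected.push(PLATFORM_SCOPE)` as in the bug.
pub fn finalize_scopes(req: &ScopeRequest) -> Vec<String> {
    let mut scopes: Vec<String> = if req.tui_selected.is_empty() {
        DEFAULT_SCOPES.iter().map(|s| s.to_string()).collect()
    } else {
        req.tui_selected.clone()
    };
    if let Some(extra) = req.extra_scopes {
        scopes.extend(extra.split(',').map(str::trim).filter(|s| !s.is_empty()).map(String::from));
    }
    if req.full {
        scopes.push(PLATFORM_SCOPE.to_string());
    }
    // Deduplicate while preserving order so the OAuth URL is stable.
    let mut seen = HashSet::new();
    scopes.retain(|s| seen.insert(s.clone()));
    scopes
}

/// Regression guard: true when cloud-platform ended up in the list although
/// the user never opted in through the TUI, `--full`, or `--scopes`.
pub fn injects_platform_scope(req: &ScopeRequest) -> bool {
    let opted_in = req.full
        || req.tui_selected.iter().any(|s| s == PLATFORM_SCOPE)
        || req.extra_scopes.map_or(false, |e| e.split(',').any(|s| s.trim() == PLATFORM_SCOPE));
    !opted_in && finalize_scopes(req).contains(&PLATFORM_SCOPE.to_string())
}
```

`injects_platform_scope` is the check a unit test for the TUI path would assert is false for a basic-services selection.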
Suggested Fix
Remove or conditionalize the forced injection at line ~860:
```diff
- // Always include cloud-platform scope
- if !selected.contains(&PLATFORM_SCOPE.to_string()) {
- selected.push(PLATFORM_SCOPE.to_string());
- }
```

If cloud-platform needs to remain available, it should be a selectable option in the TUI rather than being silently injected.
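Review bot: deleting the block outright leaves nothing in place for the case where `selected` comes back empty from the picker, so the consent request would be built with no scopes at all; fall back to DEFAULT_SCOPES when `selected` is empty, and if cloud-platform is to stay reachable, surface it as a checkbox in the TUI rather than pushing it here.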
Workaround
Bypass the TUI by piping empty input:
```bash
echo "" | gws auth login
```
Environment
- gws v0.18.0 (homebrew)
- Managed Google Workspace account
- macOS