
fix(hf-auth): force OAuth consent prompt to expose org grants #1092

Open

tfrere wants to merge 1 commit into main from fix/oauth-prompt-consent-for-orgs

Conversation

@tfrere (Contributor) commented May 6, 2026

Context

Reported by a user who is a member of pollen-robotics: he sees his own private Spaces tagged reachy_mini_python_app in the app catalog, but never the private ones from pollen-robotics. The desktop app's catalog (which calls HfApi.list_spaces(filter=..., token=token) from the daemon) returns user-private repos correctly, so auth and tagging are fine. The blocker is HF-side: the OAuth token does not have org-level grants.

Root cause

Per HF OAuth docs:

By default, the oauth app does not need to access organization resources.
But some scopes like read-repos or read-billing apply to organizations as well.
The user can select which organizations to grant access to when authorizing the app.

Our read-repos scope is already sufficient. The user just has to tick pollen-robotics (or any other org) in the HF consent screen during the OAuth flow. The problem: the consent screen is only displayed on the first authorization. A user who skipped the org checkbox initially (or joined the org afterwards) has no in-app way to fix it, short of manually revoking the app at https://huggingface.co/settings/connected-applications.

Change

Add prompt=consent to the HuggingFace authorization URL in create_oauth_session. This is a standard OIDC parameter that forces the consent screen to be redisplayed on every login, even when the app has already been authorized. The user can then (re-)pick which orgs to grant access to, without having to revoke anything by hand.

The OAuth scopes are unchanged.

What this does NOT fix

Two things still need to be checked org-side:

  • The pollen-robotics org admins must have authorized the OAuth app 71146982-8184-45a2-b05a-d561b3cd701d for the org (Settings -> Connected applications). Without this, even consent + tick won't work.
  • Private Spaces inside the org must carry the reachy_mini_python_app tag in their README, otherwise they won't pass the filter= query against /api/spaces.

Test plan

  • On a robot with an existing HF login, click "Sign out" then "Sign in" again -> consent screen is shown (instead of being silently skipped) -> org checkboxes are visible -> after ticking the org, private org Spaces tagged reachy_mini_python_app show up in the catalog.
  • On a fresh robot (no prior HF login), the flow still works (consent shown as before).
  • No regression on the lite / wireless variants of the redirect URI.

Made-with: Cursor


Pass `prompt=consent` on the HuggingFace authorization URL so the
consent screen is displayed on every login, even when the app has
already been authorized.

This is needed because HF lets the user pick which organizations to
grant `read-repos` to during the consent step. A user who skipped that
step the first time (or who joined an org *after* the initial login)
had no in-app way to fix it: the only options were to manually revoke
the app at https://huggingface.co/settings/connected-applications or
edit the OAuth grants by hand.

With this change, "Sign out + Sign in" is enough to re-open the org
checkbox list, which is the common path users hit when private apps
from organizations like `pollen-robotics` fail to appear in the app
catalog.

The OAuth scopes are unchanged: `read-repos` already covers org repos
when the user has explicitly granted org-level access. No additional
scope is required.

Co-authored-by: Cursor <cursoragent@cursor.com>
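Added example, not code from the reachy_mini project or from this PR: a small Python sketch of how a daemon would build the HuggingFace authorization URL with and without prompt=consent, confirm that the scope set is unchanged between the two, and validate the callback before exchanging the code. The authorization endpoint path, the scope list, the client id, the redirect URI and every function name here are assumptions for illustration; the project's real create_oauth_session is not reproduced.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed HF OIDC authorization endpoint (illustrative; check HF's OAuth docs).
HF_AUTHORIZE_URL = "https://huggingface.co/oauth/authorize"

# Scope set is an assumption; the PR only says read-repos is present and unchanged.
SCOPES = ("openid", "profile", "read-repos")


def new_state() -> str:
    """Unguessable per-login state, bound to the callback to stop login CSRF."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id: str, redirect_uri: str, state: str,
                        scopes=SCOPES, force_consent: bool = True) -> str:
    """Build the authorization-code request URL.

    force_consent=False is the pre-PR behaviour: HF skips the consent screen
    for an already-authorized app, so the org checkboxes are never shown again.
    force_consent=True adds the standard OIDC prompt=consent parameter so the
    consent screen (and its org grant list) is redisplayed on every login.
    """
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,
    }
    if force_consent:
        params["prompt"] = "consent"
    return f"{HF_AUTHORIZE_URL}?{urlencode(params)}"


def _query(url: str) -> dict:
    return parse_qs(urlparse(url).query)


def forces_consent(url: str) -> bool:
    """True when the URL will make HF redisplay the consent/org screen."""
    return _query(url).get("prompt") == ["consent"]


def scopes_of(url: str) -> tuple:
    """Scopes requested by an authorization URL (space-separated per OIDC)."""
    return tuple(_query(url).get("scope", [""])[0].split())


def check_callback(callback_url: str, expected_state: str) -> str:
    """Validate the redirect back to the daemon and return the auth code.

    Rejects a mismatched state (CSRF or a stale login tab) and surfaces an
    error response from the provider instead of treating it as success.
    """
    qs = _query(callback_url)
    if qs.get("state") != [expected_state]:
        raise ValueError("state mismatch: rejecting callback")
    if "error" in qs:
        raise RuntimeError(f"authorization failed: {qs['error'][0]}")
    if "code" not in qs:
        raise ValueError("callback carries no authorization code")
    return qs["code"][0]


if __name__ == "__main__":
    # Constructed placeholder values, not the project's real client id or URI.
    client_id = "00000000-0000-0000-0000-000000000000"
    redirect_uri = "http://reachy-mini.local:8000/oauth/callback"
    state = new_state()
    before = build_authorize_url(client_id, redirect_uri, state, force_consent=False)
    after = build_authorize_url(client_id, redirect_uri, state)
    print("before:", before)
    print("after: ", after)
    print("consent forced:", forces_consent(before), "->", forces_consent(after))
    print("scopes unchanged:", scopes_of(before) == scopes_of(after))
```

The useful checks are that prompt=consent is the only difference between the two URLs (the scope set must not drift, since read-repos already covers org repos once the org is ticked) and that the callback is rejected on a state mismatch rather than silently exchanged.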
@pierre-rouanet pierre-rouanet self-assigned this May 6, 2026