fix: preserve operator scopes for shared auth connections#27498

Closed

kevinWangSheng wants to merge 1 commit intoopenclaw:mainfrom

kevinWangSheng:fix/operator-scopes-shared-auth

kevinWangSheng commented Feb 26, 2026

Summary

When connecting via shared gateway token (no device identity), the operator scopes were being cleared, causing API operations to fail with 'missing scope' errors.

Fix

This fix preserves scopes when is true, allowing headless/API operator clients to retain their requested scopes.

Related Issue

Fixes #27494


          fix: preserve operator scopes for shared auth connections

c71c894

When connecting via shared gateway token (no device identity),
the operator scopes were being cleared, causing API operations
to fail with 'missing scope' errors.

This fix preserves scopes when sharedAuthOk is true, allowing
headless/API operator clients to retain their requested scopes.

Fixes openclaw#27494

openclaw-barnacle bot added gateway size: XS labels

Contributor

greptile-apps bot commented Feb 26, 2026

Greptile Summary

Fixed operator scope preservation for shared gateway token authentication. When operators connect via shared token/password without device identity (headless/API clients), their scopes are now correctly preserved instead of being cleared.

Added !sharedAuthOk condition to clearUnboundScopes() to preserve scopes when shared auth succeeds
Aligns with existing roleCanSkipDeviceIdentity() policy that allows operators with shared auth to skip device identity requirements
No security concerns: sharedAuthOk requires successful token/password authentication

Confidence Score: 5/5

This PR is safe to merge with minimal risk
The fix is a simple, focused one-line change that correctly addresses the scope preservation issue. The logic is consistent with existing authentication policies and doesn't introduce security vulnerabilities. The change has clear purpose and aligns with the system's design that operators with successful shared auth can skip device identity requirements.
No files require special attention

_{Last reviewed commit: c71c894}

This comment was marked as spam.

Sign in to view

steipete added a commit that referenced this pull request


          fix: land NO_REPLY announce suppression and auth scope assertions

96aad96

Landed follow-up for #27535 and aligned shared-auth gateway expectations after #27498.

Co-authored-by: kevinWangSheng <118158941+kevinWangSheng@users.noreply.github.com>

Contributor

steipete commented Feb 26, 2026

Landed on main.

Landed via commit 9c14299 on main. Follow-up test alignment included in 96aad96. Thanks @kevinWangSheng.

steipete closed this

wanjizheng pushed a commit to wanjizheng/openclaw that referenced this pull request


          fix: land NO_REPLY announce suppression and auth scope assertions

Landed follow-up for openclaw#27535 and aligned shared-auth gateway expectations after openclaw#27498.

Co-authored-by: kevinWangSheng <118158941+kevinWangSheng@users.noreply.github.com>

wanjizheng pushed a commit to wanjizheng/openclaw that referenced this pull request


          fix: land NO_REPLY announce suppression and auth scope assertions

f6842cf

Landed follow-up for openclaw#27535 and aligned shared-auth gateway expectations after openclaw#27498.

Co-authored-by: kevinWangSheng <118158941+kevinWangSheng@users.noreply.github.com>
(cherry picked from commit 4850148)

wanjizheng pushed a commit to wanjizheng/openclaw that referenced this pull request


          fix: land NO_REPLY announce suppression and auth scope assertions

4d5e8f3

Landed follow-up for openclaw#27535 and aligned shared-auth gateway expectations after openclaw#27498.

Co-authored-by: kevinWangSheng <118158941+kevinWangSheng@users.noreply.github.com>
(cherry picked from commit 4850148)

gemini-code-assist bot mentioned this pull request

chore(sync): replay rollup fixes on upstream/main MillionthOdin16/openclaw#94

Merged

wanjizheng pushed a commit to wanjizheng/openclaw that referenced this pull request


          fix: land NO_REPLY announce suppression and auth scope assertions

93ad635

Landed follow-up for openclaw#27535 and aligned shared-auth gateway expectations after openclaw#27498.

Co-authored-by: kevinWangSheng <118158941+kevinWangSheng@users.noreply.github.com>
(cherry picked from commit 4850148)

wanjizheng pushed a commit to wanjizheng/openclaw that referenced this pull request


          fix: land NO_REPLY announce suppression and auth scope assertions

87bc7f0

Landed follow-up for openclaw#27535 and aligned shared-auth gateway expectations after openclaw#27498.

Co-authored-by: kevinWangSheng <118158941+kevinWangSheng@users.noreply.github.com>
(cherry picked from commit 4850148)

wanjizheng pushed a commit to wanjizheng/openclaw that referenced this pull request


          fix: land NO_REPLY announce suppression and auth scope assertions

f6e904e

Landed follow-up for openclaw#27535 and aligned shared-auth gateway expectations after openclaw#27498.

Co-authored-by: kevinWangSheng <118158941+kevinWangSheng@users.noreply.github.com>
(cherry picked from commit 4850148)

execute008 pushed a commit to execute008/openclaw that referenced this pull request


          fix: land NO_REPLY announce suppression and auth scope assertions

8a21801

Landed follow-up for openclaw#27535 and aligned shared-auth gateway expectations after openclaw#27498.

Co-authored-by: kevinWangSheng <118158941+kevinWangSheng@users.noreply.github.com>

r4jiv007 pushed a commit to r4jiv007/openclaw that referenced this pull request


          fix: land NO_REPLY announce suppression and auth scope assertions

8ae65b9

Landed follow-up for openclaw#27535 and aligned shared-auth gateway expectations after openclaw#27498.

Co-authored-by: kevinWangSheng <118158941+kevinWangSheng@users.noreply.github.com>

mylukin pushed a commit to mylukin/openclaw that referenced this pull request


          fix: land NO_REPLY announce suppression and auth scope assertions

829554d

Landed follow-up for openclaw#27535 and aligned shared-auth gateway expectations after openclaw#27498.

Co-authored-by: kevinWangSheng <118158941+kevinWangSheng@users.noreply.github.com>

wanjizheng pushed a commit to wanjizheng/openclaw that referenced this pull request


          fix: land NO_REPLY announce suppression and auth scope assertions

8a7ab51

Landed follow-up for openclaw#27535 and aligned shared-auth gateway expectations after openclaw#27498.

Co-authored-by: kevinWangSheng <118158941+kevinWangSheng@users.noreply.github.com>
(cherry picked from commit 4850148)

wanjizheng pushed a commit to wanjizheng/openclaw that referenced this pull request


          fix: land NO_REPLY announce suppression and auth scope assertions

ed6eca1

Landed follow-up for openclaw#27535 and aligned shared-auth gateway expectations after openclaw#27498.

Co-authored-by: kevinWangSheng <118158941+kevinWangSheng@users.noreply.github.com>
(cherry picked from commit 4850148)

wanjizheng pushed a commit to wanjizheng/openclaw that referenced this pull request


          fix: land NO_REPLY announce suppression and auth scope assertions

0e2217c

Landed follow-up for openclaw#27535 and aligned shared-auth gateway expectations after openclaw#27498.

Co-authored-by: kevinWangSheng <118158941+kevinWangSheng@users.noreply.github.com>
(cherry picked from commit 4850148)

wanjizheng pushed a commit to wanjizheng/openclaw that referenced this pull request


          fix: land NO_REPLY announce suppression and auth scope assertions

cc54c18

Landed follow-up for openclaw#27535 and aligned shared-auth gateway expectations after openclaw#27498.

Co-authored-by: kevinWangSheng <118158941+kevinWangSheng@users.noreply.github.com>
(cherry picked from commit 4850148)

vincentkoc pushed a commit to Sid-Qin/openclaw that referenced this pull request


          fix: land NO_REPLY announce suppression and auth scope assertions

d12b869

Landed follow-up for openclaw#27535 and aligned shared-auth gateway expectations after openclaw#27498.

Co-authored-by: kevinWangSheng <118158941+kevinWangSheng@users.noreply.github.com>

vincentkoc pushed a commit to rylena/rylen-openclaw that referenced this pull request


          fix: land NO_REPLY announce suppression and auth scope assertions

a0070b3

Landed follow-up for openclaw#27535 and aligned shared-auth gateway expectations after openclaw#27498.

Co-authored-by: kevinWangSheng <118158941+kevinWangSheng@users.noreply.github.com>

hughdidit pushed a commit to hughdidit/DAISy-Agency that referenced this pull request


          fix: land NO_REPLY announce suppression and auth scope assertions

02abea4

Landed follow-up for openclaw#27535 and aligned shared-auth gateway expectations after openclaw#27498.

Co-authored-by: kevinWangSheng <118158941+kevinWangSheng@users.noreply.github.com>
(cherry picked from commit 96aad96)

# Conflicts:
#	src/agents/subagent-announce.ts
#	src/gateway/server.auth.test.ts

steipete added a commit to Sid-Qin/openclaw that referenced this pull request


          fix: land NO_REPLY announce suppression and auth scope assertions

64a4606

Landed follow-up for openclaw#27535 and aligned shared-auth gateway expectations after openclaw#27498.

Co-authored-by: kevinWangSheng <118158941+kevinWangSheng@users.noreply.github.com>

robertchang-ga pushed a commit to robertchang-ga/openclaw that referenced this pull request


          fix: land NO_REPLY announce suppression and auth scope assertions

a3ccfc8

Landed follow-up for openclaw#27535 and aligned shared-auth gateway expectations after openclaw#27498.

Co-authored-by: kevinWangSheng <118158941+kevinWangSheng@users.noreply.github.com>

hughdidit pushed a commit to hughdidit/DAISy-Agency that referenced this pull request


          fix: land NO_REPLY announce suppression and auth scope assertions

a3689f7

Landed follow-up for openclaw#27535 and aligned shared-auth gateway expectations after openclaw#27498.

Co-authored-by: kevinWangSheng <118158941+kevinWangSheng@users.noreply.github.com>
(cherry picked from commit 96aad96)

# Conflicts:
#	src/agents/subagent-announce.ts
#	src/gateway/server.auth.test.ts

dorgonman pushed a commit to kanohorizonia/openclaw that referenced this pull request


          fix: land NO_REPLY announce suppression and auth scope assertions

d20a385

Landed follow-up for openclaw#27535 and aligned shared-auth gateway expectations after openclaw#27498.

Co-authored-by: kevinWangSheng <118158941+kevinWangSheng@users.noreply.github.com>

zooqueen pushed a commit to hanzoai/bot that referenced this pull request


          fix: land NO_REPLY announce suppression and auth scope assertions

c8a4dc8

Landed follow-up for openclaw#27535 and aligned shared-auth gateway expectations after openclaw#27498.

Co-authored-by: kevinWangSheng <118158941+kevinWangSheng@users.noreply.github.com>

thebenjaminlee pushed a commit to escape-velocity-ventures/openclaw that referenced this pull request


          fix: land NO_REPLY announce suppression and auth scope assertions

6ed94fc

Landed follow-up for openclaw#27535 and aligned shared-auth gateway expectations after openclaw#27498.

Co-authored-by: kevinWangSheng <118158941+kevinWangSheng@users.noreply.github.com>

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

gateway size: XS