
Preserve scopes in token refresh request#4428

Merged
amirejaz merged 1 commit into stacklok:main from gkatz2:fix/oauth-scope-refresh
Mar 30, 2026

Conversation

@gkatz2 gkatz2 (Contributor) commented Mar 30, 2026

Summary

  • OAuth servers that don't comply with RFC 6749 section 6 silently strip scopes during token refresh, breaking all scoped tool calls until manual re-auth
  • Include the scope parameter in refreshWithResource() when config.Scopes is non-empty, matching the existing defensive approach for the RFC 8707 resource parameter

Fixes #4427

Type of change

  • Bug fix

Test plan

  • Unit tests (task test)
  • Linting (task lint-fix)

Does this introduce a user-facing change?

Users connecting to OAuth servers that don't preserve scopes during token refresh will no longer silently lose scopes. Previously, scoped tool calls would fail after token expiry until manual re-auth.

Special notes for reviewers

resourceTokenSource already exists because Go's standard oauth2 library doesn't support adding custom parameters during refresh. This change extends that philosophy to scope: while RFC 6749 section 6 says servers MUST preserve scopes when omitted, being explicit is always spec-safe and protects against non-compliant servers.

Generated with Claude Code

RFC 6749 section 6 says servers MUST preserve scopes when
the scope parameter is omitted from a refresh request, but
not all servers comply. Explicitly including scope during
refresh is always spec-safe and protects users from silent
scope loss on non-compliant servers.

Fixes stacklok#4427

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Greg Katz <gkatz@indeed.com>
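As an added illustration (not ToolHive's code and not the refreshWithResource() implementation this PR changes), the Go program below shows the mechanism the description refers to: a refresh_token grant that repeats the originally granted scope together with the RFC 8707 resource parameter, run against a constructed in-process token server that behaves like a non-compliant one by granting only whatever scope string is present in the request. It also adds a check the PR itself does not make, comparing the returned scope string against the scopes the client depends on, so a silent downgrade is rejected at refresh time instead of surfacing later as failed tool calls. All function names (refreshForm, refresh, missingScopes, nonCompliantServer, demo), the example scopes and the resource URL are assumptions of this example.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// tokenResponse is the subset of an RFC 6749 section 5.1 token response used here.
// Scope is a pointer so that a scope the server omitted (permitted when identical to
// the request) is distinguishable from one it returned as a narrower string.
type tokenResponse struct {
	AccessToken string  `json:"access_token"`
	TokenType   string  `json:"token_type"`
	ExpiresIn   int     `json:"expires_in,omitempty"`
	Scope       *string `json:"scope,omitempty"`
}

// refreshForm builds a refresh_token grant body. scope is sent only when includeScope
// is set, which models the before/after of this PR; resource is the RFC 8707 parameter.
func refreshForm(refreshToken string, scopes []string, resource string, includeScope bool) url.Values {
	v := url.Values{}
	v.Set("grant_type", "refresh_token")
	v.Set("refresh_token", refreshToken)
	if includeScope && len(scopes) > 0 {
		v.Set("scope", strings.Join(scopes, " "))
	}
	if resource != "" {
		v.Set("resource", resource)
	}
	return v
}

// missingScopes returns every wanted scope absent from a space-delimited granted string.
func missingScopes(wanted []string, granted string) []string {
	have := make(map[string]bool)
	for _, s := range strings.Fields(granted) {
		have[s] = true
	}
	var missing []string
	for _, s := range wanted {
		if !have[s] {
			missing = append(missing, s)
		}
	}
	return missing
}

// refresh posts the grant and refuses a token whose returned scope no longer covers the
// scopes the client needs, so a non-compliant server fails loudly at refresh time.
func refresh(ctx context.Context, client *http.Client, tokenURL, refreshToken string,
	scopes []string, resource string, includeScope bool) (*tokenResponse, error) {
	body := refreshForm(refreshToken, scopes, resource, includeScope).Encode()
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, tokenURL, strings.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("token endpoint returned HTTP %d", resp.StatusCode)
	}
	var tr tokenResponse
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil {
		return nil, fmt.Errorf("decoding token response: %w", err)
	}
	if tr.Scope != nil { // omitted scope means "same as requested" per RFC 6749 section 5.1
		if m := missingScopes(scopes, *tr.Scope); len(m) > 0 {
			return nil, fmt.Errorf("refresh dropped scopes %v (server returned %q)", m, *tr.Scope)
		}
	}
	return &tr, nil
}

// nonCompliantServer is a constructed stand-in for a server that ignores RFC 6749 section 6:
// it grants exactly the scope string in the request, so an omitted scope yields a token with none.
func nonCompliantServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := r.ParseForm(); err != nil || r.PostForm.Get("grant_type") != "refresh_token" {
			http.Error(w, `{"error":"invalid_request"}`, http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(map[string]any{
			"access_token": "at-" + r.PostForm.Get("refresh_token"),
			"token_type":   "Bearer",
			"expires_in":   3600,
			"scope":        r.PostForm.Get("scope"), // "" when the client omitted it
		})
	}))
}

// demo refreshes once the old way (scope omitted) and once defensively (scope repeated)
// against the simulated server and reports whether each produced a usable token.
func demo() (bareOK, explicitOK bool) {
	srv := nonCompliantServer()
	defer srv.Close()
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	scopes := []string{"tools:read", "tools:call"} // constructed example scopes
	resource := "https://mcp.example/sse"          // constructed example resource indicator
	_, errBare := refresh(ctx, srv.Client(), srv.URL, "rt-demo", scopes, resource, false)
	_, errExplicit := refresh(ctx, srv.Client(), srv.URL, "rt-demo", scopes, resource, true)
	return errBare == nil, errExplicit == nil
}
```

Calling demo() returns (false, true): the request that omitted scope is rejected because the server handed back a token with no scopes, while the request that repeated them succeeds. The pointer-typed Scope field matters for the check: a server that omits scope in the response is compliant and must be accepted, whereas an explicit empty or narrower string is the silent loss the PR guards against.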
@github-actions github-actions bot added the size/XS Extra small PR: < 100 lines changed label Mar 30, 2026

codecov bot commented Mar 30, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.48%. Comparing base (feef6ed) to head (60a0225).
⚠️ Report is 13 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #4428      +/-   ##
==========================================
- Coverage   69.50%   69.48%   -0.02%     
==========================================
  Files         486      486              
  Lines       50017    50019       +2     
==========================================
- Hits        34766    34758       -8     
- Misses      12570    12577       +7     
- Partials     2681     2684       +3     

☔ View full report in Codecov by Sentry.

@amirejaz amirejaz merged commit d3dcbdd into stacklok:main Mar 30, 2026
36 checks passed

Development

Successfully merging this pull request may close these issues.

Preserve scopes defensively during token refresh
