Skip to content

Intermittent 403 'insufficient scopes' that succeeds on retry with same token (per-call scope mint?) #889

Description

@ortonom

Summary

gog intermittently returns a 403 insufficient scopes (Request had insufficient authentication scopes) on a call that then succeeds on an immediate retry with the same stored refresh token, no re-auth and no consent change. The error wording strongly implies a stale login / missing scope, which leads operators to re-authenticate — but re-auth changes nothing, because the scope was never actually missing.

Observed

  • Build: 0.31.1 (Homebrew), keyring backend keychain, single OAuth account.
  • Two different services hit it in one session:
    • gog calendar create <cal> --summary … --with-meet → 403 insufficient scopes. Retried minutes later, same token, → success (Meet conference created).
    • gog contacts search <q> → 403 insufficient authentication scopes. Retried later, same token, → results returned.
  • Sibling operations on the same service worked throughout (e.g. bare calendar create without --with-meet, and contacts list), so the token plainly held the scopes.
  • Debug logs around the failing calls show per-call scoped-token minting:
    level=DEBUG msg="creating client options with custom scopes" serviceLabel=calendar …
    level=DEBUG msg="client options with custom scopes created successfully" …
    

Hypothesis

The per-service custom-scope access-token mint occasionally yields a token that the API rejects as under-scoped on first use, and a fresh mint on retry resolves it (a mint/propagation race). The 403 is transient, not a genuine scope gap.

Question / request

Should the per-service token-mint path retry once internally on a 403 insufficient scopes (or refresh-then-retry) before surfacing it? At minimum, could the surfaced error distinguish "token genuinely lacks scope X" from "transient mint failure" so callers don't reflexively re-authenticate?

Happy to capture fuller debug output if useful.

Metadata

Metadata

Assignees

No one assigned

    Labels

    P2Normal priority bug or improvement with limited blast radius.clawsweeper:needs-live-reproClawSweeper needs live local, crabbox, or manual validation to confirm this issue.impact:auth-providerThis issue is about auth, provider routing, model choice, or SecretRef resolution.issue-rating: 🐚 platinum hermitGood issue quality with a plausible reproduction path needing some confirmation.

    Type

    No type
    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions