Auth scope picker missing scopes for People, Chat, and other services #316

@nudesk-kenny

Summary

gws auth login presents an interactive scope picker with 9 scopes, but several supported services require scopes that aren't listed. Users who enable these services via -s (e.g., people, chat) get 403 Request had insufficient authentication scopes errors because the auth flow never requests the necessary scopes.

Affected Services & Missing Scopes

Service             Required Scope       In Picker?
People (contacts)   contacts.readonly    No
People (directory)  directory.readonly   No
Chat (spaces)       chat.spaces          No
Chat (messages)     chat.messages        No

The MCP server config (gws mcp -s drive,gmail,calendar,sheets,docs,slides,chat,people) exposes these services, but the auth token doesn't have the right scopes to call them.

Current Picker (9 scopes)

[x] Google Drive       https://www.googleapis.com/auth/drive
[x] Google Sheets      https://www.googleapis.com/auth/spreadsheets
[x] Gmail              https://www.googleapis.com/auth/gmail.modify
[x] Google Calendar    https://www.googleapis.com/auth/calendar
[x] Google Docs        https://www.googleapis.com/auth/documents
[x] Google Slides      https://www.googleapis.com/auth/presentations
[x] Google Tasks       https://www.googleapis.com/auth/tasks
[x] Cloud Pub/Sub      https://www.googleapis.com/auth/pubsub
[x] Cloud Platform     https://www.googleapis.com/auth/cloud-platform

Workaround

  1. Run gws auth login (starts local listener on a random port)
  2. Copy the generated OAuth URL
  3. Manually append missing scopes to the scope= query parameter
  4. Open the modified URL in the browser instead of the original
  5. The redirect completes against the CLI's listener and the token is saved with all scopes

This works but is not discoverable and error-prone.

Suggested Fix

One or both of:

  1. Expand the picker — dynamically include scopes for all services passed via -s or all supported services
  2. Add a --scopes flag — e.g., gws auth login --scopes "contacts.readonly,directory.readonly,chat.spaces,chat.messages" to append additional scopes to the auth request

Environment

  • @googleworkspace/cli v0.7.0
  • macOS (Darwin 24.6.0)
  • Used as an MCP server with Claude Code
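
The workaround steps above as a script, added here as an example that is not part of the issue or of the gws code base: it appends only the scopes the issue lists as missing for the services actually enabled with -s, and leaves redirect_uri, state and every other parameter as generated. The URL layout, the space-delimited scope= value and the https://www.googleapis.com/auth/ prefix on the short scope names are assumptions; SAMPLE_URL is constructed.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SCOPE_PREFIX = "https://www.googleapis.com/auth/"  # assumed prefix for the short names
# Scopes the issue lists as missing from the picker, keyed by -s service name.
MISSING_BY_SERVICE = {
    "people": ["contacts.readonly", "directory.readonly"],
    "chat": ["chat.spaces", "chat.messages"],
}
# Constructed sample; the URL printed by gws auth login may be laid out differently.
SAMPLE_URL = (
    "https://accounts.google.com/o/oauth2/auth?client_id=EXAMPLE_CLIENT_ID"
    "&redirect_uri=http%3A%2F%2Flocalhost%3A53124&response_type=code"
    "&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.modify&state=EXAMPLE_STATE"
)

def query_param(url, name):
    """Return the decoded value of a query parameter that must appear exactly once."""
    values = [v for k, v in parse_qsl(urlsplit(url).query) if k == name]
    if len(values) != 1:
        raise ValueError(f"expected exactly one {name}= parameter, found {len(values)}")
    return values[0]

def missing_scopes(services, granted):
    """Full scope URLs needed by `services` that are absent from `granted`."""
    needed = []
    for service in services:
        for short in MISSING_BY_SERVICE.get(service, []):
            full = SCOPE_PREFIX + short
            if full not in granted and full not in needed:
                needed.append(full)
    return needed

def add_scopes(auth_url, services):
    """Append the missing scopes to scope= and keep all other parameters as they were."""
    current = query_param(auth_url, "scope").split()
    merged = " ".join(current + missing_scopes(services, current))
    parts = urlsplit(auth_url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    rebuilt = [(k, merged if k == "scope" else v) for k, v in params]
    return urlunsplit(parts._replace(query=urlencode(rebuilt)))

if __name__ == "__main__":
    # Only chat and people contribute extra scopes; nothing broader is requested.
    print(add_scopes(SAMPLE_URL, ["drive", "gmail", "chat", "people"]))
```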
