Allow a shared deployment OAuth client for authenticated users#1713
Open
aryeh-stark wants to merge 1 commit into
Open
Allow a shared deployment OAuth client for authenticated users#1713aryeh-stark wants to merge 1 commit into
aryeh-stark wants to merge 1 commit into
Conversation
OAuth client credentials (GOOGLE_CLIENT_ID/SECRET, GOOGLE_SIGN_IN_CLIENT_*, GITHUB_CLIENT_*) are deployment-wide identity, not per-tenant secrets: every user authorizes the same app for their own account and gets their own tokens. But resolveSecret refused to fall back to the deploy env for signed-in users in a hosted runtime, so a deployment that set GOOGLE_CLIENT_* still showed each logged-in user the "bring your own OAuth app" setup wizard and /google/auth-url returned missing_credentials. Let these keys use the deploy env fallback (same as Builder credential keys); a per-tenant BYO client still wins (resolved first). Also fix GoogleConnectBanner computing "configured" across every env key (Slack/Resend/LLMs) instead of just the Google client keys.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
Contributor
|
Here's a visual recap of what changed:
Open the full interactive recap |
Contributor
|
great improvement, thanks @aryeh-stark! just need lint to pass on this one too and good to merge |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
OAuth client credentials (
GOOGLE_CLIENT_ID/SECRET,GOOGLE_SIGN_IN_CLIENT_*,GITHUB_CLIENT_*) are deployment-wide identity, not per-tenant secrets: every user authorizes the same app for their own account and gets their own tokens. ButresolveSecretrefuses the deploy-env fallback for any authenticated user in a hosted runtime — correct for per-tenant API keys, wrong for a shared OAuth client.Result: a deployment that sets
GOOGLE_CLIENT_*has working Google sign-in for anonymous requests but/google/auth-urlreturnsmissing_credentialsthe moment a user has a session, and each logged-in user is shown the "bring your own OAuth app" setup wizard.Fix
resolveSecretnow lets OAuth-client keys fall back to the deploy env even for signed-in users (same treatment Builder credential keys already get). A per-tenant client (BYO upload) still wins — user/org/workspace scopes are resolved first. Also fixesGoogleConnectBannercomputing "configured" across every env key (Slack/Resend/LLMs) instead of just the Google client keys.Tests + changeset.