From 4ec5ffb9d8887708ff84b5bc33bce650d76f51b4 Mon Sep 17 00:00:00 2001
From: Alberto Donato
Date: Thu, 22 Jan 2026 17:27:12 +0100
Subject: [PATCH 1/2] feat: also request "stacklet/platform" scope [ENG-6478]

[ENG-6478](https://stacklet.atlassian.net/browse/ENG-6478)
### what
add the `stacklet/platform` scope to the ones requested at login
### why
given the client accesses the platform API, it should request the scope
### testing
tested locally and verified the resulting access token has the additional scope
### docs
n/a
---
 stacklet/client/platform/vendored/auth.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/stacklet/client/platform/vendored/auth.py b/stacklet/client/platform/vendored/auth.py
index c5f6c72..8a7a542 100644
--- a/stacklet/client/platform/vendored/auth.py
+++ b/stacklet/client/platform/vendored/auth.py
@@ -136,6 +136,8 @@ class BrowserAuthenticator:
 REDIRECT_URI = f"http://localhost:{CLI_REDIRECT_PORT}"
 SHORT_LINK = f"http://localhost:{CLI_REDIRECT_PORT}/stacklet_auth"
 
+ SCOPES = {"email", "openid", "stacklet/platform"}
+
 def __init__(self, authority_url, client_id, idp_id=""):
 self.authority_url = authority_url
 self.client_id = client_id
@@ -156,7 +158,7 @@ def build_url(self):
 "response_type": "token",
 "redirect_uri": self.REDIRECT_URI,
 "client_id": self.client_id,
- "scope": "email+openid",
+ "scope": "+".join(self.SCOPES),
 "idp_identifier": self.idp_id,
 }
 )
From 73fab7b9e15999c8844ecfe1ee3f60d5ee454635 Mon Sep 17 00:00:00 2001
From: Alberto Donato
Date: Fri, 23 Jan 2026 11:16:56 +0100
Subject: [PATCH 2/2] keep scopes ordered

---
 stacklet/client/platform/vendored/auth.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/stacklet/client/platform/vendored/auth.py b/stacklet/client/platform/vendored/auth.py
index 8a7a542..988bb7a 100644
--- a/stacklet/client/platform/vendored/auth.py
+++ b/stacklet/client/platform/vendored/auth.py
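Review bot: The `"scope"` entry in build_url now requests `stacklet/platform` in the same request that keeps `"response_type": "token"`, so a token valid for the platform API is issued through the implicit grant and handed back in the fragment of the `http://localhost` redirect. Nothing in the change records that the token became more powerful; a comment above the entry such as `# implicit grant: the access token returns in the redirect fragment, request only the scopes the CLI needs` would make that visible, and moving build_url to the authorization-code flow with PKCE is worth a follow-up if the authority supports it. The function that consumes this dict starts and ends outside the hunk; if it percent-encodes values, the `/` in the new scope and the literal `+` separator are sent encoded, so the generated URL deserves a unit test.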
@@ -136,7 +136,7 @@ class BrowserAuthenticator:
 REDIRECT_URI = f"http://localhost:{CLI_REDIRECT_PORT}"
 SHORT_LINK = f"http://localhost:{CLI_REDIRECT_PORT}/stacklet_auth"
 
- SCOPES = {"email", "openid", "stacklet/platform"}
+ SCOPES = ("email", "openid", "stacklet/platform")
 
 def __init__(self, authority_url, client_id, idp_id=""):
 self.authority_url = authority_url
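Review bot: `SCOPES` carries no comment explaining why it is a tuple, and the removed line shows how easily it becomes a set, whose iteration order can differ between runs and so change the joined scope string. I would add `# Tuple, not set: build_url joins these in order, so the authorize URL stays stable.` above the assignment. Since this attribute now decides what the access token can reach, a second comment line naming what needs `stacklet/platform` would help whoever audits the client's permissions later. The class body continues outside the hunk.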