auth login: first-run OAuth flow can fail with Google 403 restricted_client (unregistered/restricted scopes) #25

@jpoehnelt-bot

Summary

gws auth login generated an OAuth consent URL that failed at Google consent with:

  • Error 403: restricted_client
  • message indicating unregistered/restricted scopes in request.

Repro

gws auth login

Then open generated URL in browser.

Requested scopes included:

  • drive
  • spreadsheets
  • gmail.modify
  • calendar
  • documents
  • presentations
  • tasks
  • pubsub
  • cloud-platform

Actual

  • Browser consent fails before auth completes.
  • CLI has no built-in remediation guidance when this happens.

Expected

  • First-run flow should either:
    1. succeed with a known-good auth profile, or
    2. fail with precise next steps (client setup, required scopes, consent screen requirements).

Suggestions

  1. Add scope profiles (minimal/default/full), with minimal as default.
  2. On restricted_client, detect this class of failure and print targeted guidance:
    • likely cause
    • exact setup steps
    • link to docs
  3. Consider reducing default requested scopes to avoid unnecessary first-run failures.
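An added sketch of suggestions 1 and 2, not code from the gws project: scope profiles with `minimal` as the default, plus guidance that names the requested scopes missing from the OAuth client. The profile membership, the function names, and passing in both the error code and the client's registered scopes by hand are assumptions.

```python
from urllib.parse import urlencode

SCOPE_PREFIX = "https://www.googleapis.com/auth/"
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

# Hypothetical profile membership; "full" is the scope list from the issue.
PROFILES = {
    "minimal": ["drive", "spreadsheets"],
    "default": ["drive", "spreadsheets", "gmail.modify", "calendar", "documents"],
    "full": ["drive", "spreadsheets", "gmail.modify", "calendar", "documents",
             "presentations", "tasks", "pubsub", "cloud-platform"],
}

def scopes_for(profile="minimal"):
    """Expand a profile name to full scope URIs; unknown names are rejected."""
    if profile not in PROFILES:
        raise ValueError(f"unknown scope profile: {profile!r}")
    return [SCOPE_PREFIX + s for s in PROFILES[profile]]

def consent_url(client_id, redirect_uri, profile="minimal"):
    """Build the consent URL requesting only the chosen profile's scopes."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code", "access_type": "offline",
              "scope": " ".join(scopes_for(profile))}
    return AUTH_ENDPOINT + "?" + urlencode(params)

def unregistered(profile, registered):
    """Short names the profile requests that the client has not registered."""
    allowed = {s.removeprefix(SCOPE_PREFIX) for s in registered}
    return [s for s in PROFILES[profile] if s not in allowed]

def guidance(error, profile, registered):
    """Turn a consent error code into targeted next steps."""
    if error != "restricted_client":
        return f"Unrecognized consent error {error!r}; no targeted guidance."
    lines = [f"Consent failed with restricted_client for profile {profile!r}."]
    missing = unregistered(profile, registered)
    if missing:
        lines.append("Scopes not registered on the OAuth client: " + ", ".join(missing))
    fits = [p for p in PROFILES if not unregistered(p, registered)]
    if fits:
        lines.append("Profiles that fit the registered scopes: " + ", ".join(fits))
    return "\n".join(lines)

if __name__ == "__main__":
    # Constructed sample: a client that registered only Drive and Sheets.
    registered = [SCOPE_PREFIX + "drive", SCOPE_PREFIX + "spreadsheets"]
    print(consent_url("CLIENT_ID_PLACEHOLDER", "http://localhost:8080"))
    print(guidance("restricted_client", "full", registered))
```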
