From 1f748000496216d6956541b003a747598b26c52a Mon Sep 17 00:00:00 2001 From: iztaylor Date: Thu, 18 Jun 2026 14:12:05 -0400 Subject: [PATCH] finding (cat-2): per-user Google OAuth consent works but token does not vault for headless Arcade-User-ID --- LIVE-POC.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/LIVE-POC.md b/LIVE-POC.md index 6319b46..fe2f4b5 100644 --- a/LIVE-POC.md +++ b/LIVE-POC.md @@ -61,3 +61,14 @@ Self-hosted on `backstage-wus2-v4` via Flux; vendor Helm chart **1.8.8** servers must be **registered** (run the server + dashboard "Add Server", type Arcade, URL + worker secret) — the tunnel pattern for local dev, or an in-cluster deploy for prod — not `arcade deploy`. Relevant to cat-4 (SDK/deploy), cat-8 (deployment), cat-9 (DX). +- **Per-user Google OAuth: consent URL works, but token does NOT vault for the headless + `Arcade-User-ID`** (verified 2026-06-18, cat-2). `tools.authorize("GoogleDocs_CreateDocumentFromText", + user_id)` stays `status=pending` for both a real id (`ztaylor@servicetitan.com`) and a fresh id + (`gdoc-test-user`) even after completing the exact consent link in-browser (Google approval 200 → + coordinator callback 303 → dashboard 200, no visible error). Provider `google-docs-provider` is + configured (mints consent URLs; scopes userinfo.email/profile + drive.file; redirect via + `coordinator.arcade.st.dev`). Root cause TBD: (A) token exchange/storage fails server-side (Google + client secret / redirect-uri misconfig), or (B) browser consent in a dashboard-logged-in session + rebinds the token to the dashboard/account identity, not the headless user_id. Next: check + `arcade-coordinator` logs for the callback/token-exchange. **Blocks headless per-user execution for + OAuth tools.** (cat-1 `whoami` exec-proof uses no external OAuth, so it's unaffected.)
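Review bot: the added bullet lists two candidate root causes, (A) server-side token exchange/storage failure and (B) consent in a dashboard-logged-in session rebinding the token to the dashboard identity, but records nothing that separates them, and the discriminating test is cheap: open the same consent link in a private browser window that is not logged into the dashboard, complete Google approval, then re-call `tools.authorize("GoogleDocs_CreateDocumentFromText", user_id)` for the same `user_id`. If the status leaves `pending`, (B) is confirmed; if it still stays `pending`, the callback is not persisting the token at all and (A) plus the `arcade-coordinator` log check already named under "Next" is the right follow-up. Either way, state which browser identity was used for the 2026-06-18 run, since the bullet as written does not say. Two smaller points: the closing claim "Blocks headless per-user execution for OAuth tools" is broader than the evidence, which covers one provider (`google-docs-provider`) and one tool, so qualify it to Google OAuth tools until a second provider is tried; and the real user id `ztaylor@servicetitan.com` is being committed into the POC doc even though the synthetic `gdoc-test-user` reproduces the same result, so consider dropping the personal identifier and keeping only the synthetic one.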