finding (cat-2): per-user Google OAuth consent works but token does not vault for headless Arcade-User-ID
+11
@@ -61,3 +61,14 @@ Self-hosted on `backstage-wus2-v4` via Flux; vendor Helm chart **1.8.8**
|
|||||||
servers must be **registered** (run the server + dashboard "Add Server", type Arcade, URL + worker
|
servers must be **registered** (run the server + dashboard "Add Server", type Arcade, URL + worker
|
||||||
secret) — the tunnel pattern for local dev, or an in-cluster deploy for prod — not `arcade deploy`.
|
secret) — the tunnel pattern for local dev, or an in-cluster deploy for prod — not `arcade deploy`.
|
||||||
Relevant to cat-4 (SDK/deploy), cat-8 (deployment), cat-9 (DX).
|
Relevant to cat-4 (SDK/deploy), cat-8 (deployment), cat-9 (DX).
|
||||||
|
- **Per-user Google OAuth: consent URL works, but token does NOT vault for the headless
|
||||||
|
`Arcade-User-ID`** (verified 2026-06-18, cat-2). `tools.authorize("GoogleDocs_CreateDocumentFromText",
|
||||||
|
user_id)` stays `status=pending` for both a real id (`ztaylor@servicetitan.com`) and a fresh id
|
||||||
|
(`gdoc-test-user`) even after completing the exact consent link in-browser (Google approval 200 →
|
||||||
|
coordinator callback 303 → dashboard 200, no visible error). Provider `google-docs-provider` is
|
||||||
|
configured (mints consent URLs; scopes userinfo.email/profile + drive.file; redirect via
|
||||||
|
`coordinator.arcade.st.dev`). Root cause TBD: (A) token exchange/storage fails server-side (Google
|
||||||
|
client secret / redirect-uri misconfig), or (B) browser consent in a dashboard-logged-in session
|
||||||
|
rebinds the token to the dashboard/account identity, not the headless user_id. Next: check
|
||||||
|
`arcade-coordinator` logs for the callback/token-exchange. **Blocks headless per-user execution for
|
||||||
|
OAuth tools.** (cat-1 `whoami` exec-proof uses no external OAuth, so it's unaffected.)
|
||||||
|
|||||||
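Review bot: the new bullet records a real user identifier (`ztaylor@servicetitan.com`) as the tested `user_id`; replace it with a placeholder such as `<real-user-email>` so the findings doc does not carry a personal address next to the `coordinator.arcade.st.dev` host. The two root-cause hypotheses also cannot be told apart from what is written. State whether the consent link was completed in a browser session that was logged in to the dashboard or in a clean one, since (B) only applies to the former, and say whether a token appeared under the dashboard/account identity after the 303 callback. If (B) turns out to hold, that is an identity-binding problem (consent granted for one `user_id` landing on a different principal) and should be recorded as its own finding rather than folded into "token does NOT vault".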