Skip to content

fix: drop ungrantable introspection scope from OAuth authorize URL#443

Draft
MattBro wants to merge 1 commit into
mainfrom
posthog-code/drop-introspection-scope
Draft

fix: drop ungrantable introspection scope from OAuth authorize URL#443
MattBro wants to merge 1 commit into
mainfrom
posthog-code/drop-introspection-scope

Conversation

@MattBro
Copy link
Copy Markdown
Contributor

@MattBro MattBro commented May 7, 2026

Summary

  • Drops the introspection entry from the OAuth scopes array in src/utils/setup-utils.ts (around line 495). It is not present in posthog/scopes.py (the canonical scope list), is not grantable, and the authorization server currently rejects the authorize request as invalid_scope.
  • Removes the matching bullet from the README's "Required API Key Scopes" list so users don't try to enable a scope that doesn't exist.

Token introspection continues to work without it as a granted scope: introspection is an endpoint per RFC 7662, authenticated via the bearer token, not a scope that needs to be requested at authorize time.

Test plan

  • pnpm build (passes locally; smoke test green)
  • Run the wizard's OAuth flow end-to-end and confirm the authorize step no longer returns invalid_scope
  • Verify token introspection (e.g. via /oauth/introspect) still succeeds for a token issued with the trimmed scope set

Created with PostHog Code

@MattBro
fix: drop ungrantable introspection scope from OAuth authorize URL
1049773 
The authorization server rejects `introspection` as `invalid_scope` because
it isn't in `posthog/scopes.py` (the canonical scope list). Token
introspection is an endpoint per RFC 7662, not a grantable scope, so it
keeps working without being requested at authorize time.

Generated-By: PostHog Code
Task-Id: 2ba7eb25-0ba0-4c0c-9f02-7b4b35839c84
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 7, 2026

🧙 Wizard CI

Run the Wizard CI and test your changes against wizard-workbench example apps by replying with a GitHub comment using one of the following commands:

Test all apps:

  • /wizard-ci all

Test all apps in a directory:

  • /wizard-ci basic-integration
  • /wizard-ci misc
  • /wizard-ci revenue

Test an individual app:

  • /wizard-ci basic-integration/android
  • /wizard-ci basic-integration/angular
  • /wizard-ci basic-integration/astro
Show more apps
  • /wizard-ci basic-integration/django
  • /wizard-ci basic-integration/fastapi
  • /wizard-ci basic-integration/flask
  • /wizard-ci basic-integration/javascript-node
  • /wizard-ci basic-integration/javascript-web
  • /wizard-ci basic-integration/laravel
  • /wizard-ci basic-integration/next-js
  • /wizard-ci basic-integration/nuxt
  • /wizard-ci basic-integration/python
  • /wizard-ci basic-integration/rails
  • /wizard-ci basic-integration/react-native
  • /wizard-ci basic-integration/react-router
  • /wizard-ci basic-integration/sveltekit
  • /wizard-ci basic-integration/swift
  • /wizard-ci basic-integration/tanstack-router
  • /wizard-ci basic-integration/tanstack-start
  • /wizard-ci basic-integration/vue
  • /wizard-ci misc/quack-quack
  • /wizard-ci revenue/stripe

Results will be posted here when complete.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@MattBro