mozilla · nshirley · May 28, 2026
@@ -53,6 +53,9 @@ export enum AdminPanelFeature {
   WafTokens = 'WafTokens',
   ManageWafTokens = 'ManageWafTokens',
   DomainBlocklist = 'DomainBlocklist',
+  OAuthScopes = 'OAuthScopes',
+  CreateOAuthScope = 'CreateOAuthScope',
+  DeleteOAuthScope = 'DeleteOAuthScope',
 }
 
 /** Enum of known user groups */
@@ -229,6 +232,18 @@ const defaultAdminPanelPermissions: Permissions = {
     name: 'Manage Domain Blocklist',
     level: PermissionLevel.Admin,
   },
+  [AdminPanelFeature.OAuthScopes]: {
+    name: 'View OAuth Scopes',
+    level: PermissionLevel.Support,
+  },
+  [AdminPanelFeature.CreateOAuthScope]: {
+    name: 'Create OAuth Scopes',
+    level: PermissionLevel.Admin,
+  },
+  [AdminPanelFeature.DeleteOAuthScope]: {
+    name: 'Delete OAuth Scopes',
+    level: PermissionLevel.Admin,
+  },
 };
 
 /**

@@ -0,0 +1,14 @@
+-- Add an auto-incrementing integer surrogate key to fxa_oauth.scopes so
+-- downstream code can reference scope rows by a stable numeric id. The
+-- existing `scope` string column is demoted from PRIMARY KEY to a UNIQUE
+-- index — uniqueness is still required by grant-time getScope() lookups,
+-- but the row identity moves to `id`. AUTO_INCREMENT backfills `id` for
+-- existing rows during the ALTER.
+
+ALTER TABLE scopes
+  DROP PRIMARY KEY,
+  ADD COLUMN id INT UNSIGNED NOT NULL AUTO_INCREMENT FIRST,
+  ADD PRIMARY KEY (id),
+  ADD UNIQUE KEY scopes_scope_unique (scope);
+
+UPDATE dbMetadata SET value = '37' WHERE name = 'schema-patch-level';
@@ -0,0 +1,9 @@
+-- Reverse of patch-036-037. Reverse patching is disabled in the runner.
+
+-- ALTER TABLE scopes
+--   DROP PRIMARY KEY,
+--   DROP INDEX scopes_scope_unique,
+--   DROP COLUMN id,
+--   ADD PRIMARY KEY (scope);
+
+-- UPDATE dbMetadata SET value = '36' WHERE name = 'schema-patch-level';
@@ -1,3 +1,3 @@
 {
-  "level": 36
+  "level": 37
 }
@@ -18,6 +18,7 @@ import PageAccountReset from './components/PageAccountReset';
 import PageEmailBlocklist from './components/PageEmailBlocklist';
 import PageWafTokens from './components/PageWafTokens';
 import PageDomainBlocklist from './components/PageDomainBlocklist';
+import PageOAuthScopes from './components/PageOAuthScopes';
 
 const App = ({ config }: { config: IClientConfig }) => {
   const [guard, setGuard] = useState<AdminPanelGuard>(config.guard);
@@ -64,6 +65,9 @@ const App = ({ config }: { config: IClientConfig }) => {
                   element={<PageDomainBlocklist />}
                 />
               )}
+              {guard.allow(AdminPanelFeature.OAuthScopes, user.group) && (
+                <Route path="/oauth-scopes" element={<PageOAuthScopes />} />
+              )}
               <Route path="/permissions" element={<PagePermissions />} />
             </Routes>
           </AppLayout>

@@ -144,6 +144,21 @@ export const Nav = () => (
             </NavLink>
           </li>
         </Guard>
+        <Guard features={[AdminPanelFeature.OAuthScopes]}>
+          <li>
+            <NavLink
+              to="/oauth-scopes"
+              className={({ isActive }) => getNavLinkClassName(isActive)}
+            >
+              <img
+                className="inline-flex mr-2 w-4"
+                src={keyIcon}
+                alt="key icon"
+              />
+              OAuth Scopes
+            </NavLink>
+          </li>
+        </Guard>
         <li>
           <NavLink
             to="/permissions"