feat(remotesessions): explicitly configure upstream OAuth scope + audience #2941
🦋 Changeset detected. Latest commit: ceba4e4. The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package.
@claude review once
Wire scope through CreateRemoteSessionClient and UpdateRemoteSessionClient params, and expose c.scope alongside i.scopes_supported on the two joined client+issuer views the runtime uses to drive the OAuth dance.
@codex can you review?
@claude can you review? |
Add an optional scope attribute to the create, clone, and update forms on remoteSessionClients and surface it on the RemoteSessionClient result so operators can override the upstream OAuth scope set the dance requests.
Pass payload.Scope through to the repo layer in CreateRemoteSessionClient, CloneClientFromOAuthProxyProvider, and UpdateRemoteSessionClient, and surface the stored value on the RemoteSessionClient model view.
Resolve the upstream scope set from the remote_session_client's stored scope first, falling back to remote_session_issuers.scopes_supported when unset. Applies to both the authorize URL minted by BuildAuthorizationUrl and the outbound RFC 7591 DCR call fired by CreateRemoteSessionClient.
Adds:
- Unit coverage for Client.resolveScopes prefer-then-fallback semantics.
- An end-to-end test that drives ListClients → BuildAuthorizationUrl and asserts the upstream authorize URL's `scope` query parameter is sourced from the client override when set and the issuer's scopes_supported when absent.
- Round-trip assertions on create/update of the new RemoteSessionClient scope field.
Also explicitly initialises Scope on the issuer-driven DCR insert path for exhaustruct, regenerates the TypeScript SDK from the updated OpenAPI, and adds the AGE-2331 changeset.
Wire audience through CreateRemoteSessionClient and UpdateRemoteSessionClient params, and expose c.audience alongside c.scope on the two joined client+issuer views the runtime uses to drive the OAuth dance.
Add an optional audience attribute to the create, clone, and update forms on remoteSessionClients and surface it on the RemoteSessionClient result.
… view Pass payload.Audience through to the repo layer in CreateRemoteSessionClient, CloneClientFromOAuthProxyProvider, and UpdateRemoteSessionClient, and surface the stored value on the RemoteSessionClient model view.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: e38695d587
When a remote_session_client has audience configured, attach it as the upstream OAuth `audience` parameter on the authorize redirect, the authorization-code → token exchange, and every refresh-token request. Empty audience omits the parameter entirely.
Adds:
- Round-trip assertions on create/update of the RemoteSessionClient audience field.
- An end-to-end test that drives ListClients → BuildAuthorizationUrl and asserts the upstream authorize URL's `audience` query parameter is emitted when client.audience is set and omitted otherwise.
- Refresh-path tests that drive ResolveAccessToken against an httptest token endpoint and assert the POST body echoes audience iff configured.
Also regenerates the TypeScript SDK from the updated OpenAPI and adds the AGE-2331 audience changeset.
…rings Code-review cleanup over the AGE-2331 scope/audience commits:
- Replace three call sites of `conv.PtrValOr(conv.FromPGText[string](x), "")` with the equivalent `conv.FromPGTextOrEmpty[string](x)` helper that already exists in the conv package.
- Trim the new Client struct field docstrings down to the one non-obvious invariant (ClientScope overrides IssuerScopesSupported); the rest just restated the field names.
🚀 Preview Environment (PR #2941)
Preview URL: https://pr-2941.dev.getgram.ai
Gram Preview Bot
Summary
Wires the new `scope` and `audience` columns introduced in #2940 through the management API, model view, and OAuth dance.
- `scope` (array) and `audience` (string) attributes on `remoteSessionClients.{create,clone,update}` forms and the `RemoteSessionClient` result. Goa enforces RFC 6749 §3.3 scope-token regex (`^[!#-[\]-~]+$`, MaxLength 128 per element) and audience pattern (`^[!-~]+$`, MaxLength 512) at the request boundary.
- `BuildAuthorizationUrl` prefers `client.scope` over `issuer.scopes_supported`, falling back when unset.
- `server: minor` for both scope and audience.
Stacked on #2940 — base will retarget to `main` after the migration PR merges.
Linear: https://linear.app/speakeasy/issue/AGE-2331
Test plan
- `mise run test:server ./internal/remotesessions/...` (62 tests)
- `mise run lint:server`
- `scope` + `audience` set
🤖 Generated with Claude Code
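The boundary validation and scope precedence described in the summary, sketched as an added Go example (not code from this PR or the project): `validate`, `resolveScopes` as a free function and `authorizeURL` are hypothetical helpers, and the endpoint, client ID and scope values are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Patterns and length limits as quoted in the PR summary.
var scopeTokenRe = regexp.MustCompile(`^[!#-[\]-~]+$`)
var audienceRe = regexp.MustCompile(`^[!-~]+$`)

// validate is a hypothetical boundary check, not the project's Goa-generated validator.
func validate(scopes []string, audience string) error {
	for _, s := range scopes {
		if len(s) > 128 || !scopeTokenRe.MatchString(s) {
			return fmt.Errorf("invalid scope token %q", s)
		}
	}
	if audience != "" && (len(audience) > 512 || !audienceRe.MatchString(audience)) {
		return fmt.Errorf("invalid audience %q", audience)
	}
	return nil
}

// resolveScopes prefers the client override and falls back to the issuer's scopes_supported.
func resolveScopes(clientScope, issuerScopesSupported []string) []string {
	if len(clientScope) > 0 {
		return clientScope
	}
	return issuerScopesSupported
}

// authorizeURL (hypothetical) builds the upstream redirect; an empty audience is omitted.
func authorizeURL(endpoint, clientID string, clientScope, issuerScopes []string, audience string) (string, error) {
	if err := validate(clientScope, audience); err != nil { // re-checked here for the sketch
		return "", err
	}
	q := url.Values{"response_type": {"code"}, "client_id": {clientID}}
	if sc := resolveScopes(clientScope, issuerScopes); len(sc) > 0 {
		q.Set("scope", strings.Join(sc, " "))
	}
	if audience != "" {
		q.Set("audience", audience)
	}
	return endpoint + "?" + q.Encode(), nil
}

func main() { fmt.Println(authorizeURL("https://idp.example/authorize", "client-123", []string{"read:tools"}, []string{"openid"}, "https://api.example")) }
```

The scope-token class excludes space, `"` and `\`, so a stored override cannot smuggle extra tokens into the space-delimited `scope` parameter.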