Skip to content

TA-4919: Change profile creation logic for oAuth#314

Open
Buqeta (Buqeta) wants to merge 6 commits intomasterfrom
TA-4919-fix-oauth-profiles
Open

TA-4919: Change profile creation logic for oAuth#314
Buqeta (Buqeta) wants to merge 6 commits intomasterfrom
TA-4919-fix-oauth-profiles

Conversation

@Buqeta
Copy link
Contributor

@Buqeta Buqeta (Buqeta) commented Feb 27, 2026
edited
Loading

Description

1. Client credentials – scope handling

  • Before: One fixed scope list was sent with the token request. If any scope was invalid for the client, the grant failed and profile creation could fail or crash (e.g. reading access_token from undefined).

  • After: The CLI tries all 15 non-empty scope combinations (via getScopeCombinationsOrderedBySize), in order: 4 scopes → all 3-scope → all 2-scope → all 1-scope. The first successful grant is used. Stored scopes come from the token response (or the requested list as fallback). If both basic and post auth fail, profile creation throws instead of storing a broken profile.

  • Reasoning: This change was done for 2 reasons:

    • Support profile creation with client credentials in Omnia, since action-engine scope is missing there.
    • Make it possible to create profiles with all the combinations of the allowed scopes, as mentioned here.

2. Device code – scope handling

  • Before: One fixed scope list was used.
  • After: Two attempts only: first with all 4 scopes, then with 3 scopes (without action-engine.projects). If both fail, profile creation throws. A log line was added to show which scopes are being tried.
  • Reasoning: Support profile creation with device codes in Omnia.

3. Scope source of truth

  • Before: Separate constants for device and client credential scopes.
  • After: One list OAUTH_SCOPES (4 scopes) plus DEVICE_CODE_SCOPES_WITHOUT_ACTION_ENGINE (3 scopes) for the device-code fallback. Client credentials derive their attempts from OAUTH_SCOPES via getScopeCombinationsOrderedBySize.

4. Other

  • Added test cases for the other existing methods on profile.service, since they were missing.

Relevant links

Checklist

  • I have self-reviewed this PR
  • I have tested the change and proved that it works in different scenarios
  • I have updated docs if needed

@Buqeta Buqeta (Buqeta) requested a review from a team as a code owner February 27, 2026 13:39
@sonarqubecloud
Copy link

sonarqubecloud bot commented Feb 27, 2026

Quality Gate Passed Quality Gate passed

Issues
8 New issues
0 Accepted issues

Measures
0 Security Hotspots
99.3% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

promeris
Meris Nici (promeris) reviewed Feb 27, 2026
View reviewed changes
ZgjimHaziri
Zgjim Haziri (ZgjimHaziri) reviewed Mar 2, 2026
View reviewed changes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ZgjimHaziri Zgjim Haziri (ZgjimHaziri) ZgjimHaziri left review comments

@promeris Meris Nici (promeris) promeris left review comments

@LaberionAjvazi Laberion Ajvazi (LaberionAjvazi) LaberionAjvazi approved these changes

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Buqeta @ZgjimHaziri @promeris @LaberionAjvazi