fix(credentials): remove special scopes from additional scopes required hook, remove additionalScopes arg from tool definition (#1905)

Author: aadamgough

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel-new/components/editor/components/sub-block/components/tool-input/tool-input.tsx

@@ -21,7 +21,11 @@ import {
 import { Switch } from '@/components/ui/switch'
 import { Toggle } from '@/components/ui/toggle'
 import { createLogger } from '@/lib/logs/console/logger'
-import type { OAuthProvider, OAuthService } from '@/lib/oauth/oauth'
+import {
+  getCanonicalScopesForProvider,
+  type OAuthProvider,
+  type OAuthService,
+} from '@/lib/oauth/oauth'
 import { cn } from '@/lib/utils'
 import {
   ChannelSelectorInput,
@@ -1713,7 +1717,7 @@ export function ToolInput({
                             value={tool.params.credential || ''}
                             onChange={(value) => handleParamChange(toolIndex, 'credential', value)}
                             provider={oauthConfig.provider as OAuthProvider}
-                            requiredScopes={oauthConfig.additionalScopes || []}
+                            requiredScopes={getCanonicalScopesForProvider(oauthConfig.provider)}
                             label={`Select ${oauthConfig.provider} account`}
                             serviceId={oauthConfig.provider}
                             disabled={disabled}

apps/sim/hooks/use-oauth-scope-status.ts

@@ -44,19 +44,40 @@ export function getCredentialsNeedingReauth(credentials: Credential[]): Credenti
   return credentials.filter(credentialNeedsReauth)
 }
 
+/**
+ * Scopes that control token behavior but are not returned in OAuth token responses.
+ * These should be ignored when validating credential scopes.
+ */
+const IGNORED_SCOPES = new Set([
+  'offline_access', // Microsoft - requests refresh token
+  'refresh_token', // Salesforce - requests refresh token
+  'offline.access', // Airtable - requests refresh token (note: dot not underscore)
+])
+
 /**
  * Compute which of the provided requiredScopes are NOT granted by the credential.
+ * Note: Ignores special OAuth scopes that control token behavior (like offline_access)
+ * as they are not returned in the token response's scope list even when granted.
  */
 export function getMissingRequiredScopes(
   credential: Credential | undefined,
   requiredScopes: string[] = []
 ): string[] {
-  if (!credential) return [...requiredScopes]
+  if (!credential) {
+    // Filter out ignored scopes from required scopes as they're not returned by OAuth providers
+    return requiredScopes.filter((s) => !IGNORED_SCOPES.has(s))
+  }
+
   const granted = new Set((credential.scopes || []).map((s) => s))
   const missing: string[] = []
+
   for (const s of requiredScopes) {
+    // Skip ignored scopes as providers don't return them in the scope list even when granted
+    if (IGNORED_SCOPES.has(s)) continue
+
     if (!granted.has(s)) missing.push(s)
   }
+
   return missing
 }
 

apps/sim/tools/asana/add_comment.ts

@@ -10,7 +10,6 @@ export const asanaAddCommentTool: ToolConfig<AsanaAddCommentParams, AsanaAddComm
   oauth: {
     required: true,
     provider: 'asana',
-    additionalScopes: [],
   },
 
   params: {

apps/sim/tools/asana/create_task.ts

@@ -10,7 +10,6 @@ export const asanaCreateTaskTool: ToolConfig<AsanaCreateTaskParams, AsanaCreateT
   oauth: {
     required: true,
     provider: 'asana',
-    additionalScopes: [],
   },
 
   params: {

apps/sim/tools/asana/get_projects.ts

@@ -10,7 +10,6 @@ export const asanaGetProjectsTool: ToolConfig<AsanaGetProjectsParams, AsanaGetPr
   oauth: {
     required: true,
     provider: 'asana',
-    additionalScopes: [],
   },
 
   params: {

apps/sim/tools/asana/get_task.ts

@@ -10,7 +10,6 @@ export const asanaGetTaskTool: ToolConfig<AsanaGetTaskParams, AsanaGetTaskRespon
   oauth: {
     required: true,
     provider: 'asana',
-    additionalScopes: [],
   },
 
   params: {

apps/sim/tools/asana/search_tasks.ts

@@ -10,7 +10,6 @@ export const asanaSearchTasksTool: ToolConfig<AsanaSearchTasksParams, AsanaSearc
   oauth: {
     required: true,
     provider: 'asana',
-    additionalScopes: [],
   },
 
   params: {

apps/sim/tools/asana/update_task.ts

@@ -10,7 +10,6 @@ export const asanaUpdateTaskTool: ToolConfig<AsanaUpdateTaskParams, AsanaUpdateT
   oauth: {
     required: true,
     provider: 'asana',
-    additionalScopes: [],
   },
 
   params: {

apps/sim/tools/gmail/add_label.ts

@@ -10,7 +10,6 @@ export const gmailAddLabelTool: ToolConfig<GmailLabelParams, GmailToolResponse>
   oauth: {
     required: true,
     provider: 'google-email',
-    additionalScopes: ['https://www.googleapis.com/auth/gmail.modify'],
   },
 
   params: {

apps/sim/tools/gmail/archive.ts

@@ -10,7 +10,6 @@ export const gmailArchiveTool: ToolConfig<GmailMarkReadParams, GmailToolResponse
   oauth: {
     required: true,
     provider: 'google-email',
-    additionalScopes: ['https://www.googleapis.com/auth/gmail.modify'],
   },
 
   params: {