I have been trying to access the API through another application which also generates OAuth2 tokens for Google Cloud. The scope I am given for the token is:
And when calling the FireCloud API with this token (https://api.firecloud.org/api/workspaces/%s/%s) I am getting an insufficient scope error.
When I log in to the Swagger API and authenticate for the same GetWorkspace call, I can check openid, email and profile, but I leave cloud-billing unchecked, as GetWorkspace doesn't require it.
However the token that is generated by Swagger does have the cloud-billing scope when the token is inspected with `oauth2l info --token`.
This suggests that
- api.firecloud.org Swagger is generating a token with scopes greater than expected, and/or
- Swagger is incorrectly listing the scope requirements for API calls.
Swagger is listing the required scopes as openid, email and profile.
We would like to have users gain the ability to edit workspaces, the data model, and methods, without having to get a token with the cloud-billing scope if possible, mainly because having our application generate a token with that scope requires extra security.
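
Added example, not part of the original post: a least-privilege check that compares the scopes on a token against the scopes a call is documented to need, reporting both missing and excess grants. It assumes the token description is tokeninfo-style JSON with a space-delimited `scope` field; the two sample responses are constructed, and the function names are hypothetical.

```python
import json

# Short names as shown in the Swagger dialog, mapped to the full URIs Google
# reports for them. "openid" has no URI form and passes through unchanged.
ALIASES = {
    "email": "https://www.googleapis.com/auth/userinfo.email",
    "profile": "https://www.googleapis.com/auth/userinfo.profile",
    "cloud-billing": "https://www.googleapis.com/auth/cloud-billing",
}

# Scopes Swagger lists for GetWorkspace, per the post.
REQUIRED = ["openid", "email", "profile"]

def normalize(scope):
    """Return the full-URI form of a scope so short and long names compare equal."""
    return ALIASES.get(scope, scope)

def granted_scopes(tokeninfo_json):
    """Parse tokeninfo-style JSON and return the normalized set of granted scopes."""
    info = json.loads(tokeninfo_json)
    if "error" in info:
        # An expired or malformed token yields an error object, not a scope list.
        raise ValueError("token rejected: %s" % info["error"])
    return {normalize(s) for s in info.get("scope", "").split()}

def audit(tokeninfo_json, required):
    """Diff granted scopes against required ones, in both directions."""
    granted = granted_scopes(tokeninfo_json)
    needed = {normalize(s) for s in required}
    return {
        "missing": sorted(needed - granted),  # would cause an insufficient-scope error
        "excess": sorted(granted - needed),   # broader than the call is documented to need
    }

# Constructed sample: a token carrying cloud-billing on top of the listed scopes.
SAMPLE_BROAD = json.dumps({
    "scope": "openid https://www.googleapis.com/auth/userinfo.email "
             "https://www.googleapis.com/auth/userinfo.profile "
             "https://www.googleapis.com/auth/cloud-billing",
    "expires_in": 3500,
})

# Constructed sample (not the scope from the post): a token lacking profile.
SAMPLE_NARROW = json.dumps({"scope": "openid email", "expires_in": 3500})

if __name__ == "__main__":
    for name, sample in (("broad", SAMPLE_BROAD), ("narrow", SAMPLE_NARROW)):
        print(name, audit(sample, REQUIRED))
```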