GetWorkspace API call requires cloud-billing scope

Post author
RobinK

I have been trying to access the API through another application which also generates OAuth2 tokens for Google Cloud. The scope I am given for the token is: 

And when calling the FireCloud API with this token (https://api.firecloud.org/api/workspaces/%s/%s) I am getting an insufficient scope error. 

When I log in to the Swagger API and authenticate for the same GetWorkspace call, I can check openid, email and profile, but I leave cloud-billing unchecked, as GetWorkspace doesn't require it.

However the token that is generated by Swagger does have the cloud-billing scope when the token is inspected with `oauth2l info --token`.

"scope": "openid https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/cloud-billing"

This suggests that

  1. api.firecloud.org Swagger is generating a token with scopes greater than expected, and/or:
  2. Swagger is incorrectly listing the scope requirements for API calls. 

Swagger is listing the required scopes as openid, email and profile.

We would like to have users gain the ability to edit workspaces, the data model, and methods, without having to get a token with the cloud-billing scope if possible, mainly because having our application generate a token with that scope requires extra security. 

Thanks,

Robin
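
The scope comparison described in the post above can be automated so that an over-scoped token is caught before it is used. This is an added example, not code from the original post or from FireCloud; the function names are hypothetical, and it assumes the token-inspection output is JSON with a space-delimited "scope" field, as in the line quoted in the post.

```python
import json

# Google treats the short OpenID Connect names as equivalent to these URLs.
SCOPE_ALIASES = {
    "email": "https://www.googleapis.com/auth/userinfo.email",
    "profile": "https://www.googleapis.com/auth/userinfo.profile",
}


def normalize(scopes):
    """Map short scope names to their full URL form and deduplicate."""
    return {SCOPE_ALIASES.get(s, s) for s in scopes}


def audit_token_info(token_info_json, expected_scopes):
    """Compare the scopes in a tokeninfo-style JSON document with the expected set.

    Returns (missing, excess): scopes the call needs but the token lacks,
    and scopes the token carries beyond what was requested.
    """
    info = json.loads(token_info_json)
    scope_field = info.get("scope", "")
    if not isinstance(scope_field, str):
        raise ValueError("scope field must be a space-delimited string")
    granted = normalize(scope_field.split())
    expected = normalize(expected_scopes)
    return sorted(expected - granted), sorted(granted - expected)


# Constructed sample document: only the "scope" value is taken from the post.
SWAGGER_TOKEN_INFO = json.dumps({
    "scope": "openid https://www.googleapis.com/auth/userinfo.email "
             "https://www.googleapis.com/auth/userinfo.profile "
             "https://www.googleapis.com/auth/cloud-billing",
})

# Scopes Swagger lists as required for GetWorkspace, per the post.
GETWORKSPACE_SCOPES = ["openid", "email", "profile"]

if __name__ == "__main__":
    missing, excess = audit_token_info(SWAGGER_TOKEN_INFO, GETWORKSPACE_SCOPES)
    print("missing:", missing)
    print("excess:", excess)
```

A non-empty `excess` list means the token carries more privilege than the call was expected to need; a non-empty `missing` list corresponds to the insufficient scope error.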

Comments

1 comment

  • Comment author
    Tiffany Miller

    Hi Robin,

    1. You are right about that. We are investigating this.

    2. I authenticated directly via https://api.firecloud.org/#!/Workspaces/listWorkspaces API (not clicking the authorize button at the top where the cloud-billing scope is listed) and the cloud-billing scope was not returned for me. Are you able to do that too?
