Skip to content

auth login -s people does not include contacts write scope #673

Open
Open
auth login -s people does not include contacts write scope#673
@StephaneEJ

Description

@StephaneEJ
StephaneEJ
opened on Apr 4, 2026

Description

When using gws auth login -s people, the scope picker generates People API scopes for reading profiles, but does not include https://www.googleapis.com/auth/contacts which is required for write operations like createContact.

Steps to reproduce

  1. gws auth login -s people
  2. Approve scopes in browser
  3. gws people people createContact --json '{"names":[{"givenName":"Test","familyName":"Contact"}]}'

Expected: Contact is created.
Actual: 403 - Request had insufficient authentication scopes.

Workaround attempted

  • --scopes https://www.googleapis.com/auth/contacts works alone but cannot be combined with -s to get other service scopes in the same login.
  • --full does not include the contacts scope either.
  • Combining multiple full scope URLs in --scopes causes truncation in the OAuth redirect URL, resulting in invalid_scope errors.

Current workaround

Using curl directly with the People API and a dedicated refresh token obtained from a contacts-only gws auth login --scopes https://www.googleapis.com/auth/contacts.

Suggested fix

  1. Map -s people (or add -s contacts) to include https://www.googleapis.com/auth/contacts in the scope picker.
  2. Support incremental auth (adding scopes to an existing token without replacing it).

Environment

  • gws 0.22.5
  • macOS (Apple Silicon)
  • OAuth app in production mode (not testing)

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions