Skip to content

auth login fails with HTTP 403 (non-JSON) when minutes:minutes.transcript:export is combined with task:* scopes #1846

Description

@lipyao96

Summary

On lark-cli auth login (Device Flow), requesting a scope set that includes both minutes:minutes.transcript:export and the task:* scopes makes the device-authorize request fail with HTTP 403 and a non-JSON body (surfaced as "response not JSON"). Login aborts. Dropping that one scope lets login succeed.

Environment

  • lark-cli v1.0.67, brand lark (open.larksuite.com), custom app, user login, macOS

Bisection (reproduction)

  • Full 42-scope set incl. the combo → 403, non-JSON.
  • Each scope requested on its own → succeeds.
  • Dropping only minutes:minutes.transcript:export (keeping task:*) → login succeeds, 41/42 granted; minutes:minutes and minutes:minutes.media:export still granted.
  • Reordering the scopes in the request changes whether it 403s.

The "passes solo, fails only in combination, order-sensitive, 403 + non-JSON body" signature points to a gateway/WAF false-positive on the request rather than an app-config or per-scope permission error (genuine scope errors return JSON 99991xxx).

Impact

Can't mint a user token that includes transcript-export-as-user without dropping minutes:minutes.transcript:export from the login scope set.

Questions

  • Known gateway/WAF interaction with this scope combination?
  • Would chunking the authorize into smaller scope batches (or different ordering/encoding) be a workaround the CLI could adopt?

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't workingdomain/authAuthentication subsystemdomain/coreCLI framework and core librariesdomain/minutesMinutes domaindomain/taskPR touches the task domain

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions