Summary
On lark-cli auth login (Device Flow), requesting a scope set that includes both minutes:minutes.transcript:export and the task:* scopes makes the device-authorize request fail with HTTP 403 and a non-JSON body (surfaced as "response not JSON"). Login aborts. Dropping that one scope lets login succeed.
Environment
- lark-cli v1.0.67, brand lark (open.larksuite.com), custom app, user login, macOS
Bisection (reproduction)
- Full 42-scope set incl. the combo → 403, non-JSON.
- Each scope requested on its own → succeeds.
- Dropping only
minutes:minutes.transcript:export (keeping task:*) → login succeeds, 41/42 granted; minutes:minutes and minutes:minutes.media:export still granted.
- Reordering the scopes in the request changes whether it 403s.
The "passes solo, fails only in combination, order-sensitive, 403 + non-JSON body" signature points to a gateway/WAF false-positive on the request rather than an app-config or per-scope permission error (genuine scope errors return JSON 99991xxx).
Impact
Can't mint a user token that includes transcript-export-as-user without dropping minutes:minutes.transcript:export from the login scope set.
Questions
- Known gateway/WAF interaction with this scope combination?
- Would chunking the authorize into smaller scope batches (or different ordering/encoding) be a workaround the CLI could adopt?
Summary
On
lark-cli auth login(Device Flow), requesting a scope set that includes bothminutes:minutes.transcript:exportand thetask:*scopes makes the device-authorize request fail with HTTP 403 and a non-JSON body (surfaced as "response not JSON"). Login aborts. Dropping that one scope lets login succeed.Environment
Bisection (reproduction)
minutes:minutes.transcript:export(keepingtask:*) → login succeeds, 41/42 granted;minutes:minutesandminutes:minutes.media:exportstill granted.The "passes solo, fails only in combination, order-sensitive, 403 + non-JSON body" signature points to a gateway/WAF false-positive on the request rather than an app-config or per-scope permission error (genuine scope errors return JSON
99991xxx).Impact
Can't mint a user token that includes transcript-export-as-user without dropping
minutes:minutes.transcript:exportfrom the login scope set.Questions