feat(connect): ship registered M365 + Google OAuth apps (#141) #145

Merged. pawellisowski merged 1 commit into main from feat/oauth-registered-apps-141 on May 23, 2026.

Conversation

@pawellisowski (Contributor)

Summary

Ships first-party OAuth client IDs so aware connect microsoft-365 --device-code and aware connect google-workspace --oauth work with zero user setup. Closes #141.

  • M365 — multi-tenant public client (00929383-…). PKCE + device-code, no secret. 10 delegated Graph scopes covering the curated command surface (files/Excel, SharePoint lists, mail, calendar, Teams, Planner).
  • Google — "Desktop app" client. Client ID committed (public); the client secret is never committed — baked at release-build via option_env!("AWARE_GOOGLE_CLIENT_SECRET") (CI secret) or supplied at runtime via AWARE_OAUTH_GOOGLE_CLIENT_SECRET. Scopes cover Drive/Sheets/Calendar/Gmail/Slides/Forms/Tasks.
  • client_secret threaded through the PKCE, refresh, and device-code token exchanges — appended only when present, so the M365 public-client flow is unaffected.
  • cli/build.rs adds rerun-if-env-changed so releases re-bake the secret.
  • release.yml injects the secret into the cargo build --release step from a GitHub Actions secret.
  • 10-core/oauth-registration.md documents registration, admin consent, and the Google restricted-scope / M365 publisher-verification gates.

Security

  • No secret value in the diff (verified). Only public client IDs are committed.
  • Google desktop-client secret is non-confidential by Google's native-app model but kept out of source to avoid quota abuse + secret scanners.

Test plan

  • cargo build clean
  • auth unit tests pass (incl. new client-secret invariant test)
  • clippy clean on changed files
  • reviewed (local reviewer; Codex unavailable on Windows sandbox)
  • tagged release builds with the secret baked in (CI)
  • aware connect microsoft-365 --device-code end-to-end (own tenant)
  • aware connect google-workspace --oauth end-to-end (test user)

Follow-ups (not blocking)

  • M365 publisher verification (cross-tenant) — in progress in Partner Center.
  • Google production/CASA decision for restricted scopes (currently Testing mode).

Bundle first-party client IDs so `aware connect microsoft-365 --device-code`
and `aware connect google-workspace --oauth` work with zero user setup.

- M365: multi-tenant public client — PKCE + device-code, no secret.
- Google: desktop client. The client secret is never committed; it is injected
  at build time via option_env!(AWARE_GOOGLE_CLIENT_SECRET) (see cli/build.rs)
  or supplied at runtime via AWARE_OAUTH_GOOGLE_CLIENT_SECRET. client_secret is
  threaded through the PKCE, refresh, and device-code token exchanges.
- Default scopes widened to match the curated command surface for both agents.
- release.yml bakes the Google secret into release binaries from CI secrets.
- 10-core/oauth-registration.md documents registration + admin consent + the
  Google restricted-scope / M365 publisher-verification gates.
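
The mechanism the description and the commit message sketch, written out as an added example in Rust (the project's language, going by cli/build.rs and cargo); this is not code from the PR or from the aware project. Only the two environment-variable names come from the PR; everything else (resolve_secret, token_request_body, the OAuthClient and TokenGrant types, the placeholder client ID and the constructed grant values) is assumed for illustration. It shows the resolution order between the build-time bake and the runtime override, the three token exchanges with client_secret appended only when the client actually has one, and the invariant a unit test can pin so the public-client (M365) flow cannot regress.

```rust
use std::collections::BTreeMap;

/// Build-time bake (compile-time `option_env!`): CI sets the variable for release
/// builds, so this is `None` in a plain `cargo build`. Variable name is from the PR.
const BAKED_GOOGLE_CLIENT_SECRET: Option<&str> = option_env!("AWARE_GOOGLE_CLIENT_SECRET");
/// Runtime override, for dev builds and self-registered apps. Variable name is from the PR.
const RUNTIME_GOOGLE_CLIENT_SECRET_VAR: &str = "AWARE_OAUTH_GOOGLE_CLIENT_SECRET";

/// No `Debug` derive on purpose: the secret must never reach a log line by accident.
/// (Assumed type; the project's own struct may look different.)
#[derive(Clone)]
pub struct OAuthClient {
    pub client_id: String,
    /// `Some` only for a client registered with a secret (Google "Desktop app");
    /// a public client (M365 multi-tenant, PKCE/device code) stays `None`.
    pub client_secret: Option<String>,
}

/// Runtime env var wins over the build-time bake; empty values count as unset so
/// `AWARE_OAUTH_GOOGLE_CLIENT_SECRET=` cannot silently blank a baked secret.
pub fn resolve_secret(runtime: Option<String>, baked: Option<&str>) -> Option<String> {
    runtime
        .filter(|s| !s.is_empty())
        .or_else(|| baked.filter(|s| !s.is_empty()).map(str::to_owned))
}

pub fn google_client(client_id: &str) -> OAuthClient {
    let runtime = std::env::var(RUNTIME_GOOGLE_CLIENT_SECRET_VAR).ok();
    OAuthClient {
        client_id: client_id.to_owned(),
        client_secret: resolve_secret(runtime, BAKED_GOOGLE_CLIENT_SECRET),
    }
}

pub fn m365_client(client_id: &str) -> OAuthClient {
    OAuthClient { client_id: client_id.to_owned(), client_secret: None }
}

/// The three token-endpoint exchanges the secret has to be threaded through.
pub enum TokenGrant<'a> {
    AuthorizationCodePkce { code: &'a str, code_verifier: &'a str, redirect_uri: &'a str },
    RefreshToken { refresh_token: &'a str },
    DeviceCode { device_code: &'a str },
}

/// Token request parameters; `client_secret` is appended only when the client has
/// one, so a public client's body is unchanged.
pub fn token_request_body(client: &OAuthClient, grant: &TokenGrant<'_>) -> BTreeMap<&'static str, String> {
    let mut form = BTreeMap::new();
    form.insert("client_id", client.client_id.clone());
    match grant {
        TokenGrant::AuthorizationCodePkce { code, code_verifier, redirect_uri } => {
            form.insert("grant_type", "authorization_code".to_owned());
            form.insert("code", code.to_string());
            form.insert("code_verifier", code_verifier.to_string());
            form.insert("redirect_uri", redirect_uri.to_string());
        }
        TokenGrant::RefreshToken { refresh_token } => {
            form.insert("grant_type", "refresh_token".to_owned());
            form.insert("refresh_token", refresh_token.to_string());
        }
        TokenGrant::DeviceCode { device_code } => {
            form.insert("grant_type", "urn:ietf:params:oauth:grant-type:device_code".to_owned());
            form.insert("device_code", device_code.to_string());
        }
    }
    if let Some(secret) = &client.client_secret {
        form.insert("client_secret", secret.clone());
    }
    form
}

/// Percent-encode everything outside the RFC 3986 unreserved set and join as
/// `k=v&k=v`, so the body can go straight into the POST without an extra crate.
pub fn form_encode(value: &str) -> String {
    let mut out = String::with_capacity(value.len());
    for b in value.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' => out.push(b as char),
            _ => out.push_str(&format!("%{b:02X}")),
        }
    }
    out
}

pub fn encode_form(form: &BTreeMap<&'static str, String>) -> String {
    form.iter().map(|(k, v)| format!("{}={}", form_encode(k), form_encode(v))).collect::<Vec<_>>().join("&")
}

/// Invariant for a unit test: the body carries `client_secret` exactly when the client was built with one.
pub fn secret_invariant_holds(client: &OAuthClient, body: &BTreeMap<&'static str, String>) -> bool {
    body.contains_key("client_secret") == client.client_secret.is_some()
}

fn main() {
    // Placeholder client ID and constructed device code, not real registrations.
    let m365 = m365_client("00000000-0000-0000-0000-000000000000");
    let body = token_request_body(&m365, &TokenGrant::DeviceCode { device_code: "constructed-device-code" });
    println!("{}", encode_form(&body)); // no client_secret= in a public-client body
}
```

Two details worth keeping in mind: `option_env!` is evaluated when the crate compiles, which is why the PR pairs the bake with a `rerun-if-env-changed` line in cli/build.rs so a changed CI secret does not leave a stale bake in the cached build; and the empty-string check in `resolve_secret` makes an exported-but-blank override fall back to the bake rather than send `client_secret=` to the token endpoint.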
Development

Successfully merging this pull request may close these issues.

Ship a registered OAuth app + bundled client IDs so aware connect --device-code/--oauth works for end users

1 participant