Refactor OAuth2 connectors: caller-owned scopes, error handling, simpler config

[aureliensibiril]

Summary

This PR overhauls the OAuth2 connector layer in three coherent passes:

1. Simpler bootstrap config

• Move OAuth2 provider definitions (auth URL, token URL, extra params, token endpoint auth) into the connector package so deployment config only carries ClientID and ClientSecret
• Simplify ConnectorRegistry to a pure store; wire provider defaults at registration time
• Restore GOOGLE_WORKSPACE and LINEAR provider definitions which were silently dropped during the bootstrap simplification (both were broken on this branch before this PR)

2. OAuth2 callback error handling

• Extract the /connectors/complete handler from NewMux into dedicated functions
• Handle OAuth2 error callbacks (RFC 6749 §4.1.2.1): log the error with provider context and redirect the user back to their continuation URL with error and error_description query params instead of falling through to the code exchange

3. Caller-owned OAuth2 scopes

The same provider may need different scopes in different contexts. Google Workspace is the canonical case: the SCIM bridge needs full directory + groups + customer + userschema (4 scopes); access review only needs to list users (2 scopes). Baking scopes into the connector at registration time made this impossible.

• Add InitiateOptions{Scopes []string} to the Connector interface; /connectors/initiate reads repeated ?scope= query parameters and forwards them
• Each owning Go module declares its scopes as a constant or registry:
  • pkg/accessreview/drivers/oauth2_scopes.go — per-provider scopes for access review
  • pkg/slack/oauth2_scopes.go — Slack compliance page scopes
  • pkg/iam/scim/bridge/provider/googleworkspace/oauth2_scopes.go — Google Workspace SCIM scopes
• Scopes are surfaced via GraphQL on the type each consumer queries:
  • ConnectorProviderInfo.oauth2Scopes (access review providers list)
  • AccessSource.oauth2Scopes (reconnect flow)
  • Organization.slackOAuth2Scopes (compliance page)
  • Organization.googleWorkspaceOAuth2Scopes (SCIM bridge — on Organization, not SCIMConfiguration, since the Connect button shows when SCIM is unconfigured)
• Frontend reads scopes from Relay fragments — zero hardcoded scope strings in TypeScript
• Drop the dead CreateAccessSourceDialog React component, rename file to accessSourceMutations.ts

Persistence note

OAuth2 refresh tokens do not need scopes (RFC 6749 §6) — the refreshed token inherits the originally granted scopes. Scopes only matter at the auth code exchange step, so they are not persisted on the connector record.

Test plan

• Verify each access review OAuth2 source still connects (HubSpot, GitHub, Sentry, Brex, DocuSign, Notion, Intercom, Linear, Google Workspace)
• Verify Slack compliance page connect flow
• Verify Google Workspace SCIM bridge connect flow
• Deny consent on a provider and confirm the error is logged with provider context and the user is redirected back with error params
• Verify access source reconnect flow uses the right scopes

[cubic-dev-ai]

No issues found across 7 files

[cubic-dev-ai]

1 issue found across 1 file (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="pkg/server/api/console/v1/resolver.go">

<violation number="1" location="pkg/server/api/console/v1/resolver.go:283">
P2: OAuth2 error callback always redirects to base URL and drops state continuation/organization context.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}