fix(scopes): Allow project:distribution scope to be granted to integration tokens #102967
Merged: runningcode merged 1 commit into master from no/fix-project-distribution-scope-validation on Nov 10, 2025
Conversation
…ation tokens

The project:distribution scope is a specialized token-only scope that is not included in any user role (including owner). However, the validation logic for creating Custom Integration tokens was checking if the user had the scope in their role first, causing it to fail. Additionally, the show_auth_info method was preventing the client secret from being visible when an integration had token-only scopes, because it checked if the user had all the scopes in the integration.

This change introduces SENTRY_TOKEN_ONLY_SCOPES to define scopes that can be granted to integration tokens even if the user doesn't have them, and updates both the validation and visibility logic to handle these scopes properly.

This allows users to:
1. Create integration tokens with the project:distribution scope
2. View the client secret for integrations with token-only scopes
michelletran-sentry (Contributor) approved these changes on Nov 10, 2025 and left a comment:
Generally LGTM!
Jesse-Box pushed a commit that referenced this pull request on Nov 12, 2025:
…ation tokens (#102967)

## Summary

Fixes two related issues with the `project:distribution` scope for Custom Integration tokens:

1. **Creation Error**: Users couldn't add the `project:distribution` permission when creating Custom Integration tokens, getting the error: *"Requested permission of project:distribution exceeds requester's permission. Please contact an administrator to make the requested change."*

   ![Screenshot 2025-11-07 at 18 01 11](https://github.com/user-attachments/assets/a7fdee78-182b-4f0c-a9da-be0b6d89d520)

2. **Client Secret Masked**: Even if users bypassed the creation error, the client secret was immediately masked as `****` instead of being visible.

   ![Screenshot 2025-11-07 at 18 20 03](https://github.com/user-attachments/assets/66f50d31-06bd-4454-9f7e-c280a9f6ab9e)

## Root Cause

The `project:distribution` scope is a specialized token-only scope that is intentionally not included in any user role (including owner). This design allows distribution tokens to be used in apps that are distributed without risking accidentally leaking a token with broader permissions.

However, two pieces of validation logic were checking if the user personally had these scopes:

1. **`SentryAppParser.validate_scopes()`** - Blocked creation if the user didn't have the requested scopes
2. **`SentryApp.show_auth_info()`** - Hid the client secret if the user didn't have all the integration's scopes

## Changes

- Added `SENTRY_TOKEN_ONLY_SCOPES` constant in `server.py` to define scopes that can be granted to integration tokens even if the user doesn't have them
- Updated `SentryAppParser.validate_scopes()` to skip permission checks for token-only scopes
- Updated `SentryApp.show_auth_info()` to exclude token-only scopes when determining if the client secret should be visible
- Added `project:distribution` to `SENTRY_SCOPE_SETS` for documentation
- Added test coverage for token-only scope validation and visibility
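The two checks described in the commit message, modelled as an added example (this is not Sentry's code; `TOKEN_ONLY_SCOPES` stands in for `SENTRY_TOKEN_ONLY_SCOPES`, and the role table, `ScopeError` and the function names are assumptions). The last helper checks the invariant the fix relies on: bypassing the user check is only safe while no user role can ever hand a token-only scope to a person.

```python
from __future__ import annotations

# Constructed stand-in for SENTRY_TOKEN_ONLY_SCOPES (assumption, not Sentry's code).
TOKEN_ONLY_SCOPES: frozenset[str] = frozenset({"project:distribution"})

# Constructed role table: by design no role carries a token-only scope.
ROLE_SCOPES: dict[str, frozenset[str]] = {
    "member": frozenset({"project:read", "event:read"}),
    "owner": frozenset({"project:read", "project:write", "event:read", "org:admin"}),
}

# Error text quoted in the PR description.
EXCEEDS_MSG = (
    "Requested permission of {scope} exceeds requester's permission. "
    "Please contact an administrator to make the requested change."
)


class ScopeError(ValueError):
    """Raised when an integration requests a scope its creator may not grant."""


def validate_scopes(requested, user_scopes, token_only=TOKEN_ONLY_SCOPES) -> bool:
    """Reject any requested scope the user lacks, except token-only scopes,
    which no role contains and which the fix allows integrations to hold."""
    for scope in requested:
        if scope in token_only:
            continue  # the fix: token-only scopes skip the user permission check
        if scope not in user_scopes:
            raise ScopeError(EXCEEDS_MSG.format(scope=scope))
    return True


def creation_allowed(requested, user_scopes) -> bool:
    """Boolean wrapper so callers can test the outcome without try/except."""
    try:
        return validate_scopes(requested, user_scopes)
    except ScopeError:
        return False


def show_auth_info(user_scopes, integration_scopes, token_only=TOKEN_ONLY_SCOPES) -> bool:
    """Client secret is visible only when the user holds every scope of the
    integration, ignoring token-only scopes (the second half of the fix)."""
    return (set(integration_scopes) - set(token_only)) <= set(user_scopes)


def token_only_scopes_are_role_free(roles=ROLE_SCOPES, token_only=TOKEN_ONLY_SCOPES) -> bool:
    """Invariant behind the fix: no user role may contain a token-only scope."""
    return all(not (scopes & token_only) for scopes in roles.values())
```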
andrewshie-sentry pushed a commit that referenced this pull request on Nov 13, 2025 (same commit message as above).