
gws auth login unusable with personal @gmail.com accounts — invalid_scope + ignores custom client_secret.json #119

@shaun-agent

Description


Summary

gws auth login (v0.3.4) is completely unusable with personal @gmail.com accounts. Two separate issues compound to make authentication impossible:

  1. The "Recommended" scope preset includes admin-only scopes that Google rejects with 400 invalid_scope for non-Workspace accounts
  2. The CLI ignores a custom OAuth client placed at ~/.config/gws/client_secret.json and always uses its hardcoded built-in client ID

Environment

  • gws version: 0.3.4 (npm install)
  • OS: macOS (Apple Silicon)
  • Account type: Personal @gmail.com (not Google Workspace)
  • GCP project: Has all relevant APIs enabled (Calendar, Drive, Gmail, Docs, Sheets, Forms, Chat, etc.)

Steps to Reproduce

Issue 1: invalid_scope with Recommended preset

  1. Run gws auth login
  2. Select "Recommended" scope preset (or any preset that includes admin scopes)
  3. Browser opens Google OAuth consent screen
  4. Google returns 400 invalid_scope

The scope list sent to Google includes these admin-only scopes that are invalid for personal accounts:

https://www.googleapis.com/auth/apps.alerts
https://www.googleapis.com/auth/apps.groups.settings
https://www.googleapis.com/auth/apps.licensing
https://www.googleapis.com/auth/apps.order
https://www.googleapis.com/auth/cloud-identity.devices
https://www.googleapis.com/auth/cloud-identity.groups
https://www.googleapis.com/auth/cloud-identity.inboundsso
https://www.googleapis.com/auth/cloud-identity.policies
https://www.googleapis.com/auth/ediscovery
https://www.googleapis.com/auth/directory.readonly
https://www.googleapis.com/auth/groups
https://www.googleapis.com/auth/chat.admin.memberships
https://www.googleapis.com/auth/chat.admin.spaces

These scopes require Google Workspace Admin SDK / domain-wide delegation and will always fail for @gmail.com accounts.

Issue 2: Custom client_secret.json ignored

  1. Create a Desktop OAuth client in Google Cloud Console
  2. Download the JSON and save to ~/.config/gws/client_secret.json
  3. Run gws auth login
  4. The OAuth URL still uses the built-in client ID (725852102922-v9qj7...) instead of the custom one

The README documents this path as the manual OAuth setup method, but the CLI appears to ignore it entirely.

What I Tried

Over the course of ~2 hours, I attempted:

  1. gws auth login with Recommended scopes → 400 invalid_scope (admin scopes rejected)
  2. Created custom OAuth client (Desktop app type) in my GCP project → placed at ~/.config/gws/client_secret.json
  3. Re-ran gws auth login → CLI still used its hardcoded client ID, not my custom one
  4. Swapped client_secret.json to a different GCP project's OAuth client → same behavior, hardcoded client ID used
  5. Observed 404 on localhost callback → timing issue where the local HTTP server wasn't ready when the OAuth redirect came back
  6. Observed 401 invalid_client → after recreating the OAuth client, the old client ID was still being used by gws

At no point was I able to successfully authenticate.

Expected Behavior

  1. Scope presets should be account-type-aware: either detect that the account is personal (not Workspace) and exclude admin-only scopes, or provide a "Personal account" preset that only includes consumer-compatible scopes (Calendar, Drive, Gmail, Sheets, Docs, Forms, Contacts, Tasks, etc.)

  2. Custom client_secret.json should be respected: When a user places their own OAuth client credentials at ~/.config/gws/client_secret.json per the README instructions, gws auth login should use those credentials instead of the built-in client.

Suggested Fix

For scope filtering:

Filter out scopes that require Workspace admin access when authenticating personal accounts. The following scope prefixes should be excluded for non-Workspace accounts:

  • apps.alerts, apps.groups.settings, apps.licensing, apps.order
  • cloud-identity.*
  • ediscovery
  • directory.readonly
  • groups
  • chat.admin.*
  • classroom.* (requires Google Classroom)

Note: PR #108 addresses apps.alerts specifically, but the problem is much broader.

For client_secret.json:

Ensure the manual OAuth setup path documented in the README actually works — check for ~/.config/gws/client_secret.json before falling back to the built-in client.

Impact

This effectively makes gws unusable for anyone with a personal Google account. Given that the README prominently features gws auth login as the primary auth method, this is a significant barrier to adoption for non-Workspace users.
