Summary
When GOOGLE_WORKSPACE_CLI_CLIENT_ID and GOOGLE_WORKSPACE_CLI_CLIENT_SECRET environment variables are set, they silently override ~/.config/gws/client_secret.json for authentication. However, gws auth status still reports credential_source: "client_secret.json" and shows the correct config_client_id from the file — giving no indication that env vars are actually being used.
This makes it extremely difficult to debug when the env vars contain stale or deleted OAuth credentials, since every diagnostic command points to the (correct) config file while auth silently uses the (broken) env vars.
Steps to Reproduce
- Create a valid
~/.config/gws/client_secret.json with a working OAuth client
- Set env vars to a different (or deleted) client:
export GOOGLE_WORKSPACE_CLI_CLIENT_ID="deleted-id.apps.googleusercontent.com"
export GOOGLE_WORKSPACE_CLI_CLIENT_SECRET="old-secret"
- Run
gws auth status — it shows credential_source: "client_secret.json" and the correct config_client_id from the file
- Run
gws auth login — it uses the env var client ID, not the config file one, resulting in Error 401: deleted_client
Expected Behavior
gws auth status should show credential_source: "environment" when env vars are activegws auth login should log which credential source it resolved to (env vars vs config file)- Ideally,
gws auth status should show both env_client_id and config_client_id when env vars are set, making the override visible
Relevant Code
In resolve_client_credentials(), env vars take priority:
let env_id = std::env::var("GOOGLE_WORKSPACE_CLI_CLIENT_ID").ok();
let env_secret = std::env::var("GOOGLE_WORKSPACE_CLI_CLIENT_SECRET").ok();
if let (Some(id), Some(secret)) = (env_id, env_secret) {
let project_id = crate::oauth_config::load_client_config().ok().map(|c| c.project_id);
return Ok((id, secret, project_id));
}But gws auth status doesn't reflect this resolution order — it always reports the config file as the source.
Environment
- gws version: 0.22.5
- OS: macOS 15, Apple Silicon (arm64)
Summary
When
GOOGLE_WORKSPACE_CLI_CLIENT_IDandGOOGLE_WORKSPACE_CLI_CLIENT_SECRETenvironment variables are set, they silently override~/.config/gws/client_secret.jsonfor authentication. However,gws auth statusstill reportscredential_source: "client_secret.json"and shows the correctconfig_client_idfrom the file — giving no indication that env vars are actually being used.This makes it extremely difficult to debug when the env vars contain stale or deleted OAuth credentials, since every diagnostic command points to the (correct) config file while auth silently uses the (broken) env vars.
Steps to Reproduce
~/.config/gws/client_secret.jsonwith a working OAuth clientgws auth status— it showscredential_source: "client_secret.json"and the correctconfig_client_idfrom the filegws auth login— it uses the env var client ID, not the config file one, resulting inError 401: deleted_clientExpected Behavior
gws auth statusshould showcredential_source: "environment"when env vars are activegws auth loginshould log which credential source it resolved to (env vars vs config file)gws auth statusshould show bothenv_client_idandconfig_client_idwhen env vars are set, making the override visibleRelevant Code
In
resolve_client_credentials(), env vars take priority:But
gws auth statusdoesn't reflect this resolution order — it always reports the config file as the source.Environment