[Bug] approval API user-identity calls broken: metadata uses deprecated scopes (approval:task:read) that have been replaced by approval:task (tenant-only) #780

@Rejudge-F

Summary

All approval API methods are unusable under user identity (--as user) because the API metadata returned by https://open.feishu.cn/api/tools/open/api_definition still references deprecated scope names (approval:task:read, approval:task:write, approval:instance:read, approval:instance:write) that the Feishu developer console has merged into new names (approval:task, approval:instance) — and the new names are only available for tenant identity, not user identity.

This breaks every approval task / instance command for end users.

Environment

  • lark-cli version: 1.0.24 (also reproduced from latest metadata)
  • Brand: feishu
  • OS: macOS 14.6 (darwin 24.6.0)

Steps to reproduce

  1. Open the Feishu developer console permission page, search approval. Observe the available scopes are the merged ones: approval:approval, approval:approval.list:readonly, approval:definition, approval:instance, approval:task. Note approval:task and approval:instance only expose tenant identity, no user identity option.
  2. Enable every available approval scope for both identities (where possible) and run lark-cli auth login --domain approval.
  3. Run lark-cli approval tasks query --params '{"topic":"1"}' --as user.

Expected

Returns the user's pending approval tasks.

Actual

{
  "ok": false,
  "identity": "user",
  "error": {
    "type": "permission",
    "message": "insufficient permissions (required scope: approval:task:read)",
    "hint": "run `lark-cli auth login --scope \"approval:task:read\"` in the background. ..."
  }
}

auth login --scope "approval:task:read approval:task:write approval:instance:read approval:instance:write" reports:

授权结果异常: 以下请求 scopes 未被授予: approval:task:read approval:task:write approval:instance:read approval:instance:write
本次新授予 scopes: (空)

The Feishu OAuth server rejects the deprecated scope names entirely — they no longer exist as grantable scopes.

Root cause

Direct fetch of the metadata endpoint:

curl 'https://open.feishu.cn/api/tools/open/api_definition?protocol=meta&client_version=1.0.24'

shows the approval service still references the deprecated scopes:

{
  "tasks": {
    "methods": {
      "query": {
        "scopes": ["approval:task:read"],
        "accessTokens": ["user"]
      },
      "approve": { "scopes": ["approval:task:write"], ... }
    }
  }
}

All approval-related scopes in the metadata are deprecated names:

  • approval:instance:read
  • approval:instance:write
  • approval:task:read
  • approval:task:write

But Feishu's developer console (and the OAuth grant endpoint) only accepts the new merged names:

  • approval:approval, approval:approval.list:readonly, approval:definition, approval:instance, approval:task

Furthermore, approval:task and approval:instance expose only tenant identity in the console, while tasks.query requires user identity per the metadata. Per the official API doc, the query API now requires approval:approval:readonly OR approval:task:list_by_user — neither of which is in the lark-cli metadata.

Suggested fix

  1. Update the upstream api_definition metadata so approval methods reference the current scope names (approval:approval:readonly, approval:task:list_by_user, approval:task, approval:instance).
  2. Ensure the new scopes are exposed for user identity in the developer console, since tasks.query only accepts user_access_token.
  3. Until then, lark-cli could ship a scope_overrides.json mapping from deprecated → current names so users aren't blocked.

Impact

The entire lark-cli approval command surface (tasks query/approve/reject/transfer/remind, instances get/cancel/cc/initiated) is unusable for personal approval workflow automation, which is the primary use case.
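
An added example, not part of the original issue or of lark-cli: a Python check that compares the scopes each method's metadata requires with the scopes the grant side offers per identity, and reports whether a deprecated name can be remapped or the method stays blocked. The sample metadata, the grantable sets and the override map are constructed from the values quoted in the report; `audit`, `GRANTABLE` and `OVERRIDES` are hypothetical names.

```python
import json

# Constructed sample in the shape of the metadata excerpt above; the
# accessTokens value for "approve" is an assumption (elided in the issue).
METADATA = json.loads("""
{"tasks": {"methods": {
  "query":   {"scopes": ["approval:task:read"],  "accessTokens": ["user"]},
  "approve": {"scopes": ["approval:task:write"], "accessTokens": ["user"]}
}}}
""")

# Scopes the console offers per identity, per step 1 of the report. Which
# identities the first three scopes expose is an assumption.
COMMON = {"approval:approval", "approval:approval.list:readonly", "approval:definition"}
GRANTABLE = {"user": set(COMMON),
             "tenant": COMMON | {"approval:instance", "approval:task"}}

# Hypothetical scope_overrides.json content: deprecated name -> candidates,
# most specific first.
OVERRIDES = {
    "approval:task:read": ["approval:task:list_by_user", "approval:approval:readonly", "approval:task"],
    "approval:task:write": ["approval:task"],
}

def audit(metadata, grantable, overrides):
    """Return one finding per (method, identity, scope) that cannot be granted as written."""
    findings = []
    for resource, body in metadata.items():
        for method, spec in body["methods"].items():
            for identity in spec.get("accessTokens", []):
                allowed = grantable.get(identity, set())
                for scope in spec.get("scopes", []):
                    if scope in allowed:
                        continue  # metadata and grant endpoint agree
                    usable = [c for c in overrides.get(scope, []) if c in allowed]
                    findings.append({
                        "method": f"{resource}.{method}",
                        "identity": identity,
                        "required": scope,
                        "status": "remap" if usable else "blocked",
                        "use": usable[0] if usable else None,
                        # A merged parent scope (approval:task for approval:task:read)
                        # grants more than the method asked for.
                        "widens": bool(usable) and scope.startswith(usable[0] + ":"),
                    })
    return findings

if __name__ == "__main__":
    for f in audit(METADATA, GRANTABLE, OVERRIDES):
        print(json.dumps(f))
```

With the grantable sets built from step 1, both methods are reported as blocked for user identity. A remap onto a merged parent scope is marked `widens`, because the merged name covers more than the read or write scope the method originally asked for.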

Labels: bug (Something isn't working), domain/auth (Authentication subsystem), domain/task (PR touches the task domain)