cmd,{get-authkey,tailscale}: remove unnecessary scope qualifier from OAuth clients

OAuth clients that were used to generate an auth_key previously specified the scope 'device'. 'device' is not an actual scope, the real scope is 'devices'. The resulting OAuth token ended up including all scopes from the specified OAuth client, so the code was able to successfully create auth_keys. It's better not to hardcode a scope here anyway, so that we have the flexibility of changing which scope(s) are used in the future without having to update old clients. Since the qualifier never actually did anything, this commit simply removes it. Updates tailscale/corp#24934 Signed-off-by: Percy Wegmann <percy@tailscale.com>
2025-02-20 11:58:39 +00:00 · 2024-12-04 14:43:43 -06:00 · 2024-12-04 14:43:43 -06:00 · 06a82f416f
commit 06a82f416f
parent dc6728729e
2 changed files with 0 additions and 2 deletions
--- a/cmd/get-authkey/main.go
+++ b/cmd/get-authkey/main.go
@ -46,7 +46,6 @@ func main() {
 		ClientID:     clientID,
 		ClientSecret: clientSecret,
 		TokenURL:     baseURL + "/api/v2/oauth/token",
-		Scopes:       []string{"device"},
 	}

 	ctx := context.Background()
--- a/cmd/tailscale/cli/up.go
+++ b/cmd/tailscale/cli/up.go
@ -1157,7 +1157,6 @@ func resolveAuthKey(ctx context.Context, v, tags string) (string, error) {
 		ClientID:     "some-client-id", // ignored
 		ClientSecret: clientSecret,
 		TokenURL:     baseURL + "/api/v2/oauth/token",
-		Scopes:       []string{"device"},
 	}

 	tsClient := tailscale.NewClient("-", nil)