fix(credentials): remove special scopes from additional scopes required hook, remove additionalScopes arg from tool definition

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel-new/components/editor/components/sub-block/components/tool-input/tool-input.tsx

@@ -21,7 +21,11 @@ import {
 import { Switch } from '@/components/ui/switch'
 import { Toggle } from '@/components/ui/toggle'
 import { createLogger } from '@/lib/logs/console/logger'
-import type { OAuthProvider, OAuthService } from '@/lib/oauth/oauth'
+import {
+  getCanonicalScopesForProvider,
+  type OAuthProvider,
+  type OAuthService,
+} from '@/lib/oauth/oauth'
 import { cn } from '@/lib/utils'
 import {
   ChannelSelectorInput,
@@ -1713,7 +1717,7 @@ export function ToolInput({
                             value={tool.params.credential || ''}
                             onChange={(value) => handleParamChange(toolIndex, 'credential', value)}
                             provider={oauthConfig.provider as OAuthProvider}
-                            requiredScopes={oauthConfig.additionalScopes || []}
+                            requiredScopes={getCanonicalScopesForProvider(oauthConfig.provider)}
                             label={`Select ${oauthConfig.provider} account`}
                             serviceId={oauthConfig.provider}
                             disabled={disabled}

apps/sim/hooks/use-oauth-scope-status.ts

@@ -44,19 +44,40 @@ export function getCredentialsNeedingReauth(credentials: Credential[]): Credenti
   return credentials.filter(credentialNeedsReauth)
 }
 
+/**
+ * Scopes that control token behavior but are not returned in OAuth token responses.
+ * These should be ignored when validating credential scopes.
+ */
+const IGNORED_SCOPES = new Set([
+  'offline_access', // Microsoft - requests refresh token
+  'refresh_token', // Salesforce - requests refresh token
+  'offline.access', // Airtable - requests refresh token (note: dot not underscore)
+])
+
 /**
  * Compute which of the provided requiredScopes are NOT granted by the credential.
+ * Note: Ignores special OAuth scopes that control token behavior (like offline_access)
+ * as they are not returned in the token response's scope list even when granted.
  */
 export function getMissingRequiredScopes(
   credential: Credential | undefined,
   requiredScopes: string[] = []
 ): string[] {
-  if (!credential) return [...requiredScopes]
+  if (!credential) {
+    // Filter out ignored scopes from required scopes as they're not returned by OAuth providers
+    return requiredScopes.filter((s) => !IGNORED_SCOPES.has(s))
+  }
+
   const granted = new Set((credential.scopes || []).map((s) => s))
   const missing: string[] = []
+
   for (const s of requiredScopes) {
+    // Skip ignored scopes as providers don't return them in the scope list even when granted
+    if (IGNORED_SCOPES.has(s)) continue
+
     if (!granted.has(s)) missing.push(s)
   }
+
   return missing
 }
 

apps/sim/tools/asana/add_comment.ts

@@ -10,7 +10,6 @@ export const asanaAddCommentTool: ToolConfig<AsanaAddCommentParams, AsanaAddComm
   oauth: {
     required: true,
     provider: 'asana',
-    additionalScopes: [],
   },
 
   params: {

apps/sim/tools/asana/create_task.ts

@@ -10,7 +10,6 @@ export const asanaCreateTaskTool: ToolConfig<AsanaCreateTaskParams, AsanaCreateT
   oauth: {
     required: true,
     provider: 'asana',
-    additionalScopes: [],
   },
 
   params: {

apps/sim/tools/asana/get_projects.ts

@@ -10,7 +10,6 @@ export const asanaGetProjectsTool: ToolConfig<AsanaGetProjectsParams, AsanaGetPr
   oauth: {
     required: true,
     provider: 'asana',
-    additionalScopes: [],
   },
 
   params: {

apps/sim/tools/asana/get_task.ts

@@ -10,7 +10,6 @@ export const asanaGetTaskTool: ToolConfig<AsanaGetTaskParams, AsanaGetTaskRespon
   oauth: {
     required: true,
     provider: 'asana',
-    additionalScopes: [],
   },
 
   params: {

apps/sim/tools/asana/search_tasks.ts

@@ -10,7 +10,6 @@ export const asanaSearchTasksTool: ToolConfig<AsanaSearchTasksParams, AsanaSearc
   oauth: {
     required: true,
     provider: 'asana',
-    additionalScopes: [],
   },
 
   params: {

apps/sim/tools/asana/update_task.ts

@@ -10,7 +10,6 @@ export const asanaUpdateTaskTool: ToolConfig<AsanaUpdateTaskParams, AsanaUpdateT
   oauth: {
     required: true,
     provider: 'asana',
-    additionalScopes: [],
   },
 
   params: {

apps/sim/tools/gmail/add_label.ts

@@ -10,7 +10,6 @@ export const gmailAddLabelTool: ToolConfig<GmailLabelParams, GmailToolResponse>
   oauth: {
     required: true,
     provider: 'google-email',
-    additionalScopes: ['https://www.googleapis.com/auth/gmail.modify'],
   },
 
   params: {

apps/sim/tools/gmail/archive.ts

@@ -10,7 +10,6 @@ export const gmailArchiveTool: ToolConfig<GmailMarkReadParams, GmailToolResponse
   oauth: {
     required: true,
     provider: 'google-email',
-    additionalScopes: ['https://www.googleapis.com/auth/gmail.modify'],
   },
 
   params: {

apps/sim/tools/gmail/delete.ts

@@ -10,7 +10,6 @@ export const gmailDeleteTool: ToolConfig<GmailMarkReadParams, GmailToolResponse>
   oauth: {
     required: true,
     provider: 'google-email',
-    additionalScopes: ['https://www.googleapis.com/auth/gmail.modify'],
   },
 
   params: {

apps/sim/tools/gmail/draft.ts

@@ -10,7 +10,6 @@ export const gmailDraftTool: ToolConfig<GmailSendParams, GmailToolResponse> = {
   oauth: {
     required: true,
     provider: 'google-email',
-    additionalScopes: [],
   },
 
   params: {

apps/sim/tools/gmail/mark_read.ts

@@ -10,7 +10,6 @@ export const gmailMarkReadTool: ToolConfig<GmailMarkReadParams, GmailToolRespons
   oauth: {
     required: true,
     provider: 'google-email',
-    additionalScopes: ['https://www.googleapis.com/auth/gmail.modify'],
   },
 
   params: {

apps/sim/tools/gmail/mark_unread.ts

@@ -10,7 +10,6 @@ export const gmailMarkUnreadTool: ToolConfig<GmailMarkReadParams, GmailToolRespo
   oauth: {
     required: true,
     provider: 'google-email',
-    additionalScopes: ['https://www.googleapis.com/auth/gmail.modify'],
   },
 
   params: {

apps/sim/tools/gmail/move.ts

@@ -10,7 +10,6 @@ export const gmailMoveTool: ToolConfig<GmailMoveParams, GmailToolResponse> = {
   oauth: {
     required: true,
     provider: 'google-email',
-    additionalScopes: ['https://www.googleapis.com/auth/gmail.modify'],
   },
 
   params: {

apps/sim/tools/gmail/read.ts

@@ -19,7 +19,6 @@ export const gmailReadTool: ToolConfig<GmailReadParams, GmailToolResponse> = {
   oauth: {
     required: true,
     provider: 'google-email',
-    additionalScopes: ['https://www.googleapis.com/auth/gmail.labels'],
   },
 
   params: {

apps/sim/tools/gmail/remove_label.ts

@@ -10,7 +10,6 @@ export const gmailRemoveLabelTool: ToolConfig<GmailLabelParams, GmailToolRespons
   oauth: {
     required: true,
     provider: 'google-email',
-    additionalScopes: ['https://www.googleapis.com/auth/gmail.modify'],
   },
 
   params: {

apps/sim/tools/gmail/search.ts

@@ -18,7 +18,6 @@ export const gmailSearchTool: ToolConfig<GmailSearchParams, GmailToolResponse> =
   oauth: {
     required: true,
     provider: 'google-email',
-    additionalScopes: ['https://www.googleapis.com/auth/gmail.labels'],
   },
 
   params: {

apps/sim/tools/gmail/send.ts

@@ -10,7 +10,6 @@ export const gmailSendTool: ToolConfig<GmailSendParams, GmailToolResponse> = {
   oauth: {
     required: true,
     provider: 'google-email',
-    additionalScopes: ['https://www.googleapis.com/auth/gmail.send'],
   },
 
   params: {

apps/sim/tools/gmail/unarchive.ts

@@ -10,7 +10,6 @@ export const gmailUnarchiveTool: ToolConfig<GmailMarkReadParams, GmailToolRespon
   oauth: {
     required: true,
     provider: 'google-email',
-    additionalScopes: ['https://www.googleapis.com/auth/gmail.modify'],
   },
 
   params: {

apps/sim/tools/google_calendar/create.ts

@@ -16,7 +16,6 @@ export const createTool: ToolConfig<GoogleCalendarCreateParams, GoogleCalendarCr
   oauth: {
     required: true,
     provider: 'google-calendar',
-    additionalScopes: ['https://www.googleapis.com/auth/calendar'],
   },
 
   params: {

apps/sim/tools/google_calendar/get.ts

@@ -15,7 +15,6 @@ export const getTool: ToolConfig<GoogleCalendarGetParams, GoogleCalendarGetRespo
   oauth: {
     required: true,
     provider: 'google-calendar',
-    additionalScopes: ['https://www.googleapis.com/auth/calendar'],
   },
 
   params: {

apps/sim/tools/google_calendar/invite.ts

@@ -14,7 +14,6 @@ export const inviteTool: ToolConfig<GoogleCalendarInviteParams, GoogleCalendarIn
   oauth: {
     required: true,
     provider: 'google-calendar',
-    additionalScopes: ['https://www.googleapis.com/auth/calendar'],
   },
 
   params: {

apps/sim/tools/google_calendar/list.ts

@@ -16,7 +16,6 @@ export const listTool: ToolConfig<GoogleCalendarListParams, GoogleCalendarListRe
   oauth: {
     required: true,
     provider: 'google-calendar',
-    additionalScopes: ['https://www.googleapis.com/auth/calendar'],
   },
 
   params: {

apps/sim/tools/google_calendar/quick_add.ts

@@ -17,7 +17,6 @@ export const quickAddTool: ToolConfig<
   oauth: {
     required: true,
     provider: 'google-calendar',
-    additionalScopes: ['https://www.googleapis.com/auth/calendar'],
   },
 
   params: {

apps/sim/tools/google_calendar/update.ts

@@ -14,7 +14,6 @@ export const updateTool: ToolConfig<GoogleCalendarUpdateParams, GoogleCalendarTo
   oauth: {
     required: true,
     provider: 'google-calendar',
-    additionalScopes: ['https://www.googleapis.com/auth/calendar'],
   },
 
   params: {

apps/sim/tools/google_docs/create.ts

@@ -13,10 +13,6 @@ export const createTool: ToolConfig<GoogleDocsToolParams, GoogleDocsCreateRespon
   oauth: {
     required: true,
     provider: 'google-docs',
-    additionalScopes: [
-      'https://www.googleapis.com/auth/drive.readonly',
-      'https://www.googleapis.com/auth/drive.file',
-    ],
   },
 
   params: {

apps/sim/tools/google_docs/read.ts

@@ -11,10 +11,6 @@ export const readTool: ToolConfig<GoogleDocsToolParams, GoogleDocsReadResponse>
   oauth: {
     required: true,
     provider: 'google-docs',
-    additionalScopes: [
-      'https://www.googleapis.com/auth/drive.readonly',
-      'https://www.googleapis.com/auth/drive.file',
-    ],
   },
 
   params: {

apps/sim/tools/google_docs/write.ts

@@ -9,10 +9,6 @@ export const writeTool: ToolConfig<GoogleDocsToolParams, GoogleDocsWriteResponse
   oauth: {
     required: true,
     provider: 'google-docs',
-    additionalScopes: [
-      'https://www.googleapis.com/auth/drive.readonly',
-      'https://www.googleapis.com/auth/drive.file',
-    ],
   },
   params: {
     accessToken: {

apps/sim/tools/google_drive/create_folder.ts

@@ -10,10 +10,6 @@ export const createFolderTool: ToolConfig<GoogleDriveToolParams, GoogleDriveUplo
   oauth: {
     required: true,
     provider: 'google-drive',
-    additionalScopes: [
-      'https://www.googleapis.com/auth/drive.readonly',
-      'https://www.googleapis.com/auth/drive.file',
-    ],
   },
 
   params: {

apps/sim/tools/google_drive/download.ts

@@ -14,10 +14,6 @@ export const downloadTool: ToolConfig<GoogleDriveToolParams, GoogleDriveDownload
   oauth: {
     required: true,
     provider: 'google-drive',
-    additionalScopes: [
-      'https://www.googleapis.com/auth/drive.readonly',
-      'https://www.googleapis.com/auth/drive.file',
-    ],
   },
 
   params: {

apps/sim/tools/google_drive/get_content.ts

@@ -18,10 +18,6 @@ export const getContentTool: ToolConfig<GoogleDriveToolParams, GoogleDriveGetCon
   oauth: {
     required: true,
     provider: 'google-drive',
-    additionalScopes: [
-      'https://www.googleapis.com/auth/drive.readonly',
-      'https://www.googleapis.com/auth/drive.file',
-    ],
   },
 
   params: {

apps/sim/tools/google_drive/list.ts

@@ -10,10 +10,6 @@ export const listTool: ToolConfig<GoogleDriveToolParams, GoogleDriveListResponse
   oauth: {
     required: true,
     provider: 'google-drive',
-    additionalScopes: [
-      'https://www.googleapis.com/auth/drive.readonly',
-      'https://www.googleapis.com/auth/drive.file',
-    ],
   },
 
   params: {

apps/sim/tools/google_drive/upload.ts

@@ -18,10 +18,6 @@ export const uploadTool: ToolConfig<GoogleDriveToolParams, GoogleDriveUploadResp
   oauth: {
     required: true,
     provider: 'google-drive',
-    additionalScopes: [
-      'https://www.googleapis.com/auth/drive.readonly',
-      'https://www.googleapis.com/auth/drive.file',
-    ],
   },
 
   params: {

apps/sim/tools/google_form/get_responses.ts

@@ -15,7 +15,6 @@ export const getResponsesTool: ToolConfig<GoogleFormsGetResponsesParams> = {
   oauth: {
     required: true,
     provider: 'google-forms',
-    additionalScopes: [],
   },
 
   params: {

apps/sim/tools/google_sheets/append.ts

@@ -13,7 +13,6 @@ export const appendTool: ToolConfig<GoogleSheetsToolParams, GoogleSheetsAppendRe
   oauth: {
     required: true,
     provider: 'google-sheets',
-    additionalScopes: [],
   },
 
   params: {

apps/sim/tools/google_sheets/read.ts

@@ -10,7 +10,6 @@ export const readTool: ToolConfig<GoogleSheetsToolParams, GoogleSheetsReadRespon
   oauth: {
     required: true,
     provider: 'google-sheets',
-    additionalScopes: [],
   },
 
   params: {

apps/sim/tools/google_sheets/update.ts

@@ -13,7 +13,6 @@ export const updateTool: ToolConfig<GoogleSheetsToolParams, GoogleSheetsUpdateRe
   oauth: {
     required: true,
     provider: 'google-sheets',
-    additionalScopes: [],
   },
 
   params: {

apps/sim/tools/google_sheets/write.ts

@@ -10,7 +10,6 @@ export const writeTool: ToolConfig<GoogleSheetsToolParams, GoogleSheetsWriteResp
   oauth: {
     required: true,
     provider: 'google-sheets',
-    additionalScopes: [],
   },
 
   params: {

apps/sim/tools/google_vault/create_matters.ts

@@ -17,7 +17,6 @@ export const createMattersTool: ToolConfig<GoogleVaultCreateMattersParams> = {
   oauth: {
     required: true,
     provider: 'google-vault',
-    additionalScopes: ['https://www.googleapis.com/auth/ediscovery'],
   },
 
   params: {

apps/sim/tools/google_vault/create_matters_export.ts

@@ -12,7 +12,6 @@ export const createMattersExportTool: ToolConfig<GoogleVaultCreateMattersExportP
   oauth: {
     required: true,
     provider: 'google-vault',
-    additionalScopes: ['https://www.googleapis.com/auth/ediscovery'],
   },
 
   params: {