Fix add/remove_authorized_clients to use REST resource shape#48
Merged: Subterrane merged 1 commit into main, Apr 15, 2026
The /api/2/api_authorizations/{id}/clients endpoint is a Rails REST
resource: POST creates one association from {app_id, scopes} (both
required), and DELETE targets /clients/{app_id} for one removal at
a time. The MCP was POSTing {client_ids: [...]} and DELETEing the
collection with a body, neither of which the controller accepts —
both calls returned 400.
Reshape the tools to match: add_authorized_clients now takes a
clients array of {app_id, scopes} and posts each; remove_authorized_clients
takes app_ids and deletes each at /clients/{app_id}. Both return a
per-item results array so partial failures surface cleanly.
Verified against shadow (chicken tenant): old shape returned 400
'Missing required field: app_id'; new shape returned 201 and 204.
Fixes #47
Subterrane added a commit that referenced this pull request on Apr 16, 2026:
The /scopes endpoint on api_authorizations is a standard nested REST
resource (config/api2_routes.rb:65), not a bulk endpoint. POST creates
one scope from {value, description}; DELETE requires the numeric
scope_id in the URL path.
- add_authorization_scopes now takes scopes: [{value, description?}]
and iterates, reporting per-item status
- remove_authorization_scopes now takes scope_ids: [number] (from
list_authorization_scopes) and iterates DELETE .../scopes/{scope_id}
- Both inspect response.success from the API wrapper so per-item
status reflects actual outcomes (the client returns wrapped errors
rather than throwing)
Same shape fix as PR #48 applied to the sibling /clients route.
Fixes #49
Summary
Fixes #47.
The /api/2/api_authorizations/{id}/clients endpoint is a Rails REST resource (routes, controller):
- POST /clients creates one association from {app_id, scopes} (both required by required_params)
- DELETE /clients/{app_id} removes one (keyed by the OIDC app's app_id, matching what list_authorized_clients returns)
The MCP was POSTing {client_ids: [...]} to the collection and DELETEing the collection with a body — neither shape the controller accepts, so both returned 400 Missing required field: app_id.
Changes
- add_authorized_clients now takes clients: [{app_id, scopes: number[]}] and POSTs each (scopes are numeric API scope IDs from list_authorization_scopes, not value strings)
- remove_authorized_clients now takes app_ids: number[] and DELETEs each at /clients/{app_id}
- Both return a per-item results array so partial failures surface cleanly
- app_id vs misleading client_id, and that scopes are numeric IDs
Test plan
Verified end-to-end against the shadow chicken tenant:
- POST /clients with {client_ids: [N]} → 400 Missing required field: app_id (reproduces remove_authorized_clients & add_authorized_clients #47)
- POST /clients with {app_id, scopes: [id]} → 201 with {app_id, api_auth_id}
- DELETE /clients with body → 400
- DELETE /clients/{app_id} → 204, association removed (verified via list_authorized_clients)
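The per-item pattern both commits describe, written out as an added example (not code from this PR or the project): the old bulk POST that the controller rejects beside the one-request-per-item tools, run against a constructed stand-in for the Rails /clients resource. The function names, the wrapper's {success, status, error} shape, the fakeApi helper and its 404 responses are assumptions; the 400, 201 and 204 statuses are the ones the PR reports, and the sibling /scopes fix follows the same shape.

```typescript
// Added example, not the project's code. Tool names, the {success, status, error} wrapper and the 404s are assumed; 400/201/204 are from the PR.
type ApiResponse = { success: boolean; status: number; error?: string };
type Api = {
  post(path: string, body: Record<string, unknown>): ApiResponse;
  delete(path: string, body?: Record<string, unknown>): ApiResponse;
};
type ItemResult = { app_id: number; success: boolean; status: number; error?: string };

// Old, broken shape: one POST of {client_ids} to the collection; the controller answers 400.
function addAuthorizedClientsOld(api: Api, authId: number, clientIds: number[]): ApiResponse {
  return api.post(`/api/2/api_authorizations/${authId}/clients`, { client_ids: clientIds });
}

// New shape: one POST per {app_id, scopes}. Each item carries its own status, so a failed authorization cannot hide behind a batch that otherwise succeeded.
function addAuthorizedClients(api: Api, authId: number, clients: { app_id: number; scopes: number[] }[]): ItemResult[] {
  return clients.map((c) => {
    const r = api.post(`/api/2/api_authorizations/${authId}/clients`, { app_id: c.app_id, scopes: c.scopes });
    return { app_id: c.app_id, success: r.success, status: r.status, error: r.error };
  });
}

// New shape: one DELETE at /clients/{app_id} per id; the collection route takes no body.
function removeAuthorizedClients(api: Api, authId: number, appIds: number[]): ItemResult[] {
  return appIds.map((id) => {
    const r = api.delete(`/api/2/api_authorizations/${authId}/clients/${id}`);
    return { app_id: id, success: r.success, status: r.status, error: r.error };
  });
}

// Constructed stand-in for the Rails resource. Like the real wrapper it returns wrapped errors instead of throwing, which is why the tools inspect success per item.
function fakeApi(knownApps: number[], authorized: Set<number>): Api {
  const fail = (status: number, error: string): ApiResponse => ({ success: false, status, error });
  return {
    post(_path, body) {
      const appId = body.app_id;
      if (typeof appId !== "number" || !Array.isArray(body.scopes))
        return fail(400, "Missing required field: app_id");
      if (!knownApps.includes(appId)) return fail(404, "unknown app_id"); // assumed status
      authorized.add(appId);
      return { success: true, status: 201 };
    },
    delete(path, body) {
      const m = path.match(/\/clients\/(\d+)$/);
      if (!m || body) return fail(400, "Missing required field: app_id");
      if (!authorized.delete(Number(m[1]))) return fail(404, "not authorized"); // assumed status
      return { success: true, status: 204 };
    },
  };
}
```

The results array is what lets an operator see that app 99 was never authorized even though app 10 was; a single bulk status would have reported the whole batch as one outcome.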