fix: remove phantom client_app tools #52
Merged
Subterrane merged 1 commit into main from Apr 16, 2026
Removes list_client_apps, get_client_app, create_client_app,
update_client_app, delete_client_app — these hit
/api/2/api_authorizations/clients, which is not a real route. The
/clients sub-resource is nested (config/api2_routes.rb:65), so the
string "clients" was matching the :api_authorization_id parameter;
list returned 404 ("resource not found") and the item operations
returned 400 from Rails' HTML error fallback.
There is no public OneLogin API (v1 or v2) for managing standalone
API credentials / client apps — only an admin-UI session route at
config/routes.rb:847. Nothing to repoint these tools at, so they
come out.
The nested /clients endpoint is already covered correctly by
list_authorized_clients / add_authorized_clients /
remove_authorized_clients.
Reproduction against Chicken-Shadow confirmed reporter's findings
exactly (404 on list, 400 on the rest).
Fixes #50
Summary
Removes five tools that have never worked: list_client_apps, get_client_app, create_client_app, update_client_app, delete_client_app.
They call /api/2/api_authorizations/clients[...], which is not a real route. Per config/api2_routes.rb:65, /clients is nested under a specific authorization (/api/2/api_authorizations/:api_authorization_id/clients). The literal "clients" in the broken URLs was matching the :api_authorization_id slot, so:
- list_client_apps → 404 ("resource with the given id could not be found")
- get/create/update/delete_client_app → 400 (Rails HTML error fallback, no matching route)
Reproduced end-to-end against Chicken-Shadow — matches the reporter's table exactly.
Why remove rather than repoint?
There is no public OneLogin API (v1 or v2) for managing standalone API credentials. The only api_credentials route in core-api is config/routes.rb:847, which is an admin-UI session endpoint, not an API. There's nothing to repoint these tools at.
The legitimate nested /clients endpoint already has working tools: list_authorized_clients, add_authorized_clients, remove_authorized_clients (fixed in PR #48).
Impact
Fixes #50
Test plan
- /api/2/api_authorizations/clients is not a route in config/api2_routes.rb
- getToolDefinitions() returns 147 tools with zero remaining client_app references
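
The mismatch described in this PR (a literal path segment landing in an ID parameter slot) can be checked mechanically. The following is an added example, not code from this PR or the project: it matches a tool's path against route patterns and reports when a non-ID word is bound to a `:param`. The item route, the numeric-ID rule, the `{id}` placeholder convention and all function names are assumptions.

```javascript
// Added example, not project code. Patterns are constructed from the paths
// quoted in the PR; the item route is an assumption implied by the 404.
const ROUTES = [
  "/api/2/api_authorizations",
  "/api/2/api_authorizations/:api_authorization_id",         // assumed item route
  "/api/2/api_authorizations/:api_authorization_id/clients", // nested route named in the PR
];

// Assumption: real IDs are numeric; "{name}" is a template placeholder in a
// tool definition. Anything else bound to a :param is a suspect literal.
const looksLikeId = (s) => /^\d+$/.test(s) || /^\{.+\}$/.test(s);

// Match one concrete path against one pattern; return bound params or null.
function matchRoute(pattern, path) {
  const p = pattern.split("/").filter(Boolean);
  const s = path.split("/").filter(Boolean);
  if (p.length !== s.length) return null;
  const params = {};
  for (let i = 0; i < p.length; i++) {
    if (p[i].startsWith(":")) params[p[i].slice(1)] = s[i];
    else if (p[i] !== s[i]) return null;
  }
  return params;
}

// Classify a tool path as "ok", "no-route" or "literal-in-param".
function checkToolPath(path, routes = ROUTES) {
  let result = { status: "no-route" };
  for (const pattern of routes) {
    const params = matchRoute(pattern, path);
    if (!params) continue;
    const bad = Object.entries(params).filter(([, v]) => !looksLikeId(v));
    if (bad.length === 0) return { status: "ok", pattern };
    result = { status: "literal-in-param", pattern, param: bad[0][0], value: bad[0][1] };
  }
  return result;
}

// Constructed sample paths: the removed list/item shapes and the working nested one.
for (const path of [
  "/api/2/api_authorizations/clients",
  "/api/2/api_authorizations/clients/42",
  "/api/2/api_authorizations/{id}/clients",
]) {
  console.log(path, "->", checkToolPath(path).status);
}
```

Run over every path returned by a tool registry, a check like this fails the build before a tool that can only ever return 404 or 400 is shipped.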