Harvard has seen a use case where a user is trying to upload/transfer from an endpoint and, after the user has selected the endpoint and the app calls /ls, we see a 403 response like:
```json
{
  "authorization_parameters": {
    "required_scopes": [
      "urn:globus:auth:scope:transfer.api.globus.org:all[*https://auth.globus.org/scopes//data_access]"
    ],
    "session_message": "Missing required data_access consent"
  },
  "code": "ConsentRequired",
  "message": "Missing required data_access consent",
  "request_id": "Irut2NW4D",
  "required_scopes": [
    "urn:globus:auth:scope:transfer.api.globus.org:all[*https://auth.globus.org/scopes//data_access]"
  ],
  "resource": "/operation/endpoint//ls"
}
```
We're assuming this is because the collection is not world-readable, but it could also be because the collection requires Globus credentials associated with the organization.
From what I can tell, the regular Globus client just does a new authorize call at this point asking for that required scope (the dv-globus app just asks for urn:globus:auth:scope:transfer.api.globus.org:all without the additional collection-specific /data_access scope). I think that could be a fix for the dv-globus app as well, i.e. just catch the 403 and reauthenticate, but I'm not sure what would be needed to maintain state/continue with the /ls call after the user approves granting the new scope.