Redesign scope picker: service-first UX with API-enabled badges

[jpoehnelt]

Problem

The scope picker shows raw OAuth scope names (e.g., drive.metadata.readonly). Users think in services, not scopes. This causes:

• Users miss services they need (gws auth login does not include Google Keep scope #184 Keep, Apps Script API returns 401 "invalid authentication credentials" while Drive API works with same credentials #205 Apps Script)
• Too many scopes selected causes OAuth failures ("Something went wrong" in oauth screen #157)
• No visibility into whether APIs are actually enabled in the GCP project

Proposal

Replace the scope-centric picker with a service-first picker:

Which services do you need?
☑ Drive                  ✅ API enabled
☑ Gmail                  ✅ API enabled
☑ Calendar               ✅ API enabled
☐ Keep                   ⚠️  API not enabled
☐ Apps Script            ⚠️  API not enabled
☐ Admin                  ⚠️  API not enabled (Workspace only)

Access level:
◉ Recommended (read + write for core ops)
○ Read Only
○ Full Access

Key design decisions

1. Show all services, badge the unenabled ones — don't filter. Filtering hides useful info and leaves users confused about why a service is missing.
2. Allow selecting unenabled APIs — Google OAuth grants scopes regardless of API enablement. The 403 only happens on actual API calls. Granting the scope preemptively saves a re-login when the user enables the API later.
3. Warn, don't block — if a user selects an unenabled API, show: "Keep API is not enabled. Enable at console.cloud.google.com/apis/... or run gws auth setup. Continue anyway? [Y/n]"
4. Show human-readable descriptions — "Drive — Read, write, and manage files" instead of https://www.googleapis.com/auth/drive
5. Warn about scope count in the picker, not after — show a live count and highlight red when >10 scopes (unverified app limit)
6. Remember previous selections — store last-used scope set in accounts.json, pre-select on re-login

Additional: gws auth add-scope

Support incremental scope addition without full re-login. This would do an incremental consent flow for just the new scope.

Related Issues

Addresses #184 (Keep scope missing), #205 (Apps Script not in picker), #157 (too many scopes)

[jpoehnelt-bot]

Consolidating this thread into the central discussion for the auth UX/user journey work: #245