Summary
We’re requesting the ability to limit OAuth clients and their tokens to specific Glean data sources through an explicit inclusion or exclusion mechanism.
This configuration could be enforced at either the OAuth client level or via data-source-specific scopes—allowing administrators to define precisely which data sources an OAuth client can access during setup.
Problem / Justification
As of now, OAuth Authentication for the Client API (see Glean documentation) appears to grant broad API access to all indexed data sources once authorized.
While Glean-issued tokens provide scope-based access, a comparable data-source-level control does not yet exist for OAuth clients.
From a security and governance perspective, this creates challenges:
- Not all integrations or internal apps require full access to every indexed source.
- Many organizations follow the principle of least privilege, where an app should only access the minimum set of data it needs (e.g., only Jira, or only Confluence).
- Without data-source scoping, administrators cannot easily isolate OAuth access by department, environment, or function.
Proposed Solution
Introduce an optional scoping mechanism at OAuth client creation or configuration time, enabling administrators to define which Glean data sources are accessible.
Example approaches:
- Client-Level Configuration:
During OAuth client registration, allow an admin to specify a list of allowed data source IDs (e.g., jira-instance-1, zendesk-prod, drive-team-eng).
Any tokens issued to that client would then be restricted to only those data sources. - Scope-Level Enforcement:
Extend OAuth scopes to represent data-source access boundaries—e.g., glean.datasource:jira.readonly—so applications can request or be limited to those scopes.
This would mirror how identity providers like Google implement fine-grained API permissions:
For example, an app that requests https://www.googleapis.com/auth/calendar.readonly can access Calendar data but not Drive or Gmail.
Similarly, we’d like to define that a given Glean OAuth client can only query or index data from an approved set of Glean data sources.
Benefits
- Enforces least-privilege access and supports segregation of duties.
- Reduces risk when connecting third-party or departmental apps.
- Simplifies multi-tenant or environment-specific OAuth setups.
- Enhances enterprise compliance and auditability of data-access boundaries.
Relevant Context
This request pertains to the OAuth Authentication (Recommended) method for the Client API. Providing a way to scope OAuth access by data source would significantly strengthen the security posture, operational flexibility, and administrative control of integrations built on the Glean platform.
Thank you.
Joel
