[Bug] gws auth login fails on macOS - Keychain integration not working

[nadia1971]

---

name: 🐛 Bug Report
about: Create a report to help us improve
title: "[Bug] gws auth login fails on macOS - Keychain integration not working, credentials not saved"
labels: bug

Bug Description

On macOS, gws auth login completes the OAuth flow successfully, but credentials are not properly saved or recognized. Subsequent commands fail with "Access denied. No credentials provided."

Environment

• OS: macOS (Darwin 25.3.0, arm64)
• gws version: 0.4.4
• Installation: Homebrew (npm install -g @googleworkspace/cli)
• Node version: v25.6.1

Steps to Reproduce

1. Run gws auth login
2. Complete OAuth authentication in browser
3. See "Authentication successful. Encrypted credentials saved." message
4. Run any gws command (e.g., gws drive files list)
5. Get error: "Access denied. No credentials provided"

Expected Behavior

After successful authentication, credentials should be saved and subsequent commands should work without re-authentication.

Actual Behavior

$ gws auth login
Open this URL in your browser to authenticate:
  https://accounts.google.com/o/oauth2/auth?...

# Complete authentication in browser

{
  "account": "(unknown)",
  "credentials_file": "/Users/yangtian/.config/gws/credentials.enc",
  "encryption": "AES-256-GCM (key secured by OS Keyring or local `.encryption_key`)",
  "message": "Authentication successful. Encrypted credentials saved.",
  "status": "success"
}

$ gws drive files list --params '{"pageSize": 3}'
{
  "error": {
    "code": 401,
    "message": "Access denied. No credentials provided. Run `gws auth login`...",
    "reason": "authError"
  }
}

$ gws auth list
{
  "accounts": [],
  "count": 0,
  "default": ""
}

Additional Context

Files Created

~/.config/gws/
├── .encryption_key        # ✅ Created
├── credentials.enc        # ✅ Created (encrypted)
└── client_secret.json     # ✅ Exists

Keychain Status

# No gws-cli entry in macOS Keychain
$ security find-generic-password -s "gws-cli" -a "google-oauth" -w
security: SecKeychainSearchCopyNext: The specified item could not be found in the keychain.

Workaround

Python-based authentication works correctly:

• Using google-auth library directly
• Token saved to ~/.gws/token.json
• Commands work when using Python scripts

Hypothesis

The issue appears to be with macOS Keychain integration:

1. gws CLI attempts to store encryption key in Keychain
2. Keychain entry is not created (no error shown)
3. Encrypted credentials cannot be decrypted without the key
4. Authentication appears successful but is unusable

Possible Solutions

1. Fix macOS Keychain integration
2. Provide fallback to unencrypted credentials file
3. Add debug output for Keychain operations
4. Document workaround for macOS users

Impact

• Severity: High - CLI is unusable on macOS after authentication
• Workaround: Use Python scripts or MCP integration instead
• Users Affected: All macOS users without Keychain integration

Related

• Similar issues with Keychain integration in other Node.js CLI tools
• May be related to macOS permissions or entitlements

[ybpinto]

I ran into the same issue on macOS Tahoe (Darwin 25.3.0, arm64) with gws 0.4.4.

gws auth status shows everything healthy (token_valid: true, encryption_valid: true, has_refresh_token: true), but any actual command returns the 401 "No credentials provided" error.

Fix: The root cause is that gws auth login without --account saves credentials under (unknown), so subsequent commands can't find them. Re-running login with your email fixes it:

gws auth login --account your-email@domain.com

(Credit to #187 (comment))

Alternative workaround if the above doesn't work — export credentials to plaintext and point the CLI at the file:

gws auth export --unmasked > ~/.config/gws/credentials.json
echo 'export GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE=~/.config/gws/credentials.json' >> ~/.zshrc
source ~/.zshrc

[26tajeen]

yeah also seeing this.