openclaw - 💡(How to fix) Fix [openclaw-lark] Owner-only restriction on OAuth and User API prevents multi-user deployment [1 comments, 1 participants]

GitHub stats: openclaw/openclaw#55069, fetched 2026-04-08 01:32:51. Comments: 1. Participants: 1. Timeline: 4 (closed ×1, commented ×1, cross-referenced ×1, locked ×1). Reactions: 0.


Summary

The openclaw-lark plugin restricts Feishu (Lark) User Access Token (UAT) operations to only the App Owner. This means in a multi-user deployment where the bot serves an entire organization, non-owner employees cannot:

  1. Initiate OAuth authorization: oauth.js checks assertOwnerAccessStrict() and returns permission_denied for non-owners
  2. Call any Feishu user API: tool-client.js calls assertOwnerAccessStrict() in invokeAsUser(), blocking all UAT-based tools (calendar, tasks, bitable, IM, etc.) for non-owner users

Current Behavior

oauth.js (executeAuthorize)

await assertOwnerAccessStrict(account, sdk, senderOpenId);
// Non-owner → returns { error: "permission_denied", message: "当前应用仅限所有者(App Owner)使用" }

tool-client.js (invokeAsUser)

await assertOwnerAccessStrict(this.account, this.sdk, userOpenId);
// Non-owner → throws, blocking all user-scoped Feishu API calls

Expected Behavior

The owner check should be configurable rather than hardcoded as fail-close. In many legitimate deployments:

  • The Feishu app is created by an admin but used by all employees
  • Each employee authorizes their own OAuth token — the owner check is unnecessary since users can only access their own data via UAT
  • The security model should rely on OAuth scopes and user consent, not on an app-owner gate

Suggested Fix

Add a configuration option to disable the owner check, e.g.:

# openclaw config or lark plugin config
lark:
  ownerOnly: false  # default: true for backward compatibility

Or at minimum, an environment variable:

OPENCLAW_LARK_OWNER_ONLY=false

When disabled, any user who completes OAuth should be able to use all UAT-scoped Feishu tools.

Workaround

Currently requires manually patching two source files in openclaw-lark/src/ after every plugin update:

  1. src/tools/oauth.js — remove the assertOwnerAccessStrict try/catch block
  2. src/core/tool-client.js — comment out assertOwnerAccessStrict call

Then restart the gateway. This is fragile and breaks on updates.

Labels

This is specific to the openclaw-lark plugin (Feishu/Lark integration).

Extent analysis

Fix Plan

To address the issue, introduce a configurable option that disables the owner check. The gate must stay on when the option is absent, so that existing owner-only deployments keep their current behaviour. The steps:

  • Add a configuration option ownerOnly to the lark section of the configuration file (default: true):

lark:
  ownerOnly: false

    Alternatively, an environment variable OPENCLAW_LARK_OWNER_ONLY can be used:

OPENCLAW_LARK_OWNER_ONLY=false

  • Update src/tools/oauth.js (executeAuthorize) to consult the option. Note that an absent value must still enforce the check, so compare against false rather than testing for truthiness:

// absent or true → owner check enforced; only an explicit false skips it
if (config.lark.ownerOnly !== false) {
  await assertOwnerAccessStrict(account, sdk, senderOpenId);
}

  • Update src/core/tool-client.js (invokeAsUser) the same way:

if (config.lark.ownerOnly !== false) {
  await assertOwnerAccessStrict(this.account, this.sdk, userOpenId);
}

  • Restart the gateway to apply the changes.
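The following is an added example written for this page; it is not openclaw-lark's own code and does not use its SDK. It models the fix plan above and the security argument in the issue's Expected Behavior section: an ownerOnly switch resolved from the plugin config or the OPENCLAW_LARK_OWNER_ONLY environment variable (defaulting to true), and a user-scoped call path that skips the owner gate when the switch is off but can only ever be served with the calling user's own User Access Token. It goes slightly beyond the text in two places that are assumptions rather than project behaviour: the environment variable takes precedence over the config file, and an unrecognised value keeps the restrictive default instead of silently disabling the gate. The names parseOwnerOnly, resolveOwnerOnly, UserScopedClient, PluginError, account.ownerOpenId and the Map-based token store are all illustrative.

```javascript
// Added example (not openclaw-lark's code). Models a configurable owner gate
// in front of user-scoped Feishu/Lark calls. All identifiers are assumptions.

// Parse a boolean setting fail-closed: only an explicit "false"-like value
// turns the owner gate off; anything unrecognised keeps the restrictive default.
function parseOwnerOnly(raw, fallback = true) {
  if (raw === undefined || raw === null || raw === "") return fallback;
  if (typeof raw === "boolean") return raw;
  const v = String(raw).trim().toLowerCase();
  if (["false", "0", "no", "off"].includes(v)) return false;
  if (["true", "1", "yes", "on"].includes(v)) return true;
  return fallback; // e.g. "maybe" → stay owner-only
}

// Environment variable overrides the config file (assumed precedence);
// with neither set, the gate stays on for backward compatibility.
function resolveOwnerOnly(config = {}, env = {}) {
  if (env.OPENCLAW_LARK_OWNER_ONLY !== undefined) {
    return parseOwnerOnly(env.OPENCLAW_LARK_OWNER_ONLY, true);
  }
  return parseOwnerOnly(config.lark ? config.lark.ownerOnly : undefined, true);
}

// Error carrying a machine-readable code, mirroring the permission_denied
// result the issue describes.
class PluginError extends Error {
  constructor(code, message) {
    super(message);
    this.code = code;
  }
}

// Stand-in for the plugin's assertOwnerAccessStrict(): the real one asks the
// Feishu SDK who the owner is; this one compares against a constructed value.
function assertOwnerAccessStrict(account, userOpenId) {
  if (userOpenId !== account.ownerOpenId) {
    throw new PluginError("permission_denied", "App restricted to its owner");
  }
}

// User-scoped client. Tokens are keyed by the open_id that completed OAuth,
// so a call made on behalf of user A is never served with user B's UAT.
// That per-user binding (plus the scopes the user consented to) is what
// carries the security model once the owner gate is switched off.
class UserScopedClient {
  constructor(account, tokenStore, ownerOnly) {
    this.account = account;
    this.tokens = tokenStore; // Map<open_id, uat>
    this.ownerOnly = ownerOnly;
  }
  invokeAsUser(userOpenId, call) {
    if (this.ownerOnly) assertOwnerAccessStrict(this.account, userOpenId);
    const uat = this.tokens.get(userOpenId);
    if (!uat) throw new PluginError("oauth_required", "User has not completed OAuth");
    return call(uat);
  }
}

// Runs one user-scoped call against a constructed account and token store and
// reports the outcome as a plain string, so the two modes can be compared.
function tryCall(ownerOnly, userOpenId) {
  const account = { appId: "cli_example", ownerOpenId: "ou_owner" }; // constructed
  const tokens = new Map([
    ["ou_owner", "u-owner-token"], // constructed sample tokens
    ["ou_alice", "u-alice-token"],
  ]);
  const client = new UserScopedClient(account, tokens, ownerOnly);
  try {
    return client.invokeAsUser(userOpenId, (uat) => `ok:${uat}`);
  } catch (e) {
    return `${e.code}:${e.message}`;
  }
}

// Stand-alone run: the owner always passes; a non-owner is blocked only while
// the gate is on; a user without a token of their own is refused in either mode.
const ownerOnly = resolveOwnerOnly({ lark: { ownerOnly: false } }, process.env);
console.log("ownerOnly =", ownerOnly);
console.log(tryCall(true, "ou_alice"));
console.log(tryCall(false, "ou_alice"));
console.log(tryCall(false, "ou_bob"));
```

The point of tryCall(false, "ou_bob") is the caveat a reviewer would want on the fix: disabling the owner gate widens who may call the tools, but it must not widen which token a caller can use. Keying tokens by the requesting open_id keeps each user confined to their own data, which is the property the issue relies on when it argues the gate is unnecessary.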

Verification

To verify that the fix worked, follow these steps:

  • Set ownerOnly to false in the configuration file or set the OPENCLAW_LARK_OWNER_ONLY environment variable to false.
  • Initiate OAuth authorization as a non-owner user.
  • Verify that the authorization is successful and the user can access all UAT-scoped Feishu tools.

Extra Tips

  • Make sure to update the configuration file or environment variable accordingly to enable or disable the owner check.
  • Consider adding logging or monitoring to track the usage of the ownerOnly configuration option.
  • When updating the plugin, ensure that the custom changes are reapplied to maintain the desired functionality.
