fix(auth): add missing OAuth scopes for CI Visibility, Service Catalog, and Teams #144

Open

wzoom wants to merge 2 commits into datadog-labs:main from wzoom:fix/add-missing-oauth-scopes

Conversation


@wzoom wzoom commented Mar 2, 2026

What does this PR do?

Adds 6 missing OAuth scopes to default_scopes() in src/auth/types.rs so that CI Visibility, Service Catalog, and Teams commands no longer return 403 Forbidden when authenticated via pup auth login.

Scopes Added

Scope                          Commands affected
ci_visibility_read             pup cicd pipelines list/get/search, pup cicd tests list/search, code coverage, flaky tests
ci_visibility_pipelines_write  Pipeline event submission
apm_service_catalog_read       pup service-catalog list/get
apm_service_catalog_write      Service catalog write operations
teams_read                     pup on-call teams list/get, pup on-call memberships list
teams_manage                   pup on-call teams create/update/delete, memberships management

Motivation

src/auth/types.rs:default_scopes() defines the OAuth scopes requested during pup auth login. These scopes were missing, so the OAuth token lacked the necessary permissions for CI Visibility, Service Catalog, and Teams API endpoints. API key authentication was not affected since it uses separate RBAC permissions.

Additional Notes

The following scopes may also be missing but need verification against Datadog API docs before adding:

  • sensitive_data_scanner_read — for pup data-governance scanner-rules list
  • status_pages_read / status_pages_write — for pup status-pages commands
  • integrations_read / integrations_write — for pup integrations (Jira, ServiceNow, Slack, Webhooks)

Checklist

  • The code change follows the project conventions (see CONTRIBUTING.md) ⚠️ <<< Folks, the instructions should use the GitHub PR template, now it's hardcoded.
  • Tests have been added/updated (if applicable)
  • Documentation has been updated (if applicable)
  • All CI checks pass
  • Code coverage is maintained or improved

Related Issues

…g, and Teams

Several commands returned 403 Forbidden when using OAuth authentication
because the required scopes were not requested during login. This adds
6 missing scopes:

- ci_visibility_read (pipelines list/search, tests list/search, code coverage, flaky tests)
- ci_visibility_pipelines_write (pipeline event submission)
- apm_service_catalog_read (service-catalog list/get)
- apm_service_catalog_write (service-catalog create/delete)
- teams_read (on-call teams list/get, memberships list)
- teams_write (on-call teams create/update/delete, memberships add/update/remove)

Co-Authored-By: Claude Opus <noreply@anthropic.com>
@wzoom wzoom force-pushed the fix/add-missing-oauth-scopes branch from 00bfae7 to 2192780 Compare March 2, 2026 21:33
@platinummonkey platinummonkey added the api-coverage API coverage and command implementations label Mar 3, 2026
@platinummonkey (Collaborator) commented:

  • looks like teams_write doesn't exist and it should be teams_manage and potentially user_access_manage for some other teams related functionality
  • ci_visibility_pipelines_write also does not exist and should be ci_provider_settings_write

@wzoom (Author) commented Mar 3, 2026

  • looks like teams_write doesn't exist and it should be teams_manage and potentially user_access_manage for some other teams related functionality
  • ci_visibility_pipelines_write also does not exist and should be ci_provider_settings_write

@platinummonkey Updated the teams_manage.

I see ci_visibility_pipelines_write in my org so I kept it.
[Screenshot: Available scopes in UI]

I didn't add user_access_manage nor ci_provider_settings_write, because those need escalated permissions I think. If you insist, I can still add them, let me know.

Rename the Teams write OAuth scope from teams_write to teams_manage
to match the correct Datadog API scope name.

- Update default_scopes() in src/auth/types.rs
- Add teams_manage assertion to test_default_scopes in src/auth/types.rs
- Update scope documentation in docs/OAUTH2.md

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@platinummonkey (Collaborator) commented:

Ah yeah, app key scopes are ahead of OAuth scopes; this explains why my test failed. Will bring this back internally to get those updated before merging.

@srosenthal-dd (Contributor) commented:

I've added the scopes on the server-side which will fix the invalid scope problem. I don't think the scopes are quite right yet, though. Working on validating them.

  • cicd flaky-tests looks like it requires test_optimization_read
  • cicd dora patch-deployment looks like it requires dora_metrics_write
  • I don't think I see current pup commands that require teams_manage, apm_service_catalog_write, or ci_visibility_pipelines_write
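As an added example (not pup's own code), here are the two checks this thread ends up exercising: which commands would return 403 Forbidden for a token whose scope set lacks what they need, and which requested scope names the authorization server would reject as unknown (the teams_write case). The command-to-scope mapping and the KNOWN_SCOPES list are constructed from the PR table and the comments above, not taken from pup or from Datadog's documentation.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// Command -> scopes it needs, taken from the PR table plus the thread's
/// corrections (teams_manage replaces teams_write). Constructed for this
/// example; pup's real mapping lives in its command implementations.
pub fn required_scopes() -> BTreeMap<&'static str, Vec<&'static str>> {
    BTreeMap::from([
        ("cicd pipelines list", vec!["ci_visibility_read"]),
        ("cicd tests search", vec!["ci_visibility_read"]),
        ("service-catalog get", vec!["apm_service_catalog_read"]),
        ("on-call teams list", vec!["teams_read"]),
        ("on-call teams create", vec!["teams_read", "teams_manage"]),
    ])
}

/// Scope names the authorization server accepts. Constructed, partial list;
/// the authoritative list is the Datadog OAuth scope documentation.
pub const KNOWN_SCOPES: &[&str] = &[
    "ci_visibility_read", "apm_service_catalog_read", "apm_service_catalog_write",
    "teams_read", "teams_manage",
];

/// Requested names the server does not know. One such entry rejects the whole
/// `pup auth login` request (invalid_scope), so run this before changing
/// default_scopes().
pub fn unknown_scopes(requested: &[&str]) -> Vec<String> {
    requested.iter().filter(|s| !KNOWN_SCOPES.contains(*s)).map(|s| s.to_string()).collect()
}

/// Commands that get 403 Forbidden with a token carrying `granted`, with the
/// scopes each one lacks. Empty map: every command is covered.
pub fn commands_missing_scopes(granted: &[&str]) -> BTreeMap<&'static str, Vec<&'static str>> {
    let granted: BTreeSet<&str> = granted.iter().copied().collect();
    required_scopes()
        .into_iter()
        .filter_map(|(cmd, req)| {
            let missing: Vec<&'static str> = req.into_iter().filter(|s| !granted.contains(s)).collect();
            (!missing.is_empty()).then_some((cmd, missing))
        })
        .collect()
}

fn main() {
    // Token minted by a pre-PR default_scopes(): none of the new scopes present.
    for (cmd, missing) in commands_missing_scopes(&["dashboards_read", "monitors_read"]) {
        println!("{cmd}: 403 Forbidden, missing {missing:?}");
    }
    // The PR's first revision asked for teams_write, which does not exist.
    println!("unknown: {:?}", unknown_scopes(&["teams_read", "teams_write"]));
}
```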
