fix(auth): expand OAuth support to 69 scopes across all supported domains #153

Merged
platinummonkey merged 6 commits into datadog-labs:main from srosenthal-dd:feat/oauth-scopes-batch2
Mar 4, 2026

Conversation

@srosenthal-dd
Contributor

@srosenthal-dd srosenthal-dd commented Mar 3, 2026

Summary

Expands OAuth scope coverage from 48 to 69 scopes and enables OAuth for all command domains except API/App Keys, Fleet Automation, AWS/GCP integrations, and metrics metadata update. Previously many commands (RUM, Notebooks, Events search, Status Pages) forced API key fallback even though OAuth scopes exist for them.

Changes

  • src/auth/types.rs — Reorganized default_scopes() alphabetically by domain. Net result: 69 scopes (was 48). Added 14 new scopes, removed 6 unnecessary ones.
  • src/commands/events.rs — Remove forced API key requirement for events search; use bearer client
  • src/commands/rum.rs — Remove all 18 forced API key bail! blocks; use bearer client for all RUM functions (apps, metrics, retention filters, playlists, heatmaps)
  • src/main.rs — Remove 3 validate_api_and_app_keys() gates for Status Pages (Pages, Components, Degradations)
  • src/client.rs — Remove RUM (10), Notebooks (5), and Events (1) from OAUTH_EXCLUDED_ENDPOINTS (40 → 24)

Scopes added (14)

| Scope | Commands |
| --- | --- |
| apm_service_catalog_read | service-catalog list/get |
| azure_configuration_read | cloud azure list |
| bits_investigations_read | BITS investigations |
| bits_investigations_write | BITS investigations |
| ci_visibility_read | cicd pipelines/tests/events |
| code_coverage_read | cicd code-coverage |
| data_scanner_read | Data Scanner |
| dora_metrics_write | cicd dora |
| host_tags_write | tags update |
| status_pages_settings_read | Status Pages |
| status_pages_settings_write | Status Pages |
| teams_read | on-call teams |
| test_optimization_read | cicd tests/flaky-tests |
| test_optimization_write | cicd flaky-tests update |

Scopes removed (6)

| Scope | Reason |
| --- | --- |
| slos_corrections | Not needed |
| synthetics_global_variable_read | Not needed |
| synthetics_global_variable_write | Not needed |
| synthetics_private_location_write | Not needed |
| security_monitoring_suppressions_read | Not needed |
| user_self_profile_read | Not needed |

OAuth-enabled domains (previously blocked)

| Domain | Change |
| --- | --- |
| Events search | Removed bail + excluded endpoint |
| RUM (apps, metrics, retention filters, playlists, heatmaps) | Removed 18 bail blocks + 10 excluded endpoints |
| Notebooks | Removed 5 excluded endpoints (code already used bearer client) |
| Status Pages (pages, components, degradations) | Removed 3 validate_api_and_app_keys() gates (code already used bearer client) |

E2E validation (staging, DD_SITE=datad0g.com)

50 passed, 3 failed (transient), 1 skipped across 27 domains:

| Domain | Commands tested | Result |
| --- | --- | --- |
| APM | apm services list | Pass |
| Service Catalog | service-catalog list | Pass |
| Audit Logs | audit-logs search | Pass |
| BITS | investigations list | Pass |
| Cases | cases search | Pass |
| CI Visibility | cicd pipelines list, cicd tests list, cicd events search | Pass |
| Cloud Azure | cloud azure list | Pass |
| Code Coverage | code-coverage branch-summary | Pass (API error, not auth) |
| Dashboards | dashboards list | Pass |
| Data Governance | data-governance scanner rules list | Pass |
| Error Tracking | error-tracking issues search | Pass |
| Events | events list, events search | Pass |
| HAMR | hamr connections get, hamr connections create (write) | Pass (client serde bug on read) |
| Hosts | infrastructure hosts list, tags list | Pass (tags: transient EOF) |
| Incidents | incidents list | Pass |
| Integrations | integrations jira accounts list, integrations webhooks list, integrations jira templates create (write) | Pass (client serde bug on jira) |
| Logs | logs search, logs list, logs archives list, logs metrics list, logs restriction-queries list | Pass |
| Metrics | metrics list, metrics query | Pass |
| Monitors | monitors list, downtime list | Transient 503 (passed in prior runs) |
| Notebooks | notebooks list | Pass |
| OCI | oci tenancy-configs list | Skipped (command not on main) |
| Organizations | organizations list | Pass |
| RUM | rum apps list, rum events, rum sessions list, rum playlists list | Pass |
| Security | security signals list, security rules list, security findings search, security content-packs list, security content-packs activate (write), security rules bulk-export (write) | Pass |
| Status Pages | status-pages pages list, status-pages degradations list | Pass |
| SLOs | slos list | Transient 503 (passed in prior runs) |
| Synthetics | synthetics tests list, synthetics locations list | Pass |
| Traces | traces search | Pass |
| Teams | on-call teams list | Pass |
| Usage | usage summary | Pass |
| Users | users list | Pass |

Not yet supported with OAuth

  • API/App Keys — 24 endpoints excluded in code
  • Fleet Automation — 24 endpoints excluded in code
  • AWS and GCP integrations — scopes not requested
  • Metrics metadata update — metrics_metadata_write scope not requested

Testing

  • cargo test — 342 passed
  • cargo clippy -- -D warnings — clean
  • cargo fmt --check — clean

🤖 Generated with Claude Code
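As an added example (not code from the pup project or from this PR), a least-privilege audit of a requested scope list in the terms the description uses: a domain whose scope is absent would still be forced onto API-key fallback, and a requested scope that no domain needs is one to drop, as the PR did with its six "not needed" scopes. The sample scope list and the domain-to-scope mapping are constructed assumptions for the example, not the project's own tables.

```rust
use std::collections::BTreeSet;

// Constructed sample of requested scopes (names from the PR text; the real
// default_scopes() has 69). slos_corrections is one the PR dropped as unneeded.
pub const REQUESTED_SCOPES: &[&str] = &[
    "apm_service_catalog_read", "azure_configuration_read", "ci_visibility_read",
    "host_tags_write", "notebooks_read", "notebooks_write", "rum_apps_read",
    "slos_corrections",
];

// Hypothetical domain -> required scopes table: an assumption for this example,
// not the project's own mapping.
pub const DOMAIN_REQUIREMENTS: &[(&str, &[&str])] = &[
    ("service-catalog list/get", &["apm_service_catalog_read"]),
    ("cloud azure list", &["azure_configuration_read"]),
    ("cicd pipelines", &["ci_visibility_read"]),
    ("tags update", &["host_tags_write"]),
    ("notebooks", &["notebooks_read", "notebooks_write"]),
    ("rum apps", &["rum_apps_read", "rum_apps_write"]),
];

#[derive(Debug, Default, PartialEq)]
pub struct ScopeAudit {
    pub blocked: Vec<(String, Vec<String>)>, // domains still forced onto API-key fallback
    pub unused: Vec<String>,                 // requested but needed by no domain
    pub duplicates: Vec<String>,             // listed more than once
}

pub fn audit_scopes(requested: &[&str], requirements: &[(&str, &[&str])]) -> ScopeAudit {
    let mut audit = ScopeAudit::default();
    let mut granted: BTreeSet<&str> = BTreeSet::new();
    for scope in requested {
        if !granted.insert(*scope) {
            audit.duplicates.push(scope.to_string());
        }
    }
    let mut needed: BTreeSet<&str> = BTreeSet::new();
    for (domain, scopes) in requirements {
        needed.extend(scopes.iter().copied());
        let missing: Vec<String> =
            scopes.iter().filter(|s| !granted.contains(*s)).map(|s| s.to_string()).collect();
        if !missing.is_empty() {
            audit.blocked.push((domain.to_string(), missing));
        }
    }
    // Anything granted that no domain needs is over-privilege: drop it from the list.
    audit.unused = granted.difference(&needed).map(|s| s.to_string()).collect();
    audit
}
```

With the sample data the audit reports "rum apps" as blocked for lack of rum_apps_write and slos_corrections as unused.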

srosenthal-dd and others added 3 commits March 3, 2026 14:46
…, events, HAMR

Add missing OAuth scopes so these command domains work with bearer token
auth instead of requiring API key fallback.

New scopes: integrations_read, manage_integrations, org_management,
security_monitoring_filters_write, security_monitoring_rules_write,
logs_modify_indexes, disaster_recovery_status_read,
disaster_recovery_status_write.

Also enables events search for OAuth by removing the forced API key
requirement and the OAUTH_EXCLUDED_ENDPOINTS entry.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Remove RUM and Notebooks from OAUTH_EXCLUDED_ENDPOINTS and replace all
forced API key bail blocks with bearer client middleware in rum.rs.

New scopes: notebooks_read, notebooks_write, rum_generate_metrics,
rum_session_replay_read (rum_apps_read/write and
rum_retention_filters_read/write were already present).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Reorganize default_scopes() alphabetically by domain and align with
the complete expected scope list. Adds 13 missing scopes (CI Visibility,
Service Catalog, Teams, BITS, Data Scanner, Status Pages, host_tags_write)
and removes 6 unnecessary scopes (slos_corrections,
synthetics_global_variable_*, synthetics_private_location_write,
security_monitoring_suppressions_read, user_self_profile_read).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

@platinummonkey
Collaborator

related to #96 and #144

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
@srosenthal-dd srosenthal-dd changed the title from "fix(auth): add OAuth scopes for integrations, organizations, security, events, HAMR" to "fix(auth): expand OAuth support to 68 scopes across all supported domains" Mar 4, 2026
@srosenthal-dd srosenthal-dd marked this pull request as ready for review March 4, 2026 00:41
@srosenthal-dd
Contributor Author

> related to #96 and #144

#96 is old enough to be targeting Go code; it shouldn't be necessary anymore

#144 plus my addition srosenthal-dd#1 still has some valuable additions, so is valuable separately. If it makes it simpler, I can merge all of the work into a single PR.

- Remove 3 validate_api_and_app_keys() gates in main.rs for status-pages
  (Pages, Components, Degradations) — the command module already had
  bearer client support via make_api()
- Add azure_configuration_read scope (69 total)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

@srosenthal-dd srosenthal-dd changed the title from "fix(auth): expand OAuth support to 68 scopes across all supported domains" to "fix(auth): expand OAuth support to 69 scopes across all supported domains" Mar 4, 2026

The status_pages match arms were written with manual nesting instead of
the rustfmt-preferred inline match style.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

@platinummonkey platinummonkey merged commit 3fe1f12 into datadog-labs:main Mar 4, 2026
6 checks passed
@srosenthal-dd srosenthal-dd deleted the feat/oauth-scopes-batch2 branch March 4, 2026 02:22
srosenthal-dd added a commit to srosenthal-dd/pup that referenced this pull request Mar 4, 2026

Remaining changes from PR datadog-labs#144 that weren't covered by PR datadog-labs#153:
- Add teams_manage OAuth scope for team create/update/delete operations
- Enable v2.search_flaky_tests as an unstable operation

Co-Authored-By: Stephen Rosenthal <stephen.rosenthal@datadoghq.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>