diff --git a/cmd/error_tracking.go b/cmd/error_tracking.go index 430aa04..24f15b3 100644 --- a/cmd/error_tracking.go +++ b/cmd/error_tracking.go @@ -32,7 +32,12 @@ EXAMPLES: pup error-tracking issues get issue-id AUTHENTICATION: - Requires either OAuth2 authentication or API keys.`, + Requires either OAuth2 authentication (with error_tracking_read scope) + or API keys. + + Note: If you encounter OAuth2 scope issues ("invalid_scope" during login + or 401 errors), use API key authentication as a workaround. See + docs/TROUBLESHOOTING.md for details.`, } var errorTrackingIssuesCmd = &cobra.Command{ diff --git a/docs/OAUTH2.md b/docs/OAUTH2.md index ae19542..64dc7a1 100644 --- a/docs/OAUTH2.md +++ b/docs/OAUTH2.md @@ -224,6 +224,9 @@ Pup requests the following OAuth scopes based on PR #84: ### Usage - `usage_read` - Read usage data +### Error Tracking +- `error_tracking_read` - Read error tracking issues + ## Token Management ### Automatic Refresh diff --git a/docs/TROUBLESHOOTING.md b/docs/TROUBLESHOOTING.md index 598992e..9fdc48f 100644 --- a/docs/TROUBLESHOOTING.md +++ b/docs/TROUBLESHOOTING.md @@ -131,6 +131,80 @@ curl -X GET "https://api.datadoghq.com/api/v1/validate" \ -H "DD-APPLICATION-KEY: ${DD_APP_KEY}" ``` +### Error Tracking OAuth2 Scope Issues + +**Symptoms:** +``` +Error: 401 Unauthorized +# When using error-tracking commands with OAuth2 + +Error: OAuth error: invalid_scope +# During OAuth2 login after adding error_tracking_read scope +``` + +**Background:** + +The `error_tracking_read` OAuth2 scope is [documented](https://docs.datadoghq.com/api/latest/scopes/) and required for Error Tracking API endpoints. Pup v0.2.0+ includes this scope in the default OAuth2 scopes list. + +However, there may be scenarios where Datadog's OAuth2 authorization endpoint rejects the scope during login: + +1. **Scope not available for Dynamic Client Registration (DCR)**: Some OAuth2 scopes may only be available for pre-registered OAuth applications, not for dynamically registered clients like pup uses. + +2. **Org-level permissions required**: Your Datadog organization may need specific Error Tracking features or plan tiers enabled before the scope becomes available. + +3. **Timing/rollout issues**: The scope might not yet be available in all Datadog regions or for all customers. + +**Workaround - Use API Keys:** + +If you encounter OAuth2 issues with error-tracking commands, use API key authentication instead: + +```bash +# Logout from OAuth2 +pup auth logout + +# Set API keys +export DD_API_KEY="your-api-key" +export DD_APP_KEY="your-app-key" +export DD_SITE="datadoghq.com" + +# Use error-tracking commands +pup error-tracking issues search +pup error-tracking issues get +``` + +**Testing OAuth2 scope availability:** + +If you want to test whether the scope works for your organization: + +```bash +# 1. Backup existing OAuth2 credentials +mkdir -p ~/.config/pup/backup +cp ~/.config/pup/tokens_*.json ~/.config/pup/backup/ 2>/dev/null || true +cp ~/.config/pup/client_*.json ~/.config/pup/backup/ 2>/dev/null || true + +# 2. Logout and re-login to trigger new OAuth2 flow +pup auth logout +pup auth login + +# 3. Test error-tracking command +pup error-tracking issues search --from=1d + +# If you get "invalid_scope" error during login, the scope is not available +# If you get 401 during the command, there may be permission issues + +# 4. Restore backup if needed +cp ~/.config/pup/backup/*.json ~/.config/pup/ 2>/dev/null || true +``` + +**Reporting scope issues:** + +If you encounter OAuth2 scope problems with error-tracking: + +1. Confirm your Datadog org has Error Tracking enabled +2. Verify API key authentication works: `pup error-tracking issues search` +3. Report to [Datadog Support](https://help.datadoghq.com/) if the scope should be available +4. Open a [GitHub issue](https://github.com/DataDog/pup/issues) if this is a pup-specific problem + ## API Call Issues ### Rate Limiting diff --git a/pkg/auth/types/types.go b/pkg/auth/types/types.go index ea0bde0..cfa587c 100644 --- a/pkg/auth/types/types.go +++ b/pkg/auth/types/types.go @@ -99,6 +99,8 @@ func DefaultScopes() []string { "timeseries_query", // Usage "usage_read", + // Error Tracking + "error_tracking_read", } } diff --git a/pkg/auth/types/types_test.go b/pkg/auth/types/types_test.go index ed5de8b..7ba60f6 100644 --- a/pkg/auth/types/types_test.go +++ b/pkg/auth/types/types_test.go @@ -172,6 +172,8 @@ func TestDefaultScopes(t *testing.T) { "timeseries_query", // Usage "usage_read", + // Error Tracking + "error_tracking_read", } if len(scopes) != len(expectedScopes) {