From 157a4e3c029d2daa871dd680cb07e523a99b5e5f Mon Sep 17 00:00:00 2001 From: Cody Lee Date: Wed, 11 Feb 2026 14:13:16 -0600 Subject: [PATCH] fix(auth): add error_tracking_read OAuth2 scope for error-tracking commands Add the `error_tracking_read` OAuth2 scope to the default scopes list to enable error-tracking commands when using OAuth2 authentication. Changes: - Add `error_tracking_read` to DefaultScopes() in pkg/auth/types/types.go:103 - Update test expectations in pkg/auth/types/types_test.go:176 - Document the scope in docs/OAUTH2.md:227 - Add OAuth2 troubleshooting section in docs/TROUBLESHOOTING.md:109 - Update error-tracking command help text with auth notes The scope is documented in Datadog's API reference: https://docs.datadoghq.com/api/latest/scopes/ Note: There may be edge cases where Datadog's OAuth2 authorization endpoint rejects this scope (e.g., for certain org configurations or DCR limitations). Added comprehensive troubleshooting documentation with API key workaround. Closes #45 Co-Authored-By: Claude Sonnet 4.5 --- cmd/error_tracking.go | 7 +++- docs/OAUTH2.md | 3 ++ docs/TROUBLESHOOTING.md | 74 ++++++++++++++++++++++++++++++++++++ pkg/auth/types/types.go | 2 + pkg/auth/types/types_test.go | 2 + 5 files changed, 87 insertions(+), 1 deletion(-) diff --git a/cmd/error_tracking.go b/cmd/error_tracking.go index 430aa04..24f15b3 100644 --- a/cmd/error_tracking.go +++ b/cmd/error_tracking.go @@ -32,7 +32,12 @@ EXAMPLES: pup error-tracking issues get issue-id AUTHENTICATION: - Requires either OAuth2 authentication or API keys.`, + Requires either OAuth2 authentication (with error_tracking_read scope) + or API keys. + + Note: If you encounter OAuth2 scope issues ("invalid_scope" during login + or 401 errors), use API key authentication as a workaround. See + docs/TROUBLESHOOTING.md for details.`, } var errorTrackingIssuesCmd = &cobra.Command{ diff --git a/docs/OAUTH2.md b/docs/OAUTH2.md index ae19542..64dc7a1 100644 --- a/docs/OAUTH2.md +++ b/docs/OAUTH2.md @@ -224,6 +224,9 @@ Pup requests the following OAuth scopes based on PR #84: ### Usage - `usage_read` - Read usage data +### Error Tracking +- `error_tracking_read` - Read error tracking issues + ## Token Management ### Automatic Refresh diff --git a/docs/TROUBLESHOOTING.md b/docs/TROUBLESHOOTING.md index 598992e..9fdc48f 100644 --- a/docs/TROUBLESHOOTING.md +++ b/docs/TROUBLESHOOTING.md @@ -131,6 +131,80 @@ curl -X GET "https://api.datadoghq.com/api/v1/validate" \ -H "DD-APPLICATION-KEY: ${DD_APP_KEY}" ``` +### Error Tracking OAuth2 Scope Issues + +**Symptoms:** +``` +Error: 401 Unauthorized +# When using error-tracking commands with OAuth2 + +Error: OAuth error: invalid_scope +# During OAuth2 login after adding error_tracking_read scope +``` + +**Background:** + +The `error_tracking_read` OAuth2 scope is [documented](https://docs.datadoghq.com/api/latest/scopes/) and required for Error Tracking API endpoints. Pup v0.2.0+ includes this scope in the default OAuth2 scopes list. + +However, there may be scenarios where Datadog's OAuth2 authorization endpoint rejects the scope during login: + +1. **Scope not available for Dynamic Client Registration (DCR)**: Some OAuth2 scopes may only be available for pre-registered OAuth applications, not for dynamically registered clients like pup uses. + +2. **Org-level permissions required**: Your Datadog organization may need specific Error Tracking features or plan tiers enabled before the scope becomes available. + +3. **Timing/rollout issues**: The scope might not yet be available in all Datadog regions or for all customers. + +**Workaround - Use API Keys:** + +If you encounter OAuth2 issues with error-tracking commands, use API key authentication instead: + +```bash +# Logout from OAuth2 +pup auth logout + +# Set API keys +export DD_API_KEY="your-api-key" +export DD_APP_KEY="your-app-key" +export DD_SITE="datadoghq.com" + +# Use error-tracking commands +pup error-tracking issues search +pup error-tracking issues get +``` + +**Testing OAuth2 scope availability:** + +If you want to test whether the scope works for your organization: + +```bash +# 1. Backup existing OAuth2 credentials +mkdir -p ~/.config/pup/backup +cp ~/.config/pup/tokens_*.json ~/.config/pup/backup/ 2>/dev/null || true +cp ~/.config/pup/client_*.json ~/.config/pup/backup/ 2>/dev/null || true + +# 2. Logout and re-login to trigger new OAuth2 flow +pup auth logout +pup auth login + +# 3. Test error-tracking command +pup error-tracking issues search --from=1d + +# If you get "invalid_scope" error during login, the scope is not available +# If you get 401 during the command, there may be permission issues + +# 4. Restore backup if needed +cp ~/.config/pup/backup/*.json ~/.config/pup/ 2>/dev/null || true +``` + +**Reporting scope issues:** + +If you encounter OAuth2 scope problems with error-tracking: + +1. Confirm your Datadog org has Error Tracking enabled +2. Verify API key authentication works: `pup error-tracking issues search` +3. Report to [Datadog Support](https://help.datadoghq.com/) if the scope should be available +4. Open a [GitHub issue](https://github.com/DataDog/pup/issues) if this is a pup-specific problem + ## API Call Issues ### Rate Limiting diff --git a/pkg/auth/types/types.go b/pkg/auth/types/types.go index ea0bde0..cfa587c 100644 --- a/pkg/auth/types/types.go +++ b/pkg/auth/types/types.go @@ -99,6 +99,8 @@ func DefaultScopes() []string { "timeseries_query", // Usage "usage_read", + // Error Tracking + "error_tracking_read", } } diff --git a/pkg/auth/types/types_test.go b/pkg/auth/types/types_test.go index ed5de8b..7ba60f6 100644 --- a/pkg/auth/types/types_test.go +++ b/pkg/auth/types/types_test.go @@ -172,6 +172,8 @@ func TestDefaultScopes(t *testing.T) { "timeseries_query", // Usage "usage_read", + // Error Tracking + "error_tracking_read", } if len(scopes) != len(expectedScopes) {