feat(oauth): expand OAuth support to audit-logs, logs, error tracking, and OCI #136

Merged
platinummonkey merged 2 commits into datadog-labs:main from srosenthal-dd:feat/expand-oauth-scopes-v2
Feb 27, 2026

srosenthal-dd (Contributor) commented Feb 27, 2026

Summary

Expands OAuth bearer token support to logs, error tracking, cloud OCI, and audit logs commands that previously required API+App key authentication or were missing scopes. Also adds 12 new OAuth scopes to the login flow.

Changes

  • Add 12 new OAuth scopes: audit_logs_read, error_tracking_read, incident_notification_settings_read, incident_settings_read, incident_settings_write, logs_generate_metrics, logs_read_archives, logs_read_config, logs_write_archives, oci_configuration_edit, oci_configuration_read, oci_configurations_manage (src/auth/types.rs)
  • Remove forced API key fallback from all logs commands: search, list, query, aggregate, archives (list/get/delete), custom-destinations (list/get), metrics (list/get/delete) (src/commands/logs.rs)
  • Remove forced API key fallback from error tracking commands: issues search, issues get (src/commands/error_tracking.rs)
  • Remove 13 entries from OAUTH_EXCLUDED_ENDPOINTS table (src/client.rs)
  • Update tests to verify OAuth works for previously excluded endpoints (src/client.rs, src/test_commands.rs)

Cloud OCI and Incidents commands already used the make_bearer_client pattern, so no code changes were needed for those.

Testing

  • All 307 unit tests pass
  • cargo clippy -- -D warnings clean
  • cargo fmt --check clean
  • E2E validated with OAuth against both staging and prod — see PR comment for details

🤖 Generated with Claude Code

srosenthal-dd and others added 2 commits February 27, 2026 13:35
…mmands

Server-side changes now allow OAuth for logs, error tracking, incidents,
and cloud OCI endpoints. This removes the forced API key fallback for
these commands and adds bearer token support via make_bearer_client.

- Add 11 new OAuth scopes (error_tracking_read, incident_settings_*,
  logs_read_archives, logs_read_config, logs_generate_metrics,
  logs_write_archives, oci_configuration_*)
- Remove API key requirement from all logs commands (search, aggregate,
  archives, custom-destinations, metrics)
- Remove API key requirement from error tracking commands (issues search/get)
- Remove 13 entries from OAUTH_EXCLUDED_ENDPOINTS table
- Update tests to verify OAuth works for previously excluded endpoints

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Add the audit_logs_read scope to the OAuth login flow. The audit logs
commands already support bearer token auth, but the scope was not being
requested.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
srosenthal-dd (Contributor, Author) commented Feb 27, 2026

E2E Validation Results

Staging (datad0g.com)

| Command | Scope | Result |
|---|---|---|
| logs search --query "test" --from 1h | logs_read_data | PASS |
| logs aggregate --query "test" --from 1h | logs_read_data | PASS |
| logs archives list | logs_read_archives | PASS |
| logs metrics list | logs_generate_metrics | PASS |
| logs custom-destinations list | logs_read_config | PASS |
| logs restriction-queries list | logs_read_config | PASS |
| incidents list | incident_read | PASS |
| incidents settings get | incident_settings_read | PASS |
| cloud oci tenancies list | oci_configuration_read | PASS |
| audit-logs list --from 1h | audit_logs_read | PASS |

Prod (datadoghq.com)

| Command | Scope | Result | Notes |
|---|---|---|---|
| logs search --query "test" --from 1h | logs_read_data | PASS | |
| logs aggregate --query "test" --from 1h | logs_read_data | PASS | |
| logs archives list | logs_read_archives | PASS | |
| logs metrics list | logs_generate_metrics | PASS | |
| logs custom-destinations list | logs_read_config | PASS | |
| logs restriction-queries list | logs_read_config | FAIL | 401 — server-side OAuth not yet enabled on prod |
| incidents list | incident_read | PASS | |
| incidents settings get | incident_settings_read | FAIL | Serde error (schema mismatch in API client crate, not auth-related) |
| cloud oci tenancies list | oci_configuration_read | PASS | |
| audit-logs list --from 1h | audit_logs_read | PASS | |
| error-tracking issues get <fake-uuid> | error_tracking_read | PASS | 404 (not 403) confirms auth works |

Summary

  • Staging: 10/10 passed
  • Prod: 9/11 passed, 2 known issues (not auth-related to this PR)

Not validated (write ops, skipped for safety):
logs_write_archives, logs_generate_metrics, incident_write, incident_settings_write, oci_configuration_edit, oci_configurations_manage

Not validated (blocked by pre-existing pup bugs, not auth-related):

  • error_tracking_read on staging — issues search requires track/persona param pup doesn't expose
  • incident_notification_settings_read — postmortem-templates list requires filter[incident-type] param pup doesn't expose
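
The status-code reasoning used in the validation results above (401, 403 versus 404, and a Serde error), written out as an added Rust example; it is not code from this PR or from pup. `Probe`, `Verdict`, `classify` and `auth_blockers` are hypothetical names, the 200 status for the passing row is constructed, and the 404 rule assumes the API answers 403 for a missing scope rather than masking it as 404.

```rust
// Added example: hypothetical types for triaging E2E auth probes, not pup's own.
#[derive(Debug, Clone, Copy, PartialEq)]
enum Probe {
    Http(u16),   // status code returned by the API
    DecodeError, // 2xx received, but the client failed to deserialize the body
}

#[derive(Debug, PartialEq)]
enum Verdict {
    AuthOk,         // token and scope accepted, request succeeded
    AuthOkOtherBug, // token and scope accepted, the failure lies elsewhere
    TokenRejected,  // 401: bearer auth not accepted for this endpoint
    ScopeDenied,    // 403: token accepted but lacks the required scope
    Inconclusive,   // any other status says nothing about auth
}

fn classify(p: Probe) -> Verdict {
    match p {
        Probe::Http(200..=299) => Verdict::AuthOk,
        Probe::Http(401) => Verdict::TokenRejected,
        Probe::Http(403) => Verdict::ScopeDenied,
        // Assumption: a missing scope yields 403, so 404 means auth passed.
        Probe::Http(404) | Probe::DecodeError => Verdict::AuthOkOtherBug,
        Probe::Http(_) => Verdict::Inconclusive,
    }
}

/// Commands whose failure is an authentication or authorization problem.
fn auth_blockers<'a>(rows: &[(&'a str, Probe)]) -> Vec<&'a str> {
    rows.iter()
        .filter(|(_, p)| matches!(classify(*p), Verdict::TokenRejected | Verdict::ScopeDenied))
        .map(|(cmd, _)| *cmd)
        .collect()
}

// Constructed sample modelled on four rows of the prod table.
fn prod_sample() -> Vec<(&'static str, Probe)> {
    vec![
        ("logs search", Probe::Http(200)),
        ("logs restriction-queries list", Probe::Http(401)),
        ("incidents settings get", Probe::DecodeError),
        ("error-tracking issues get", Probe::Http(404)),
    ]
}

fn main() {
    for (cmd, p) in prod_sample() {
        println!("{cmd}: {:?}", classify(p));
    }
    println!("auth blockers: {:?}", auth_blockers(&prod_sample()));
}
```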

srosenthal-dd changed the title from "feat(oauth): expand OAuth support to logs, error tracking, and OCI commands" to "feat(oauth): expand OAuth support to audit-logs, logs, error tracking, and OCI" Feb 27, 2026
srosenthal-dd marked this pull request as ready for review February 27, 2026 22:38
platinummonkey merged commit 8712ed5 into datadog-labs:main Feb 27, 2026
6 checks passed
srosenthal-dd deleted the feat/expand-oauth-scopes-v2 branch February 27, 2026 22:54