feat(seer-infra-telemetry): Add DatadogIdentityProvider for OAuth2#117035
Merged
Conversation
github-actions
Bot
added
the
Scope: Backend
srest2021
changed the title
![sentry[bot]](https://avatars.githubusercontent.com/in/12637?s=60&v=4){kind=small}
srest2021
changed the title
shashjar
approved these changes
Jun 10, 2026
wedamija
approved these changes
Jun 10, 2026
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
…copes Replace GET /api/v2/current_user with MCP datadog://mcp/whoami resource for user identity resolution. Add resource-specific OAuth scopes alongside mcp_read for tool access. Update tests to match new whoami response format. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
srest2021
force-pushed
the
srest2021/CW-1469
branch
from
6fe33f1 to
b4d8533
Compare
…e sure we fail loudly if not present
Contributor
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 1b9dd17. Configure here.
| json={"jsonrpc": "2.0", "id": 1, "method": "initialize", "params": {}}, | ||
| ) | ||
| init_resp.raise_for_status() | ||
| headers["Mcp-Session-Id"] = init_resp.headers["mcp-session-id"] |
Contributor
There was a problem hiding this comment.
Missing MCP session header crash
Medium Severity
In get_user_info, the MCP initialize response uses subscript access on init_resp.headers["mcp-session-id"]. If the server returns HTTP 200 without that header (optional per discussion), linking raises an uncaught KeyError instead of a controlled identity error like the whoami body parsing below.
Reviewed by Cursor Bugbot for commit 1b9dd17. Configure here.
3 tasks
shashjar
added a commit
that referenced
this pull request
Jun 16, 2026
…API endpoints (#117478) Resolves https://linear.app/getsentry/issue/CW-1499/monitoring-provider-connection-api-endpoints. Adds API endpoints for listing, connecting, and disconnecting monitoring providers (currently Datadog & GCP). These endpoints wrap the existing identity pipeline to let users initiate the per-user OAuth flow for connecting their monitoring provider accounts to Sentry. The identity providers for Datadog & GCP were previously implemented in #117035 & #117279, respectively. All endpoints are gated behind the `organizations:seer-infra-telemetry` feature flag, which is enabled only internally in the Sentry org for now. Note that monitoring provider connections are per-user (each user links their own account via OAuth), not per-organization. There is some provider-specific config baked into this implementation: Datadog requires a `site` parameter in the POST body (e.g. `datadoghq.com`) for site resolution, while GCP needs no extra config. For Datadog, the `IdentityProvider` is not created in the POST endpoint; it is auto-created by `IdentityPipeline.finish_pipeline()` using the Datadog org UUID from the MCP whoami response as the external ID (see #117491 & #117705). For GCP, the `IdentityProvider` is created upfront by the endpoint. `GET /api/0/organizations/{org}/monitoring-providers/` lists the available providers and the current user's connection status. This will be used to inform the monitoring provider settings UI tracked in https://linear.app/getsentry/issue/CW-1500/monitoring-providers-settings-page. `POST /api/0/organizations/{org}/monitoring-providers/{provider}/` represents a request to connect a given monitoring provider for a given user. It initiates the OAuth flow and returns a redirect URL to the provider's authorize page, based on the identity pipeline for that provider. `DELETE /api/0/organizations/{org}/monitoring-providers/{provider}/` represents a request to disconnect/delete a given monitoring provider for a given user. It deletes the current user's linked identity for that provider, if one exists. **Note on support for a single user connecting multiple Datadog orgs:** - For v0, we're mainly considering the case where a user has a single Datadog org connected, but in the future we will support multiple - The GET endpoint currently collapses to one entry per provider type (shows `connected: true` if _any_ exist - The POST endpoint currently allows multiple connections to be created - The DELETE endpoint currently deletes all identities for the provider (`idp__type=provider_key`) --------- Co-authored-by: getsantry[bot] <66042841+getsantry[bot]@users.noreply.github.com>
shashjar
added a commit
that referenced
this pull request
Jun 16, 2026
…API endpoints (#117854) Recreated after reverting #117478. Depends on #117851. Resolves https://linear.app/getsentry/issue/CW-1499/monitoring-provider-connection-api-endpoints. Adds API endpoints for listing, connecting, and disconnecting monitoring providers (currently Datadog & GCP). These endpoints wrap the existing identity pipeline to let users initiate the per-user OAuth flow for connecting their monitoring provider accounts to Sentry. The identity providers for Datadog & GCP were previously implemented in #117035 & #117279, respectively. All endpoints are gated behind the `organizations:seer-infra-telemetry` feature flag, which is enabled only internally in the Sentry org for now. Note that monitoring provider connections are per-user (each user links their own account via OAuth), not per-organization. There is some provider-specific config baked into this implementation: Datadog requires a `site` parameter in the POST body (e.g. `datadoghq.com`) for site resolution, while GCP needs no extra config. For Datadog, the `IdentityProvider` is not created in the POST endpoint; it is auto-created by `IdentityPipeline.finish_pipeline()` using the Datadog org UUID from the MCP whoami response as the external ID (see #117491 & #117705). For GCP, the `IdentityProvider` is created upfront by the endpoint. `GET /api/0/organizations/{org}/monitoring-providers/` lists the available providers and the current user's connection status. This will be used to inform the monitoring provider settings UI tracked in https://linear.app/getsentry/issue/CW-1500/monitoring-providers-settings-page. `POST /api/0/organizations/{org}/monitoring-providers/{provider}/` represents a request to connect a given monitoring provider for a given user. It initiates the OAuth flow and returns a redirect URL to the provider's authorize page, based on the identity pipeline for that provider. `DELETE /api/0/organizations/{org}/monitoring-providers/{provider}/` represents a request to disconnect/delete a given monitoring provider for a given user. It deletes the current user's linked identity for that provider, if one exists. **Note on support for a single user connecting multiple Datadog orgs:** - For v0, we're mainly considering the case where a user has a single Datadog org connected, but in the future we will support multiple - The GET endpoint currently collapses to one entry per provider type (shows `connected: true` if _any_ exist - The POST endpoint currently allows multiple connections to be created - The DELETE endpoint currently deletes all identities for the provider (`idp__type=provider_key`) --------- Co-authored-by: getsantry[bot] <66042841+getsantry[bot]@users.noreply.github.com>
vgrozdanic
pushed a commit
that referenced
this pull request
Jun 16, 2026
…API endpoints (#117478) Resolves https://linear.app/getsentry/issue/CW-1499/monitoring-provider-connection-api-endpoints. Adds API endpoints for listing, connecting, and disconnecting monitoring providers (currently Datadog & GCP). These endpoints wrap the existing identity pipeline to let users initiate the per-user OAuth flow for connecting their monitoring provider accounts to Sentry. The identity providers for Datadog & GCP were previously implemented in #117035 & #117279, respectively. All endpoints are gated behind the `organizations:seer-infra-telemetry` feature flag, which is enabled only internally in the Sentry org for now. Note that monitoring provider connections are per-user (each user links their own account via OAuth), not per-organization. There is some provider-specific config baked into this implementation: Datadog requires a `site` parameter in the POST body (e.g. `datadoghq.com`) for site resolution, while GCP needs no extra config. For Datadog, the `IdentityProvider` is not created in the POST endpoint; it is auto-created by `IdentityPipeline.finish_pipeline()` using the Datadog org UUID from the MCP whoami response as the external ID (see #117491 & #117705). For GCP, the `IdentityProvider` is created upfront by the endpoint. `GET /api/0/organizations/{org}/monitoring-providers/` lists the available providers and the current user's connection status. This will be used to inform the monitoring provider settings UI tracked in https://linear.app/getsentry/issue/CW-1500/monitoring-providers-settings-page. `POST /api/0/organizations/{org}/monitoring-providers/{provider}/` represents a request to connect a given monitoring provider for a given user. It initiates the OAuth flow and returns a redirect URL to the provider's authorize page, based on the identity pipeline for that provider. `DELETE /api/0/organizations/{org}/monitoring-providers/{provider}/` represents a request to disconnect/delete a given monitoring provider for a given user. It deletes the current user's linked identity for that provider, if one exists. **Note on support for a single user connecting multiple Datadog orgs:** - For v0, we're mainly considering the case where a user has a single Datadog org connected, but in the future we will support multiple - The GET endpoint currently collapses to one entry per provider type (shows `connected: true` if _any_ exist - The POST endpoint currently allows multiple connections to be created - The DELETE endpoint currently deletes all identities for the provider (`idp__type=provider_key`) --------- Co-authored-by: getsantry[bot] <66042841+getsantry[bot]@users.noreply.github.com>
vgrozdanic
pushed a commit
that referenced
this pull request
Jun 16, 2026
…API endpoints (#117854) Recreated after reverting #117478. Depends on #117851. Resolves https://linear.app/getsentry/issue/CW-1499/monitoring-provider-connection-api-endpoints. Adds API endpoints for listing, connecting, and disconnecting monitoring providers (currently Datadog & GCP). These endpoints wrap the existing identity pipeline to let users initiate the per-user OAuth flow for connecting their monitoring provider accounts to Sentry. The identity providers for Datadog & GCP were previously implemented in #117035 & #117279, respectively. All endpoints are gated behind the `organizations:seer-infra-telemetry` feature flag, which is enabled only internally in the Sentry org for now. Note that monitoring provider connections are per-user (each user links their own account via OAuth), not per-organization. There is some provider-specific config baked into this implementation: Datadog requires a `site` parameter in the POST body (e.g. `datadoghq.com`) for site resolution, while GCP needs no extra config. For Datadog, the `IdentityProvider` is not created in the POST endpoint; it is auto-created by `IdentityPipeline.finish_pipeline()` using the Datadog org UUID from the MCP whoami response as the external ID (see #117491 & #117705). For GCP, the `IdentityProvider` is created upfront by the endpoint. `GET /api/0/organizations/{org}/monitoring-providers/` lists the available providers and the current user's connection status. This will be used to inform the monitoring provider settings UI tracked in https://linear.app/getsentry/issue/CW-1500/monitoring-providers-settings-page. `POST /api/0/organizations/{org}/monitoring-providers/{provider}/` represents a request to connect a given monitoring provider for a given user. It initiates the OAuth flow and returns a redirect URL to the provider's authorize page, based on the identity pipeline for that provider. `DELETE /api/0/organizations/{org}/monitoring-providers/{provider}/` represents a request to disconnect/delete a given monitoring provider for a given user. It deletes the current user's linked identity for that provider, if one exists. **Note on support for a single user connecting multiple Datadog orgs:** - For v0, we're mainly considering the case where a user has a single Datadog org connected, but in the future we will support multiple - The GET endpoint currently collapses to one entry per provider type (shows `connected: true` if _any_ exist - The POST endpoint currently allows multiple connections to be created - The DELETE endpoint currently deletes all identities for the provider (`idp__type=provider_key`) --------- Co-authored-by: getsantry[bot] <66042841+getsantry[bot]@users.noreply.github.com>
billyvg
pushed a commit
that referenced
this pull request
Jun 17, 2026
…API endpoints (#117478) Resolves https://linear.app/getsentry/issue/CW-1499/monitoring-provider-connection-api-endpoints. Adds API endpoints for listing, connecting, and disconnecting monitoring providers (currently Datadog & GCP). These endpoints wrap the existing identity pipeline to let users initiate the per-user OAuth flow for connecting their monitoring provider accounts to Sentry. The identity providers for Datadog & GCP were previously implemented in #117035 & #117279, respectively. All endpoints are gated behind the `organizations:seer-infra-telemetry` feature flag, which is enabled only internally in the Sentry org for now. Note that monitoring provider connections are per-user (each user links their own account via OAuth), not per-organization. There is some provider-specific config baked into this implementation: Datadog requires a `site` parameter in the POST body (e.g. `datadoghq.com`) for site resolution, while GCP needs no extra config. For Datadog, the `IdentityProvider` is not created in the POST endpoint; it is auto-created by `IdentityPipeline.finish_pipeline()` using the Datadog org UUID from the MCP whoami response as the external ID (see #117491 & #117705). For GCP, the `IdentityProvider` is created upfront by the endpoint. `GET /api/0/organizations/{org}/monitoring-providers/` lists the available providers and the current user's connection status. This will be used to inform the monitoring provider settings UI tracked in https://linear.app/getsentry/issue/CW-1500/monitoring-providers-settings-page. `POST /api/0/organizations/{org}/monitoring-providers/{provider}/` represents a request to connect a given monitoring provider for a given user. It initiates the OAuth flow and returns a redirect URL to the provider's authorize page, based on the identity pipeline for that provider. `DELETE /api/0/organizations/{org}/monitoring-providers/{provider}/` represents a request to disconnect/delete a given monitoring provider for a given user. It deletes the current user's linked identity for that provider, if one exists. **Note on support for a single user connecting multiple Datadog orgs:** - For v0, we're mainly considering the case where a user has a single Datadog org connected, but in the future we will support multiple - The GET endpoint currently collapses to one entry per provider type (shows `connected: true` if _any_ exist - The POST endpoint currently allows multiple connections to be created - The DELETE endpoint currently deletes all identities for the provider (`idp__type=provider_key`) --------- Co-authored-by: getsantry[bot] <66042841+getsantry[bot]@users.noreply.github.com>
billyvg
pushed a commit
that referenced
this pull request
Jun 17, 2026
…API endpoints (#117854) Recreated after reverting #117478. Depends on #117851. Resolves https://linear.app/getsentry/issue/CW-1499/monitoring-provider-connection-api-endpoints. Adds API endpoints for listing, connecting, and disconnecting monitoring providers (currently Datadog & GCP). These endpoints wrap the existing identity pipeline to let users initiate the per-user OAuth flow for connecting their monitoring provider accounts to Sentry. The identity providers for Datadog & GCP were previously implemented in #117035 & #117279, respectively. All endpoints are gated behind the `organizations:seer-infra-telemetry` feature flag, which is enabled only internally in the Sentry org for now. Note that monitoring provider connections are per-user (each user links their own account via OAuth), not per-organization. There is some provider-specific config baked into this implementation: Datadog requires a `site` parameter in the POST body (e.g. `datadoghq.com`) for site resolution, while GCP needs no extra config. For Datadog, the `IdentityProvider` is not created in the POST endpoint; it is auto-created by `IdentityPipeline.finish_pipeline()` using the Datadog org UUID from the MCP whoami response as the external ID (see #117491 & #117705). For GCP, the `IdentityProvider` is created upfront by the endpoint. `GET /api/0/organizations/{org}/monitoring-providers/` lists the available providers and the current user's connection status. This will be used to inform the monitoring provider settings UI tracked in https://linear.app/getsentry/issue/CW-1500/monitoring-providers-settings-page. `POST /api/0/organizations/{org}/monitoring-providers/{provider}/` represents a request to connect a given monitoring provider for a given user. It initiates the OAuth flow and returns a redirect URL to the provider's authorize page, based on the identity pipeline for that provider. `DELETE /api/0/organizations/{org}/monitoring-providers/{provider}/` represents a request to disconnect/delete a given monitoring provider for a given user. It deletes the current user's linked identity for that provider, if one exists. **Note on support for a single user connecting multiple Datadog orgs:** - For v0, we're mainly considering the case where a user has a single Datadog org connected, but in the future we will support multiple - The GET endpoint currently collapses to one entry per provider type (shows `connected: true` if _any_ exist - The POST endpoint currently allows multiple connections to be created - The DELETE endpoint currently deletes all identities for the provider (`idp__type=provider_key`) --------- Co-authored-by: getsantry[bot] <66042841+getsantry[bot]@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Depends on #117026
Adds
DatadogIdentityProvider, an OAuth2 identity provider for Datadog using PKCE and DCR.