
@dcramer (Member) commented Jan 5, 2026

  • Adds comprehensive OAuth2 documentation to docs/api/auth.mdx covering authorization flow, token exchange, refresh tokens, and PKCE implementation
  • Consolidates OAuth documentation by streamlining the partnership platform page to reference the central auth docs, eliminating duplication
  • Includes complete Python/Flask code examples demonstrating PKCE-enabled OAuth flow

Refs getsentry/sentry#104418

Consolidate OAuth documentation by adding comprehensive OAuth2 section
to auth.mdx covering authorization flow, token exchange, refresh tokens,
and PKCE implementation. Streamline partnership OAuth page to reference
the central documentation, reducing duplication.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
vercel bot commented Jan 5, 2026

The latest updates on your projects:

Project        Deployment   Review             Updated (UTC)
sentry-docs    Ready        Preview, Comment   Jan 5, 2026 9:36pm
develop-docs   Ignored      Preview            Jan 5, 2026 9:36pm (1 skipped deployment)

dcramer (Member, Author) commented Jan 5, 2026

Usage by model:
        claude-haiku:  217.2k input, 3.0k output, 0 cache read, 0 cache write ($0.2320)
     claude-opus-4-5:  1.6k input, 29.0k output, 3.1m cache read, 219.8k cache write ($3.68)

@coolguyzone (Contributor) left a comment

LGTM!

dcramer and others added 2 commits January 5, 2026 13:25
Co-authored-by: Alex Krawiec <alex.krawiec@sentry.io>
Co-authored-by: Alex Krawiec <alex.krawiec@sentry.io>
"code": code,
"code_verifier": code_verifier
})
tokens = response.json()

Bug: The OAuth callback example code does not check the HTTP status code before parsing the token response, causing a KeyError when the server returns an error.
Severity: CRITICAL | Confidence: High

🔍 Detailed Analysis

The example code for the OAuth callback function makes a POST request to the token endpoint but does not validate the HTTP status code of the response. In common failure scenarios, such as an expired authorization code, the OAuth server will return an error response (e.g., HTTP 400) with a JSON body that does not contain access_token or refresh_token keys. The code proceeds to parse this JSON and immediately attempts to access tokens['access_token'], which raises a KeyError and causes an unhandled exception, crashing the application.

💡 Suggested Fix

Before parsing the JSON with response.json(), check if response.status_code is successful (e.g., response.raise_for_status() or if response.status_code == 200). Handle non-200 status codes gracefully instead of attempting to access token keys that will not be present in an error response.

🤖 Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: docs/api/auth.mdx#L200

Potential issue: The example code for the OAuth callback function makes a `POST` request
to the token endpoint but does not validate the HTTP status code of the response. In
common failure scenarios, such as an expired authorization code, the OAuth server will
return an error response (e.g., HTTP 400) with a JSON body that does not contain
`access_token` or `refresh_token` keys. The code proceeds to parse this JSON and
immediately attempts to access `tokens['access_token']`, which raises a `KeyError` and
causes an unhandled exception, crashing the application.

Reference ID: 8192205

"client_id": CLIENT_ID,
"client_secret": CLIENT_SECRET,
"grant_type": "refresh_token",
"refresh_token": session['refresh_token']
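Review bot: CLIENT_SECRET is sent in the refresh request body together with the session's refresh token (`"client_secret": CLIENT_SECRET,` / `"refresh_token": session['refresh_token']`), so this example is a confidential-client flow; the surrounding docs should state where CLIENT_SECRET is loaded from (environment or secret store, not the source file) and whether it is required at all for a PKCE client, since the snippet as written reads as if the secret were always mandatory.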

Bug: The refresh_token function accesses session['refresh_token'] without a check, causing a KeyError if the key is not present in the session.
Severity: HIGH | Confidence: High

🔍 Detailed Analysis

The refresh_token function in the example code directly accesses session['refresh_token'] without first verifying its existence. If this function is called in a scenario where the refresh token has not yet been stored in the session (e.g., due to a previous error in the callback, an expired session, or being called out of sequence), the application will raise a KeyError. This results in an unhandled exception, crashing the token refresh process.

💡 Suggested Fix

Validate the presence of the refresh_token in the session before using it. Use a safe access method like session.get('refresh_token') and handle the case where the token is None. This prevents a KeyError if the function is called on a session without a valid token.

🤖 Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: docs/api/auth.mdx#L211

Potential issue: The `refresh_token` function in the example code directly accesses
`session['refresh_token']` without first verifying its existence. If this function is
called in a scenario where the refresh token has not yet been stored in the session
(e.g., due to a previous error in the callback, an expired session, or being called out
of sequence), the application will raise a `KeyError`. This results in an unhandled
exception, crashing the token refresh process.

Reference ID: 8192205
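The two review-bot findings above concern the same docs example: a token exchange that reads `tokens['access_token']` without checking the response status, and a refresh that indexes `session['refresh_token']` without checking it exists. As an added illustration that is not code from this PR or from Sentry's docs, the Python block below shows the hardened shape of that example end to end: PKCE verifier and S256 challenge generation, a token exchange that checks the status before touching token keys and surfaces the server's `error` / `error_description`, and a refresh that returns `None` (caller re-authorizes) when no refresh token is in the session and tolerates refresh-token rotation. `TOKEN_URL`, `CLIENT_ID`, `CLIENT_SECRET`, the `Transport` callable and `fake_token_endpoint` are assumptions; the HTTP call is injected so the constructed fake endpoint lets the whole flow run offline, including the expired-or-reused-code and failed-PKCE error paths.

```python
import base64
import hashlib
import json
import secrets
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Assumed placeholders, not Sentry's real endpoint or credentials.
TOKEN_URL = "https://sentry.example/oauth/token/"
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"  # load from the environment in real code

# A transport takes (url, form fields) and returns (status_code, parsed JSON body).
Transport = Callable[[str, Dict[str, str]], Tuple[int, dict]]

class OAuthError(Exception):
    """Non-2xx status or malformed body from the token endpoint."""
    def __init__(self, status: int, body: dict):
        self.status, self.error = status, body.get("error", "unknown_error")
        super().__init__(f"{status} {self.error}: {body.get('error_description', '')}")

def s256(verifier: str) -> str:
    """RFC 7636 S256 challenge: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def make_pkce_pair() -> Tuple[str, str]:
    """Return (code_verifier, code_challenge); 32 random bytes give a 43-char verifier."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, s256(verifier)

def urllib_post(url: str, form: Dict[str, str]) -> Tuple[int, dict]:
    """Real transport: form-encoded POST that returns 4xx/5xx instead of raising."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")

def _token_request(form: Dict[str, str], post: Transport) -> dict:
    status, body = post(TOKEN_URL, form)
    # Check the status before reading token keys: an expired, reused or PKCE-failed
    # code comes back as 400 {"error": "invalid_grant"} with no access_token at all.
    if not 200 <= status < 300:
        raise OAuthError(status, body)
    if "access_token" not in body:
        raise OAuthError(status, {"error": "malformed_response"})
    return body

def exchange_code(code: str, code_verifier: str, redirect_uri: str,
                  post: Transport = urllib_post) -> dict:
    """Authorization-code grant, sending the PKCE verifier saved at the authorize step."""
    return _token_request({
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": code_verifier,
    }, post)

def refresh_tokens(session: dict, post: Transport = urllib_post) -> Optional[dict]:
    """Refresh with the session's token; None means nothing to refresh, so re-authorize."""
    refresh_token = session.get("refresh_token")
    if not refresh_token:
        return None
    tokens = _token_request({
        "grant_type": "refresh_token",
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "refresh_token": refresh_token,
    }, post)
    session["access_token"] = tokens["access_token"]
    # Servers may rotate refresh tokens; keep the old one only if none is returned.
    session["refresh_token"] = tokens.get("refresh_token", refresh_token)
    return tokens

# Constructed offline stand-in for the token endpoint: one issued code bound to a challenge.
DEMO_VERIFIER, DEMO_CHALLENGE = make_pkce_pair()
FAKE_ISSUED_CODES = {"valid-code": DEMO_CHALLENGE}

def fake_token_endpoint(url: str, form: Dict[str, str]) -> Tuple[int, dict]:
    grant = form.get("grant_type")
    if grant == "authorization_code":
        challenge = FAKE_ISSUED_CODES.get(form.get("code", ""))
        if challenge is None:
            return 400, {"error": "invalid_grant", "error_description": "code expired or already used"}
        if s256(form.get("code_verifier", "")) != challenge:
            return 400, {"error": "invalid_grant", "error_description": "PKCE verification failed"}
        del FAKE_ISSUED_CODES[form["code"]]  # authorization codes are single-use
        return 200, {"access_token": "at-1", "refresh_token": "rt-1", "expires_in": 3600}
    if grant == "refresh_token" and form.get("refresh_token") == "rt-1":
        return 200, {"access_token": "at-2", "refresh_token": "rt-2", "expires_in": 3600}
    return 400, {"error": "invalid_grant"}
```

In a Flask callback this replaces the bare `response.json()` / `tokens['access_token']` pair: catch `OAuthError`, log `err.error`, and redirect the user back to the authorize step instead of letting a `KeyError` propagate. Passing the real `urllib_post` transport (the default) makes the same functions talk to an actual token endpoint.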

@dcramer dcramer merged commit 45bef2e into master Jan 5, 2026
14 checks passed
@dcramer dcramer deleted the feat/document-pkce branch January 5, 2026 21:54