Shared O11y OAuth onboarding and export controls#133
Draft
tilakchowdary wants to merge 1 commit into
Draft
Conversation
6e16b73 to
8bd5438
Compare
1bfba39 to
8fee1df
Compare
8fee1df to
98d6b85
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds a shared Obstudio onboarding path for Splunk Observability Cloud:
obstudio cloud registeropens the Splunk Observability Cloud Free registration page.obstudio cloud loginruns authorization-code OAuth with PKCE in the Go binary.obstudio cloud statusreturns redacted connection metadata.obstudio cloud logoutrevokes the server token before deleting the local credential.SecretStorage.$splunk-o11y-onboardwraps the same commands for Codex, Claude Code, and Cursor.Companion changes:
User flows
New organization
Obstudio opens the Splunk-hosted Free registration page. The user completes registration and email verification in the browser, then connects the resulting organization with
cloud login.Existing organization
The browser reuses the user's existing Splunk Observability Cloud session. The Splunk-hosted page owns organization context, consent, and optional-scope selection.
OAuth call flow
1. Authorization-server discovery
Go OAuth client -> realm-specific Splunk Observability Cloud issuer:
The response supplies the exact issuer plus
/oauth/authorize,/v2/oauth/token, and/v2/oauth/revoke. Obstudio requires authorization code, query response mode, public clients, PKCE S256, revocation, and authorization-responseisssupport. All endpoints must use the configured issuer origin.2. Browser authorization
The Go client binds
127.0.0.1:<random-port>/callback, creates a 256-bitstateand PKCE verifier, then opens:Registered clients include
obstudio-cli,obstudio-vscode, andobstudio-cursor. No access token is placed in the browser URL or exposed to browser JavaScript.3. Consent and authorization code
SignalView uses the existing authenticated browser session to call App Platform:
App Platform validates the registered client, exact loopback redirect shape, requested scopes, and PKCE challenge. Approval returns a short-lived one-time code and issuer. The browser redirects:
Obstudio accepts exactly one callback only after exact
stateandissvalidation.4. PKCE token exchange
Go OAuth client -> App Platform:
Successful response:
{ "access_token": "<scoped-token>", "token_type": "Bearer", "expires_in": 31536000, "scope": "ingest api", "splunk_issuer": "https://app.<realm>.signalfx.com", "splunk_realm": "<realm>", "splunk_ingest_endpoint": "https://ingest.<realm>.signalfx.com", "splunk_org_id": "<org-id>", "splunk_token_id": "<token-id>", "splunk_token_name": "<token-name>" }Obstudio verifies the issuer, bearer type, required
ingestscope, granted-scope subset, realm, and canonical ingest endpoint before accepting the connection.5. Secure storage and Observer configuration
Standalone CLI stores the connection in macOS Keychain, Windows Credential Manager, or Linux Secret Service. A later standalone Observer loads only an unexpired key with
ingest; environment credentials take precedence.VS Code and Cursor invoke the bundled binary with an explicit session-only JSON handoff, capture stdout, and immediately store the connection in IDE
SecretStorage. If IDE persistence fails, the extension revokes the newly issued token before returning an error.The extension configures its managed Observer over the loopback control API:
The response is redacted. Export remains disabled until explicitly enabled; when enabled, telemetry continues to be stored locally and is also sent remotely.
6. Logout / Forget key
Only after successful revocation does Obstudio delete the OS-keychain or IDE
SecretStorageconnection.--local-onlyis an explicit break-glass option.Security properties
Verification
make test-all: passed