Add OpenAPI spec for OAuth2 client endpoints

features/v2/cloud_cost_management.feature

@@ -606,22 +606,6 @@ Feature: Cloud Cost Management
     When the request is sent
     Then the response status is 200 OK
 
-  @generated @skip @team:DataDog/cloud-cost-management
-  Scenario: List Cloud Cost Management tag metadata months returns "Bad Request" response
-    Given operation "ListCostTagMetadataMonths" enabled
-    And new "ListCostTagMetadataMonths" request
-    And request contains "filter[provider]" parameter from "REPLACE.ME"
-    When the request is sent
-    Then the response status is 400 Bad Request
-
-  @generated @skip @team:DataDog/cloud-cost-management
-  Scenario: List Cloud Cost Management tag metadata months returns "OK" response
-    Given operation "ListCostTagMetadataMonths" enabled
-    And new "ListCostTagMetadataMonths" request
-    And request contains "filter[provider]" parameter from "REPLACE.ME"
-    When the request is sent
-    Then the response status is 200 OK
-
   @generated @skip @team:DataDog/cloud-cost-management
   Scenario: List Cloud Cost Management tag sources returns "Bad Request" response
     Given operation "ListCostTagKeySources" enabled

features/v2/oauth2_client_public.feature

@@ -0,0 +1,100 @@
+@endpoint(oauth2-client-public) @endpoint(oauth2-client-public-v2)
+Feature: OAuth2 Client Public
+  Configure OAuth2 clients for Datadog. Supports RFC 7591 Dynamic Client
+  Registration and management of OAuth2 client scopes restrictions.
+
+  Background:
+    Given a valid "apiKeyAuth" key in the system
+    And a valid "appKeyAuth" key in the system
+    And an instance of "OAuth2ClientPublic" API
+
+  @generated @skip @team:DataDog/delegated-auth-login
+  Scenario: Delete an OAuth2 client scopes restriction returns "Bad Request" response
+    Given operation "DeleteScopesRestriction" enabled
+    And new "DeleteScopesRestriction" request
+    And request contains "client_uuid" parameter from "REPLACE.ME"
+    When the request is sent
+    Then the response status is 400 Bad Request
+
+  @generated @skip @team:DataDog/delegated-auth-login
+  Scenario: Delete an OAuth2 client scopes restriction returns "No Content" response
+    Given operation "DeleteScopesRestriction" enabled
+    And new "DeleteScopesRestriction" request
+    And request contains "client_uuid" parameter from "REPLACE.ME"
+    When the request is sent
+    Then the response status is 204 No Content
+
+  @generated @skip @team:DataDog/delegated-auth-login
+  Scenario: Delete an OAuth2 client scopes restriction returns "Not Found" response
+    Given operation "DeleteScopesRestriction" enabled
+    And new "DeleteScopesRestriction" request
+    And request contains "client_uuid" parameter from "REPLACE.ME"
+    When the request is sent
+    Then the response status is 404 Not Found
+
+  @generated @skip @team:DataDog/delegated-auth-login
+  Scenario: Get an OAuth2 client scopes restriction returns "Bad Request" response
+    Given operation "GetScopesRestriction" enabled
+    And new "GetScopesRestriction" request
+    And request contains "client_uuid" parameter from "REPLACE.ME"
+    When the request is sent
+    Then the response status is 400 Bad Request
+
+  @generated @skip @team:DataDog/delegated-auth-login
+  Scenario: Get an OAuth2 client scopes restriction returns "Not Found" response
+    Given operation "GetScopesRestriction" enabled
+    And new "GetScopesRestriction" request
+    And request contains "client_uuid" parameter from "REPLACE.ME"
+    When the request is sent
+    Then the response status is 404 Not Found
+
+  @generated @skip @team:DataDog/delegated-auth-login
+  Scenario: Get an OAuth2 client scopes restriction returns "OK" response
+    Given operation "GetScopesRestriction" enabled
+    And new "GetScopesRestriction" request
+    And request contains "client_uuid" parameter from "REPLACE.ME"
+    When the request is sent
+    Then the response status is 200 OK
+
+  @generated @skip @team:DataDog/delegated-auth-login
+  Scenario: Register an OAuth2 client returns "Bad Request" response
+    Given operation "RegisterOAuthClient" enabled
+    And new "RegisterOAuthClient" request
+    And body with value {"client_name": "Example MCP Client", "client_uri": "https://example.com", "grant_types": ["authorization_code", "refresh_token"], "jwks_uri": "https://example.com/.well-known/jwks.json", "logo_uri": "https://example.com/logo.png", "policy_uri": "https://example.com/privacy", "redirect_uris": ["https://example.com/oauth/callback"], "response_types": ["code"], "scope": "openid profile", "token_endpoint_auth_method": "none", "tos_uri": "https://example.com/tos"}
+    When the request is sent
+    Then the response status is 400 Bad Request
+
+  @generated @skip @team:DataDog/delegated-auth-login
+  Scenario: Register an OAuth2 client returns "Created" response
+    Given operation "RegisterOAuthClient" enabled
+    And new "RegisterOAuthClient" request
+    And body with value {"client_name": "Example MCP Client", "client_uri": "https://example.com", "grant_types": ["authorization_code", "refresh_token"], "jwks_uri": "https://example.com/.well-known/jwks.json", "logo_uri": "https://example.com/logo.png", "policy_uri": "https://example.com/privacy", "redirect_uris": ["https://example.com/oauth/callback"], "response_types": ["code"], "scope": "openid profile", "token_endpoint_auth_method": "none", "tos_uri": "https://example.com/tos"}
+    When the request is sent
+    Then the response status is 201 Created
+
+  @generated @skip @team:DataDog/delegated-auth-login
+  Scenario: Upsert an OAuth2 client scopes restriction returns "Bad Request" response
+    Given operation "UpsertScopesRestriction" enabled
+    And new "UpsertScopesRestriction" request
+    And request contains "client_uuid" parameter from "REPLACE.ME"
+    And body with value {"data": {"attributes": {"oidc_scopes": ["openid", "email"], "permission_scopes": ["dashboards_read", "metrics_read"]}, "type": "upsert_scopes_restriction"}}
+    When the request is sent
+    Then the response status is 400 Bad Request
+
+  @generated @skip @team:DataDog/delegated-auth-login
+  Scenario: Upsert an OAuth2 client scopes restriction returns "Not Found" response
+    Given operation "UpsertScopesRestriction" enabled
+    And new "UpsertScopesRestriction" request
+    And request contains "client_uuid" parameter from "REPLACE.ME"
+    And body with value {"data": {"attributes": {"oidc_scopes": ["openid", "email"], "permission_scopes": ["dashboards_read", "metrics_read"]}, "type": "upsert_scopes_restriction"}}
+    When the request is sent
+    Then the response status is 404 Not Found
+
+  @generated @skip @team:DataDog/delegated-auth-login
+  Scenario: Upsert an OAuth2 client scopes restriction returns "OK" response
+    Given operation "UpsertScopesRestriction" enabled
+    And new "UpsertScopesRestriction" request
+    And request contains "client_uuid" parameter from "REPLACE.ME"
+    And body with value {"data": {"attributes": {"oidc_scopes": ["openid", "email"], "permission_scopes": ["dashboards_read", "metrics_read"]}, "type": "upsert_scopes_restriction"}}
+    When the request is sent
+    Then the response status is 200 OK

features/v2/undo.json

@@ -1898,12 +1898,6 @@
       "type": "safe"
     }
   },
-  "ListCostTagMetadataMonths": {
-    "tag": "Cloud Cost Management",
-    "undo": {
-      "type": "safe"
-    }
-  },
   "ListCostTagMetadataOrchestrators": {
     "tag": "Cloud Cost Management",
     "undo": {
@@ -4672,6 +4666,30 @@
       "type": "safe"
     }
   },
+  "DeleteScopesRestriction": {
+    "tag": "OAuth2 Client Public",
+    "undo": {
+      "type": "idempotent"
+    }
+  },
+  "GetScopesRestriction": {
+    "tag": "OAuth2 Client Public",
+    "undo": {
+      "type": "safe"
+    }
+  },
+  "UpsertScopesRestriction": {
+    "tag": "OAuth2 Client Public",
+    "undo": {
+      "type": "idempotent"
+    }
+  },
+  "RegisterOAuthClient": {
+    "tag": "OAuth2 Client Public",
+    "undo": {
+      "type": "idempotent"
+    }
+  },
   "ListPipelines": {
     "tag": "Observability Pipelines",
     "undo": {

packages/datadog-api-client/README.md

@@ -420,6 +420,7 @@ apiInstance
 | Monitors | @datadog/datadog-api-client-monitors | [README.md](../../services/monitors/README.md) |
 | Network Device Monitoring | @datadog/datadog-api-client-network-device-monitoring | [README.md](../../services/network-device-monitoring/README.md) |
 | Notebooks | @datadog/datadog-api-client-notebooks | [README.md](../../services/notebooks/README.md) |
+| OAuth2 Client Public | @datadog/datadog-api-client-o-auth2-client-public | [README.md](../../services/o-auth2-client-public/README.md) |
 | Observability Pipelines | @datadog/datadog-api-client-observability-pipelines | [README.md](../../services/observability-pipelines/README.md) |
 | OCI Integration | @datadog/datadog-api-client-oci-integration | [README.md](../../services/oci-integration/README.md) |
 | Okta Integration | @datadog/datadog-api-client-okta-integration | [README.md](../../services/okta-integration/README.md) |

private/bdd_runner/src/support/scenarios_model_mapping.ts

@@ -7515,13 +7515,6 @@ export const ScenariosModelMappings: { [key: string]: OperationMapping } = {
     },
     operationResponseType: "CostMetricsResponse",
   },
-  "CloudCostManagementApi.V2.ListCostTagMetadataMonths": {
-    filterProvider: {
-      type: "string",
-      format: "",
-    },
-    operationResponseType: "CostTagMetadataMonthsResponse",
-  },
   "CloudCostManagementApi.V2.ListCostTagMetadataOrchestrators": {
     filterMonth: {
       type: "string",
@@ -10983,6 +10976,38 @@ export const ScenariosModelMappings: { [key: string]: OperationMapping } = {
     },
     operationResponseType: "SingleAggregatedDnsResponseArray",
   },
+  "OAuth2ClientPublicApi.V2.GetScopesRestriction": {
+    clientUuid: {
+      type: "string",
+      format: "uuid",
+    },
+    operationResponseType: "OAuthScopesRestrictionResponse",
+  },
+  "OAuth2ClientPublicApi.V2.UpsertScopesRestriction": {
+    clientUuid: {
+      type: "string",
+      format: "uuid",
+    },
+    body: {
+      type: "UpsertOAuthScopesRestrictionRequest",
+      format: "",
+    },
+    operationResponseType: "OAuthScopesRestrictionResponse",
+  },
+  "OAuth2ClientPublicApi.V2.DeleteScopesRestriction": {
+    clientUuid: {
+      type: "string",
+      format: "uuid",
+    },
+    operationResponseType: "{}",
+  },
+  "OAuth2ClientPublicApi.V2.RegisterOAuthClient": {
+    body: {
+      type: "OAuthClientRegistrationRequest",
+      format: "",
+    },
+    operationResponseType: "OAuthClientRegistrationResponse",
+  },
   "ObservabilityPipelinesApi.V2.ListPipelines": {
     pageSize: {
       type: "number",