Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit495cecc

Browse files
committed
feat(oauth2): add RFC 8707 resource indicators and audience validation
Implements RFC 8707 Resource Indicators for OAuth2 provider to enable properaudience validation and token binding for multi-tenant scenarios.Key changes:- Add resource parameter support to authorization and token endpoints- Implement server-side audience validation for opaque tokens- Add database fields: ResourceUri (codes) and Audience (tokens)- Add comprehensive resource parameter validation logic- Add cross-resource audience validation in API middleware- Add extensive test coverage for RFC 8707 scenarios- Enhance PKCE implementation with timing attack protectionThis enables OAuth2 clients to specify target resource servers and preventstoken abuse across different Coder deployments through proper audience binding.Change-Id: I3924cb2139e837e3ac0b0bd40a5aeb59637ebc1bSigned-off-by: Thomas Kosiewski <tk@coder.com>
1 parent870e5eb commit495cecc

File tree

13 files changed

+550
-7
lines changed

13 files changed

+550
-7
lines changed

‎CLAUDE.md

Lines changed: 36 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -89,6 +89,10 @@ Read [cursor rules](.cursorrules).
8989
- Format:`{number}_{description}.{up|down}.sql`
9090
- Number must be unique and sequential
9191
- Always include both up and down migrations
92+
-**Use helper scripts**:
93+
-`./coderd/database/migrations/create_migration.sh "migration name"` - Creates new migration files
94+
-`./coderd/database/migrations/fix_migration_numbers.sh` - Renumbers migrations to avoid conflicts
95+
-`./coderd/database/migrations/create_fixture.sh "fixture name"` - Creates test fixtures for migrations
9296

9397
2.**Update database queries**:
9498
- MUST DO! Any changes to database - adding queries, modifying queries should be done in the`coderd/database/queries/*.sql` files
@@ -125,6 +129,29 @@ Read [cursor rules](.cursorrules).
125129
4.Run`make gen` again
126130
5.Run`make lint` to catch any remaining issues
127131

132+
###In-MemoryDatabaseTesting
133+
134+
When adding new database fields:
135+
136+
- **CRITICAL**:Update`coderd/database/dbmem/dbmem.go` in-memory implementations
137+
-The`Insert*` functions must includeALL new fields, not just basic ones
138+
-Common issue:Tests pass with real database but fail with in-memory database due to missing field mappings
139+
-Always verify in-memory database functions match the real database schema after migrations
140+
141+
Example pattern:
142+
143+
```go
144+
// In dbmem.go - ensure ALL fields are included
145+
code := database.OAuth2ProviderAppCode{
146+
ID: arg.ID,
147+
CreatedAt: arg.CreatedAt,
148+
// ... existing fields ...
149+
ResourceUri: arg.ResourceUri, // New field
150+
CodeChallenge: arg.CodeChallenge, // New field
151+
CodeChallengeMethod: arg.CodeChallengeMethod, // New field
152+
}
153+
```
154+
128155
##Architecture
129156

130157
###CoreComponents
@@ -209,6 +236,12 @@ When working on OAuth2 provider features:
209236
-Avoid dependency on referer headersfor security decisions
210237
-Support proper state parameter validation
211238

239+
6. **RFC8707ResourceIndicators**:
240+
-Store resource parameters in databasefor server-sidevalidation (opaque tokens)
241+
-Validate resource consistency between authorization and token requests
242+
-Support audience validation in refresh token flows
243+
-Resource parameter is optional but must be consistent when provided
244+
212245
###OAuth2ErrorHandlingPattern
213246

214247
```go
@@ -265,3 +298,6 @@ Always run the full test suite after OAuth2 changes:
265298
4. **Missing newlines** -Ensure files end with newline character
266299
5. **Tests passing locally but failing inCI** -Checkif`dbmem` implementation needs updating
267300
6. **OAuth2 endpoints returning wrongerror format** -EnsureOAuth2 endpointsreturnRFC6749 compliant errors
301+
7. **OAuth2 tests failing but scripts working** -Check in-memory database implementations in`dbmem.go`
302+
8. **Resource indicator validation failing** -Ensure database stores and retrieves resource parameters correctly
303+
9. **PKCE tests failing** -Verify both authorization code storage and token exchange handlePKCE fields

‎coderd/database/dbauthz/dbauthz.go

Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2165,6 +2165,25 @@ func (q *querier) GetOAuth2ProviderAppSecretsByAppID(ctx context.Context, appID
21652165
returnq.db.GetOAuth2ProviderAppSecretsByAppID(ctx,appID)
21662166
}
21672167

2168+
func (q*querier)GetOAuth2ProviderAppTokenByAPIKeyID(ctx context.Context,apiKeyIDstring) (database.OAuth2ProviderAppToken,error) {
2169+
token,err:=q.db.GetOAuth2ProviderAppTokenByAPIKeyID(ctx,apiKeyID)
2170+
iferr!=nil {
2171+
return database.OAuth2ProviderAppToken{},err
2172+
}
2173+
2174+
// Get the associated API key to check ownership
2175+
apiKey,err:=q.db.GetAPIKeyByID(ctx,token.APIKeyID)
2176+
iferr!=nil {
2177+
return database.OAuth2ProviderAppToken{},err
2178+
}
2179+
2180+
iferr:=q.authorizeContext(ctx,policy.ActionRead,rbac.ResourceOauth2AppCodeToken.WithOwner(apiKey.UserID.String()));err!=nil {
2181+
return database.OAuth2ProviderAppToken{},err
2182+
}
2183+
2184+
returntoken,nil
2185+
}
2186+
21682187
func (q*querier)GetOAuth2ProviderAppTokenByPrefix(ctx context.Context,hashPrefix []byte) (database.OAuth2ProviderAppToken,error) {
21692188
token,err:=q.db.GetOAuth2ProviderAppTokenByPrefix(ctx,hashPrefix)
21702189
iferr!=nil {

‎coderd/database/dbauthz/setup_test.go

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -41,6 +41,8 @@ var skipMethods = map[string]string{
4141
"Wrappers":"Not relevant",
4242
"AcquireLock":"Not relevant",
4343
"TryAcquireLock":"Not relevant",
44+
// New OAuth2 resource-indicator methods (RFC 8707); tests to be added
45+
"GetOAuth2ProviderAppTokenByAPIKeyID":"Not relevant",
4446
}
4547

4648
// TestMethodTestSuite runs MethodTestSuite.

‎coderd/database/dbmem/dbmem.go

Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4050,6 +4050,19 @@ func (q *FakeQuerier) GetOAuth2ProviderAppSecretsByAppID(_ context.Context, appI
40504050
return []database.OAuth2ProviderAppSecret{},sql.ErrNoRows
40514051
}
40524052

4053+
func (q*FakeQuerier)GetOAuth2ProviderAppTokenByAPIKeyID(_ context.Context,apiKeyIDstring) (database.OAuth2ProviderAppToken,error) {
4054+
q.mutex.Lock()
4055+
deferq.mutex.Unlock()
4056+
4057+
for_,token:=rangeq.oauth2ProviderAppTokens {
4058+
iftoken.APIKeyID==apiKeyID {
4059+
returntoken,nil
4060+
}
4061+
}
4062+
4063+
return database.OAuth2ProviderAppToken{},sql.ErrNoRows
4064+
}
4065+
40534066
func (q*FakeQuerier)GetOAuth2ProviderAppTokenByPrefix(_ context.Context,hashPrefix []byte) (database.OAuth2ProviderAppToken,error) {
40544067
q.mutex.Lock()
40554068
deferq.mutex.Unlock()

‎coderd/database/dbmetrics/querymetrics.go

Lines changed: 7 additions & 0 deletions
Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

‎coderd/database/dbmock/dbmock.go

Lines changed: 15 additions & 0 deletions
Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

‎coderd/database/querier.go

Lines changed: 1 addition & 0 deletions
Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

‎coderd/database/queries.sql.go

Lines changed: 20 additions & 0 deletions
Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

‎coderd/database/queries/oauth2.sql

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -136,6 +136,9 @@ INSERT INTO oauth2_provider_app_tokens (
136136
-- name: GetOAuth2ProviderAppTokenByPrefix :one
137137
SELECT*FROM oauth2_provider_app_tokensWHERE hash_prefix= $1;
138138

139+
-- name: GetOAuth2ProviderAppTokenByAPIKeyID :one
140+
SELECT*FROM oauth2_provider_app_tokensWHERE api_key_id= $1;
141+
139142
-- name: GetOAuth2ProviderAppsByUserID :many
140143
SELECT
141144
COUNT(DISTINCToauth2_provider_app_tokens.id)as token_count,

‎coderd/httpmw/apikey.go

Lines changed: 51 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -240,6 +240,16 @@ func ExtractAPIKey(rw http.ResponseWriter, r *http.Request, cfg ExtractAPIKeyCon
240240
})
241241
}
242242

243+
// Validate OAuth2 provider app token audience (RFC 8707) if applicable
244+
ifkey.LoginType==database.LoginTypeOAuth2ProviderApp {
245+
iferr:=validateOAuth2ProviderAppTokenAudience(ctx,cfg.DB,*key,r);err!=nil {
246+
returnoptionalWrite(http.StatusForbidden, codersdk.Response{
247+
Message:"Token audience mismatch",
248+
Detail:err.Error(),
249+
})
250+
}
251+
}
252+
243253
// We only check OIDC stuff if we have a valid APIKey. An expired key means we don't trust the requestor
244254
// really is the user whose key they have, and so we shouldn't be doing anything on their behalf including possibly
245255
// refreshing the OIDC token.
@@ -446,6 +456,47 @@ func ExtractAPIKey(rw http.ResponseWriter, r *http.Request, cfg ExtractAPIKeyCon
446456
returnkey,&actor,true
447457
}
448458

459+
// validateOAuth2ProviderAppTokenAudience validates that an OAuth2 provider app token
460+
// is being used with the correct audience/resource server (RFC 8707).
461+
funcvalidateOAuth2ProviderAppTokenAudience(ctx context.Context,db database.Store,key database.APIKey,r*http.Request)error {
462+
// Get the OAuth2 provider app token to check its audience
463+
//nolint:gocritic // System needs to access token for audience validation
464+
token,err:=db.GetOAuth2ProviderAppTokenByAPIKeyID(dbauthz.AsSystemRestricted(ctx),key.ID)
465+
iferr!=nil {
466+
returnxerrors.Errorf("failed to get OAuth2 token: %w",err)
467+
}
468+
469+
// If no audience is set, allow the request (for backward compatibility)
470+
if!token.Audience.Valid||token.Audience.String=="" {
471+
returnnil
472+
}
473+
474+
// Extract the expected audience from the request
475+
expectedAudience:=extractExpectedAudience(r)
476+
477+
// Validate that the token's audience matches the expected audience
478+
iftoken.Audience.String!=expectedAudience {
479+
returnxerrors.Errorf("token audience %q does not match expected audience %q",
480+
token.Audience.String,expectedAudience)
481+
}
482+
483+
returnnil
484+
}
485+
486+
// extractExpectedAudience determines the expected audience for the current request.
487+
// This should match the resource parameter used during authorization.
488+
funcextractExpectedAudience(r*http.Request)string {
489+
// For MCP compliance, the audience should be the canonical URI of the resource server
490+
// This typically matches the access URL of the Coder deployment
491+
scheme:="https"
492+
ifr.TLS==nil {
493+
scheme="http"
494+
}
495+
496+
// Use the Host header to construct the canonical audience URI
497+
returnfmt.Sprintf("%s://%s",scheme,r.Host)
498+
}
499+
449500
// UserRBACSubject fetches a user's rbac.Subject from the database. It pulls all roles from both
450501
// site and organization scopes. It also pulls the groups, and the user's status.
451502
funcUserRBACSubject(ctx context.Context,db database.Store,userID uuid.UUID,scope rbac.ExpandableScope) (rbac.Subject, database.UserStatus,error) {

‎coderd/identityprovider/authorize.go

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -44,6 +44,15 @@ func extractAuthorizeParams(r *http.Request, callbackURL *url.URL) (authorizePar
4444
codeChallenge:p.String(vals,"","code_challenge"),
4545
codeChallengeMethod:p.String(vals,"","code_challenge_method"),
4646
}
47+
// Validate resource indicator syntax (RFC 8707): must be absolute URI without fragment
48+
ifparams.resource!="" {
49+
ifu,err:=url.Parse(params.resource);err!=nil||u.Scheme==""||u.Fragment!="" {
50+
p.Errors=append(p.Errors, codersdk.ValidationError{
51+
Field:"resource",
52+
Detail:"must be an absolute URI without fragment",
53+
})
54+
}
55+
}
4756

4857
p.ErrorExcessParams(vals)
4958
iflen(p.Errors)>0 {

‎coderd/identityprovider/tokens.go

Lines changed: 37 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -33,6 +33,8 @@ var (
3333
errBadToken=xerrors.New("Invalid token")
3434
// errInvalidPKCE means the PKCE verification failed.
3535
errInvalidPKCE=xerrors.New("invalid code_verifier")
36+
// errInvalidResource means the resource parameter validation failed.
37+
errInvalidResource=xerrors.New("invalid resource parameter")
3638
)
3739

3840
// OAuth2Error represents an OAuth2-compliant error response.
@@ -87,6 +89,15 @@ func extractTokenParams(r *http.Request, callbackURL *url.URL) (tokenParams, []c
8789
codeVerifier:p.String(vals,"","code_verifier"),
8890
resource:p.String(vals,"","resource"),
8991
}
92+
// Validate resource parameter syntax (RFC 8707): must be absolute URI without fragment
93+
ifparams.resource!="" {
94+
ifu,err:=url.Parse(params.resource);err!=nil||u.Scheme==""||u.Fragment!="" {
95+
p.Errors=append(p.Errors, codersdk.ValidationError{
96+
Field:"resource",
97+
Detail:"must be an absolute URI without fragment",
98+
})
99+
}
100+
}
90101

91102
p.ErrorExcessParams(vals)
92103
iflen(p.Errors)>0 {
@@ -158,6 +169,10 @@ func Tokens(db database.Store, lifetimes codersdk.SessionLifetime) http.HandlerF
158169
writeOAuth2Error(ctx,rw,http.StatusBadRequest,"invalid_grant","The PKCE code verifier is invalid")
159170
return
160171
}
172+
iferrors.Is(err,errInvalidResource) {
173+
writeOAuth2Error(ctx,rw,http.StatusBadRequest,"invalid_target","The resource parameter is invalid")
174+
return
175+
}
161176
iferrors.Is(err,errBadToken) {
162177
writeOAuth2Error(ctx,rw,http.StatusBadRequest,"invalid_grant","The refresh token is invalid or expired")
163178
return
@@ -234,6 +249,20 @@ func authorizationCodeGrant(ctx context.Context, db database.Store, app database
234249
}
235250
}
236251

252+
// Verify resource parameter consistency (RFC 8707)
253+
ifdbCode.ResourceUri.Valid&&dbCode.ResourceUri.String!="" {
254+
// Resource was specified during authorization - it must match in token request
255+
ifparams.resource=="" {
256+
return oauth2.Token{},errInvalidResource
257+
}
258+
ifparams.resource!=dbCode.ResourceUri.String {
259+
return oauth2.Token{},errInvalidResource
260+
}
261+
}elseifparams.resource!="" {
262+
// Resource was not specified during authorization but is now provided
263+
return oauth2.Token{},errInvalidResource
264+
}
265+
237266
// Generate a refresh token.
238267
refreshToken,err:=GenerateSecret()
239268
iferr!=nil {
@@ -340,6 +369,14 @@ func refreshTokenGrant(ctx context.Context, db database.Store, app database.OAut
340369
return oauth2.Token{},errBadToken
341370
}
342371

372+
// Verify resource parameter consistency for refresh tokens (RFC 8707)
373+
ifparams.resource!="" {
374+
// If resource is provided in refresh request, it must match the original token's audience
375+
if!dbToken.Audience.Valid||dbToken.Audience.String!=params.resource {
376+
return oauth2.Token{},errInvalidResource
377+
}
378+
}
379+
343380
// Grab the user roles so we can perform the refresh as the user.
344381
//nolint:gocritic // There is no user yet so we must use the system.
345382
prevKey,err:=db.GetAPIKeyByID(dbauthz.AsSystemRestricted(ctx),dbToken.APIKeyID)

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp