Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

feat: standardize OAuth2 endpoints and implement token revocation#18809

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Open
ThomasK33 wants to merge2 commits intomain
base:main
Choose a base branch
Loading
fromthomask33/07-07-feat_standardize_oauth2_endpoints_and_add_token_revocation

Conversation

ThomasK33
Copy link
Member

@ThomasK33ThomasK33 commentedJul 9, 2025
edited
Loading

feat: standardize OAuth2 endpoints and add token revocation

  • Change /oauth2/tokens → /oauth2/token per RFC 6749
  • Move token deletion to POST /oauth2/revoke per RFC 7009
  • Update all endpoint URLs and documentation
  • Maintain backward compatibility in client libraries

feat: implement OAuth2 Device Authorization Grant (RFC 8628)

  • Add device authorization endpoint /oauth2/device
  • Add device verification UI at /oauth2/device/verify
  • Support device_code grant type in token endpoint
  • Add database table for device codes with expiration
  • Implement polling interval and user authorization flow
  • Add comprehensive test coverage for device flow

chore: add OAuth2 device flow test scripts

Change-Id: Ic232851727e683ab3d8b7ce970c505588da2f827
Change-Id: I7a7eebeb23a4f28718ebed2994d01dc21b49315b
Signed-off-by: Thomas Kosiewskitk@coder.com

@ThomasK33Graphite App
Copy link
MemberAuthor

ThomasK33 commentedJul 9, 2025
edited
Loading

@ThomasK33ThomasK33 changed the titlefeat: standardize OAuth2 endpoints and add token revocationfeat: standardize OAuth2 endpoints and implement token revocationJul 9, 2025
@ThomasK33ThomasK33force-pushed thethomask33/07-07-feat_standardize_oauth2_endpoints_and_add_token_revocation branch 7 times, most recently frombc44107 toab73979CompareJuly 9, 2025 22:15
@ThomasK33ThomasK33 marked this pull request as ready for reviewJuly 10, 2025 09:20
@ThomasK33ThomasK33 requested a review fromjohnstcnJuly 10, 2025 09:24
@ThomasK33ThomasK33force-pushed thethomask33/07-07-feat_standardize_oauth2_endpoints_and_add_token_revocation branch fromab73979 tob89c367CompareJuly 12, 2025 12:55
@ThomasK33ThomasK33force-pushed thethomask33/07-07-feat_standardize_oauth2_endpoints_and_add_token_revocation branch fromb89c367 tob73b71dCompareJuly 14, 2025 12:43
@ThomasK33ThomasK33force-pushed thethomask33/07-07-feat_standardize_oauth2_endpoints_and_add_token_revocation branch 2 times, most recently from514f744 to386d77dCompareJuly 14, 2025 16:13
@ThomasK33ThomasK33force-pushed thethomask33/07-07-feat_standardize_oauth2_endpoints_and_add_token_revocation branch 3 times, most recently from01f48f3 to9393060CompareJuly 15, 2025 16:30
@ThomasK33ThomasK33force-pushed thethomask33/07-07-feat_standardize_oauth2_endpoints_and_add_token_revocation branch from9393060 to2c31819CompareJuly 17, 2025 14:38
Copy link
Member

@aslilacaslilac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I don't think we need to duplicate the styles and svg in each html file like this. we could just put a css file next to them in the static folder and reference it, and we already have icons in there.

ThomasK33 reacted with thumbs up emoji
  - Change /oauth2/tokens → /oauth2/token per RFC 6749  - Move token deletion to POST /oauth2/revoke per RFC 7009  - Update all endpoint URLs and documentation  - Maintain backward compatibility in client librariesfeat: implement OAuth2 Device Authorization Grant (RFC 8628)  - Add device authorization endpoint /oauth2/device/authorize  - Add device verification UI at /oauth2/device  - Support device_code grant type in token endpoint  - Add database table for device codes with expiration  - Implement polling interval and user authorization flow  - Add comprehensive test coverage for device flowChange-Id: I7a7eebeb23a4f28718ebed2994d01dc21b49315bSigned-off-by: Thomas Kosiewski <tk@coder.com>
@ThomasK33ThomasK33force-pushed thethomask33/07-07-feat_standardize_oauth2_endpoints_and_add_token_revocation branch from2c31819 to212e8ebCompareJuly 21, 2025 12:15
@ThomasK33ThomasK33 requested a review fromaslilacJuly 21, 2025 12:18
Change-Id: Ic232851727e683ab3d8b7ce970c505588da2f827Signed-off-by: Thomas Kosiewski <tk@coder.com>
@ThomasK33ThomasK33force-pushed thethomask33/07-07-feat_standardize_oauth2_endpoints_and_add_token_revocation branch from212e8eb to165e7dcCompareJuly 21, 2025 12:23
// Fetch the device code first to check authorization
deviceCode,err:=q.db.GetOAuth2ProviderDeviceCodeByID(ctx,id)
iferr!=nil {
returnerr
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Wrap these errs please.

@@ -1275,6 +1275,25 @@ func OAuth2ProviderAppToken(t testing.TB, db database.Store, seed database.OAuth
returntoken
}

funcOAuth2ProviderDeviceCode(t testing.TB,db database.Store,seed database.OAuth2ProviderDeviceCode) database.OAuth2ProviderDeviceCode {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Should probably be marked as at.Helper(), no?

ResourceUri:seed.ResourceUri,
PollingInterval:takeFirst(seed.PollingInterval,5),
})
require.NoError(t,err,"insert oauth2 device code")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Probably safer as anassert in case this is called from a goroutine.
BTW both comments here could apply to the other helper funcs in this file, so my suggestions are optional if consistency is what we want, but the others are likely wrong.

device_code_hashbyteaNOT NULL UNIQUE,
device_code_prefixtextNOT NULL UNIQUECHECK (length(device_code_prefix)=8),

-- User code (human-readable, 6-8 chars)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Do we need aCHECK for this?
Can we documentwhy these lengths are specified?

@@ -129,6 +129,11 @@ SELECT * FROM oauth2_provider_app_codes WHERE id = $1;
-- name: GetOAuth2ProviderAppCodeByPrefix :one
SELECT*FROM oauth2_provider_app_codesWHERE secret_prefix= $1;

-- name: ConsumeOAuth2ProviderAppCodeByPrefix :one
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Since you're only expecting one row back, you should add aLIMIT 1 just to be safe.


// Verify ownership
// nolint:gocritic // Using AsSystemRestricted is necessary for OAuth2 public token revocation endpoint
appSecret,err:=db.GetOAuth2ProviderAppSecretByID(dbauthz.AsSystemRestricted(ctx),dbToken.AppSecretID)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Really feels like we need a new role instead of overloading the system one.

// nolint:gocritic // Using AsSystemRestricted is necessary for OAuth2 public token revocation endpoint
err=db.DeleteAPIKeyByID(dbauthz.AsSystemRestricted(ctx),dbToken.APIKeyID)
iferr!=nil&&!errors.Is(err,sql.ErrNoRows) {
returnerr
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Wrap errors please.


funcrevokeAPIKey(ctx context.Context,db database.Store,tokenstring,appID uuid.UUID)error {
// Parse the API key ID from the token (format: <id>-<secret>)
parts:=strings.SplitN(token,"-",2)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Nit: I'd prefer a key encoder/decoder pattern.

Comment on lines +41 to +43
errBadDeviceCode=xerrors.New("Invalid device code")
// errAuthorizationPending means the user hasn't authorized the device yet.
errAuthorizationPending=xerrors.New("authorization pending")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Nit: use consistent capitalisation.

@@ -0,0 +1,44 @@
#!/bin/bash
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

👏👏👏👏

Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment
Reviewers

@dannykoppingdannykoppingdannykopping left review comments

@johnstcnjohnstcnAwaiting requested review from johnstcn

@EmyrkEmyrkAwaiting requested review from Emyrk

@mafredrimafredriAwaiting requested review from mafredri

@aslilacaslilacAwaiting requested review from aslilacaslilac is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

@ThomasK33ThomasK33

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

3 participants
@ThomasK33@dannykopping@aslilac
[8]ページ先頭
©2009-2025 Movatter.jp