Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit09c5055

Browse files
authored
feat: implement RFC 6750 Bearer token authentication (#18644)
# Add RFC 6750 Bearer Token Authentication SupportThis PR implements RFC 6750 Bearer Token authentication as an additional authentication method for Coder's API. This allows clients to authenticate using standard OAuth 2.0 Bearer tokens in two ways:1. Using the `Authorization: Bearer <token>` header2. Using the `access_token` query parameterKey changes:- Added support for extracting tokens from both Bearer headers and access_token query parameters- Implemented proper WWW-Authenticate headers for 401/403 responses with appropriate error descriptions- Added comprehensive test coverage for the new authentication methods- Updated the OAuth2 protected resource metadata endpoint to advertise Bearer token support- Enhanced the OAuth2 testing script to verify Bearer token functionalityThese authentication methods are added as fallback options, maintaining backward compatibility with Coder's existing authentication mechanisms. The existing authentication methods (cookies, session token header, etc.) still take precedence.This implementation follows the OAuth 2.0 Bearer Token specification (RFC 6750) and improves interoperability with standard OAuth 2.0 clients.
1 parenteade5b0 commit09c5055

File tree

7 files changed

+784
-7
lines changed

7 files changed

+784
-7
lines changed

‎coderd/httpmw/apikey.go‎

Lines changed: 42 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -214,6 +214,31 @@ func ExtractAPIKey(rw http.ResponseWriter, r *http.Request, cfg ExtractAPIKeyCon
214214
returnnil,nil,false
215215
}
216216

217+
// Add WWW-Authenticate header for 401/403 responses (RFC 6750)
218+
ifcode==http.StatusUnauthorized||code==http.StatusForbidden {
219+
varwwwAuthstring
220+
221+
switchcode {
222+
casehttp.StatusUnauthorized:
223+
// Map 401 to invalid_token with specific error descriptions
224+
switch {
225+
casestrings.Contains(response.Message,"expired")||strings.Contains(response.Detail,"expired"):
226+
wwwAuth=`Bearer realm="coder", error="invalid_token", error_description="The access token has expired"`
227+
casestrings.Contains(response.Message,"audience")||strings.Contains(response.Message,"mismatch"):
228+
wwwAuth=`Bearer realm="coder", error="invalid_token", error_description="The access token audience does not match this resource"`
229+
default:
230+
wwwAuth=`Bearer realm="coder", error="invalid_token", error_description="The access token is invalid"`
231+
}
232+
casehttp.StatusForbidden:
233+
// Map 403 to insufficient_scope per RFC 6750
234+
wwwAuth=`Bearer realm="coder", error="insufficient_scope", error_description="The request requires higher privileges than provided by the access token"`
235+
default:
236+
wwwAuth=`Bearer realm="coder"`
237+
}
238+
239+
rw.Header().Set("WWW-Authenticate",wwwAuth)
240+
}
241+
217242
httpapi.Write(ctx,rw,code,response)
218243
returnnil,nil,false
219244
}
@@ -653,9 +678,14 @@ func UserRBACSubject(ctx context.Context, db database.Store, userID uuid.UUID, s
653678
// 1: The cookie
654679
// 2. The coder_session_token query parameter
655680
// 3. The custom auth header
681+
// 4. RFC 6750 Authorization: Bearer header
682+
// 5. RFC 6750 access_token query parameter
656683
//
657684
// API tokens for apps are read from workspaceapps/cookies.go.
658685
funcAPITokenFromRequest(r*http.Request)string {
686+
// Prioritize existing Coder custom authentication methods first
687+
// to maintain backward compatibility and existing behavior
688+
659689
cookie,err:=r.Cookie(codersdk.SessionTokenCookie)
660690
iferr==nil&&cookie.Value!="" {
661691
returncookie.Value
@@ -671,7 +701,18 @@ func APITokenFromRequest(r *http.Request) string {
671701
returnheaderValue
672702
}
673703

674-
// TODO(ThomasK33): Implement RFC 6750
704+
// RFC 6750 Bearer Token support (added as fallback methods)
705+
// Check Authorization: Bearer <token> header (case-insensitive per RFC 6750)
706+
authHeader:=r.Header.Get("Authorization")
707+
ifstrings.HasPrefix(strings.ToLower(authHeader),"bearer ") {
708+
returnauthHeader[7:]// Skip "Bearer " (7 characters)
709+
}
710+
711+
// Check access_token query parameter
712+
accessToken:=r.URL.Query().Get("access_token")
713+
ifaccessToken!="" {
714+
returnaccessToken
715+
}
675716

676717
return""
677718
}

‎coderd/httpmw/csrf.go‎

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -102,6 +102,12 @@ func CSRF(cookieCfg codersdk.HTTPCookieConfig) func(next http.Handler) http.Hand
102102
returntrue
103103
}
104104

105+
// RFC 6750 Bearer Token authentication is exempt from CSRF
106+
// as it uses custom headers that cannot be set by malicious sites
107+
ifauthHeader:=r.Header.Get("Authorization");strings.HasPrefix(strings.ToLower(authHeader),"bearer ") {
108+
returntrue
109+
}
110+
105111
// If the X-CSRF-TOKEN header is set, we can exempt the func if it's valid.
106112
// This is the CSRF check.
107113
sent:=r.Header.Get("X-CSRF-TOKEN")

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp