NotificationsYou must be signed in to change notification settings
Fork1k
Star11.1k

Commit1a9400e

committed

feat(oauth2): implement RFC 6750 Bearer Token Support for MCP compliance

- Add RFC 6750 bearer token extraction to APITokenFromRequest as fallback methods- Support Authorization: Bearer <token> header and access_token query parameter- Maintain backward compatibility by prioritizing existing custom methods first- Add WWW-Authenticate headers to 401/403 responses per RFC 6750- Update Protected Resource Metadata to advertise bearer_methods_supported- Add comprehensive test suite for RFC 6750 compliance in rfc6750_test.go- Update MCP test scripts with bearer token authentication tests- Enhance CLAUDE.md with improved Go LSP tool usage guidelinesImplements RFC 6750 Section 2.1 (Authorization Request Header Field) and 2.3 (URI Query Parameter).Maintains full backward compatibility with existing Coder authentication methods.Completes major MCP OAuth2 compliance milestone.Change-Id: Ic9c9057153b40728ad91b377d753a7ffd566add7Signed-off-by: Thomas Kosiewski <tk@coder.com>

1 parentc68a923 commit1a9400eCopy full SHA for 1a9400e

File tree

6 files changed

+1004

-7

lines changed

coderd
scripts/oauth2
- test-mcp-oauth2.sh

6 files changed

+1004

-7

lines changed

`‎coderd/httpmw/apikey.go‎`

Lines changed: 37 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -210,6 +210,26 @@ func ExtractAPIKey(rw http.ResponseWriter, r *http.Request, cfg ExtractAPIKeyCon`
`210`	`210`	`returnnil,nil,false`
`211`	`211`	`}`
`212`	`212`
	`213`	`+// Add WWW-Authenticate header for 401/403 responses (RFC 6750)`
	`214`	`+ifcode==http.StatusUnauthorized\|\|code==http.StatusForbidden {`
	`215`	`+// Basic Bearer challenge with realm`
	`216`	+wwwAuth:=`Bearer realm="coder"`
	`217`	`+`
	`218`	`+// Add error details based on the type of error`
	`219`	`+switch {`
	`220`	`+casestrings.Contains(response.Message,"invalid")\|\|strings.Contains(response.Detail,"invalid"):`
	`221`	+wwwAuth=`Bearer realm="coder", error="invalid_token", error_description="The access token is invalid"`
	`222`	`+casestrings.Contains(response.Message,"expired")\|\|strings.Contains(response.Detail,"expired"):`
	`223`	+wwwAuth=`Bearer realm="coder", error="invalid_token", error_description="The access token has expired"`
	`224`	`+casestrings.Contains(response.Message,"audience")\|\|strings.Contains(response.Message,"mismatch"):`
	`225`	+wwwAuth=`Bearer realm="coder", error="invalid_token", error_description="The access token audience does not match this resource"`
	`226`	`+casecode==http.StatusForbidden:`
	`227`	+wwwAuth=`Bearer realm="coder", error="insufficient_scope", error_description="The request requires higher privileges than provided by the access token"`
	`228`	`+}`
	`229`	`+`
	`230`	`+rw.Header().Set("WWW-Authenticate",wwwAuth)`
	`231`	`+}`
	`232`	`+`
`213`	`233`	`httpapi.Write(ctx,rw,code,response)`
`214`	`234`	`returnnil,nil,false`
`215`	`235`	`}`
`@@ -536,9 +556,14 @@ func UserRBACSubject(ctx context.Context, db database.Store, userID uuid.UUID, s`
`536`	`556`	`// 1: The cookie`
`537`	`557`	`// 2. The coder_session_token query parameter`
`538`	`558`	`// 3. The custom auth header`
	`559`	`+// 4. RFC 6750 Authorization: Bearer header`
	`560`	`+// 5. RFC 6750 access_token query parameter`
`539`	`561`	`//`
`540`	`562`	`// API tokens for apps are read from workspaceapps/cookies.go.`
`541`	`563`	`funcAPITokenFromRequest(r*http.Request)string {`
	`564`	`+// Prioritize existing Coder custom authentication methods first`
	`565`	`+// to maintain backward compatibility and existing behavior`
	`566`	`+`
`542`	`567`	`cookie,err:=r.Cookie(codersdk.SessionTokenCookie)`
`543`	`568`	`iferr==nil&&cookie.Value!="" {`
`544`	`569`	`returncookie.Value`
`@@ -554,7 +579,18 @@ func APITokenFromRequest(r *http.Request) string {`
`554`	`579`	`returnheaderValue`
`555`	`580`	`}`
`556`	`581`
`557`		`-// TODO(ThomasK33): Implement RFC 6750`
	`582`	`+// RFC 6750 Bearer Token support (added as fallback methods)`
	`583`	`+// Check Authorization: Bearer <token> header`
	`584`	`+authHeader:=r.Header.Get("Authorization")`
	`585`	`+ifstrings.HasPrefix(authHeader,"Bearer ") {`
	`586`	`+returnstrings.TrimPrefix(authHeader,"Bearer ")`
	`587`	`+}`
	`588`	`+`
	`589`	`+// Check access_token query parameter`
	`590`	`+accessToken:=r.URL.Query().Get("access_token")`
	`591`	`+ifaccessToken!="" {`
	`592`	`+returnaccessToken`
	`593`	`+}`
`558`	`594`
`559`	`595`	`return""`
`560`	`596`	`}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit1a9400e

File tree

6 files changed

6 files changed

`‎coderd/httpmw/apikey.go‎`

0 commit comments