NotificationsYou must be signed in to change notification settings
Fork1k
Star11.1k

Commit2d32123

committed

feat(oauth2): add RFC 8707 resource indicators and audience validation

Implements RFC 8707 Resource Indicators for OAuth2 provider to enable properaudience validation and token binding for multi-tenant scenarios.Key changes:- Add resource parameter support to authorization and token endpoints- Implement server-side audience validation for opaque tokens- Add database fields: ResourceUri (codes) and Audience (tokens)- Add comprehensive resource parameter validation logic- Add cross-resource audience validation in API middleware- Add extensive test coverage for RFC 8707 scenarios- Enhance PKCE implementation with timing attack protectionThis enables OAuth2 clients to specify target resource servers and preventstoken abuse across different Coder deployments through proper audience binding.Change-Id: I3924cb2139e837e3ac0b0bd40a5aeb59637ebc1bSigned-off-by: Thomas Kosiewski <tk@coder.com>

1 parente6243ce commit2d32123Copy full SHA for 2d32123

File tree

15 files changed

+1177

-7

lines changed

CLAUDE.md
coderd
- coderd.go
- database
  - dbauthz
    - dbauthz.go
    - dbauthz_test.go
  - dbmem
    - dbmem.go
  - dbmetrics
    - querymetrics.go
  - dbmock
    - dbmock.go
  - querier.go
  - queries.sql.go
  - queries
    - oauth2.sql
- httpmw
  - apikey.go
  - apikey_test.go
- identityprovider
  - authorize.go
  - tokens.go
- oauth2_test.go

15 files changed

+1177

-7

lines changed

`‎CLAUDE.md‎`

Lines changed: 36 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -89,6 +89,10 @@ Read [cursor rules](.cursorrules).`
`89`	`89`	- Format:`{number}_{description}.{up\|down}.sql`
`90`	`90`	`- Number must be unique and sequential`
`91`	`91`	`- Always include both up and down migrations`
	`92`	`+-Use helper scripts:`
	`93`	+-`./coderd/database/migrations/create_migration.sh "migration name"` - Creates new migration files
	`94`	+-`./coderd/database/migrations/fix_migration_numbers.sh` - Renumbers migrations to avoid conflicts
	`95`	+-`./coderd/database/migrations/create_fixture.sh "fixture name"` - Creates test fixtures for migrations
`92`	`96`
`93`	`97`	`2.Update database queries:`
`94`	`98`	- MUST DO! Any changes to database - adding queries, modifying queries should be done in the`coderd/database/queries/*.sql` files
`@@ -125,6 +129,29 @@ Read [cursor rules](.cursorrules).`
`125`	`129`	4.Run`make gen` again
`126`	`130`	5.Run`make lint` to catch any remaining issues
`127`	`131`
	`132`	`+###In-MemoryDatabaseTesting`
	`133`	`+`
	`134`	`+When adding new database fields:`
	`135`	`+`
	`136`	+- CRITICAL:Update`coderd/database/dbmem/dbmem.go` in-memory implementations
	`137`	+-The`Insert*` functions must includeALL new fields, not just basic ones
	`138`	`+-Common issue:Tests pass with real database but fail with in-memory database due to missing field mappings`
	`139`	`+-Always verify in-memory database functions match the real database schema after migrations`
	`140`	`+`
	`141`	`+Example pattern:`
	`142`	`+`
	`143`	+```go
	`144`	`+// In dbmem.go - ensure ALL fields are included`
	`145`	`+code := database.OAuth2ProviderAppCode{`
	`146`	`+ ID: arg.ID,`
	`147`	`+ CreatedAt: arg.CreatedAt,`
	`148`	`+ // ... existing fields ...`
	`149`	`+ ResourceUri: arg.ResourceUri, // New field`
	`150`	`+ CodeChallenge: arg.CodeChallenge, // New field`
	`151`	`+ CodeChallengeMethod: arg.CodeChallengeMethod, // New field`
	`152`	`+}`
	`153`	+```
	`154`	`+`
`128`	`155`	`##Architecture`
`129`	`156`
`130`	`157`	`###CoreComponents`
`@@ -209,6 +236,12 @@ When working on OAuth2 provider features:`
`209`	`236`	`-Avoid dependency on referer headersfor security decisions`
`210`	`237`	`-Support proper state parameter validation`
`211`	`238`
	`239`	`+6. RFC8707ResourceIndicators:`
	`240`	`+ -Store resource parameters in databasefor server-sidevalidation (opaque tokens)`
	`241`	`+ -Validate resource consistency between authorization and token requests`
	`242`	`+ -Support audience validation in refresh token flows`
	`243`	`+ -Resource parameter is optional but must be consistent when provided`
	`244`	`+`
`212`	`245`	`###OAuth2ErrorHandlingPattern`
`213`	`246`
`214`	`247`	```go
`@@ -265,3 +298,6 @@ Always run the full test suite after OAuth2 changes:`
`265`	`298`	`4. Missing newlines -Ensure files end with newline character`
`266`	`299`	5. Tests passing locally but failing inCI -Checkif`dbmem` implementation needs updating
`267`	`300`	`6. OAuth2 endpoints returning wrongerror format -EnsureOAuth2 endpointsreturnRFC6749 compliant errors`
	`301`	+7. OAuth2 tests failing but scripts working -Check in-memory database implementations in`dbmem.go`
	`302`	`+8. Resource indicator validation failing -Ensure database stores and retrieves resource parameters correctly`
	`303`	`+9. PKCE tests failing -Verify both authorization code storage and token exchange handlePKCE fields`

`‎coderd/coderd.go‎`

Lines changed: 3 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -781,6 +781,7 @@ func New(options Options) API {`
`781`	`781`	`Optional:false,`
`782`	`782`	`SessionTokenFunc:nil,// Default behavior`
`783`	`783`	`PostAuthAdditionalHeadersFunc:options.PostAuthAdditionalHeadersFunc,`
	`784`	`+Logger:options.Logger,`
`784`	`785`	`})`
`785`	`786`	`// Same as above but it redirects to the login page.`
`786`	`787`	`apiKeyMiddlewareRedirect:=httpmw.ExtractAPIKeyMW(httpmw.ExtractAPIKeyConfig{`
`@@ -791,6 +792,7 @@ func New(options Options) API {`
`791`	`792`	`Optional:false,`
`792`	`793`	`SessionTokenFunc:nil,// Default behavior`
`793`	`794`	`PostAuthAdditionalHeadersFunc:options.PostAuthAdditionalHeadersFunc,`
	`795`	`+Logger:options.Logger,`
`794`	`796`	`})`
`795`	`797`	`// Same as the first but it's optional.`
`796`	`798`	`apiKeyMiddlewareOptional:=httpmw.ExtractAPIKeyMW(httpmw.ExtractAPIKeyConfig{`
`@@ -801,6 +803,7 @@ func New(options Options) API {`
`801`	`803`	`Optional:true,`
`802`	`804`	`SessionTokenFunc:nil,// Default behavior`
`803`	`805`	`PostAuthAdditionalHeadersFunc:options.PostAuthAdditionalHeadersFunc,`
	`806`	`+Logger:options.Logger,`
`804`	`807`	`})`
`805`	`808`
`806`	`809`	`workspaceAgentInfo:=httpmw.ExtractWorkspaceAgentAndLatestBuild(httpmw.ExtractWorkspaceAgentAndLatestBuildConfig{`

`‎coderd/database/dbauthz/dbauthz.go‎`

Lines changed: 19 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -2181,6 +2181,25 @@ func (q *querier) GetOAuth2ProviderAppSecretsByAppID(ctx context.Context, appID`
`2181`	`2181`	`returnq.db.GetOAuth2ProviderAppSecretsByAppID(ctx,appID)`
`2182`	`2182`	`}`
`2183`	`2183`
	`2184`	`+func (q*querier)GetOAuth2ProviderAppTokenByAPIKeyID(ctx context.Context,apiKeyIDstring) (database.OAuth2ProviderAppToken,error) {`
	`2185`	`+token,err:=q.db.GetOAuth2ProviderAppTokenByAPIKeyID(ctx,apiKeyID)`
	`2186`	`+iferr!=nil {`
	`2187`	`+return database.OAuth2ProviderAppToken{},err`
	`2188`	`+}`
	`2189`	`+`
	`2190`	`+// Get the associated API key to check ownership`
	`2191`	`+apiKey,err:=q.db.GetAPIKeyByID(ctx,token.APIKeyID)`
	`2192`	`+iferr!=nil {`
	`2193`	`+return database.OAuth2ProviderAppToken{},err`
	`2194`	`+}`
	`2195`	`+`
	`2196`	`+iferr:=q.authorizeContext(ctx,policy.ActionRead,rbac.ResourceOauth2AppCodeToken.WithOwner(apiKey.UserID.String()));err!=nil {`
	`2197`	`+return database.OAuth2ProviderAppToken{},err`
	`2198`	`+}`
	`2199`	`+`
	`2200`	`+returntoken,nil`
	`2201`	`+}`
	`2202`	`+`
`2184`	`2203`	`func (q*querier)GetOAuth2ProviderAppTokenByPrefix(ctx context.Context,hashPrefix []byte) (database.OAuth2ProviderAppToken,error) {`
`2185`	`2204`	`token,err:=q.db.GetOAuth2ProviderAppTokenByPrefix(ctx,hashPrefix)`
`2186`	`2205`	`iferr!=nil {`

`‎coderd/database/dbauthz/dbauthz_test.go‎`

Lines changed: 15 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -5380,6 +5380,21 @@ func (s *MethodTestSuite) TestOAuth2ProviderAppTokens() {`
`5380`	`5380`	`})`
`5381`	`5381`	`check.Args(token.HashPrefix).Asserts(rbac.ResourceOauth2AppCodeToken.WithOwner(user.ID.String()),policy.ActionRead)`
`5382`	`5382`	`}))`
	`5383`	`+s.Run("GetOAuth2ProviderAppTokenByAPIKeyID",s.Subtest(func(db database.Store,check*expects) {`
	`5384`	`+user:=dbgen.User(s.T(),db, database.User{})`
	`5385`	`+key,_:=dbgen.APIKey(s.T(),db, database.APIKey{`
	`5386`	`+UserID:user.ID,`
	`5387`	`+})`
	`5388`	`+app:=dbgen.OAuth2ProviderApp(s.T(),db, database.OAuth2ProviderApp{})`
	`5389`	`+secret:=dbgen.OAuth2ProviderAppSecret(s.T(),db, database.OAuth2ProviderAppSecret{`
	`5390`	`+AppID:app.ID,`
	`5391`	`+})`
	`5392`	`+token:=dbgen.OAuth2ProviderAppToken(s.T(),db, database.OAuth2ProviderAppToken{`
	`5393`	`+AppSecretID:secret.ID,`
	`5394`	`+APIKeyID:key.ID,`
	`5395`	`+})`
	`5396`	`+check.Args(token.APIKeyID).Asserts(rbac.ResourceOauth2AppCodeToken.WithOwner(user.ID.String()),policy.ActionRead).Returns(token)`
	`5397`	`+}))`
`5383`	`5398`	`s.Run("DeleteOAuth2ProviderAppTokensByAppAndUserID",s.Subtest(func(db database.Store,check*expects) {`
`5384`	`5399`	`dbtestutil.DisableForeignKeysAndTriggers(s.T(),db)`
`5385`	`5400`	`user:=dbgen.User(s.T(),db, database.User{})`

`‎coderd/database/dbmem/dbmem.go‎`

Lines changed: 13 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -4054,6 +4054,19 @@ func (q *FakeQuerier) GetOAuth2ProviderAppSecretsByAppID(_ context.Context, appI`
`4054`	`4054`	`return []database.OAuth2ProviderAppSecret{},sql.ErrNoRows`
`4055`	`4055`	`}`
`4056`	`4056`
	`4057`	`+func (q*FakeQuerier)GetOAuth2ProviderAppTokenByAPIKeyID(_ context.Context,apiKeyIDstring) (database.OAuth2ProviderAppToken,error) {`
	`4058`	`+q.mutex.Lock()`
	`4059`	`+deferq.mutex.Unlock()`
	`4060`	`+`
	`4061`	`+for_,token:=rangeq.oauth2ProviderAppTokens {`
	`4062`	`+iftoken.APIKeyID==apiKeyID {`
	`4063`	`+returntoken,nil`
	`4064`	`+}`
	`4065`	`+}`
	`4066`	`+`
	`4067`	`+return database.OAuth2ProviderAppToken{},sql.ErrNoRows`
	`4068`	`+}`
	`4069`	`+`
`4057`	`4070`	`func (q*FakeQuerier)GetOAuth2ProviderAppTokenByPrefix(_ context.Context,hashPrefix []byte) (database.OAuth2ProviderAppToken,error) {`
`4058`	`4071`	`q.mutex.Lock()`
`4059`	`4072`	`deferq.mutex.Unlock()`

Original file line number	Diff line number	Diff line change
`@@ -136,6 +136,9 @@ INSERT INTO oauth2_provider_app_tokens (`
`136`	`136`	`-- name: GetOAuth2ProviderAppTokenByPrefix :one`
`137`	`137`	`SELECT*FROM oauth2_provider_app_tokensWHERE hash_prefix= $1;`
`138`	`138`
	`139`	`+-- name: GetOAuth2ProviderAppTokenByAPIKeyID :one`
	`140`	`+SELECT*FROM oauth2_provider_app_tokensWHERE api_key_id= $1;`
	`141`	`+`
`139`	`142`	`-- name: GetOAuth2ProviderAppsByUserID :many`
`140`	`143`	`SELECT`
`141`	`144`	`COUNT(DISTINCToauth2_provider_app_tokens.id)as token_count,`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit2d32123

File tree

15 files changed

15 files changed

`‎CLAUDE.md‎`

`‎coderd/coderd.go‎`

`‎coderd/database/dbauthz/dbauthz.go‎`

`‎coderd/database/dbauthz/dbauthz_test.go‎`

`‎coderd/database/dbmem/dbmem.go‎`

`‎coderd/database/dbmetrics/querymetrics.go‎`

`‎coderd/database/dbmock/dbmock.go‎`

`‎coderd/database/querier.go‎`

`‎coderd/database/queries.sql.go‎`

`‎coderd/database/queries/oauth2.sql‎`

0 commit comments