NotificationsYou must be signed in to change notification settings
Fork927
Star10.1k

Commit5be6c6a

committed

feat(oauth2): implement RFC 9728 Protected Resource Metadata endpoint

- Add OAuth2ProtectedResourceMetadata struct in codersdk/oauth2.go- Implement /.well-known/oauth-protected-resource endpoint handler- Register route in coderd.go for Protected Resource Metadata discovery- Add comprehensive test coverage in oauth2_metadata_test.go- Update OpenAPI documentation and generated API types- Correctly omit bearer_methods_supported field (Coder uses custom auth)- Support MCP OAuth2 compliance requirement for resource server metadataThis implements RFC 9728 OAuth 2.0 Protected Resource Metadata to enableMCP clients to discover resource server capabilities and authorization servers.Change-Id: I089232ae755acf13eb0a7be46944c9eeaaafb75bSigned-off-by: Thomas Kosiewski <tk@coder.com>

1 parent1e2bc51 commit5be6c6aCopy full SHA for 5be6c6a

File tree

10 files changed

+223

-0

lines changed

coderd
- apidoc
  - docs.go
  - swagger.json
- coderd.go
- httpmw
  - apikey.go
- oauth2.go
- oauth2_metadata_test.go
codersdk
- oauth2.go
docs/reference/api
- enterprise.md
- schemas.md
site/src/api
- typesGenerated.ts

10 files changed

+223

-0

lines changed

Original file line number	Diff line number	Diff line change
`@@ -911,6 +911,8 @@ func New(options Options) API {`
`911`	`911`
`912`	`912`	`// OAuth2 metadata endpoint for RFC 8414 discovery`
`913`	`913`	`r.Get("/.well-known/oauth-authorization-server",api.oauth2AuthorizationServerMetadata)`
	`914`	`+// OAuth2 protected resource metadata endpoint for RFC 9728 discovery`
	`915`	`+r.Get("/.well-known/oauth-protected-resource",api.oauth2ProtectedResourceMetadata)`
`914`	`916`
`915`	`917`	`// OAuth2 linking routes do not make sense under the /api/v2 path. These are`
`916`	`918`	`// for an external application to use Coder as an OAuth2 provider, not for`

`‎coderd/httpmw/apikey.go`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -552,6 +552,8 @@ func APITokenFromRequest(r *http.Request) string {`
`552`	`552`	`returnheaderValue`
`553`	`553`	`}`
`554`	`554`
	`555`	`+// TODO(ThomasK33): Implement RFC 6750`
	`556`	`+`
`555`	`557`	`return""`
`556`	`558`	`}`
`557`	`559`

`‎coderd/oauth2.go`

Lines changed: 20 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -417,3 +417,23 @@ func (api API) oauth2AuthorizationServerMetadata(rw http.ResponseWriter, r htt`
`417`	`417`	`}`
`418`	`418`	`httpapi.Write(ctx,rw,http.StatusOK,metadata)`
`419`	`419`	`}`
	`420`	`+`
	`421`	`+// @Summary OAuth2 protected resource metadata.`
	`422`	`+// @ID oauth2-protected-resource-metadata`
	`423`	`+// @Produce json`
	`424`	`+// @Tags Enterprise`
	`425`	`+// @Success 200 {object} codersdk.OAuth2ProtectedResourceMetadata`
	`426`	`+// @Router /.well-known/oauth-protected-resource [get]`
	`427`	`+func (apiAPI)oauth2ProtectedResourceMetadata(rw http.ResponseWriter,rhttp.Request) {`
	`428`	`+ctx:=r.Context()`
	`429`	`+metadata:= codersdk.OAuth2ProtectedResourceMetadata{`
	`430`	`+Resource:api.AccessURL.String(),`
	`431`	`+AuthorizationServers: []string{api.AccessURL.String()},`
	`432`	`+// TODO: Implement scope system based on RBAC permissions`
	`433`	`+ScopesSupported: []string{},`
	`434`	`+// Note: Coder uses custom authentication methods, not RFC 6750 bearer tokens`
	`435`	`+// TODO(ThomasK33): Implement RFC 6750`
	`436`	`+// BearerMethodsSupported: []string{}, // Omitted - no standard bearer token support`
	`437`	`+}`
	`438`	`+httpapi.Write(ctx,rw,http.StatusOK,metadata)`
	`439`	`+}`

`‎coderd/oauth2_metadata_test.go`

Lines changed: 32 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -41,3 +41,35 @@ func TestOAuth2AuthorizationServerMetadata(t *testing.T) {`
`41`	`41`	`require.Contains(t,metadata.GrantTypesSupported,"refresh_token")`
`42`	`42`	`require.Contains(t,metadata.CodeChallengeMethodsSupported,"S256")`
`43`	`43`	`}`
	`44`	`+`
	`45`	`+funcTestOAuth2ProtectedResourceMetadata(t*testing.T) {`
	`46`	`+t.Parallel()`
	`47`	`+`
	`48`	`+client:=coderdtest.New(t,nil)`
	`49`	`+`
	`50`	`+ctx,cancel:=context.WithTimeout(context.Background(),testutil.WaitLong)`
	`51`	`+defercancel()`
	`52`	`+`
	`53`	`+// Get the protected resource metadata`
	`54`	`+resp,err:=client.Request(ctx,http.MethodGet,"/.well-known/oauth-protected-resource",nil)`
	`55`	`+require.NoError(t,err)`
	`56`	`+deferresp.Body.Close()`
	`57`	`+`
	`58`	`+require.Equal(t,http.StatusOK,resp.StatusCode)`
	`59`	`+`
	`60`	`+varmetadata codersdk.OAuth2ProtectedResourceMetadata`
	`61`	`+err=json.NewDecoder(resp.Body).Decode(&metadata)`
	`62`	`+require.NoError(t,err)`
	`63`	`+`
	`64`	`+// Verify the metadata`
	`65`	`+require.NotEmpty(t,metadata.Resource)`
	`66`	`+require.NotEmpty(t,metadata.AuthorizationServers)`
	`67`	`+require.Len(t,metadata.AuthorizationServers,1)`
	`68`	`+require.Equal(t,metadata.Resource,metadata.AuthorizationServers[0])`
	`69`	`+// BearerMethodsSupported is omitted since Coder uses custom authentication methods`
	`70`	`+// Standard RFC 6750 bearer tokens are not supported`
	`71`	`+require.True(t,len(metadata.BearerMethodsSupported)==0)`
	`72`	`+// ScopesSupported can be empty until scope system is implemented`
	`73`	`+// Empty slice is marshaled as empty array, but can be nil when unmarshaled`
	`74`	`+require.True(t,len(metadata.ScopesSupported)==0)`
	`75`	`+}`

`‎codersdk/oauth2.go`

Lines changed: 8 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -244,3 +244,11 @@ type OAuth2AuthorizationServerMetadata struct {`
`244`	`244`	ScopesSupported []string`json:"scopes_supported,omitempty"`
`245`	`245`	TokenEndpointAuthMethodsSupported []string`json:"token_endpoint_auth_methods_supported,omitempty"`
`246`	`246`	`}`
	`247`	`+`
	`248`	`+// OAuth2ProtectedResourceMetadata represents RFC 9728 OAuth 2.0 Protected Resource Metadata`
	`249`	`+typeOAuth2ProtectedResourceMetadatastruct {`
	`250`	+Resourcestring`json:"resource"`
	`251`	+AuthorizationServers []string`json:"authorization_servers"`
	`252`	+ScopesSupported []string`json:"scopes_supported,omitempty"`
	`253`	+BearerMethodsSupported []string`json:"bearer_methods_supported,omitempty"`
	`254`	`+}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit5be6c6a

File tree

10 files changed

10 files changed

`‎coderd/apidoc/docs.go`

`‎coderd/apidoc/swagger.json`

`‎coderd/coderd.go`

`‎coderd/httpmw/apikey.go`

`‎coderd/oauth2.go`

`‎coderd/oauth2_metadata_test.go`

`‎codersdk/oauth2.go`

`‎docs/reference/api/enterprise.md`

`‎docs/reference/api/schemas.md`

`‎site/src/api/typesGenerated.ts`

0 commit comments