NotificationsYou must be signed in to change notification settings
Fork1k
Star11.1k

Commit5c1b9f6

committed

feat(oauth2): implement RFC 6750 Bearer Token Support for MCP compliance

- Add RFC 6750 bearer token extraction to APITokenFromRequest as fallback methods- Support Authorization: Bearer <token> header and access_token query parameter- Maintain backward compatibility by prioritizing existing custom methods first- Add WWW-Authenticate headers to 401/403 responses per RFC 6750- Update Protected Resource Metadata to advertise bearer_methods_supported- Add comprehensive test suite for RFC 6750 compliance in rfc6750_test.go- Update MCP test scripts with bearer token authentication tests- Enhance CLAUDE.md with improved Go LSP tool usage guidelinesImplements RFC 6750 Section 2.1 (Authorization Request Header Field) and 2.3 (URI Query Parameter).Maintains full backward compatibility with existing Coder authentication methods.Completes major MCP OAuth2 compliance milestone.Change-Id: Ic9c9057153b40728ad91b377d753a7ffd566add7Signed-off-by: Thomas Kosiewski <tk@coder.com>

1 parent33bbf18 commit5c1b9f6Copy full SHA for 5c1b9f6

File tree

7 files changed

+784

-7

lines changed

coderd
scripts/oauth2
- test-mcp-oauth2.sh

7 files changed

+784

-7

lines changed

`‎coderd/httpmw/apikey.go‎`

Lines changed: 42 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -214,6 +214,31 @@ func ExtractAPIKey(rw http.ResponseWriter, r *http.Request, cfg ExtractAPIKeyCon`
`214`	`214`	`returnnil,nil,false`
`215`	`215`	`}`
`216`	`216`
	`217`	`+// Add WWW-Authenticate header for 401/403 responses (RFC 6750)`
	`218`	`+ifcode==http.StatusUnauthorized\|\|code==http.StatusForbidden {`
	`219`	`+varwwwAuthstring`
	`220`	`+`
	`221`	`+switchcode {`
	`222`	`+casehttp.StatusUnauthorized:`
	`223`	`+// Map 401 to invalid_token with specific error descriptions`
	`224`	`+switch {`
	`225`	`+casestrings.Contains(response.Message,"expired")\|\|strings.Contains(response.Detail,"expired"):`
	`226`	+wwwAuth=`Bearer realm="coder", error="invalid_token", error_description="The access token has expired"`
	`227`	`+casestrings.Contains(response.Message,"audience")\|\|strings.Contains(response.Message,"mismatch"):`
	`228`	+wwwAuth=`Bearer realm="coder", error="invalid_token", error_description="The access token audience does not match this resource"`
	`229`	`+default:`
	`230`	+wwwAuth=`Bearer realm="coder", error="invalid_token", error_description="The access token is invalid"`
	`231`	`+}`
	`232`	`+casehttp.StatusForbidden:`
	`233`	`+// Map 403 to insufficient_scope per RFC 6750`
	`234`	+wwwAuth=`Bearer realm="coder", error="insufficient_scope", error_description="The request requires higher privileges than provided by the access token"`
	`235`	`+default:`
	`236`	+wwwAuth=`Bearer realm="coder"`
	`237`	`+}`
	`238`	`+`
	`239`	`+rw.Header().Set("WWW-Authenticate",wwwAuth)`
	`240`	`+}`
	`241`	`+`
`217`	`242`	`httpapi.Write(ctx,rw,code,response)`
`218`	`243`	`returnnil,nil,false`
`219`	`244`	`}`
`@@ -653,9 +678,14 @@ func UserRBACSubject(ctx context.Context, db database.Store, userID uuid.UUID, s`
`653`	`678`	`// 1: The cookie`
`654`	`679`	`// 2. The coder_session_token query parameter`
`655`	`680`	`// 3. The custom auth header`
	`681`	`+// 4. RFC 6750 Authorization: Bearer header`
	`682`	`+// 5. RFC 6750 access_token query parameter`
`656`	`683`	`//`
`657`	`684`	`// API tokens for apps are read from workspaceapps/cookies.go.`
`658`	`685`	`funcAPITokenFromRequest(r*http.Request)string {`
	`686`	`+// Prioritize existing Coder custom authentication methods first`
	`687`	`+// to maintain backward compatibility and existing behavior`
	`688`	`+`
`659`	`689`	`cookie,err:=r.Cookie(codersdk.SessionTokenCookie)`
`660`	`690`	`iferr==nil&&cookie.Value!="" {`
`661`	`691`	`returncookie.Value`
`@@ -671,7 +701,18 @@ func APITokenFromRequest(r *http.Request) string {`
`671`	`701`	`returnheaderValue`
`672`	`702`	`}`
`673`	`703`
`674`		`-// TODO(ThomasK33): Implement RFC 6750`
	`704`	`+// RFC 6750 Bearer Token support (added as fallback methods)`
	`705`	`+// Check Authorization: Bearer <token> header (case-insensitive per RFC 6750)`
	`706`	`+authHeader:=r.Header.Get("Authorization")`
	`707`	`+ifstrings.HasPrefix(strings.ToLower(authHeader),"bearer ") {`
	`708`	`+returnauthHeader[7:]// Skip "Bearer " (7 characters)`
	`709`	`+}`
	`710`	`+`
	`711`	`+// Check access_token query parameter`
	`712`	`+accessToken:=r.URL.Query().Get("access_token")`
	`713`	`+ifaccessToken!="" {`
	`714`	`+returnaccessToken`
	`715`	`+}`
`675`	`716`
`676`	`717`	`return""`
`677`	`718`	`}`

`‎coderd/httpmw/csrf.go‎`

Lines changed: 6 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -102,6 +102,12 @@ func CSRF(cookieCfg codersdk.HTTPCookieConfig) func(next http.Handler) http.Hand`
`102`	`102`	`returntrue`
`103`	`103`	`}`
`104`	`104`
	`105`	`+// RFC 6750 Bearer Token authentication is exempt from CSRF`
	`106`	`+// as it uses custom headers that cannot be set by malicious sites`
	`107`	`+ifauthHeader:=r.Header.Get("Authorization");strings.HasPrefix(strings.ToLower(authHeader),"bearer ") {`
	`108`	`+returntrue`
	`109`	`+}`
	`110`	`+`
`105`	`111`	`// If the X-CSRF-TOKEN header is set, we can exempt the func if it's valid.`
`106`	`112`	`// This is the CSRF check.`
`107`	`113`	`sent:=r.Header.Get("X-CSRF-TOKEN")`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit5c1b9f6

File tree

7 files changed

7 files changed

`‎coderd/httpmw/apikey.go‎`

`‎coderd/httpmw/csrf.go‎`

0 commit comments