NotificationsYou must be signed in to change notification settings
Fork1k
Star11.1k

Commitb0101aa

committed

github oauth2 device flow backend

1 parent53f0007 commitb0101aaCopy full SHA for b0101aa

File tree

6 files changed

+127

-6

lines changed

cli
- server.go
coderd
- coderd.go
- httpmw
  - oauth2.go
- userauth.go
codersdk
- deployment.go
- oauth2.go

6 files changed

+127

-6

lines changed

`‎cli/server.go‎`

Lines changed: 28 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -677,12 +677,13 @@ func (r RootCmd) Server(newAPI func(context.Context, coderd.Options) (*coderd.`
`677`	`677`	`}`
`678`	`678`	`}`
`679`	`679`
`680`		`-ifvals.OAuth2.Github.ClientSecret!="" {`
	`680`	`+ifvals.OAuth2.Github.ClientSecret!=""\|\|vals.OAuth2.Github.DeviceFlow.Value(){`
`681`	`681`	`options.GithubOAuth2Config,err=configureGithubOAuth2(`
`682`	`682`	`oauthInstrument,`
`683`	`683`	`vals.AccessURL.Value(),`
`684`	`684`	`vals.OAuth2.Github.ClientID.String(),`
`685`	`685`	`vals.OAuth2.Github.ClientSecret.String(),`
	`686`	`+vals.OAuth2.Github.DeviceFlow.Value(),`
`686`	`687`	`vals.OAuth2.Github.AllowSignups.Value(),`
`687`	`688`	`vals.OAuth2.Github.AllowEveryone.Value(),`
`688`	`689`	`vals.OAuth2.Github.AllowedOrgs,`
`@@ -1832,7 +1833,7 @@ func configureCAPool(tlsClientCAFile string, tlsConfig *tls.Config) error {`
`1832`	`1833`	`}`
`1833`	`1834`
`1834`	`1835`	`//nolint:revive // Ignore flag-parameter: parameter 'allowEveryone' seems to be a control flag, avoid control coupling (revive)`
`1835`		`-funcconfigureGithubOAuth2(instrumentpromoauth.Factory,accessURLurl.URL,clientID,clientSecretstring,allowSignups,allowEveryonebool,allowOrgs []string,rawTeams []string,enterpriseBaseURLstring) (*coderd.GithubOAuth2Config,error) {`
	`1836`	`+funcconfigureGithubOAuth2(instrumentpromoauth.Factory,accessURLurl.URL,clientID,clientSecretstring,deviceFlow,allowSignups,allowEveryonebool,allowOrgs []string,rawTeams []string,enterpriseBaseURLstring) (*coderd.GithubOAuth2Config,error) {`
`1836`	`1837`	`redirectURL,err:=accessURL.Parse("/api/v2/users/oauth2/github/callback")`
`1837`	`1838`	`iferr!=nil {`
`1838`	`1839`	`returnnil,xerrors.Errorf("parse github oauth callback url: %w",err)`
`@@ -1898,6 +1899,16 @@ func configureGithubOAuth2(instrument promoauth.Factory, accessURL url.URL, cl`
`1898`	`1899`	`returngithub.NewClient(client),nil`
`1899`	`1900`	`}`
`1900`	`1901`
	`1902`	`+createDeviceAuth:=func()*externalauth.DeviceAuth {`
	`1903`	`+return&externalauth.DeviceAuth{`
	`1904`	`+Config:instrumentedOauth,`
	`1905`	`+ClientID:clientID,`
	`1906`	`+TokenURL:endpoint.TokenURL,`
	`1907`	`+Scopes: []string{"read:user","read:org","user:email"},`
	`1908`	`+CodeURL:endpoint.DeviceAuthURL,`
	`1909`	`+}`
	`1910`	`+}`
	`1911`	`+`
`1901`	`1912`	`return&coderd.GithubOAuth2Config{`
`1902`	`1913`	`OAuth2Config:instrumentedOauth,`
`1903`	`1914`	`AllowSignups:allowSignups,`
`@@ -1941,6 +1952,21 @@ func configureGithubOAuth2(instrument promoauth.Factory, accessURL url.URL, cl`
`1941`	`1952`	`team,_,err:=api.Teams.GetTeamMembershipBySlug(ctx,org,teamSlug,username)`
`1942`	`1953`	`returnteam,err`
`1943`	`1954`	`},`
	`1955`	`+DeviceFlowEnabled:deviceFlow,`
	`1956`	`+ExchangeDeviceCode:func(ctx context.Context,deviceCodestring) (*oauth2.Token,error) {`
	`1957`	`+if!deviceFlow {`
	`1958`	`+returnnil,xerrors.New("device flow is not enabled")`
	`1959`	`+}`
	`1960`	`+deviceAuth:=createDeviceAuth()`
	`1961`	`+returndeviceAuth.ExchangeDeviceCode(ctx,deviceCode)`
	`1962`	`+},`
	`1963`	`+AuthorizeDevice:func(ctx context.Context) (*codersdk.ExternalAuthDevice,error) {`
	`1964`	`+if!deviceFlow {`
	`1965`	`+returnnil,xerrors.New("device flow is not enabled")`
	`1966`	`+}`
	`1967`	`+deviceAuth:=createDeviceAuth()`
	`1968`	`+returndeviceAuth.AuthorizeDevice(ctx)`
	`1969`	`+},`
`1944`	`1970`	`},nil`
`1945`	`1971`	`}`
`1946`	`1972`

`‎coderd/coderd.go‎`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1087,6 +1087,7 @@ func New(options Options) API {`
`1087`	`1087`	`r.Post("/validate-password",api.validateUserPassword)`
`1088`	`1088`	`r.Post("/otp/change-password",api.postChangePasswordWithOneTimePasscode)`
`1089`	`1089`	`r.Route("/oauth2",func(r chi.Router) {`
	`1090`	`+r.Get("/github/device",api.userOAuth2GithubDevice)`
`1090`	`1091`	`r.Route("/github",func(r chi.Router) {`
`1091`	`1092`	`r.Use(`
`1092`	`1093`	`httpmw.ExtractOAuth2(options.GithubOAuth2Config,options.HTTPClient,nil),`

`‎coderd/httpmw/oauth2.go‎`

Lines changed: 10 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -167,9 +167,16 @@ func ExtractOAuth2(config promoauth.OAuth2Config, client *http.Client, authURLOp`
`167`	`167`
`168`	`168`	`oauthToken,err:=config.Exchange(ctx,code)`
`169`	`169`	`iferr!=nil {`
`170`		`-httpapi.Write(ctx,rw,http.StatusInternalServerError, codersdk.Response{`
`171`		`-Message:"Internal error exchanging Oauth code.",`
`172`		`-Detail:err.Error(),`
	`170`	`+errorCode:=http.StatusInternalServerError`
	`171`	`+detail:=err.Error()`
	`172`	`+ifdetail=="authorization_pending" {`
	`173`	`+// In the device flow, the token may not be immediately`
	`174`	`+// available. This is expected, and the client will retry.`
	`175`	`+errorCode=http.StatusBadRequest`
	`176`	`+}`
	`177`	`+httpapi.Write(ctx,rw,errorCode, codersdk.Response{`
	`178`	`+Message:"Failed exchanging Oauth code.",`
	`179`	`+Detail:detail,`
`173`	`180`	`})`
`174`	`181`	`return`
`175`	`182`	`}`

`‎coderd/userauth.go‎`

Lines changed: 73 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -748,12 +748,30 @@ type GithubOAuth2Config struct {`
`748`	`748`	`ListOrganizationMembershipsfunc(ctx context.Context,clienthttp.Client) ([]github.Membership,error)`
`749`	`749`	`TeamMembershipfunc(ctx context.Context,clienthttp.Client,org,team,usernamestring) (github.Membership,error)`
`750`	`750`
	`751`	`+DeviceFlowEnabledbool`
	`752`	`+ExchangeDeviceCodefunc(ctx context.Context,deviceCodestring) (*oauth2.Token,error)`
	`753`	`+AuthorizeDevicefunc(ctx context.Context) (*codersdk.ExternalAuthDevice,error)`
	`754`	`+`
`751`	`755`	`AllowSignupsbool`
`752`	`756`	`AllowEveryonebool`
`753`	`757`	`AllowOrganizations []string`
`754`	`758`	`AllowTeams []GithubOAuth2Team`
`755`	`759`	`}`
`756`	`760`
	`761`	`+func (cGithubOAuth2Config)Exchange(ctx context.Context,codestring,opts...oauth2.AuthCodeOption) (oauth2.Token,error) {`
	`762`	`+if!c.DeviceFlowEnabled {`
	`763`	`+returnc.OAuth2Config.Exchange(ctx,code,opts...)`
	`764`	`+}`
	`765`	`+returnc.ExchangeDeviceCode(ctx,code)`
	`766`	`+}`
	`767`	`+`
	`768`	`+func (c*GithubOAuth2Config)AuthCodeURL(statestring,opts...oauth2.AuthCodeOption)string {`
	`769`	`+if!c.DeviceFlowEnabled {`
	`770`	`+returnc.OAuth2Config.AuthCodeURL(state,opts...)`
	`771`	`+}`
	`772`	`+return"/login/device?state="+state`
	`773`	`+}`
	`774`	`+`
`757`	`775`	`// @Summary Get authentication methods`
`758`	`776`	`// @ID get-authentication-methods`
`759`	`777`	`// @Security CoderSessionToken`
`@@ -786,6 +804,53 @@ func (api API) userAuthMethods(rw http.ResponseWriter, r http.Request) {`
`786`	`804`	`})`
`787`	`805`	`}`
`788`	`806`
	`807`	`+// @Summary Get Github device auth.`
	`808`	`+// @ID get-github-device-auth`
	`809`	`+// @Security CoderSessionToken`
	`810`	`+// @Produce json`
	`811`	`+// @Tags Users`
	`812`	`+// @Success 200 {object} codersdk.ExternalAuthDevice`
	`813`	`+// @Router /users/oauth2/github/device [get]`
	`814`	`+func (apiAPI)userOAuth2GithubDevice(rw http.ResponseWriter,rhttp.Request) {`
	`815`	`+var (`
	`816`	`+ctx=r.Context()`
	`817`	`+auditor=api.Auditor.Load()`
	`818`	`+aReq,commitAudit=audit.InitRequest[database.APIKey](rw,&audit.RequestParams{`
	`819`	`+Audit:*auditor,`
	`820`	`+Log:api.Logger,`
	`821`	`+Request:r,`
	`822`	`+Action:database.AuditActionLogin,`
	`823`	`+})`
	`824`	`+)`
	`825`	`+aReq.Old= database.APIKey{}`
	`826`	`+defercommitAudit()`
	`827`	`+`
	`828`	`+ifapi.GithubOAuth2Config==nil {`
	`829`	`+httpapi.Write(ctx,rw,http.StatusBadRequest, codersdk.Response{`
	`830`	`+Message:"Github OAuth2 is not enabled.",`
	`831`	`+})`
	`832`	`+return`
	`833`	`+}`
	`834`	`+`
	`835`	`+if!api.GithubOAuth2Config.DeviceFlowEnabled {`
	`836`	`+httpapi.Write(ctx,rw,http.StatusBadRequest, codersdk.Response{`
	`837`	`+Message:"Device flow is not enabled for Github OAuth2.",`
	`838`	`+})`
	`839`	`+return`
	`840`	`+}`
	`841`	`+`
	`842`	`+deviceAuth,err:=api.GithubOAuth2Config.AuthorizeDevice(ctx)`
	`843`	`+iferr!=nil {`
	`844`	`+httpapi.Write(ctx,rw,http.StatusInternalServerError, codersdk.Response{`
	`845`	`+Message:"Failed to authorize device.",`
	`846`	`+Detail:err.Error(),`
	`847`	`+})`
	`848`	`+return`
	`849`	`+}`
	`850`	`+`
	`851`	`+httpapi.Write(ctx,rw,http.StatusOK,deviceAuth)`
	`852`	`+}`
	`853`	`+`
`789`	`854`	`// @Summary OAuth 2.0 GitHub Callback`
`790`	`855`	`// @ID oauth-20-github-callback`
`791`	`856`	`// @Security CoderSessionToken`
`@@ -1016,7 +1081,14 @@ func (api API) userOAuth2Github(rw http.ResponseWriter, r http.Request) {`
`1016`	`1081`	`}`
`1017`	`1082`
`1018`	`1083`	`redirect=uriFromURL(redirect)`
`1019`		`-http.Redirect(rw,r,redirect,http.StatusTemporaryRedirect)`
	`1084`	`+ifapi.GithubOAuth2Config.DeviceFlowEnabled {`
	`1085`	`+// In the device flow, the redirect is handled client-side.`
	`1086`	`+httpapi.Write(ctx,rw,http.StatusOK, codersdk.OAuth2DeviceFlowCallbackResponse{`
	`1087`	`+RedirectURL:redirect,`
	`1088`	`+})`
	`1089`	`+}else {`
	`1090`	`+http.Redirect(rw,r,redirect,http.StatusTemporaryRedirect)`
	`1091`	`+}`
`1020`	`1092`	`}`
`1021`	`1093`
`1022`	`1094`	`typeOIDCConfigstruct {`

`‎codersdk/deployment.go‎`

Lines changed: 11 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -505,6 +505,7 @@ type OAuth2Config struct {`
`505`	`505`	`typeOAuth2GithubConfigstruct {`
`506`	`506`	ClientID serpent.String`json:"client_id" typescript:",notnull"`
`507`	`507`	ClientSecret serpent.String`json:"client_secret" typescript:",notnull"`
	`508`	+DeviceFlow serpent.Bool`json:"device_flow" typescript:",notnull"`
`508`	`509`	AllowedOrgs serpent.StringArray`json:"allowed_orgs" typescript:",notnull"`
`509`	`510`	AllowedTeams serpent.StringArray`json:"allowed_teams" typescript:",notnull"`
`510`	`511`	AllowSignups serpent.Bool`json:"allow_signups" typescript:",notnull"`
`@@ -1572,6 +1573,16 @@ func (c *DeploymentValues) Options() serpent.OptionSet {`
`1572`	`1573`	`Annotations: serpent.Annotations{}.Mark(annotationSecretKey,"true"),`
`1573`	`1574`	`Group:&deploymentGroupOAuth2GitHub,`
`1574`	`1575`	`},`
	`1576`	`+{`
	`1577`	`+Name:"OAuth2 GitHub Device Flow",`
	`1578`	`+Description:"Enable device flow for Login with GitHub.",`
	`1579`	`+Flag:"oauth2-github-device-flow",`
	`1580`	`+Env:"CODER_OAUTH2_GITHUB_DEVICE_FLOW",`
	`1581`	`+Value:&c.OAuth2.Github.DeviceFlow,`
	`1582`	`+Group:&deploymentGroupOAuth2GitHub,`
	`1583`	`+YAML:"deviceFlow",`
	`1584`	`+Default:"false",`
	`1585`	`+},`
`1575`	`1586`	`{`
`1576`	`1587`	`Name:"OAuth2 GitHub Allowed Orgs",`
`1577`	`1588`	`Description:"Organizations the user must be a member of to Login with GitHub.",`

`‎codersdk/oauth2.go‎`

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -227,3 +227,7 @@ func (c *Client) RevokeOAuth2ProviderApp(ctx context.Context, appID uuid.UUID) e`
`227`	`227`	`}`
`228`	`228`	`returnnil`
`229`	`229`	`}`
	`230`	`+`
	`231`	`+typeOAuth2DeviceFlowCallbackResponsestruct {`
	`232`	+RedirectURLstring`json:"redirect_url"`
	`233`	`+}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitb0101aa

File tree

6 files changed

6 files changed

`‎cli/server.go‎`

`‎coderd/coderd.go‎`

`‎coderd/httpmw/oauth2.go‎`

`‎coderd/userauth.go‎`

`‎codersdk/deployment.go‎`

`‎codersdk/oauth2.go‎`

0 commit comments