NotificationsYou must be signed in to change notification settings
Fork948
Star10.5k

Commitbd01a1d

committed

feat: enhance OAuth2 RFC compliance with resource metadata and CORS improvements

Change-Id: I99fc71255165133bf858268030d39d2b1a71a288Signed-off-by: Thomas Kosiewski <tk@coder.com>

1 parentf47efc6 commitbd01a1dCopy full SHA for bd01a1d

File tree

4 files changed

+114

-37

lines changed

coderd
- coderd.go
- httpmw
  - apikey.go
  - cors.go
- oauth2provider
  - authorize.go

4 files changed

+114

-37

lines changed

`‎coderd/coderd.go`

Lines changed: 3 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -790,6 +790,7 @@ func New(options Options) API {`
`790`	`790`	`SessionTokenFunc:nil,// Default behavior`
`791`	`791`	`PostAuthAdditionalHeadersFunc:options.PostAuthAdditionalHeadersFunc,`
`792`	`792`	`Logger:options.Logger,`
	`793`	`+AccessURL:options.AccessURL,`
`793`	`794`	`})`
`794`	`795`	`// Same as above but it redirects to the login page.`
`795`	`796`	`apiKeyMiddlewareRedirect:=httpmw.ExtractAPIKeyMW(httpmw.ExtractAPIKeyConfig{`
`@@ -801,6 +802,7 @@ func New(options Options) API {`
`801`	`802`	`SessionTokenFunc:nil,// Default behavior`
`802`	`803`	`PostAuthAdditionalHeadersFunc:options.PostAuthAdditionalHeadersFunc,`
`803`	`804`	`Logger:options.Logger,`
	`805`	`+AccessURL:options.AccessURL,`
`804`	`806`	`})`
`805`	`807`	`// Same as the first but it's optional.`
`806`	`808`	`apiKeyMiddlewareOptional:=httpmw.ExtractAPIKeyMW(httpmw.ExtractAPIKeyConfig{`
`@@ -812,6 +814,7 @@ func New(options Options) API {`
`812`	`814`	`SessionTokenFunc:nil,// Default behavior`
`813`	`815`	`PostAuthAdditionalHeadersFunc:options.PostAuthAdditionalHeadersFunc,`
`814`	`816`	`Logger:options.Logger,`
	`817`	`+AccessURL:options.AccessURL,`
`815`	`818`	`})`
`816`	`819`
`817`	`820`	`workspaceAgentInfo:=httpmw.ExtractWorkspaceAgentAndLatestBuild(httpmw.ExtractWorkspaceAgentAndLatestBuildConfig{`

`‎coderd/httpmw/apikey.go`

Lines changed: 58 additions & 33 deletions

Original file line number	Diff line number	Diff line change
`@@ -113,6 +113,10 @@ type ExtractAPIKeyConfig struct {`
`113`	`113`	`// a user is authenticated to prevent additional CLI invocations.`
`114`	`114`	`PostAuthAdditionalHeadersFuncfunc(a rbac.Subject,header http.Header)`
`115`	`115`
	`116`	`+// AccessURL is the configured access URL for this Coder deployment.`
	`117`	`+// Used for generating OAuth2 resource metadata URLs in WWW-Authenticate headers.`
	`118`	`+AccessURL*url.URL`
	`119`	`+`
`116`	`120`	`// Logger is used for logging middleware operations.`
`117`	`121`	`Logger slog.Logger`
`118`	`122`	`}`
`@@ -214,29 +218,9 @@ func ExtractAPIKey(rw http.ResponseWriter, r *http.Request, cfg ExtractAPIKeyCon`
`214`	`218`	`returnnil,nil,false`
`215`	`219`	`}`
`216`	`220`
`217`		`-// Add WWW-Authenticate header for 401/403 responses (RFC 6750)`
	`221`	`+// Add WWW-Authenticate header for 401/403 responses (RFC 6750 + RFC 9728)`
`218`	`222`	`ifcode==http.StatusUnauthorized\|\|code==http.StatusForbidden {`
`219`		`-varwwwAuthstring`
`220`		`-`
`221`		`-switchcode {`
`222`		`-casehttp.StatusUnauthorized:`
`223`		`-// Map 401 to invalid_token with specific error descriptions`
`224`		`-switch {`
`225`		`-casestrings.Contains(response.Message,"expired")\|\|strings.Contains(response.Detail,"expired"):`
`226`		-wwwAuth=`Bearer realm="coder", error="invalid_token", error_description="The access token has expired"`
`227`		`-casestrings.Contains(response.Message,"audience")\|\|strings.Contains(response.Message,"mismatch"):`
`228`		-wwwAuth=`Bearer realm="coder", error="invalid_token", error_description="The access token audience does not match this resource"`
`229`		`-default:`
`230`		-wwwAuth=`Bearer realm="coder", error="invalid_token", error_description="The access token is invalid"`
`231`		`-}`
`232`		`-casehttp.StatusForbidden:`
`233`		`-// Map 403 to insufficient_scope per RFC 6750`
`234`		-wwwAuth=`Bearer realm="coder", error="insufficient_scope", error_description="The request requires higher privileges than provided by the access token"`
`235`		`-default:`
`236`		-wwwAuth=`Bearer realm="coder"`
`237`		`-}`
`238`		`-`
`239`		`-rw.Header().Set("WWW-Authenticate",wwwAuth)`
	`223`	`+rw.Header().Set("WWW-Authenticate",buildWWWAuthenticateHeader(cfg.AccessURL,r,code,response))`
`240`	`224`	`}`
`241`	`225`
`242`	`226`	`httpapi.Write(ctx,rw,code,response)`
`@@ -272,7 +256,7 @@ func ExtractAPIKey(rw http.ResponseWriter, r *http.Request, cfg ExtractAPIKeyCon`
`272`	`256`
`273`	`257`	`// Validate OAuth2 provider app token audience (RFC 8707) if applicable`
`274`	`258`	`ifkey.LoginType==database.LoginTypeOAuth2ProviderApp {`
`275`		`-iferr:=validateOAuth2ProviderAppTokenAudience(ctx,cfg.DB,*key,r);err!=nil {`
	`259`	`+iferr:=validateOAuth2ProviderAppTokenAudience(ctx,cfg.DB,*key,cfg.AccessURL,r);err!=nil {`
`276`	`260`	`// Log the detailed error for debugging but don't expose it to the client`
`277`	`261`	`cfg.Logger.Debug(ctx,"oauth2 token audience validation failed",slog.Error(err))`
`278`	`262`	`returnoptionalWrite(http.StatusForbidden, codersdk.Response{`
`@@ -489,7 +473,7 @@ func ExtractAPIKey(rw http.ResponseWriter, r *http.Request, cfg ExtractAPIKeyCon`
`489`	`473`
`490`	`474`	`// validateOAuth2ProviderAppTokenAudience validates that an OAuth2 provider app token`
`491`	`475`	`// is being used with the correct audience/resource server (RFC 8707).`
`492`		`-funcvalidateOAuth2ProviderAppTokenAudience(ctx context.Context,db database.Store,key database.APIKey,r*http.Request)error {`
	`476`	`+funcvalidateOAuth2ProviderAppTokenAudience(ctx context.Context,db database.Store,key database.APIKey,accessURLurl.URL,rhttp.Request)error {`
`493`	`477`	`// Get the OAuth2 provider app token to check its audience`
`494`	`478`	`//nolint:gocritic // System needs to access token for audience validation`
`495`	`479`	`token,err:=db.GetOAuth2ProviderAppTokenByAPIKeyID(dbauthz.AsSystemRestricted(ctx),key.ID)`
`@@ -502,8 +486,8 @@ func validateOAuth2ProviderAppTokenAudience(ctx context.Context, db database.Sto`
`502`	`486`	`returnnil`
`503`	`487`	`}`
`504`	`488`
`505`		`-// Extract the expected audience from therequest`
`506`		`-expectedAudience:=extractExpectedAudience(r)`
	`489`	`+// Extract the expected audience from theaccess URL`
	`490`	`+expectedAudience:=extractExpectedAudience(accessURL,r)`
`507`	`491`
`508`	`492`	`// Normalize both audience values for RFC 3986 compliant comparison`
`509`	`493`	`normalizedTokenAudience:=normalizeAudienceURI(token.Audience.String)`
`@@ -624,18 +608,59 @@ func normalizePathSegments(path string) string {`
`624`	`608`
`625`	`609`	`// Test export functions for testing package access`
`626`	`610`
	`611`	`+// buildWWWAuthenticateHeader constructs RFC 6750 + RFC 9728 compliant WWW-Authenticate header`
	`612`	`+funcbuildWWWAuthenticateHeader(accessURLurl.URL,rhttp.Request,codeint,response codersdk.Response)string {`
	`613`	`+// Use the configured access URL for resource metadata`
	`614`	`+ifaccessURL==nil {`
	`615`	`+scheme:="https"`
	`616`	`+ifr.TLS==nil {`
	`617`	`+scheme="http"`
	`618`	`+}`
	`619`	`+`
	`620`	`+// Use the Host header to construct the canonical audience URI`
	`621`	`+accessURL=&url.URL{`
	`622`	`+Scheme:scheme,`
	`623`	`+Host:r.Host,`
	`624`	`+}`
	`625`	`+}`
	`626`	`+`
	`627`	`+resourceMetadata:=accessURL.JoinPath("/.well-known/oauth-protected-resource").String()`
	`628`	`+`
	`629`	`+switchcode {`
	`630`	`+casehttp.StatusUnauthorized:`
	`631`	`+switch {`
	`632`	`+casestrings.Contains(response.Message,"expired")\|\|strings.Contains(response.Detail,"expired"):`
	`633`	+returnfmt.Sprintf(`Bearer realm="coder", error="invalid_token", error_description="The access token has expired", resource_metadata="%s"`,resourceMetadata)
	`634`	`+casestrings.Contains(response.Message,"audience")\|\|strings.Contains(response.Message,"mismatch"):`
	`635`	+returnfmt.Sprintf(`Bearer realm="coder", error="invalid_token", error_description="The access token audience does not match this resource", resource_metadata="%s"`,resourceMetadata)
	`636`	`+default:`
	`637`	+returnfmt.Sprintf(`Bearer realm="coder", error="invalid_token", error_description="The access token is invalid", resource_metadata="%s"`,resourceMetadata)
	`638`	`+}`
	`639`	`+casehttp.StatusForbidden:`
	`640`	+returnfmt.Sprintf(`Bearer realm="coder", error="insufficient_scope", error_description="The request requires higher privileges than provided by the access token", resource_metadata="%s"`,resourceMetadata)
	`641`	`+default:`
	`642`	+returnfmt.Sprintf(`Bearer realm="coder", resource_metadata="%s"`,resourceMetadata)
	`643`	`+}`
	`644`	`+}`
	`645`	`+`
`627`	`646`	`// extractExpectedAudience determines the expected audience for the current request.`
`628`	`647`	`// This should match the resource parameter used during authorization.`
`629`		`-funcextractExpectedAudience(r*http.Request)string {`
	`648`	`+funcextractExpectedAudience(accessURLurl.URL,rhttp.Request)string {`
`630`	`649`	`// For MCP compliance, the audience should be the canonical URI of the resource server`
`631`	`650`	`// This typically matches the access URL of the Coder deployment`
`632`		`-scheme:="https"`
`633`		`-ifr.TLS==nil {`
`634`		`-scheme="http"`
`635`		`-}`
	`651`	`+varaudiencestring`
	`652`	`+`
	`653`	`+ifaccessURL!=nil {`
	`654`	`+audience=accessURL.String()`
	`655`	`+}else {`
	`656`	`+scheme:="https"`
	`657`	`+ifr.TLS==nil {`
	`658`	`+scheme="http"`
	`659`	`+}`
`636`	`660`
`637`		`-// Use the Host header to construct the canonical audience URI`
`638`		`-audience:=fmt.Sprintf("%s://%s",scheme,r.Host)`
	`661`	`+// Use the Host header to construct the canonical audience URI`
	`662`	`+audience=fmt.Sprintf("%s://%s",scheme,r.Host)`
	`663`	`+}`
`639`	`664`
`640`	`665`	`// Normalize the URI according to RFC 3986 for consistent comparison`
`641`	`666`	`returnnormalizeAudienceURI(audience)`

`‎coderd/httpmw/cors.go`

Lines changed: 49 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,7 @@ import (`
`4`	`4`	`"net/http"`
`5`	`5`	`"net/url"`
`6`	`6`	`"regexp"`
	`7`	`+"strings"`
`7`	`8`
`8`	`9`	`"github.com/go-chi/cors"`
`9`	`10`
`@@ -28,20 +29,66 @@ const (`
`28`	`29`	`funcCors(allowAllbool,origins...string)func(next http.Handler) http.Handler {`
`29`	`30`	`iflen(origins)==0 {`
`30`	`31`	`// The default behavior is '*', so putting the empty string defaults to`
`31`		`-// the secure behavior of blockingCORs requests.`
	`32`	`+// the secure behavior of blockingCORS requests.`
`32`	`33`	`origins= []string{""}`
`33`	`34`	`}`
`34`	`35`	`ifallowAll {`
`35`	`36`	`origins= []string{"*"}`
`36`	`37`	`}`
`37`		`-returncors.Handler(cors.Options{`
	`38`	`+`
	`39`	`+// Standard CORS for most endpoints`
	`40`	`+standardCors:=cors.Handler(cors.Options{`
`38`	`41`	`AllowedOrigins:origins,`
`39`	`42`	`// We only need GET for latency requests`
`40`	`43`	`AllowedMethods: []string{http.MethodOptions,http.MethodGet},`
`41`	`44`	`AllowedHeaders: []string{"Accept","Content-Type","X-LATENCY-CHECK","X-CSRF-TOKEN"},`
`42`	`45`	`// Do not send any cookies`
`43`	`46`	`AllowCredentials:false,`
`44`	`47`	`})`
	`48`	`+`
	`49`	`+// Permissive CORS for OAuth2 and MCP endpoints`
	`50`	`+permissiveCors:=cors.Handler(cors.Options{`
	`51`	`+AllowedOrigins: []string{"*"},`
	`52`	`+AllowedMethods: []string{`
	`53`	`+http.MethodGet,`
	`54`	`+http.MethodPost,`
	`55`	`+http.MethodDelete,`
	`56`	`+http.MethodOptions,`
	`57`	`+},`
	`58`	`+AllowedHeaders: []string{`
	`59`	`+"Content-Type",`
	`60`	`+"Accept",`
	`61`	`+"Authorization",`
	`62`	`+"x-api-key",`
	`63`	`+"Mcp-Session-Id",`
	`64`	`+"MCP-Protocol-Version",`
	`65`	`+"Last-Event-ID",`
	`66`	`+},`
	`67`	`+ExposedHeaders: []string{`
	`68`	`+"Content-Type",`
	`69`	`+"Authorization",`
	`70`	`+"x-api-key",`
	`71`	`+"Mcp-Session-Id",`
	`72`	`+"MCP-Protocol-Version",`
	`73`	`+},`
	`74`	`+MaxAge:86400,// 24 hours in seconds`
	`75`	`+AllowCredentials:false,`
	`76`	`+})`
	`77`	`+`
	`78`	`+returnfunc(next http.Handler) http.Handler {`
	`79`	`+returnhttp.HandlerFunc(func(w http.ResponseWriter,r*http.Request) {`
	`80`	`+// Use permissive CORS for OAuth2, MCP, and well-known endpoints`
	`81`	`+ifstrings.HasPrefix(r.URL.Path,"/oauth2/")\|\|`
	`82`	`+strings.HasPrefix(r.URL.Path,"/api/experimental/mcp/")\|\|`
	`83`	`+strings.HasPrefix(r.URL.Path,"/.well-known/oauth-") {`
	`84`	`+permissiveCors(next).ServeHTTP(w,r)`
	`85`	`+return`
	`86`	`+}`
	`87`	`+`
	`88`	`+// Use standard CORS for all other endpoints`
	`89`	`+standardCors(next).ServeHTTP(w,r)`
	`90`	`+})`
	`91`	`+}`
`45`	`92`	`}`
`46`	`93`
`47`	`94`	`funcWorkspaceAppCors(regex*regexp.Regexp,app appurl.ApplicationURL)func(next http.Handler) http.Handler {`

`‎coderd/oauth2provider/authorize.go`

Lines changed: 4 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -33,7 +33,7 @@ func extractAuthorizeParams(r http.Request, callbackURL url.URL) (authorizePar`
`33`	`33`	`p:=httpapi.NewQueryParamParser()`
`34`	`34`	`vals:=r.URL.Query()`
`35`	`35`
`36`		`-p.RequiredNotEmpty("state","response_type","client_id")`
	`36`	`+p.RequiredNotEmpty("response_type","client_id")`
`37`	`37`
`38`	`38`	`params:=authorizeParams{`
`39`	`39`	`clientID:p.String(vals,"","client_id"),`
`@@ -154,7 +154,9 @@ func ProcessAuthorize(db database.Store, accessURL *url.URL) http.HandlerFunc {`
`154`	`154`
`155`	`155`	`newQuery:=params.redirectURL.Query()`
`156`	`156`	`newQuery.Add("code",code.Formatted)`
`157`		`-newQuery.Add("state",params.state)`
	`157`	`+ifparams.state!="" {`
	`158`	`+newQuery.Add("state",params.state)`
	`159`	`+}`
`158`	`160`	`params.redirectURL.RawQuery=newQuery.Encode()`
`159`	`161`
`160`	`162`	`http.Redirect(rw,r,params.redirectURL.String(),http.StatusTemporaryRedirect)`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitbd01a1d

File tree

4 files changed

4 files changed

`‎coderd/coderd.go`

`‎coderd/httpmw/apikey.go`

`‎coderd/httpmw/cors.go`

`‎coderd/oauth2provider/authorize.go`

0 commit comments