feat: add authorization server metadata endpoint and PKCE support#18548

Draft
ThomasK33 wants to merge 1 commit into main
from thomask33/06-24-feat_oauth2_add_authorization_server_metadata_endpoint_and_pkce_support

Conversation

@ThomasK33 (Member) commented Jun 24, 2025 (edited)

Summary

This PR implements critical MCP OAuth2 compliance features for Coder's authorization server, adding PKCE support, resource parameter handling, and OAuth2 server metadata discovery. This brings Coder's OAuth2 implementation significantly closer to production readiness for MCP (Model Context Protocol) integrations.

What's Added

OAuth2 Authorization Server Metadata (RFC 8414)

  • Add /.well-known/oauth-authorization-server endpoint for automatic client discovery
  • Returns standardized metadata including supported grant types, response types, and PKCE methods
  • Essential for MCP client compatibility and OAuth2 standards compliance

PKCE Support (RFC 7636)

  • Implement Proof Key for Code Exchange with S256 challenge method
  • Add code_challenge and code_challenge_method parameters to authorization flow
  • Add code_verifier validation in token exchange
  • Provides enhanced security for public clients (mobile apps, CLIs)

Resource Parameter Support (RFC 8707)

  • Add resource parameter to authorization and token endpoints
  • Store resource URI and bind tokens to specific audiences
  • Critical for MCP's resource-bound token model

Enhanced OAuth2 Error Handling

  • Add OAuth2-compliant error responses with proper error codes
  • Use standard error format: {"error": "code", "error_description": "details"}
  • Improve error consistency across OAuth2 endpoints

Authorization UI Improvements

  • Fix authorization flow to use POST-based consent instead of GET redirects
  • Remove dependency on referer headers for security decisions
  • Improve CSRF protection with proper state parameter validation

Why This Matters

For MCP Integration: MCP requires OAuth2 authorization servers to support PKCE, resource parameters, and metadata discovery. Without these features, MCP clients cannot securely authenticate with Coder.

For Security: PKCE prevents authorization code interception attacks, especially critical for public clients. Resource binding ensures tokens are only valid for intended services.

For Standards Compliance: These are widely adopted OAuth2 extensions that improve interoperability with modern OAuth2 clients.

Database Changes

  • Migration 000343: Adds code_challenge, code_challenge_method, resource_uri to oauth2_provider_app_codes
  • Migration 000343: Adds audience field to oauth2_provider_app_tokens for resource binding
  • Audit Updates: New OAuth2 fields properly tracked in audit system
  • Backward Compatibility: All changes maintain compatibility with existing OAuth2 flows

Test Coverage

  • Comprehensive PKCE test suite in coderd/identityprovider/pkce_test.go
  • OAuth2 metadata endpoint tests in coderd/oauth2_metadata_test.go
  • Integration tests covering PKCE + resource parameter combinations
  • Negative tests for invalid PKCE verifiers and malformed requests

Testing Instructions

```bash
# Run the comprehensive OAuth2 test suite
./scripts/oauth2/test-mcp-oauth2.sh
```

Manual Testing with Interactive Server

```bash
# Start Coder in development mode
./scripts/develop.sh

# In another terminal, set up test app and run interactive flow
eval $(./scripts/oauth2/setup-test-app.sh)
./scripts/oauth2/test-manual-flow.sh
# Opens browser with OAuth2 flow, handles callback automatically

# Clean up when done
./scripts/oauth2/cleanup-test-app.sh
```

Individual Component Testing

```bash
# Test metadata endpoint
curl -s http://localhost:3000/.well-known/oauth-authorization-server | jq .

# Test PKCE generation
./scripts/oauth2/generate-pkce.sh

# Run specific test suites
go test -v ./coderd/identityprovider -run TestVerifyPKCE
go test -v ./coderd -run TestOAuth2AuthorizationServerMetadata
```

Breaking Changes

None. All changes maintain backward compatibility with existing OAuth2 flows.


Change-Id: Ifbd0d9a543d545f9f56ecaa77ff2238542ff954a
Signed-off-by: Thomas Kosiewski <tk@coder.com>
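As an added illustration of the code_verifier validation the PR describes for the token exchange (this is example code written here, not code from the PR or from coderd), the S256 check from RFC 7636 section 4.6 as a stand-alone Go snippet. The function names and the choice to accept codes that were issued without any challenge (the backward-compatibility behaviour claimed above) are assumptions made for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"regexp"
)

// RFC 7636 section 4.1: code_verifier is 43..128 chars from the unreserved set.
var verifierRE = regexp.MustCompile(`^[A-Za-z0-9._~-]{43,128}$`)

var (
	ErrUnsupportedMethod = errors.New("pkce: only code_challenge_method=S256 is supported")
	ErrInvalidVerifier   = errors.New("pkce: code_verifier missing, wrong length, or bad charset")
	ErrMismatch          = errors.New("pkce: code_verifier does not match stored code_challenge")
)

// ComputeS256Challenge returns BASE64URL-ENCODE(SHA256(ASCII(verifier))) with no '=' padding.
func ComputeS256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// VerifyS256 is the token-endpoint check: storedChallenge and storedMethod were saved
// alongside the authorization code at /authorize; verifier comes from the token request.
func VerifyS256(storedChallenge, storedMethod, verifier string) error {
	// Assumption for this example: a code issued without PKCE has nothing to verify.
	// A server that mandates PKCE for public clients would reject here instead.
	if storedChallenge == "" && storedMethod == "" {
		return nil
	}
	if storedMethod != "S256" { // "plain" and unknown methods are refused outright
		return ErrUnsupportedMethod
	}
	if !verifierRE.MatchString(verifier) { // also catches an omitted verifier
		return ErrInvalidVerifier
	}
	// Constant-time compare so a mismatch does not leak how many prefix bytes matched.
	got := []byte(ComputeS256Challenge(verifier))
	if subtle.ConstantTimeCompare(got, []byte(storedChallenge)) != 1 {
		return ErrMismatch
	}
	return nil
}
```

The stored challenge and method are exactly the new code_challenge and code_challenge_method columns the migration above adds to oauth2_provider_app_codes.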

@ThomasK33 (Graphite App, Member, Author) commented:

This stack of pull requests is managed by Graphite. Learn more about stacking.

@ThomasK33 changed the title from "feat(oauth2): add authorization server metadata endpoint and PKCE support" to "feat: add authorization server metadata endpoint and PKCE support" on Jun 24, 2025

Commit message:

…port
- Add /.well-known/oauth-authorization-server metadata endpoint (RFC 8414)
- Implement PKCE support with S256 method for enhanced security
- Add resource parameter support (RFC 8707) for token binding
- Add OAuth2-compliant error responses with proper error codes
- Fix authorization UI to use POST-based consent instead of GET redirects
- Add comprehensive OAuth2 test scripts and interactive test server
- Update CLAUDE.md with OAuth2 development guidelines

Database changes:
- Add migration 000341: code_challenge, resource_uri, audience fields
- Update audit table for new OAuth2 fields

OAuth2 provider remains development-only (requires --dev flag).

Change-Id: Ifbd0d9a543d545f9f56ecaa77ff2238542ff954a
Signed-off-by: Thomas Kosiewski <tk@coder.com>

@ThomasK33 force-pushed the thomask33/06-24-feat_oauth2_add_authorization_server_metadata_endpoint_and_pkce_support branch from d0ce9ff to 08f05e4 on June 24, 2025 18:22