Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

feat: oauth2 - add RFC 8707 resource indicators and audience validation#18575

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Draft
ThomasK33 wants to merge1 commit intothomask33/06-24-feat_oauth2_add_authorization_server_metadata_endpoint_and_pkce_support
base:thomask33/06-24-feat_oauth2_add_authorization_server_metadata_endpoint_and_pkce_support
Choose a base branch
Loading
fromthomask33/06-25-feat_oauth2_add_rfc_8707_resource_indicators_and_audience_validation

Conversation

ThomasK33
Copy link
Member

@ThomasK33ThomasK33 commentedJun 25, 2025
edited
Loading

This pull request implements RFC 8707, Resource Indicators for OAuth 2.0 (https://datatracker.ietf.org/doc/html/rfc8707), to enhance the security of our OAuth 2.0 provider.

This change enables proper audience validation and binds access tokens to their intended resource, which is crucial
for preventing token misuse in multi-tenant environments or deployments with multiple resource servers.

Key Changes:

  • Resource Parameter Support: Adds support for the resource parameter in both the authorization (/oauth2/authorize) and token (/oauth2/token) endpoints, allowing clients to specify the intended resource server.
  • Audience Validation: Implements server-side validation to ensure that the resource parameter provided during the token exchange matches the one from the authorization request.
  • API Middleware Enforcement: Introduces a new validation step in the API authentication middleware (coderd/httpmw/apikey.go) to verify that the audience of the access token matches the resource server being accessed.
  • Database Schema Updates:
    • Adds aresource_uri column to theoauth2_provider_app_codes table to store the resource requested during authorization.
    • Adds anaudience column to theoauth2_provider_app_tokens table to bind the issued token to a specific audience.
  • Enhanced PKCE: Includes a minor enhancement to the PKCE implementation to protect against timing attacks.
  • Comprehensive Testing: Adds extensive new tests tocoderd/oauth2_test.go to cover various RFC 8707 scenarios, including valid flows, mismatched resources, and refresh token validation.

How it Works:

  1. An OAuth2 client specifies the target resource (e.g.,https://coder.example.com) using the resource parameter in the authorization request.
  2. The authorization server stores this resource URI with the authorization code.
  3. During the token exchange, the server validates that the client provides the same resource parameter.
  4. The server issues an access token with an audience claim set to the validated resource URI.
  5. When the client uses the access token to call an API endpoint, the middleware verifies that the token's audience matches the URL of the Coder deployment, rejecting any tokens intended for a different resource.

This ensures that a token issued for one Coder deployment cannot be used to access another, significantly strengthening our authentication security.

Change-Id: I3924cb2139e837e3ac0b0bd40a5aeb59637ebc1b
Signed-off-by: Thomas Kosiewskitk@coder.com

@ThomasK33Graphite App
Copy link
MemberAuthor

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stackon Graphite.
Learn more

This stack of pull requests is managed byGraphite. Learn more aboutstacking.

@ThomasK33ThomasK33force-pushed thethomask33/06-24-feat_oauth2_add_authorization_server_metadata_endpoint_and_pkce_support branch from018694a to3daa2abCompareJune 25, 2025 14:06
@ThomasK33ThomasK33force-pushed thethomask33/06-25-feat_oauth2_add_rfc_8707_resource_indicators_and_audience_validation branch fromfb90065 tod14c08eCompareJune 25, 2025 14:06
@ThomasK33ThomasK33 changed the titlefeat(oauth2): add RFC 8707 resource indicators and audience validationfeat: oauth2 - add RFC 8707 resource indicators and audience validationJun 25, 2025
@ThomasK33ThomasK33force-pushed thethomask33/06-25-feat_oauth2_add_rfc_8707_resource_indicators_and_audience_validation branch 2 times, most recently from7b6f80c tof4fbe1dCompareJune 25, 2025 15:27
Implements RFC 8707 Resource Indicators for OAuth2 provider to enable properaudience validation and token binding for multi-tenant scenarios.Key changes:- Add resource parameter support to authorization and token endpoints- Implement server-side audience validation for opaque tokens- Add database fields: ResourceUri (codes) and Audience (tokens)- Add comprehensive resource parameter validation logic- Add cross-resource audience validation in API middleware- Add extensive test coverage for RFC 8707 scenarios- Enhance PKCE implementation with timing attack protectionThis enables OAuth2 clients to specify target resource servers and preventstoken abuse across different Coder deployments through proper audience binding.Change-Id: I3924cb2139e837e3ac0b0bd40a5aeb59637ebc1bSigned-off-by: Thomas Kosiewski <tk@coder.com>
@ThomasK33ThomasK33force-pushed thethomask33/06-25-feat_oauth2_add_rfc_8707_resource_indicators_and_audience_validation branch fromf4fbe1d toc8d2599CompareJune 25, 2025 16:27
Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment
Reviewers
No reviews
Assignees

@ThomasK33ThomasK33

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

1 participant
@ThomasK33
[8]ページ先頭
©2009-2025 Movatter.jp