feat: oauth2 - add RFC 8707 resource indicators and audience validation#18575
Open
ThomasK33 wants to merge 1 commit into thomask33/06-24-feat_oauth2_add_authorization_server_metadata_endpoint_and_pkce_support from thomask33/06-25-feat_oauth2_add_rfc_8707_resource_indicators_and_audience_validation
+560 −14
Conversation
Warning: This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
This stack of pull requests is managed by Graphite.
Implements RFC 8707 Resource Indicators for OAuth2 provider to enable proper audience validation and token binding for multi-tenant scenarios.

Key changes:
- Add resource parameter support to authorization and token endpoints
- Implement server-side audience validation for opaque tokens
- Add database fields: ResourceUri (codes) and Audience (tokens)
- Add comprehensive resource parameter validation logic
- Add cross-resource audience validation in API middleware
- Add extensive test coverage for RFC 8707 scenarios
- Enhance PKCE implementation with timing attack protection

This enables OAuth2 clients to specify target resource servers and prevents token abuse across different Coder deployments through proper audience binding.

Change-Id: I3924cb2139e837e3ac0b0bd40a5aeb59637ebc1b
Signed-off-by: Thomas Kosiewski <tk@coder.com>
This pull request implements RFC 8707, Resource Indicators for OAuth 2.0 (https://datatracker.ietf.org/doc/html/rfc8707), to enhance the security of our OAuth 2.0 provider. This change enables proper audience validation and binds access tokens to their intended resource, which is crucial for preventing token misuse in multi-tenant environments or deployments with multiple resource servers.

Key Changes:
- Resource parameter support on the authorization (`/oauth2/authorize`) and token (`/oauth2/token`) endpoints, allowing clients to specify the intended resource server.
- Audience validation in the API key middleware (`coderd/httpmw/apikey.go`) to verify that the audience of the access token matches the resource server being accessed.
- A `resource_uri` column on the `oauth2_provider_app_codes` table to store the resource requested during authorization.
- An `audience` column on the `oauth2_provider_app_tokens` table to bind the issued token to a specific audience.
- Tests in `coderd/oauth2_test.go` covering various RFC 8707 scenarios, including valid flows, mismatched resources, and refresh token validation.

How it Works:
This ensures that a token issued for one Coder deployment cannot be used to access another, significantly strengthening our authentication security.
Change-Id: I3924cb2139e837e3ac0b0bd40a5aeb59637ebc1b
Signed-off-by: Thomas Kosiewski <tk@coder.com>
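The flow the description outlines has three checkpoints: the `resource` value is validated and stored with the authorization code, the token endpoint binds the issued token's audience to it, and the API middleware refuses a token whose audience is not this deployment. The Go model below is an added illustration written for this page, not code from the PR or from coderd: the `authCode`/`accessToken` structs, the function names, the rule that a token with an empty audience is treated as a legacy unbound token, the requirement that the resource carry a network host, and the lower-casing of scheme and host are all assumptions of the example. `verifyPKCE` shows the constant-time S256 comparison that the commit message's "timing attack protection" refers to, checked against the RFC 7636 Appendix B vector.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Hypothetical in-memory shapes standing in for the PR's new columns
// (oauth2_provider_app_codes.resource_uri, oauth2_provider_app_tokens.audience).
type authCode struct {
	ClientID    string
	ResourceURI string // resource requested at /oauth2/authorize, "" if none
}

type accessToken struct {
	Audience string // resource the token is bound to, "" if not resource-bound
}

// RFC 8707 section 2 defines the invalid_target error for a bad resource value.
var errInvalidTarget = errors.New("invalid_target: resource must be an absolute URI without a fragment")
var errAudienceMismatch = errors.New("access token audience does not match this resource server")

// validateResource applies the RFC 8707 rules (absolute URI, no fragment) and,
// as an assumption of this example, also requires a host and lower-cases scheme
// and host so later equality checks are not defeated by case differences.
func validateResource(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil || !u.IsAbs() || u.Host == "" {
		return "", errInvalidTarget
	}
	// "#" is never valid outside a fragment, so its presence alone is a rejection.
	if u.Fragment != "" || strings.Contains(raw, "#") {
		return "", errInvalidTarget
	}
	u.Scheme = strings.ToLower(u.Scheme)
	u.Host = strings.ToLower(u.Host)
	return u.String(), nil
}

// authorize models /oauth2/authorize: the validated resource is stored with the code.
func authorize(clientID, resource string) (authCode, error) {
	code := authCode{ClientID: clientID}
	if resource != "" {
		r, err := validateResource(resource)
		if err != nil {
			return authCode{}, err
		}
		code.ResourceURI = r
	}
	return code, nil
}

// exchange models /oauth2/token: a resource repeated at the token endpoint must
// match the one bound to the code, and the token inherits it as its audience.
func exchange(code authCode, resource string) (accessToken, error) {
	aud := code.ResourceURI
	if resource != "" {
		r, err := validateResource(resource)
		if err != nil {
			return accessToken{}, err
		}
		if code.ResourceURI != "" && r != code.ResourceURI {
			return accessToken{}, errInvalidTarget
		}
		aud = r
	}
	return accessToken{Audience: aud}, nil
}

// checkAudience models the API middleware: a resource-bound token is accepted only
// by the deployment whose access URL it was issued for. An empty audience is
// treated as a legacy, unbound token (an assumption of this example).
func checkAudience(tok accessToken, deploymentURL string) error {
	if tok.Audience == "" {
		return nil
	}
	self, err := validateResource(deploymentURL)
	if err != nil {
		return err
	}
	if self != tok.Audience {
		return errAudienceMismatch
	}
	return nil
}

// verifyPKCE checks an S256 code_verifier against the stored code_challenge in
// constant time, so a wrong verifier does not leak how many leading bytes matched.
func verifyPKCE(verifier, challenge string) bool {
	sum := sha256.Sum256([]byte(verifier))
	got := base64.RawURLEncoding.EncodeToString(sum[:])
	return subtle.ConstantTimeCompare([]byte(got), []byte(challenge)) == 1
}

func main() {
	code, _ := authorize("app-1", "https://Coder.example.com") // constructed input
	tok, _ := exchange(code, "")
	fmt.Println("same deployment:", checkAudience(tok, "https://coder.example.com"))
	fmt.Println("other deployment:", checkAudience(tok, "https://other.example.com"))
	_, err := authorize("app-1", "https://coder.example.com/#frag")
	fmt.Println("fragment rejected:", err)
}
```

The check worth noticing is in `exchange`: a client that obtained a code for one resource cannot re-target the token by sending a different `resource` at the token endpoint, which is the cross-deployment abuse the description says the audience binding prevents.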