feat: oauth2 - add RFC 8707 resource indicators and audience validation#18575


Conversation

ThomasK33 (Member) commented Jun 25, 2025 (edited)

This pull request implements RFC 8707, Resource Indicators for OAuth 2.0 (https://datatracker.ietf.org/doc/html/rfc8707), to enhance the security of our OAuth 2.0 provider.

This change enables proper audience validation and binds access tokens to their intended resource, which is crucial for preventing token misuse in multi-tenant environments or deployments with multiple resource servers.

Key Changes:

  • Resource Parameter Support: Adds support for the resource parameter in both the authorization (/oauth2/authorize) and token (/oauth2/token) endpoints, allowing clients to specify the intended resource server.
  • Audience Validation: Implements server-side validation to ensure that the resource parameter provided during the token exchange matches the one from the authorization request.
  • API Middleware Enforcement: Introduces a new validation step in the API authentication middleware (coderd/httpmw/apikey.go) to verify that the audience of the access token matches the resource server being accessed.
  • Database Schema Updates:
    • Adds a resource_uri column to the oauth2_provider_app_codes table to store the resource requested during authorization.
    • Adds an audience column to the oauth2_provider_app_tokens table to bind the issued token to a specific audience.
  • Enhanced PKCE: Includes a minor enhancement to the PKCE implementation to protect against timing attacks.
  • Comprehensive Testing: Adds extensive new tests to coderd/oauth2_test.go to cover various RFC 8707 scenarios, including valid flows, mismatched resources, and refresh token validation.

How it Works:

  1. An OAuth2 client specifies the target resource (e.g., https://coder.example.com) using the resource parameter in the authorization request.
  2. The authorization server stores this resource URI with the authorization code.
  3. During the token exchange, the server validates that the client provides the same resource parameter.
  4. The server issues an access token with an audience claim set to the validated resource URI.
  5. When the client uses the access token to call an API endpoint, the middleware verifies that the token's audience matches the URL of the Coder deployment, rejecting any tokens intended for a different resource.

This ensures that a token issued for one Coder deployment cannot be used to access another, significantly strengthening our authentication security.


Change-Id: I3924cb2139e837e3ac0b0bd40a5aeb59637ebc1b
Signed-off-by: Thomas Kosiewski <tk@coder.com>
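The five-step flow described above, reduced to an in-memory model as an added example (this is not code from the coder/coder repository or from this pull request): the resource is validated and stored with the authorization code, the token exchange must repeat the same resource, the issued token carries that resource as its audience, and the middleware step rejects a token whose audience is another deployment. The type names, the error values and the URL normalization rules (lower-case scheme and host, trailing slash stripped) are assumptions made for this illustration; RFC 8707 section 2 only requires an absolute URI without a fragment.

```go
package main

import (
	"errors"
	"net/url"
	"strings"
)

// Assumed error values for this illustration.
var ErrBadResource = errors.New("invalid resource indicator")
var ErrResourceMismatch = errors.New("resource does not match authorization request")
var ErrAudienceMismatch = errors.New("token audience does not match this deployment")

type AuthCode struct{ ResourceURI string } // resource_uri stored with the code
type AccessToken struct{ Audience string } // audience the opaque token is bound to

// normalizeResource enforces RFC 8707 section 2 (absolute URI, no fragment) and
// canonicalizes scheme/host case and the trailing slash before any comparison.
func normalizeResource(resource string) (string, error) {
	u, err := url.Parse(resource)
	if err != nil || !u.IsAbs() || u.Host == "" || u.Fragment != "" {
		return "", ErrBadResource
	}
	u.Scheme, u.Host = strings.ToLower(u.Scheme), strings.ToLower(u.Host)
	u.Path = strings.TrimRight(u.Path, "/")
	return u.String(), nil
}

// Authorize models /oauth2/authorize: validate the resource and persist it with the code.
func Authorize(resource string) (AuthCode, error) {
	r, err := normalizeResource(resource)
	return AuthCode{ResourceURI: r}, err
}

// Exchange models /oauth2/token: the resource sent here must equal the stored one.
func Exchange(code AuthCode, resource string) (AccessToken, error) {
	r, err := normalizeResource(resource)
	if err != nil {
		return AccessToken{}, err
	}
	if r != code.ResourceURI {
		return AccessToken{}, ErrResourceMismatch
	}
	return AccessToken{Audience: r}, nil
}
// CheckAudience models the API middleware: the audience must be this deployment's URL.
func CheckAudience(tok AccessToken, deploymentURL string) error {
	want, err := normalizeResource(deploymentURL)
	if err != nil || tok.Audience != want {
		return ErrAudienceMismatch
	}
	return nil
}
```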


ThomasK33 changed the title from "feat(oauth2): add RFC 8707 resource indicators and audience validation" to "feat: oauth2 - add RFC 8707 resource indicators and audience validation" on Jun 25, 2025
ThomasK33 marked this pull request as ready for review on June 25, 2025 17:56
Review comment on this snippet:

```go
func validateOAuth2ProviderAppTokenAudience(ctx context.Context, db database.Store, key database.APIKey, r *http.Request) error {
	// Get the OAuth2 provider app token to check its audience
	//nolint:gocritic // System needs to access token for audience validation
	token, err := db.GetOAuth2ProviderAppTokenByAPIKeyID(dbauthz.AsSystemRestricted(ctx), key.ID)
```

review: This is a legitimate use of dbauthz.SystemRestricted.

ThomasK33 requested a review from johnstcn on July 2, 2025 12:09
Commit message:

Implements RFC 8707 Resource Indicators for OAuth2 provider to enable proper audience validation and token binding for multi-tenant scenarios.

Key changes:
- Add resource parameter support to authorization and token endpoints
- Implement server-side audience validation for opaque tokens
- Add database fields: ResourceUri (codes) and Audience (tokens)
- Add comprehensive resource parameter validation logic
- Add cross-resource audience validation in API middleware
- Add extensive test coverage for RFC 8707 scenarios
- Enhance PKCE implementation with timing attack protection

This enables OAuth2 clients to specify target resource servers and prevents token abuse across different Coder deployments through proper audience binding.

Change-Id: I3924cb2139e837e3ac0b0bd40a5aeb59637ebc1b
Signed-off-by: Thomas Kosiewski <tk@coder.com>
johnstcn (Member) left a comment:

Would like a second pair of eyes, but I don't have any further blocking comments here.

ThomasK33 merged commit f0c9c4d into main on Jul 2, 2025 (36 checks passed)

ThomasK33 deleted the thomask33/06-25-feat_oauth2_add_rfc_8707_resource_indicators_and_audience_validation branch on July 2, 2025 15:49
johnstcn added a commit that referenced this pull request on Jul 2, 2025: "Fixes duplicate migration introduced by #18575"
Reviewers

Emyrk left review comments
johnstcn approved these changes
