- Notifications
You must be signed in to change notification settings - Fork936
feat: oauth2 - add RFC 8707 resource indicators and audience validation#18575
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
feat: oauth2 - add RFC 8707 resource indicators and audience validation#18575
Uh oh!
There was an error while loading.Please reload this page.
Conversation
ThomasK33 commentedJun 25, 2025 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
018694a
to3daa2ab
Comparefb90065
tod14c08e
Comparef4fbe1d
toc8d2599
Compare3daa2ab
tob50e322
Comparec8d2599
to4130e42
CompareUh oh!
There was an error while loading.Please reload this page.
func validateOAuth2ProviderAppTokenAudience(ctx context.Context, db database.Store, key database.APIKey, r *http.Request) error { | ||
// Get the OAuth2 provider app token to check its audience | ||
//nolint:gocritic // System needs to access token for audience validation | ||
token, err := db.GetOAuth2ProviderAppTokenByAPIKeyID(dbauthz.AsSystemRestricted(ctx), key.ID) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
review: This is a legitimate use ofdbauthz.SystemRestricted
.
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
4130e42
toe525b11
Compareb50e322
to3dd6c7e
Comparee525b11
toaec4923
Compare3dd6c7e
to224784a
Compareaec4923
to819ce2e
Compare224784a
toc2d85d9
Comparec2d85d9
to69eb5c8
Compare819ce2e
to002ffdf
Compare69eb5c8
to80c695b
Compare002ffdf
to0b43477
Compare03c4724
to870e5eb
Compare058cbe7
to495cecc
Compare6cf3ccb
tod32fe24
Comparea9550d8
toec5c703
Compared32fe24
tob663230
Compareec5c703
toe6243ce
Compareb663230
to2d32123
Compare2d32123
to758de4d
Compare758de4d
to655c391
CompareUh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
505c46c
to55811a8
CompareUh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
55811a8
to10db833
CompareImplements RFC 8707 Resource Indicators for OAuth2 provider to enable properaudience validation and token binding for multi-tenant scenarios.Key changes:- Add resource parameter support to authorization and token endpoints- Implement server-side audience validation for opaque tokens- Add database fields: ResourceUri (codes) and Audience (tokens)- Add comprehensive resource parameter validation logic- Add cross-resource audience validation in API middleware- Add extensive test coverage for RFC 8707 scenarios- Enhance PKCE implementation with timing attack protectionThis enables OAuth2 clients to specify target resource servers and preventstoken abuse across different Coder deployments through proper audience binding.Change-Id: I3924cb2139e837e3ac0b0bd40a5aeb59637ebc1bSigned-off-by: Thomas Kosiewski <tk@coder.com>
10db833
toa63b9fd
CompareThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Would like a second pair of eyes, but I don't have any further blocking comments here.
f0c9c4d
intomainUh oh!
There was an error while loading.Please reload this page.
Merge activity
|
Fixes duplicate migration introduced by#18575
Uh oh!
There was an error while loading.Please reload this page.
This pull request implements RFC 8707, Resource Indicators for OAuth 2.0 (https://datatracker.ietf.org/doc/html/rfc8707), to enhance the security of our OAuth 2.0 provider.
This change enables proper audience validation and binds access tokens to their intended resource, which is crucial
for preventing token misuse in multi-tenant environments or deployments with multiple resource servers.
Key Changes:
/oauth2/authorize
) and token (/oauth2/token
) endpoints, allowing clients to specify the intended resource server.coderd/httpmw/apikey.go
) to verify that the audience of the access token matches the resource server being accessed.resource_uri
column to theoauth2_provider_app_codes
table to store the resource requested during authorization.audience
column to theoauth2_provider_app_tokens
table to bind the issued token to a specific audience.coderd/oauth2_test.go
to cover various RFC 8707 scenarios, including valid flows, mismatched resources, and refresh token validation.How it Works:
This ensures that a token issued for one Coder deployment cannot be used to access another, significantly strengthening our authentication security.
Change-Id: I3924cb2139e837e3ac0b0bd40a5aeb59637ebc1b
Signed-off-by: Thomas Kosiewskitk@coder.com