Jul 2, 2025 · Jun 27, 2025 · Jul 2, 2025
diff --git a/coderd/apidoc/docs.go b/coderd/apidoc/docs.go
diff --git a/coderd/apidoc/swagger.json b/coderd/apidoc/swagger.json
diff --git a/coderd/coderd.go b/coderd/coderd.go

 // OAuth2 metadata endpoint for RFC 8414 discovery
 r.Get("/.well-known/oauth-authorization-server", api.oauth2AuthorizationServerMetadata)
 // OAuth2 protected resource metadata endpoint for RFC 9728 discovery
 r.Get("/.well-known/oauth-protected-resource", api.oauth2ProtectedResourceMetadata)

 // OAuth2 linking routes do not make sense under the /api/v2 path.  These are
 // for an external application to use Coder as an OAuth2 provider, not for
diff --git a/coderd/httpmw/apikey.go b/coderd/httpmw/apikey.go
 return headerValue
 }

 // TODO(ThomasK33): Implement RFC 6750

 return ""
 }

diff --git a/coderd/oauth2.go b/coderd/oauth2.go
 }
 httpapi.Write(ctx, rw, http.StatusOK, metadata)
 }

 // @Summary OAuth2 protected resource metadata.
 // @ID oauth2-protected-resource-metadata
 // @Produce json
 // @Tags Enterprise
 // @Success 200 {object} codersdk.OAuth2ProtectedResourceMetadata
 // @Router /.well-known/oauth-protected-resource [get]
 func (api *API) oauth2ProtectedResourceMetadata(rw http.ResponseWriter, r *http.Request) {
 ctx := r.Context()
 metadata := codersdk.OAuth2ProtectedResourceMetadata{
 Resource:             api.AccessURL.String(),
 AuthorizationServers: []string{api.AccessURL.String()},
 // TODO: Implement scope system based on RBAC permissions
 ScopesSupported: []string{},
 // Note: Coder uses custom authentication methods, not RFC 6750 bearer tokens
 // TODO(ThomasK33): Implement RFC 6750
 // BearerMethodsSupported: []string{}, // Omitted - no standard bearer token support
 }
 httpapi.Write(ctx, rw, http.StatusOK, metadata)
 }
diff --git a/coderd/oauth2_metadata_test.go b/coderd/oauth2_metadata_test.go
 "context"
 "encoding/json"
 "net/http"
 "net/url"
 "testing"

 "github.com/stretchr/testify/require"
 t.Parallel()

 client := coderdtest.New(t, nil)
 serverURL := client.URL

 ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
 defer cancel()

 // Get the metadata
 resp, err := client.Request(ctx, http.MethodGet, "/.well-known/oauth-authorization-server", nil)
 // Use a plain HTTP client since this endpoint doesn't require authentication
 endpoint := serverURL.ResolveReference(&url.URL{Path: "/.well-known/oauth-authorization-server"}).String()
 req, err := http.NewRequestWithContext(ctx, http.MethodGet, endpoint, nil)
 require.NoError(t, err)

 resp, err := http.DefaultClient.Do(req)
 require.NoError(t, err)
 defer resp.Body.Close()

 require.Contains(t, metadata.GrantTypesSupported, "refresh_token")
 require.Contains(t, metadata.CodeChallengeMethodsSupported, "S256")
 }

 func TestOAuth2ProtectedResourceMetadata(t *testing.T) {
 t.Parallel()

 client := coderdtest.New(t, nil)
 serverURL := client.URL

 ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
 defer cancel()

 // Use a plain HTTP client since this endpoint doesn't require authentication
 endpoint := serverURL.ResolveReference(&url.URL{Path: "/.well-known/oauth-protected-resource"}).String()
 req, err := http.NewRequestWithContext(ctx, http.MethodGet, endpoint, nil)
 require.NoError(t, err)

 resp, err := http.DefaultClient.Do(req)
 require.NoError(t, err)
 defer resp.Body.Close()

 require.Equal(t, http.StatusOK, resp.StatusCode)

 var metadata codersdk.OAuth2ProtectedResourceMetadata
 err = json.NewDecoder(resp.Body).Decode(&metadata)
 require.NoError(t, err)

 // Verify the metadata
 require.NotEmpty(t, metadata.Resource)
 require.NotEmpty(t, metadata.AuthorizationServers)
 require.Len(t, metadata.AuthorizationServers, 1)
 require.Equal(t, metadata.Resource, metadata.AuthorizationServers[0])
 // BearerMethodsSupported is omitted since Coder uses custom authentication methods
 // Standard RFC 6750 bearer tokens are not supported
 require.True(t, len(metadata.BearerMethodsSupported) == 0)
 // ScopesSupported can be empty until scope system is implemented
 // Empty slice is marshaled as empty array, but can be nil when unmarshaled
 require.True(t, len(metadata.ScopesSupported) == 0)
 }
diff --git a/codersdk/oauth2.go b/codersdk/oauth2.go
 ScopesSupported                   []string `json:"scopes_supported,omitempty"`
 TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported,omitempty"`
 }

 // OAuth2ProtectedResourceMetadata represents RFC 9728 OAuth 2.0 Protected Resource Metadata
 type OAuth2ProtectedResourceMetadata struct {
 Resource               string   `json:"resource"`
 AuthorizationServers   []string `json:"authorization_servers"`
 ScopesSupported        []string `json:"scopes_supported,omitempty"`
 BearerMethodsSupported []string `json:"bearer_methods_supported,omitempty"`
 }
diff --git a/docs/reference/api/enterprise.md b/docs/reference/api/enterprise.md
diff --git a/docs/reference/api/schemas.md b/docs/reference/api/schemas.md
diff --git a/site/src/api/typesGenerated.ts b/site/src/api/typesGenerated.ts
Original file line number	Diff line number	Diff line change
Expand Up		@@ -914,6 +914,8 @@ func New(options Options) API {

		// OAuth2 metadata endpoint for RFC 8414 discovery
		r.Get("/.well-known/oauth-authorization-server", api.oauth2AuthorizationServerMetadata)
		// OAuth2 protected resource metadata endpoint for RFC 9728 discovery
		r.Get("/.well-known/oauth-protected-resource", api.oauth2ProtectedResourceMetadata)

		// OAuth2 linking routes do not make sense under the /api/v2 path. These are
		// for an external application to use Coder as an OAuth2 provider, not for
Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -671,6 +671,8 @@ func APITokenFromRequest(r *http.Request) string {
		return headerValue
		}

		// TODO(ThomasK33): Implement RFC 6750

		return ""
		}

Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -417,3 +417,23 @@ func (api API) oauth2AuthorizationServerMetadata(rw http.ResponseWriter, r htt
		}
		httpapi.Write(ctx, rw, http.StatusOK, metadata)
		}

		// @Summary OAuth2 protected resource metadata.
		// @ID oauth2-protected-resource-metadata
		// @Produce json
		// @Tags Enterprise
		// @Success 200 {object} codersdk.OAuth2ProtectedResourceMetadata
		// @Router /.well-known/oauth-protected-resource [get]
		func (api API) oauth2ProtectedResourceMetadata(rw http.ResponseWriter, r http.Request) {
		ctx := r.Context()
		metadata := codersdk.OAuth2ProtectedResourceMetadata{
		Resource: api.AccessURL.String(),
		AuthorizationServers: []string{api.AccessURL.String()},
		// TODO: Implement scope system based on RBAC permissions
		ScopesSupported: []string{},
		// Note: Coder uses custom authentication methods, not RFC 6750 bearer tokens
		// TODO(ThomasK33): Implement RFC 6750
		// BearerMethodsSupported: []string{}, // Omitted - no standard bearer token support
		}
		httpapi.Write(ctx, rw, http.StatusOK, metadata)
		}
Original file line number	Diff line number	Diff line change
Expand Up		@@ -4,6 +4,7 @@ import (
		"context"
		"encoding/json"
		"net/http"
		"net/url"
		"testing"

		"github.com/stretchr/testify/require"
Expand All		@@ -17,12 +18,17 @@ func TestOAuth2AuthorizationServerMetadata(t *testing.T) {
		t.Parallel()

		client := coderdtest.New(t, nil)
		serverURL := client.URL

		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
		defer cancel()

		// Get the metadata
		resp, err := client.Request(ctx, http.MethodGet, "/.well-known/oauth-authorization-server", nil)
		// Use a plain HTTP client since this endpoint doesn't require authentication
		endpoint := serverURL.ResolveReference(&url.URL{Path: "/.well-known/oauth-authorization-server"}).String()
		req, err := http.NewRequestWithContext(ctx, http.MethodGet, endpoint, nil)
		require.NoError(t, err)

		resp, err := http.DefaultClient.Do(req)
		require.NoError(t, err)
		defer resp.Body.Close()

Expand All		@@ -41,3 +47,40 @@ func TestOAuth2AuthorizationServerMetadata(t *testing.T) {
		require.Contains(t, metadata.GrantTypesSupported, "refresh_token")
		require.Contains(t, metadata.CodeChallengeMethodsSupported, "S256")
		}

		func TestOAuth2ProtectedResourceMetadata(t *testing.T) {
		t.Parallel()

		client := coderdtest.New(t, nil)
		serverURL := client.URL

		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
		defer cancel()

		// Use a plain HTTP client since this endpoint doesn't require authentication
		endpoint := serverURL.ResolveReference(&url.URL{Path: "/.well-known/oauth-protected-resource"}).String()
		req, err := http.NewRequestWithContext(ctx, http.MethodGet, endpoint, nil)
		require.NoError(t, err)

		resp, err := http.DefaultClient.Do(req)
		require.NoError(t, err)
		defer resp.Body.Close()

		require.Equal(t, http.StatusOK, resp.StatusCode)

		var metadata codersdk.OAuth2ProtectedResourceMetadata
		err = json.NewDecoder(resp.Body).Decode(&metadata)
		require.NoError(t, err)

		// Verify the metadata
		require.NotEmpty(t, metadata.Resource)
		require.NotEmpty(t, metadata.AuthorizationServers)
		require.Len(t, metadata.AuthorizationServers, 1)
		require.Equal(t, metadata.Resource, metadata.AuthorizationServers[0])
		// BearerMethodsSupported is omitted since Coder uses custom authentication methods
		// Standard RFC 6750 bearer tokens are not supported
		require.True(t, len(metadata.BearerMethodsSupported) == 0)
		// ScopesSupported can be empty until scope system is implemented
		// Empty slice is marshaled as empty array, but can be nil when unmarshaled
		require.True(t, len(metadata.ScopesSupported) == 0)
		}
Original file line number	Diff line number	Diff line change
Expand Up		@@ -244,3 +244,11 @@ type OAuth2AuthorizationServerMetadata struct {
		ScopesSupported []string `json:"scopes_supported,omitempty"`
		TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported,omitempty"`
		}

		// OAuth2ProtectedResourceMetadata represents RFC 9728 OAuth 2.0 Protected Resource Metadata
		type OAuth2ProtectedResourceMetadata struct {
		Resource string `json:"resource"`
		AuthorizationServers []string `json:"authorization_servers"`
		ScopesSupported []string `json:"scopes_supported,omitempty"`
		BearerMethodsSupported []string `json:"bearer_methods_supported,omitempty"`
		}