synced/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2025-07-06 15:41:45 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: add OAuth2 protected resource metadata endpoint for RFC 9728 (#18643)

Browse Source 
# Add OAuth2 Protected Resource Metadata Endpoint

This PR implements the OAuth2 Protected Resource Metadata endpoint according to RFC 9728. The endpoint is available at `/.well-known/oauth-protected-resource` and provides information about Coder as an OAuth2 protected resource.

Key changes:
- Added a new endpoint at `/.well-known/oauth-protected-resource` that returns metadata about Coder as an OAuth2 protected resource
- Created a new `OAuth2ProtectedResourceMetadata` struct in the SDK
- Added tests to verify the endpoint functionality
- Updated API documentation to include the new endpoint

The implementation currently returns basic metadata including the resource identifier and authorization server URL. The `scopes_supported` field is empty until a scope system based on RBAC permissions is implemented. The `bearer_methods_supported` field is omitted as Coder uses custom authentication methods rather than standard RFC 6750 bearer tokens.

A TODO has been added to implement RFC 6750 bearer token support in the future.
This commit is contained in:
Thomas Kosiewski
2025-07-02 18:58:41 +02:00
committed by GitHub
parent 1b73b1a12f
commit 33bbf18a4b
10 changed files with 236 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
coderd/oauth2.go
View File

@ -417,3 +417,23 @@ func (api *API) oauth2AuthorizationServerMetadata(rw http.ResponseWriter, r *htt
}
httpapi.Write(ctx, rw, http.StatusOK, metadata)
}
// @Summary OAuth2 protected resource metadata.
// @ID oauth2-protected-resource-metadata
// @Produce json
// @Tags Enterprise
// @Success 200 {object} codersdk.OAuth2ProtectedResourceMetadata
// @Router /.well-known/oauth-protected-resource [get]
func (api *API) oauth2ProtectedResourceMetadata(rw http.ResponseWriter, r *http.Request) {
ctx := r.Context()
metadata := codersdk.OAuth2ProtectedResourceMetadata{
Resource: api.AccessURL.String(),
AuthorizationServers: []string{api.AccessURL.String()},
// TODO: Implement scope system based on RBAC permissions
ScopesSupported: []string{},
// Note: Coder uses custom authentication methods, not RFC 6750 bearer tokens
// TODO(ThomasK33): Implement RFC 6750
// BearerMethodsSupported: []string{}, // Omitted - no standard bearer token support
}
httpapi.Write(ctx, rw, http.StatusOK, metadata)
}