feat: make OAuth2 provider not enterprise-only (#12732)

2025-07-03 16:13:58 +00:00 · 2024-03-25 11:52:22 -08:00
parent 60f335113c
commit 40e5ad5499
14 changed files with 92 additions and 168 deletions
--- a/coderd/coderd.go
+++ b/coderd/coderd.go
@ -689,6 +689,34 @@ func New(options *Options) *API {
 		})
 	}

+	// OAuth2 linking routes do not make sense under the /api/v2 path.  These are
+	// for an external application to use Coder as an OAuth2 provider, not for
+	// logging into Coder with an external OAuth2 provider.
+	r.Route("/oauth2", func(r chi.Router) {
+		r.Use(
+			api.oAuth2ProviderMiddleware,
+			// Fetch the app as system because in the /tokens route there will be no
+			// authenticated user.
+			httpmw.AsAuthzSystem(httpmw.ExtractOAuth2ProviderApp(options.Database)),
+		)
+		r.Route("/authorize", func(r chi.Router) {
+			r.Use(apiKeyMiddlewareRedirect)
+			r.Get("/", api.getOAuth2ProviderAppAuthorize())
+		})
+		r.Route("/tokens", func(r chi.Router) {
+			r.Group(func(r chi.Router) {
+				r.Use(apiKeyMiddleware)
+				// DELETE on /tokens is not part of the OAuth2 spec.  It is our own
+				// route used to revoke permissions from an application.  It is here for
+				// parity with POST on /tokens.
+				r.Delete("/", api.deleteOAuth2ProviderAppTokens())
+			})
+			// The POST /tokens endpoint will be called from an unauthorized client so
+			// we cannot require an API key.
+			r.Post("/", api.postOAuth2ProviderAppToken())
+		})
+	})
+
 	r.Route("/api/v2", func(r chi.Router) {
 		api.APIHandler = r

@ -1098,6 +1126,34 @@ func New(options *Options) *API {
 			}
 			r.Method("GET", "/expvar", expvar.Handler()) // contains DERP metrics as well as cmdline and memstats
 		})
+		// Manage OAuth2 applications that can use Coder as an OAuth2 provider.
+		r.Route("/oauth2-provider", func(r chi.Router) {
+			r.Use(
+				apiKeyMiddleware,
+				api.oAuth2ProviderMiddleware,
+			)
+			r.Route("/apps", func(r chi.Router) {
+				r.Get("/", api.oAuth2ProviderApps)
+				r.Post("/", api.postOAuth2ProviderApp)
+
+				r.Route("/{app}", func(r chi.Router) {
+					r.Use(httpmw.ExtractOAuth2ProviderApp(options.Database))
+					r.Get("/", api.oAuth2ProviderApp)
+					r.Put("/", api.putOAuth2ProviderApp)
+					r.Delete("/", api.deleteOAuth2ProviderApp)
+
+					r.Route("/secrets", func(r chi.Router) {
+						r.Get("/", api.oAuth2ProviderAppSecrets)
+						r.Post("/", api.postOAuth2ProviderAppSecret)
+
+						r.Route("/{secretID}", func(r chi.Router) {
+							r.Use(httpmw.ExtractOAuth2ProviderAppSecret(options.Database))
+							r.Delete("/", api.deleteOAuth2ProviderAppSecret)
+						})
+					})
+				})
+			})
+		})
 	})

 	if options.SwaggerEndpoint {