feat: oauth2 - add authorization server metadata endpoint and PKCE support (#18548)

## Summary This PR implements critical MCP OAuth2 compliance features for Coder's authorization server, adding PKCE support, resource parameter handling, and OAuth2 server metadata discovery. This brings Coder's OAuth2 implementation significantly closer to production readiness for MCP (Model Context Protocol) integrations. ## What's Added ### OAuth2 Authorization Server Metadata (RFC 8414) - Add `/.well-known/oauth-authorization-server` endpoint for automatic client discovery - Returns standardized metadata including supported grant types, response types, and PKCE methods - Essential for MCP client compatibility and OAuth2 standards compliance ### PKCE Support (RFC 7636) - Implement Proof Key for Code Exchange with S256 challenge method - Add `code_challenge` and `code_challenge_method` parameters to authorization flow - Add `code_verifier` validation in token exchange - Provides enhanced security for public clients (mobile apps, CLIs) ### Resource Parameter Support (RFC 8707) - Add `resource` parameter to authorization and token endpoints - Store resource URI and bind tokens to specific audiences - Critical for MCP's resource-bound token model ### Enhanced OAuth2 Error Handling - Add OAuth2-compliant error responses with proper error codes - Use standard error format: `{"error": "code", "error_description": "details"}` - Improve error consistency across OAuth2 endpoints ### Authorization UI Improvements - Fix authorization flow to use POST-based consent instead of GET redirects - Remove dependency on referer headers for security decisions - Improve CSRF protection with proper state parameter validation ## Why This Matters **For MCP Integration:** MCP requires OAuth2 authorization servers to support PKCE, resource parameters, and metadata discovery. Without these features, MCP clients cannot securely authenticate with Coder. **For Security:** PKCE prevents authorization code interception attacks, especially critical for public clients. Resource binding ensures tokens are only valid for intended services. **For Standards Compliance:** These are widely adopted OAuth2 extensions that improve interoperability with modern OAuth2 clients. ## Database Changes - **Migration 000343:** Adds `code_challenge`, `code_challenge_method`, `resource_uri` to `oauth2_provider_app_codes` - **Migration 000343:** Adds `audience` field to `oauth2_provider_app_tokens` for resource binding - **Audit Updates:** New OAuth2 fields properly tracked in audit system - **Backward Compatibility:** All changes maintain compatibility with existing OAuth2 flows ## Test Coverage - Comprehensive PKCE test suite in `coderd/identityprovider/pkce_test.go` - OAuth2 metadata endpoint tests in `coderd/oauth2_metadata_test.go` - Integration tests covering PKCE + resource parameter combinations - Negative tests for invalid PKCE verifiers and malformed requests ## Testing Instructions ```bash # Run the comprehensive OAuth2 test suite ./scripts/oauth2/test-mcp-oauth2.sh Manual Testing with Interactive Server # Start Coder in development mode ./scripts/develop.sh # In another terminal, set up test app and run interactive flow eval $(./scripts/oauth2/setup-test-app.sh) ./scripts/oauth2/test-manual-flow.sh # Opens browser with OAuth2 flow, handles callback automatically # Clean up when done ./scripts/oauth2/cleanup-test-app.sh Individual Component Testing # Test metadata endpoint curl -s http://localhost:3000/.well-known/oauth-authorization-server | jq . # Test PKCE generation ./scripts/oauth2/generate-pkce.sh # Run specific test suites go test -v ./coderd/identityprovider -run TestVerifyPKCE go test -v ./coderd -run TestOAuth2AuthorizationServerMetadata ``` ### Breaking Changes None. All changes maintain backward compatibility with existing OAuth2 flows. --- Change-Id: Ifbd0d9a543d545f9f56ecaa77ff2238542ff954a Signed-off-by: Thomas Kosiewski <tk@coder.com>
2025-07-03 16:13:58 +00:00 · 2025-07-01 15:39:29 +02:00
parent dbfbef6ecb
commit 6f2834f62a
41 changed files with 2846 additions and 304 deletions
--- a/coderd/database/queries.sql.go
+++ b/coderd/database/queries.sql.go
@ -4823,7 +4823,7 @@ func (q *sqlQuerier) DeleteOAuth2ProviderAppTokensByAppAndUserID(ctx context.Con
 }

 const getOAuth2ProviderAppByID = `-- name: GetOAuth2ProviderAppByID :one
-SELECT id, created_at, updated_at, name, icon, callback_url FROM oauth2_provider_apps WHERE id = $1
+SELECT id, created_at, updated_at, name, icon, callback_url, redirect_uris, client_type, dynamically_registered FROM oauth2_provider_apps WHERE id = $1
 `

 func (q *sqlQuerier) GetOAuth2ProviderAppByID(ctx context.Context, id uuid.UUID) (OAuth2ProviderApp, error) {
@ -4836,12 +4836,15 @@ func (q *sqlQuerier) GetOAuth2ProviderAppByID(ctx context.Context, id uuid.UUID)
 		&i.Name,
 		&i.Icon,
 		&i.CallbackURL,
+		pq.Array(&i.RedirectUris),
+		&i.ClientType,
+		&i.DynamicallyRegistered,
 	)
 	return i, err
 }

 const getOAuth2ProviderAppCodeByID = `-- name: GetOAuth2ProviderAppCodeByID :one
-SELECT id, created_at, expires_at, secret_prefix, hashed_secret, user_id, app_id FROM oauth2_provider_app_codes WHERE id = $1
+SELECT id, created_at, expires_at, secret_prefix, hashed_secret, user_id, app_id, resource_uri, code_challenge, code_challenge_method FROM oauth2_provider_app_codes WHERE id = $1
 `

 func (q *sqlQuerier) GetOAuth2ProviderAppCodeByID(ctx context.Context, id uuid.UUID) (OAuth2ProviderAppCode, error) {
@ -4855,12 +4858,15 @@ func (q *sqlQuerier) GetOAuth2ProviderAppCodeByID(ctx context.Context, id uuid.U
 		&i.HashedSecret,
 		&i.UserID,
 		&i.AppID,
+		&i.ResourceUri,
+		&i.CodeChallenge,
+		&i.CodeChallengeMethod,
 	)
 	return i, err
 }

 const getOAuth2ProviderAppCodeByPrefix = `-- name: GetOAuth2ProviderAppCodeByPrefix :one
-SELECT id, created_at, expires_at, secret_prefix, hashed_secret, user_id, app_id FROM oauth2_provider_app_codes WHERE secret_prefix = $1
+SELECT id, created_at, expires_at, secret_prefix, hashed_secret, user_id, app_id, resource_uri, code_challenge, code_challenge_method FROM oauth2_provider_app_codes WHERE secret_prefix = $1
 `

 func (q *sqlQuerier) GetOAuth2ProviderAppCodeByPrefix(ctx context.Context, secretPrefix []byte) (OAuth2ProviderAppCode, error) {
@ -4874,6 +4880,9 @@ func (q *sqlQuerier) GetOAuth2ProviderAppCodeByPrefix(ctx context.Context, secre
 		&i.HashedSecret,
 		&i.UserID,
 		&i.AppID,
+		&i.ResourceUri,
+		&i.CodeChallenge,
+		&i.CodeChallengeMethod,
 	)
 	return i, err
 }
@ -4952,7 +4961,7 @@ func (q *sqlQuerier) GetOAuth2ProviderAppSecretsByAppID(ctx context.Context, app
 }

 const getOAuth2ProviderAppTokenByPrefix = `-- name: GetOAuth2ProviderAppTokenByPrefix :one
-SELECT id, created_at, expires_at, hash_prefix, refresh_hash, app_secret_id, api_key_id FROM oauth2_provider_app_tokens WHERE hash_prefix = $1
+SELECT id, created_at, expires_at, hash_prefix, refresh_hash, app_secret_id, api_key_id, audience FROM oauth2_provider_app_tokens WHERE hash_prefix = $1
 `

 func (q *sqlQuerier) GetOAuth2ProviderAppTokenByPrefix(ctx context.Context, hashPrefix []byte) (OAuth2ProviderAppToken, error) {
@ -4966,12 +4975,13 @@ func (q *sqlQuerier) GetOAuth2ProviderAppTokenByPrefix(ctx context.Context, hash
 		&i.RefreshHash,
 		&i.AppSecretID,
 		&i.APIKeyID,
+		&i.Audience,
 	)
 	return i, err
 }

 const getOAuth2ProviderApps = `-- name: GetOAuth2ProviderApps :many
-SELECT id, created_at, updated_at, name, icon, callback_url FROM oauth2_provider_apps ORDER BY (name, id) ASC
+SELECT id, created_at, updated_at, name, icon, callback_url, redirect_uris, client_type, dynamically_registered FROM oauth2_provider_apps ORDER BY (name, id) ASC
 `

 func (q *sqlQuerier) GetOAuth2ProviderApps(ctx context.Context) ([]OAuth2ProviderApp, error) {
@ -4990,6 +5000,9 @@ func (q *sqlQuerier) GetOAuth2ProviderApps(ctx context.Context) ([]OAuth2Provide
 			&i.Name,
 			&i.Icon,
 			&i.CallbackURL,
+			pq.Array(&i.RedirectUris),
+			&i.ClientType,
+			&i.DynamicallyRegistered,
 		); err != nil {
 			return nil, err
 		}
@ -5007,7 +5020,7 @@ func (q *sqlQuerier) GetOAuth2ProviderApps(ctx context.Context) ([]OAuth2Provide
 const getOAuth2ProviderAppsByUserID = `-- name: GetOAuth2ProviderAppsByUserID :many
 SELECT
  COUNT(DISTINCT oauth2_provider_app_tokens.id) as token_count,
-  oauth2_provider_apps.id, oauth2_provider_apps.created_at, oauth2_provider_apps.updated_at, oauth2_provider_apps.name, oauth2_provider_apps.icon, oauth2_provider_apps.callback_url
+  oauth2_provider_apps.id, oauth2_provider_apps.created_at, oauth2_provider_apps.updated_at, oauth2_provider_apps.name, oauth2_provider_apps.icon, oauth2_provider_apps.callback_url, oauth2_provider_apps.redirect_uris, oauth2_provider_apps.client_type, oauth2_provider_apps.dynamically_registered
 FROM oauth2_provider_app_tokens
  INNER JOIN oauth2_provider_app_secrets
    ON oauth2_provider_app_secrets.id = oauth2_provider_app_tokens.app_secret_id
@ -5043,6 +5056,9 @@ func (q *sqlQuerier) GetOAuth2ProviderAppsByUserID(ctx context.Context, userID u
 			&i.OAuth2ProviderApp.Name,
 			&i.OAuth2ProviderApp.Icon,
 			&i.OAuth2ProviderApp.CallbackURL,
+			pq.Array(&i.OAuth2ProviderApp.RedirectUris),
+			&i.OAuth2ProviderApp.ClientType,
+			&i.OAuth2ProviderApp.DynamicallyRegistered,
 		); err != nil {
 			return nil, err
 		}
@ -5064,24 +5080,33 @@ INSERT INTO oauth2_provider_apps (
    updated_at,
    name,
    icon,
-    callback_url
+    callback_url,
+    redirect_uris,
+    client_type,
+    dynamically_registered
 ) VALUES(
    $1,
    $2,
    $3,
    $4,
    $5,
-    $6
-) RETURNING id, created_at, updated_at, name, icon, callback_url
+    $6,
+    $7,
+    $8,
+    $9
+) RETURNING id, created_at, updated_at, name, icon, callback_url, redirect_uris, client_type, dynamically_registered
 `

 type InsertOAuth2ProviderAppParams struct {
-	ID          uuid.UUID `db:"id" json:"id"`
-	CreatedAt   time.Time `db:"created_at" json:"created_at"`
-	UpdatedAt   time.Time `db:"updated_at" json:"updated_at"`
-	Name        string    `db:"name" json:"name"`
-	Icon        string    `db:"icon" json:"icon"`
-	CallbackURL string    `db:"callback_url" json:"callback_url"`
+	ID                    uuid.UUID      `db:"id" json:"id"`
+	CreatedAt             time.Time      `db:"created_at" json:"created_at"`
+	UpdatedAt             time.Time      `db:"updated_at" json:"updated_at"`
+	Name                  string         `db:"name" json:"name"`
+	Icon                  string         `db:"icon" json:"icon"`
+	CallbackURL           string         `db:"callback_url" json:"callback_url"`
+	RedirectUris          []string       `db:"redirect_uris" json:"redirect_uris"`
+	ClientType            sql.NullString `db:"client_type" json:"client_type"`
+	DynamicallyRegistered sql.NullBool   `db:"dynamically_registered" json:"dynamically_registered"`
 }

 func (q *sqlQuerier) InsertOAuth2ProviderApp(ctx context.Context, arg InsertOAuth2ProviderAppParams) (OAuth2ProviderApp, error) {
@ -5092,6 +5117,9 @@ func (q *sqlQuerier) InsertOAuth2ProviderApp(ctx context.Context, arg InsertOAut
 		arg.Name,
 		arg.Icon,
 		arg.CallbackURL,
+		pq.Array(arg.RedirectUris),
+		arg.ClientType,
+		arg.DynamicallyRegistered,
 	)
 	var i OAuth2ProviderApp
 	err := row.Scan(
@ -5101,6 +5129,9 @@ func (q *sqlQuerier) InsertOAuth2ProviderApp(ctx context.Context, arg InsertOAut
 		&i.Name,
 		&i.Icon,
 		&i.CallbackURL,
+		pq.Array(&i.RedirectUris),
+		&i.ClientType,
+		&i.DynamicallyRegistered,
 	)
 	return i, err
 }
@ -5113,7 +5144,10 @@ INSERT INTO oauth2_provider_app_codes (
    secret_prefix,
    hashed_secret,
    app_id,
-    user_id
+    user_id,
+    resource_uri,
+    code_challenge,
+    code_challenge_method
 ) VALUES(
    $1,
    $2,
@ -5121,18 +5155,24 @@ INSERT INTO oauth2_provider_app_codes (
    $4,
    $5,
    $6,
-    $7
-) RETURNING id, created_at, expires_at, secret_prefix, hashed_secret, user_id, app_id
+    $7,
+    $8,
+    $9,
+    $10
+) RETURNING id, created_at, expires_at, secret_prefix, hashed_secret, user_id, app_id, resource_uri, code_challenge, code_challenge_method
 `

 type InsertOAuth2ProviderAppCodeParams struct {
-	ID           uuid.UUID `db:"id" json:"id"`
-	CreatedAt    time.Time `db:"created_at" json:"created_at"`
-	ExpiresAt    time.Time `db:"expires_at" json:"expires_at"`
-	SecretPrefix []byte    `db:"secret_prefix" json:"secret_prefix"`
-	HashedSecret []byte    `db:"hashed_secret" json:"hashed_secret"`
-	AppID        uuid.UUID `db:"app_id" json:"app_id"`
-	UserID       uuid.UUID `db:"user_id" json:"user_id"`
+	ID                  uuid.UUID      `db:"id" json:"id"`
+	CreatedAt           time.Time      `db:"created_at" json:"created_at"`
+	ExpiresAt           time.Time      `db:"expires_at" json:"expires_at"`
+	SecretPrefix        []byte         `db:"secret_prefix" json:"secret_prefix"`
+	HashedSecret        []byte         `db:"hashed_secret" json:"hashed_secret"`
+	AppID               uuid.UUID      `db:"app_id" json:"app_id"`
+	UserID              uuid.UUID      `db:"user_id" json:"user_id"`
+	ResourceUri         sql.NullString `db:"resource_uri" json:"resource_uri"`
+	CodeChallenge       sql.NullString `db:"code_challenge" json:"code_challenge"`
+	CodeChallengeMethod sql.NullString `db:"code_challenge_method" json:"code_challenge_method"`
 }

 func (q *sqlQuerier) InsertOAuth2ProviderAppCode(ctx context.Context, arg InsertOAuth2ProviderAppCodeParams) (OAuth2ProviderAppCode, error) {
@ -5144,6 +5184,9 @@ func (q *sqlQuerier) InsertOAuth2ProviderAppCode(ctx context.Context, arg Insert
 		arg.HashedSecret,
 		arg.AppID,
 		arg.UserID,
+		arg.ResourceUri,
+		arg.CodeChallenge,
+		arg.CodeChallengeMethod,
 	)
 	var i OAuth2ProviderAppCode
 	err := row.Scan(
@ -5154,6 +5197,9 @@ func (q *sqlQuerier) InsertOAuth2ProviderAppCode(ctx context.Context, arg Insert
 		&i.HashedSecret,
 		&i.UserID,
 		&i.AppID,
+		&i.ResourceUri,
+		&i.CodeChallenge,
+		&i.CodeChallengeMethod,
 	)
 	return i, err
 }
@ -5215,7 +5261,8 @@ INSERT INTO oauth2_provider_app_tokens (
    hash_prefix,
    refresh_hash,
    app_secret_id,
-    api_key_id
+    api_key_id,
+    audience
 ) VALUES(
    $1,
    $2,
@ -5223,18 +5270,20 @@ INSERT INTO oauth2_provider_app_tokens (
    $4,
    $5,
    $6,
-    $7
-) RETURNING id, created_at, expires_at, hash_prefix, refresh_hash, app_secret_id, api_key_id
+    $7,
+    $8
+) RETURNING id, created_at, expires_at, hash_prefix, refresh_hash, app_secret_id, api_key_id, audience
 `

 type InsertOAuth2ProviderAppTokenParams struct {
-	ID          uuid.UUID `db:"id" json:"id"`
-	CreatedAt   time.Time `db:"created_at" json:"created_at"`
-	ExpiresAt   time.Time `db:"expires_at" json:"expires_at"`
-	HashPrefix  []byte    `db:"hash_prefix" json:"hash_prefix"`
-	RefreshHash []byte    `db:"refresh_hash" json:"refresh_hash"`
-	AppSecretID uuid.UUID `db:"app_secret_id" json:"app_secret_id"`
-	APIKeyID    string    `db:"api_key_id" json:"api_key_id"`
+	ID          uuid.UUID      `db:"id" json:"id"`
+	CreatedAt   time.Time      `db:"created_at" json:"created_at"`
+	ExpiresAt   time.Time      `db:"expires_at" json:"expires_at"`
+	HashPrefix  []byte         `db:"hash_prefix" json:"hash_prefix"`
+	RefreshHash []byte         `db:"refresh_hash" json:"refresh_hash"`
+	AppSecretID uuid.UUID      `db:"app_secret_id" json:"app_secret_id"`
+	APIKeyID    string         `db:"api_key_id" json:"api_key_id"`
+	Audience    sql.NullString `db:"audience" json:"audience"`
 }

 func (q *sqlQuerier) InsertOAuth2ProviderAppToken(ctx context.Context, arg InsertOAuth2ProviderAppTokenParams) (OAuth2ProviderAppToken, error) {
@ -5246,6 +5295,7 @@ func (q *sqlQuerier) InsertOAuth2ProviderAppToken(ctx context.Context, arg Inser
 		arg.RefreshHash,
 		arg.AppSecretID,
 		arg.APIKeyID,
+		arg.Audience,
 	)
 	var i OAuth2ProviderAppToken
 	err := row.Scan(
@ -5256,6 +5306,7 @@ func (q *sqlQuerier) InsertOAuth2ProviderAppToken(ctx context.Context, arg Inser
 		&i.RefreshHash,
 		&i.AppSecretID,
 		&i.APIKeyID,
+		&i.Audience,
 	)
 	return i, err
 }
@ -5265,16 +5316,22 @@ UPDATE oauth2_provider_apps SET
    updated_at = $2,
    name = $3,
    icon = $4,
-    callback_url = $5
-WHERE id = $1 RETURNING id, created_at, updated_at, name, icon, callback_url
+    callback_url = $5,
+    redirect_uris = $6,
+    client_type = $7,
+    dynamically_registered = $8
+WHERE id = $1 RETURNING id, created_at, updated_at, name, icon, callback_url, redirect_uris, client_type, dynamically_registered
 `

 type UpdateOAuth2ProviderAppByIDParams struct {
-	ID          uuid.UUID `db:"id" json:"id"`
-	UpdatedAt   time.Time `db:"updated_at" json:"updated_at"`
-	Name        string    `db:"name" json:"name"`
-	Icon        string    `db:"icon" json:"icon"`
-	CallbackURL string    `db:"callback_url" json:"callback_url"`
+	ID                    uuid.UUID      `db:"id" json:"id"`
+	UpdatedAt             time.Time      `db:"updated_at" json:"updated_at"`
+	Name                  string         `db:"name" json:"name"`
+	Icon                  string         `db:"icon" json:"icon"`
+	CallbackURL           string         `db:"callback_url" json:"callback_url"`
+	RedirectUris          []string       `db:"redirect_uris" json:"redirect_uris"`
+	ClientType            sql.NullString `db:"client_type" json:"client_type"`
+	DynamicallyRegistered sql.NullBool   `db:"dynamically_registered" json:"dynamically_registered"`
 }

 func (q *sqlQuerier) UpdateOAuth2ProviderAppByID(ctx context.Context, arg UpdateOAuth2ProviderAppByIDParams) (OAuth2ProviderApp, error) {
@ -5284,6 +5341,9 @@ func (q *sqlQuerier) UpdateOAuth2ProviderAppByID(ctx context.Context, arg Update
 		arg.Name,
 		arg.Icon,
 		arg.CallbackURL,
+		pq.Array(arg.RedirectUris),
+		arg.ClientType,
+		arg.DynamicallyRegistered,
 	)
 	var i OAuth2ProviderApp
 	err := row.Scan(
@ -5293,6 +5353,9 @@ func (q *sqlQuerier) UpdateOAuth2ProviderAppByID(ctx context.Context, arg Update
 		&i.Name,
 		&i.Icon,
 		&i.CallbackURL,
+		pq.Array(&i.RedirectUris),
+		&i.ClientType,
+		&i.DynamicallyRegistered,
 	)
 	return i, err
 }