synced/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2025-07-06 15:41:45 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: implement OAuth2 dynamic client registration (RFC 7591/7592) (#18645)

Browse Source 
# Implement OAuth2 Dynamic Client Registration (RFC 7591/7592)

This PR implements OAuth2 Dynamic Client Registration according to RFC 7591 and Client Configuration Management according to RFC 7592. These standards allow OAuth2 clients to register themselves programmatically with Coder as an authorization server.

Key changes include:

1. Added database schema extensions to support RFC 7591/7592 fields in the `oauth2_provider_apps` table
2. Implemented `/oauth2/register` endpoint for dynamic client registration (RFC 7591)
3. Added client configuration management endpoints (RFC 7592):
   - GET/PUT/DELETE `/oauth2/clients/{client_id}`
   - Registration access token validation middleware

4. Added comprehensive validation for OAuth2 client metadata:
   - URI validation with support for custom schemes for native apps
   - Grant type and response type validation
   - Token endpoint authentication method validation

5. Enhanced developer documentation with:
   - RFC compliance guidelines
   - Testing best practices to avoid race conditions
   - Systematic debugging approaches for OAuth2 implementations

The implementation follows security best practices from the RFCs, including proper token handling, secure defaults, and appropriate error responses. This enables third-party applications to integrate with Coder's OAuth2 provider capabilities programmatically.
This commit is contained in:
Thomas Kosiewski
2025-07-03 18:33:47 +02:00
committed by GitHub
parent 699dd8e554
commit 74e1d5c4b6
30 changed files with 5802 additions and 133 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
coderd/coderd.go
View File

@ -950,6 +950,20 @@ func New(options *Options) *API {
// we cannot require an API key.
r.Post("/", api.postOAuth2ProviderAppToken())
})
// RFC 7591 Dynamic Client Registration - Public endpoint
r.Post("/register", api.postOAuth2ClientRegistration)
// RFC 7592 Client Configuration Management - Protected by registration access token
r.Route("/clients/{client_id}", func(r chi.Router) {
r.Use(
// Middleware to validate registration access token
api.requireRegistrationAccessToken,
)
r.Get("/", api.oauth2ClientConfiguration) // Read client configuration
r.Put("/", api.putOAuth2ClientConfiguration) // Update client configuration
r.Delete("/", api.deleteOAuth2ClientConfiguration) // Delete client
})
})
// Experimental routes are not guaranteed to be stable and may change at any time.