feat: implement OAuth2 dynamic client registration (RFC 7591/7592) (#18645)

# Implement OAuth2 Dynamic Client Registration (RFC 7591/7592)

This PR implements OAuth2 Dynamic Client Registration according to RFC 7591 and Client Configuration Management according to RFC 7592. These standards allow OAuth2 clients to register themselves programmatically with Coder as an authorization server.

Key changes include:

1. Added database schema extensions to support RFC 7591/7592 fields in the `oauth2_provider_apps` table
2. Implemented `/oauth2/register` endpoint for dynamic client registration (RFC 7591)
3. Added client configuration management endpoints (RFC 7592):
   - GET/PUT/DELETE `/oauth2/clients/{client_id}`
   - Registration access token validation middleware

4. Added comprehensive validation for OAuth2 client metadata:
   - URI validation with support for custom schemes for native apps
   - Grant type and response type validation
   - Token endpoint authentication method validation

5. Enhanced developer documentation with:
   - RFC compliance guidelines
   - Testing best practices to avoid race conditions
   - Systematic debugging approaches for OAuth2 implementations

The implementation follows security best practices from the RFCs, including proper token handling, secure defaults, and appropriate error responses. This enables third-party applications to integrate with Coder's OAuth2 provider capabilities programmatically.

coderd/database/queries/oauth2.sql

@@ -14,7 +14,24 @@ INSERT INTO oauth2_provider_apps (
     callback_url,
     redirect_uris,
     client_type,
-    dynamically_registered
+    dynamically_registered,
+    client_id_issued_at,
+    client_secret_expires_at,
+    grant_types,
+    response_types,
+    token_endpoint_auth_method,
+    scope,
+    contacts,
+    client_uri,
+    logo_uri,
+    tos_uri,
+    policy_uri,
+    jwks_uri,
+    jwks,
+    software_id,
+    software_version,
+    registration_access_token,
+    registration_client_uri
 ) VALUES(
     $1,
     $2,
@@ -24,7 +41,24 @@ INSERT INTO oauth2_provider_apps (
     $6,
     $7,
     $8,
-    $9
+    $9,
+    $10,
+    $11,
+    $12,
+    $13,
+    $14,
+    $15,
+    $16,
+    $17,
+    $18,
+    $19,
+    $20,
+    $21,
+    $22,
+    $23,
+    $24,
+    $25,
+    $26
 ) RETURNING *;
 
 -- name: UpdateOAuth2ProviderAppByID :one
@@ -35,7 +69,21 @@ UPDATE oauth2_provider_apps SET
     callback_url = $5,
     redirect_uris = $6,
     client_type = $7,
-    dynamically_registered = $8
+    dynamically_registered = $8,
+    client_secret_expires_at = $9,
+    grant_types = $10,
+    response_types = $11,
+    token_endpoint_auth_method = $12,
+    scope = $13,
+    contacts = $14,
+    client_uri = $15,
+    logo_uri = $16,
+    tos_uri = $17,
+    policy_uri = $18,
+    jwks_uri = $19,
+    jwks = $20,
+    software_id = $21,
+    software_version = $22
 WHERE id = $1 RETURNING *;
 
 -- name: DeleteOAuth2ProviderAppByID :exec
@@ -164,3 +212,38 @@ WHERE
   oauth2_provider_app_secrets.id = oauth2_provider_app_tokens.app_secret_id
   AND oauth2_provider_app_secrets.app_id = $1
   AND oauth2_provider_app_tokens.user_id = $2;
+
+-- RFC 7591/7592 Dynamic Client Registration queries
+
+-- name: GetOAuth2ProviderAppByClientID :one
+SELECT * FROM oauth2_provider_apps WHERE id = $1;
+
+-- name: UpdateOAuth2ProviderAppByClientID :one
+UPDATE oauth2_provider_apps SET
+    updated_at = $2,
+    name = $3,
+    icon = $4,
+    callback_url = $5,
+    redirect_uris = $6,
+    client_type = $7,
+    client_secret_expires_at = $8,
+    grant_types = $9,
+    response_types = $10,
+    token_endpoint_auth_method = $11,
+    scope = $12,
+    contacts = $13,
+    client_uri = $14,
+    logo_uri = $15,
+    tos_uri = $16,
+    policy_uri = $17,
+    jwks_uri = $18,
+    jwks = $19,
+    software_id = $20,
+    software_version = $21
+WHERE id = $1 RETURNING *;
+
+-- name: DeleteOAuth2ProviderAppByClientID :exec
+DELETE FROM oauth2_provider_apps WHERE id = $1;
+
+-- name: GetOAuth2ProviderAppByRegistrationToken :one
+SELECT * FROM oauth2_provider_apps WHERE registration_access_token = $1;