synced/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2025-07-09 11:45:56 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
a099a8a25c78444448c2aee3b40109c5fd73f8c8
coder/scripts/oauth2
History
Thomas Kosiewski 09c50559f3 feat: implement RFC 6750 Bearer token authentication (#18644) 
# Add RFC 6750 Bearer Token Authentication Support

This PR implements RFC 6750 Bearer Token authentication as an additional authentication method for Coder's API. This allows clients to authenticate using standard OAuth 2.0 Bearer tokens in two ways:

1. Using the `Authorization: Bearer <token>` header
2. Using the `access_token` query parameter

Key changes:

- Added support for extracting tokens from both Bearer headers and access_token query parameters
- Implemented proper WWW-Authenticate headers for 401/403 responses with appropriate error descriptions
- Added comprehensive test coverage for the new authentication methods
- Updated the OAuth2 protected resource metadata endpoint to advertise Bearer token support
- Enhanced the OAuth2 testing script to verify Bearer token functionality

These authentication methods are added as fallback options, maintaining backward compatibility with Coder's existing authentication mechanisms. The existing authentication methods (cookies, session token header, etc.) still take precedence.

This implementation follows the OAuth 2.0 Bearer Token specification (RFC 6750) and improves interoperability with standard OAuth 2.0 clients.
2025-07-02 19:14:54 +02:00
..
cleanup-test-app.sh
feat: oauth2 - add authorization server metadata endpoint and PKCE support (#18548)
2025-07-01 15:39:29 +02:00
generate-pkce.sh
feat: oauth2 - add authorization server metadata endpoint and PKCE support (#18548)
2025-07-01 15:39:29 +02:00
oauth2-test-server.go
feat: oauth2 - add authorization server metadata endpoint and PKCE support (#18548)
2025-07-01 15:39:29 +02:00
README.md
feat: oauth2 - add authorization server metadata endpoint and PKCE support (#18548)
2025-07-01 15:39:29 +02:00
setup-test-app.sh
feat: oauth2 - add authorization server metadata endpoint and PKCE support (#18548)
2025-07-01 15:39:29 +02:00
test-manual-flow.sh
feat: oauth2 - add authorization server metadata endpoint and PKCE support (#18548)
2025-07-01 15:39:29 +02:00
test-mcp-oauth2.sh
feat: implement RFC 6750 Bearer token authentication (#18644)
2025-07-02 19:14:54 +02:00

README.md

OAuth2 Test Scripts

This directory contains test scripts for the MCP OAuth2 implementation in Coder.

Prerequisites

  1. Start Coder in development mode:

    ./scripts/develop.sh

  2. Login to get a session token:

    ./scripts/coder-dev.sh login

Scripts

test-mcp-oauth2.sh

Complete automated test suite that verifies all OAuth2 functionality:

  • Metadata endpoint
  • PKCE flow
  • Resource parameter support
  • Token refresh
  • Error handling

Usage:

chmod +x ./scripts/oauth2/test-mcp-oauth2.sh
./scripts/oauth2/test-mcp-oauth2.sh

setup-test-app.sh

Creates a test OAuth2 application and outputs environment variables.

Usage:

eval $(./scripts/oauth2/setup-test-app.sh)
echo "Client ID: $CLIENT_ID"

cleanup-test-app.sh

Deletes a test OAuth2 application.

Usage:

./scripts/oauth2/cleanup-test-app.sh $CLIENT_ID
# Or if CLIENT_ID is set as environment variable:
./scripts/oauth2/cleanup-test-app.sh

generate-pkce.sh

Generates PKCE code verifier and challenge for manual testing.

Usage:

./scripts/oauth2/generate-pkce.sh

test-manual-flow.sh

Launches a local Go web server to test the OAuth2 flow interactively. The server automatically handles the OAuth2 callback and token exchange, providing a user-friendly web interface with results.

Usage:

# First set up an app
eval $(./scripts/oauth2/setup-test-app.sh)

# Then run the test server
./scripts/oauth2/test-manual-flow.sh

Features:

  • Starts a local web server on port 9876
  • Automatically captures the authorization code
  • Performs token exchange without manual intervention
  • Displays results in a clean web interface
  • Shows example API calls you can make with the token

oauth2-test-server.go

A Go web server that handles OAuth2 callbacks and token exchange. Used internally by test-manual-flow.sh but can also be run standalone:

export CLIENT_ID="your-client-id"
export CLIENT_SECRET="your-client-secret"
export CODE_VERIFIER="your-code-verifier"
export STATE="your-state"
go run ./scripts/oauth2/oauth2-test-server.go

Example Workflow

  1. Run automated tests:

    ./scripts/oauth2/test-mcp-oauth2.sh

  2. Interactive browser testing:

    # Create app
eval $(./scripts/oauth2/setup-test-app.sh)

# Run the test server (opens in browser automatically)
./scripts/oauth2/test-manual-flow.sh
# - Opens authorization URL in terminal
# - Handles callback automatically
# - Shows token exchange results

# Clean up when done
./scripts/oauth2/cleanup-test-app.sh

  3. Generate PKCE for custom testing:

    ./scripts/oauth2/generate-pkce.sh
# Use the generated values in your own curl commands

Environment Variables

All scripts respect these environment variables:

  • SESSION_TOKEN: Coder session token (auto-read from .coderv2/session)
  • BASE_URL: Coder server URL (default: http://localhost:3000)
  • CLIENT_ID: OAuth2 client ID
  • CLIENT_SECRET: OAuth2 client secret

OAuth2 Endpoints

  • Metadata: GET /.well-known/oauth-authorization-server
  • Authorization: GET/POST /oauth2/authorize
  • Token: POST /oauth2/tokens
  • Apps API: /api/v2/oauth2-provider/apps