synced/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2025-07-09 11:45:56 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
a099a8a25c78444448c2aee3b40109c5fd73f8c8
coder/scripts/oauth2/oauth2-test-server.go
Thomas Kosiewski 6f2834f62a feat: oauth2 - add authorization server metadata endpoint and PKCE support (#18548) 
## Summary

  This PR implements critical MCP OAuth2 compliance features for Coder's authorization server, adding PKCE support, resource parameter handling, and OAuth2 server metadata discovery. This brings Coder's OAuth2 implementation significantly closer to production readiness for MCP (Model Context Protocol)
  integrations.

  ## What's Added

  ### OAuth2 Authorization Server Metadata (RFC 8414)
  - Add `/.well-known/oauth-authorization-server` endpoint for automatic client discovery
  - Returns standardized metadata including supported grant types, response types, and PKCE methods
  - Essential for MCP client compatibility and OAuth2 standards compliance

  ### PKCE Support (RFC 7636)
  - Implement Proof Key for Code Exchange with S256 challenge method
  - Add `code_challenge` and `code_challenge_method` parameters to authorization flow
  - Add `code_verifier` validation in token exchange
  - Provides enhanced security for public clients (mobile apps, CLIs)

  ### Resource Parameter Support (RFC 8707)
  - Add `resource` parameter to authorization and token endpoints
  - Store resource URI and bind tokens to specific audiences
  - Critical for MCP's resource-bound token model

  ### Enhanced OAuth2 Error Handling
  - Add OAuth2-compliant error responses with proper error codes
  - Use standard error format: `{"error": "code", "error_description": "details"}`
  - Improve error consistency across OAuth2 endpoints

  ### Authorization UI Improvements
  - Fix authorization flow to use POST-based consent instead of GET redirects
  - Remove dependency on referer headers for security decisions
  - Improve CSRF protection with proper state parameter validation

  ## Why This Matters

  **For MCP Integration:** MCP requires OAuth2 authorization servers to support PKCE, resource parameters, and metadata discovery. Without these features, MCP clients cannot securely authenticate with Coder.

  **For Security:** PKCE prevents authorization code interception attacks, especially critical for public clients. Resource binding ensures tokens are only valid for intended services.

  **For Standards Compliance:** These are widely adopted OAuth2 extensions that improve interoperability with modern OAuth2 clients.

  ## Database Changes

  - **Migration 000343:** Adds `code_challenge`, `code_challenge_method`, `resource_uri` to `oauth2_provider_app_codes`
  - **Migration 000343:** Adds `audience` field to `oauth2_provider_app_tokens` for resource binding
  - **Audit Updates:** New OAuth2 fields properly tracked in audit system
  - **Backward Compatibility:** All changes maintain compatibility with existing OAuth2 flows

  ## Test Coverage

  - Comprehensive PKCE test suite in `coderd/identityprovider/pkce_test.go`
  - OAuth2 metadata endpoint tests in `coderd/oauth2_metadata_test.go`
  - Integration tests covering PKCE + resource parameter combinations
  - Negative tests for invalid PKCE verifiers and malformed requests

  ## Testing Instructions

  ```bash
  # Run the comprehensive OAuth2 test suite
  ./scripts/oauth2/test-mcp-oauth2.sh

  Manual Testing with Interactive Server

  # Start Coder in development mode
  ./scripts/develop.sh

  # In another terminal, set up test app and run interactive flow
  eval $(./scripts/oauth2/setup-test-app.sh)
  ./scripts/oauth2/test-manual-flow.sh
  # Opens browser with OAuth2 flow, handles callback automatically

  # Clean up when done
  ./scripts/oauth2/cleanup-test-app.sh

  Individual Component Testing

  # Test metadata endpoint
  curl -s http://localhost:3000/.well-known/oauth-authorization-server | jq .

  # Test PKCE generation
  ./scripts/oauth2/generate-pkce.sh

  # Run specific test suites
  go test -v ./coderd/identityprovider -run TestVerifyPKCE
  go test -v ./coderd -run TestOAuth2AuthorizationServerMetadata
```

  ### Breaking Changes

  None. All changes maintain backward compatibility with existing OAuth2 flows.

---

Change-Id: Ifbd0d9a543d545f9f56ecaa77ff2238542ff954a
Signed-off-by: Thomas Kosiewski <tk@coder.com>
2025-07-01 15:39:29 +02:00

293 lines
7.9 KiB
Go
Raw Blame History

package main
import (
"cmp"
"context"
"encoding/json"
"flag"
"fmt"
"log"
"net/http"
"net/url"
"os"
"strings"
"time"
"golang.org/x/xerrors"
)
type TokenResponse struct {
AccessToken string `json:"access_token"`
TokenType string `json:"token_type"`
ExpiresIn int `json:"expires_in"`
RefreshToken string `json:"refresh_token,omitempty"`
Error string `json:"error,omitempty"`
ErrorDesc string `json:"error_description,omitempty"`
}
type Config struct {
ClientID string
ClientSecret string
CodeVerifier string
State string
BaseURL string
RedirectURI string
}
type ServerOptions struct {
KeepRunning bool
}
func main() {
var serverOpts ServerOptions
flag.BoolVar(&serverOpts.KeepRunning, "keep-running", false, "Keep server running after successful authorization")
flag.Parse()
config := &Config{
ClientID: os.Getenv("CLIENT_ID"),
ClientSecret: os.Getenv("CLIENT_SECRET"),
CodeVerifier: os.Getenv("CODE_VERIFIER"),
State: os.Getenv("STATE"),
BaseURL: cmp.Or(os.Getenv("BASE_URL"), "http://localhost:3000"),
RedirectURI: "http://localhost:9876/callback",
}
if config.ClientID == "" || config.ClientSecret == "" {
log.Fatal("CLIENT_ID and CLIENT_SECRET must be set. Run: eval $(./setup-test-app.sh) first")
}
if config.CodeVerifier == "" || config.State == "" {
log.Fatal("CODE_VERIFIER and STATE must be set. Run test-manual-flow.sh to get these values")
}
var server *http.Server
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
mux := http.NewServeMux()
mux.HandleFunc("/", func(w http.ResponseWriter, _ *http.Request) {
html := fmt.Sprintf(`
<!DOCTYPE html>
<html>
<head>
<title>OAuth2 Test Server</title>
<style>
body { font-family: Arial, sans-serif; max-width: 800px; margin: 50px auto; padding: 20px; }
.status { padding: 20px; margin: 20px 0; border-radius: 5px; }
.waiting { background: #fff3cd; color: #856404; }
.success { background: #d4edda; color: #155724; }
.error { background: #f8d7da; color: #721c24; }
pre { background: #f5f5f5; padding: 15px; overflow-x: auto; }
a { color: #0066cc; }
</style>
</head>
<body>
<h1>OAuth2 Test Server</h1>
<div class="status waiting">
<h2>Waiting for OAuth2 callback...</h2>
<p>Please authorize the application in your browser.</p>
<p>Listening on: <code>%s</code></p>
</div>
</body>
</html>`, config.RedirectURI)
w.Header().Set("Content-Type", "text/html")
_, _ = fmt.Fprint(w, html)
})
mux.HandleFunc("/callback", func(w http.ResponseWriter, r *http.Request) {
code := r.URL.Query().Get("code")
state := r.URL.Query().Get("state")
errorParam := r.URL.Query().Get("error")
errorDesc := r.URL.Query().Get("error_description")
if errorParam != "" {
showError(w, fmt.Sprintf("Authorization failed: %s - %s", errorParam, errorDesc))
return
}
if code == "" {
showError(w, "No authorization code received")
return
}
if state != config.State {
showError(w, fmt.Sprintf("State mismatch. Expected: %s, Got: %s", config.State, state))
return
}
log.Printf("Received authorization code: %s", code)
log.Printf("Exchanging code for token...")
tokenResp, err := exchangeToken(config, code)
if err != nil {
showError(w, fmt.Sprintf("Token exchange failed: %v", err))
return
}
showSuccess(w, code, tokenResp, serverOpts)
if !serverOpts.KeepRunning {
// Schedule graceful shutdown after giving time for the response to be sent
go func() {
time.Sleep(2 * time.Second)
cancel()
}()
}
})
server = &http.Server{
Addr: ":9876",
Handler: mux,
ReadTimeout: 5 * time.Second,
WriteTimeout: 10 * time.Second,
}
log.Printf("Starting OAuth2 test server on http://localhost:9876")
log.Printf("Waiting for callback at %s", config.RedirectURI)
if !serverOpts.KeepRunning {
log.Printf("Server will shut down automatically after successful authorization")
}
// Start server in a goroutine
go func() {
if err := server.ListenAndServe(); err != nil && err != http.ErrServerClosed {
log.Fatalf("Server failed: %v", err)
}
}()
// Wait for context cancellation
<-ctx.Done()
// Graceful shutdown
log.Printf("Shutting down server...")
shutdownCtx, shutdownCancel := context.WithTimeout(context.Background(), 5*time.Second)
defer shutdownCancel()
if err := server.Shutdown(shutdownCtx); err != nil {
log.Printf("Server shutdown error: %v", err)
}
log.Printf("Server stopped successfully")
}
func exchangeToken(config *Config, code string) (*TokenResponse, error) {
data := url.Values{}
data.Set("grant_type", "authorization_code")
data.Set("code", code)
data.Set("client_id", config.ClientID)
data.Set("client_secret", config.ClientSecret)
data.Set("code_verifier", config.CodeVerifier)
data.Set("redirect_uri", config.RedirectURI)
ctx := context.Background()
req, err := http.NewRequestWithContext(ctx, "POST", config.BaseURL+"/oauth2/tokens", strings.NewReader(data.Encode()))
if err != nil {
return nil, err
}
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
client := &http.Client{Timeout: 10 * time.Second}
resp, err := client.Do(req)
if err != nil {
return nil, err
}
defer resp.Body.Close()
var tokenResp TokenResponse
if err := json.NewDecoder(resp.Body).Decode(&tokenResp); err != nil {
return nil, xerrors.Errorf("failed to decode response: %w", err)
}
if tokenResp.Error != "" {
return nil, xerrors.Errorf("token error: %s - %s", tokenResp.Error, tokenResp.ErrorDesc)
}
return &tokenResp, nil
}
func showError(w http.ResponseWriter, message string) {
log.Printf("ERROR: %s", message)
html := fmt.Sprintf(`
<!DOCTYPE html>
<html>
<head>
<title>OAuth2 Test - Error</title>
<style>
body { font-family: Arial, sans-serif; max-width: 800px; margin: 50px auto; padding: 20px; }
.status { padding: 20px; margin: 20px 0; border-radius: 5px; }
.error { background: #f8d7da; color: #721c24; }
pre { background: #f5f5f5; padding: 15px; overflow-x: auto; }
</style>
</head>
<body>
<h1>OAuth2 Test Server - Error</h1>
<div class="status error">
<h2>❌ Error</h2>
<p>%s</p>
</div>
<p>Check the server logs for more details.</p>
</body>
</html>`, message)
w.Header().Set("Content-Type", "text/html")
w.WriteHeader(http.StatusBadRequest)
_, _ = fmt.Fprint(w, html)
}
func showSuccess(w http.ResponseWriter, code string, tokenResp *TokenResponse, opts ServerOptions) {
log.Printf("SUCCESS: Token exchange completed")
tokenJSON, _ := json.MarshalIndent(tokenResp, "", " ")
serverNote := "The server will shut down automatically in a few seconds."
if opts.KeepRunning {
serverNote = "The server will continue running. Press Ctrl+C in the terminal to stop it."
}
html := fmt.Sprintf(`
<!DOCTYPE html>
<html>
<head>
<title>OAuth2 Test - Success</title>
<style>
body { font-family: Arial, sans-serif; max-width: 800px; margin: 50px auto; padding: 20px; }
.status { padding: 20px; margin: 20px 0; border-radius: 5px; }
.success { background: #d4edda; color: #155724; }
pre { background: #f5f5f5; padding: 15px; overflow-x: auto; }
.section { margin: 20px 0; }
code { background: #e9ecef; padding: 2px 4px; border-radius: 3px; }
</style>
</head>
<body>
<h1>OAuth2 Test Server - Success</h1>
<div class="status success">
<h2>Authorization Successful!</h2>
<p>Successfully exchanged authorization code for tokens.</p>
</div>
<div class="section">
<h3>Authorization Code</h3>
<pre>%s</pre>
</div>
<div class="section">
<h3>Token Response</h3>
<pre>%s</pre>
</div>
<div class="section">
<h3>Next Steps</h3>
<p>You can now use the access token to make API requests:</p>
<pre>curl -H "Coder-Session-Token: %s" %s/api/v2/users/me | jq .</pre>
</div>
<div class="section">
<p><strong>Note:</strong> %s</p>
</div>
</body>
</html>`, code, string(tokenJSON), tokenResp.AccessToken, cmp.Or(os.Getenv("BASE_URL"), "http://localhost:3000"), serverNote)
w.Header().Set("Content-Type", "text/html")
_, _ = fmt.Fprint(w, html)
}
Reference in New Issue View Git Blame Copy Permalink