Skip to content

Commit 1858134

Browse files
ThomasK33ThomasK33
committed
feat(oauth2): implement RFC 9728 Protected Resource Metadata endpoint
- Add OAuth2ProtectedResourceMetadata struct in codersdk/oauth2.go - Implement /.well-known/oauth-protected-resource endpoint handler - Register route in coderd.go for Protected Resource Metadata discovery - Add comprehensive test coverage in oauth2_metadata_test.go - Update OpenAPI documentation and generated API types - Correctly omit bearer_methods_supported field (Coder uses custom auth) - Support MCP OAuth2 compliance requirement for resource server metadata This implements RFC 9728 OAuth 2.0 Protected Resource Metadata to enable MCP clients to discover resource server capabilities and authorization servers. Change-Id: I089232ae755acf13eb0a7be46944c9eeaaafb75b Signed-off-by: Thomas Kosiewski <tk@coder.com>
1 parent 2621adf commit 1858134

File tree

10 files changed

+233
-2
lines changed

10 files changed

+233
-2
lines changed

coderd/apidoc/docs.go

Lines changed: 46 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

coderd/apidoc/swagger.json

Lines changed: 42 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

coderd/coderd.go

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -914,6 +914,8 @@ func New(options *Options) *API {
914914

915915
// OAuth2 metadata endpoint for RFC 8414 discovery
916916
r.Get("/.well-known/oauth-authorization-server", api.oauth2AuthorizationServerMetadata)
917+
// OAuth2 protected resource metadata endpoint for RFC 9728 discovery
918+
r.Get("/.well-known/oauth-protected-resource", api.oauth2ProtectedResourceMetadata)
917919

918920
// OAuth2 linking routes do not make sense under the /api/v2 path. These are
919921
// for an external application to use Coder as an OAuth2 provider, not for

coderd/httpmw/apikey.go

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -738,6 +738,8 @@ func APITokenFromRequest(r *http.Request) string {
738738
return headerValue
739739
}
740740

741+
// TODO(ThomasK33): Implement RFC 6750
742+
741743
return ""
742744
}
743745

coderd/oauth2.go

Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -417,3 +417,23 @@ func (api *API) oauth2AuthorizationServerMetadata(rw http.ResponseWriter, r *htt
417417
}
418418
httpapi.Write(ctx, rw, http.StatusOK, metadata)
419419
}
420+
421+
// @Summary OAuth2 protected resource metadata.
422+
// @ID oauth2-protected-resource-metadata
423+
// @Produce json
424+
// @Tags Enterprise
425+
// @Success 200 {object} codersdk.OAuth2ProtectedResourceMetadata
426+
// @Router /.well-known/oauth-protected-resource [get]
427+
func (api *API) oauth2ProtectedResourceMetadata(rw http.ResponseWriter, r *http.Request) {
428+
ctx := r.Context()
429+
metadata := codersdk.OAuth2ProtectedResourceMetadata{
430+
Resource: api.AccessURL.String(),
431+
AuthorizationServers: []string{api.AccessURL.String()},
432+
// TODO: Implement scope system based on RBAC permissions
433+
ScopesSupported: []string{},
434+
// Note: Coder uses custom authentication methods, not RFC 6750 bearer tokens
435+
// TODO(ThomasK33): Implement RFC 6750
436+
// BearerMethodsSupported: []string{}, // Omitted - no standard bearer token support
437+
}
438+
httpapi.Write(ctx, rw, http.StatusOK, metadata)
439+
}

coderd/oauth2_metadata_test.go

Lines changed: 42 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -17,12 +17,16 @@ func TestOAuth2AuthorizationServerMetadata(t *testing.T) {
1717
t.Parallel()
1818

1919
client := coderdtest.New(t, nil)
20+
serverURL := client.URL
2021

2122
ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
2223
defer cancel()
2324

24-
// Get the metadata
25-
resp, err := client.Request(ctx, http.MethodGet, "/.well-known/oauth-authorization-server", nil)
25+
// Use a plain HTTP client since this endpoint doesn't require authentication
26+
req, err := http.NewRequestWithContext(ctx, http.MethodGet, serverURL.String()+"/.well-known/oauth-authorization-server", nil)
27+
require.NoError(t, err)
28+
29+
resp, err := http.DefaultClient.Do(req)
2630
require.NoError(t, err)
2731
defer resp.Body.Close()
2832

@@ -41,3 +45,39 @@ func TestOAuth2AuthorizationServerMetadata(t *testing.T) {
4145
require.Contains(t, metadata.GrantTypesSupported, "refresh_token")
4246
require.Contains(t, metadata.CodeChallengeMethodsSupported, "S256")
4347
}
48+
49+
func TestOAuth2ProtectedResourceMetadata(t *testing.T) {
50+
t.Parallel()
51+
52+
client := coderdtest.New(t, nil)
53+
serverURL := client.URL
54+
55+
ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
56+
defer cancel()
57+
58+
// Use a plain HTTP client since this endpoint doesn't require authentication
59+
req, err := http.NewRequestWithContext(ctx, http.MethodGet, serverURL.String()+"/.well-known/oauth-protected-resource", nil)
60+
require.NoError(t, err)
61+
62+
resp, err := http.DefaultClient.Do(req)
63+
require.NoError(t, err)
64+
defer resp.Body.Close()
65+
66+
require.Equal(t, http.StatusOK, resp.StatusCode)
67+
68+
var metadata codersdk.OAuth2ProtectedResourceMetadata
69+
err = json.NewDecoder(resp.Body).Decode(&metadata)
70+
require.NoError(t, err)
71+
72+
// Verify the metadata
73+
require.NotEmpty(t, metadata.Resource)
74+
require.NotEmpty(t, metadata.AuthorizationServers)
75+
require.Len(t, metadata.AuthorizationServers, 1)
76+
require.Equal(t, metadata.Resource, metadata.AuthorizationServers[0])
77+
// BearerMethodsSupported is omitted since Coder uses custom authentication methods
78+
// Standard RFC 6750 bearer tokens are not supported
79+
require.True(t, len(metadata.BearerMethodsSupported) == 0)
80+
// ScopesSupported can be empty until scope system is implemented
81+
// Empty slice is marshaled as empty array, but can be nil when unmarshaled
82+
require.True(t, len(metadata.ScopesSupported) == 0)
83+
}

codersdk/oauth2.go

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -244,3 +244,11 @@ type OAuth2AuthorizationServerMetadata struct {
244244
ScopesSupported []string `json:"scopes_supported,omitempty"`
245245
TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported,omitempty"`
246246
}
247+
248+
// OAuth2ProtectedResourceMetadata represents RFC 9728 OAuth 2.0 Protected Resource Metadata
249+
type OAuth2ProtectedResourceMetadata struct {
250+
Resource string `json:"resource"`
251+
AuthorizationServers []string `json:"authorization_servers"`
252+
ScopesSupported []string `json:"scopes_supported,omitempty"`
253+
BearerMethodsSupported []string `json:"bearer_methods_supported,omitempty"`
254+
}

docs/reference/api/enterprise.md

Lines changed: 37 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

docs/reference/api/schemas.md

Lines changed: 26 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

site/src/api/typesGenerated.ts

Lines changed: 8 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

0 commit comments

Comments
 (0)