Skip to content

Commit 1a9400e

Browse files
ThomasK33ThomasK33
committed
feat(oauth2): implement RFC 6750 Bearer Token Support for MCP compliance
- Add RFC 6750 bearer token extraction to APITokenFromRequest as fallback methods - Support Authorization: Bearer <token> header and access_token query parameter - Maintain backward compatibility by prioritizing existing custom methods first - Add WWW-Authenticate headers to 401/403 responses per RFC 6750 - Update Protected Resource Metadata to advertise bearer_methods_supported - Add comprehensive test suite for RFC 6750 compliance in rfc6750_test.go - Update MCP test scripts with bearer token authentication tests - Enhance CLAUDE.md with improved Go LSP tool usage guidelines Implements RFC 6750 Section 2.1 (Authorization Request Header Field) and 2.3 (URI Query Parameter). Maintains full backward compatibility with existing Coder authentication methods. Completes major MCP OAuth2 compliance milestone. Change-Id: Ic9c9057153b40728ad91b377d753a7ffd566add7 Signed-off-by: Thomas Kosiewski <tk@coder.com>
1 parent c68a923 commit 1a9400e

File tree

6 files changed

+1004
-7
lines changed

6 files changed

+1004
-7
lines changed

coderd/httpmw/apikey.go

Lines changed: 37 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -210,6 +210,26 @@ func ExtractAPIKey(rw http.ResponseWriter, r *http.Request, cfg ExtractAPIKeyCon
210210
return nil, nil, false
211211
}
212212

213+
// Add WWW-Authenticate header for 401/403 responses (RFC 6750)
214+
if code == http.StatusUnauthorized || code == http.StatusForbidden {
215+
// Basic Bearer challenge with realm
216+
wwwAuth := `Bearer realm="coder"`
217+
218+
// Add error details based on the type of error
219+
switch {
220+
case strings.Contains(response.Message, "invalid") || strings.Contains(response.Detail, "invalid"):
221+
wwwAuth = `Bearer realm="coder", error="invalid_token", error_description="The access token is invalid"`
222+
case strings.Contains(response.Message, "expired") || strings.Contains(response.Detail, "expired"):
223+
wwwAuth = `Bearer realm="coder", error="invalid_token", error_description="The access token has expired"`
224+
case strings.Contains(response.Message, "audience") || strings.Contains(response.Message, "mismatch"):
225+
wwwAuth = `Bearer realm="coder", error="invalid_token", error_description="The access token audience does not match this resource"`
226+
case code == http.StatusForbidden:
227+
wwwAuth = `Bearer realm="coder", error="insufficient_scope", error_description="The request requires higher privileges than provided by the access token"`
228+
}
229+
230+
rw.Header().Set("WWW-Authenticate", wwwAuth)
231+
}
232+
213233
httpapi.Write(ctx, rw, code, response)
214234
return nil, nil, false
215235
}
@@ -536,9 +556,14 @@ func UserRBACSubject(ctx context.Context, db database.Store, userID uuid.UUID, s
536556
// 1: The cookie
537557
// 2. The coder_session_token query parameter
538558
// 3. The custom auth header
559+
// 4. RFC 6750 Authorization: Bearer header
560+
// 5. RFC 6750 access_token query parameter
539561
//
540562
// API tokens for apps are read from workspaceapps/cookies.go.
541563
func APITokenFromRequest(r *http.Request) string {
564+
// Prioritize existing Coder custom authentication methods first
565+
// to maintain backward compatibility and existing behavior
566+
542567
cookie, err := r.Cookie(codersdk.SessionTokenCookie)
543568
if err == nil && cookie.Value != "" {
544569
return cookie.Value
@@ -554,7 +579,18 @@ func APITokenFromRequest(r *http.Request) string {
554579
return headerValue
555580
}
556581

557-
// TODO(ThomasK33): Implement RFC 6750
582+
// RFC 6750 Bearer Token support (added as fallback methods)
583+
// Check Authorization: Bearer <token> header
584+
authHeader := r.Header.Get("Authorization")
585+
if strings.HasPrefix(authHeader, "Bearer ") {
586+
return strings.TrimPrefix(authHeader, "Bearer ")
587+
}
588+
589+
// Check access_token query parameter
590+
accessToken := r.URL.Query().Get("access_token")
591+
if accessToken != "" {
592+
return accessToken
593+
}
558594

559595
return ""
560596
}

0 commit comments

Comments
 (0)