coder
diff --git a/‎coderd/apidoc/docs.go
Lines changed: 46 additions & 0 deletions b/‎coderd/apidoc/docs.go
Lines changed: 46 additions & 0 deletions
diff --git a/‎coderd/apidoc/swagger.json
Lines changed: 42 additions & 0 deletions b/‎coderd/apidoc/swagger.json
Lines changed: 42 additions & 0 deletions
diff --git a/‎coderd/coderd.go
Lines changed: 2 additions & 0 deletions b/‎coderd/coderd.go
Lines changed: 2 additions & 0 deletions
diff --git a/‎coderd/httpmw/apikey.go
Lines changed: 2 additions & 0 deletions b/‎coderd/httpmw/apikey.go
Lines changed: 2 additions & 0 deletions
diff --git a/‎coderd/oauth2.go
Lines changed: 20 additions & 0 deletions b/‎coderd/oauth2.go
Lines changed: 20 additions & 0 deletions
diff --git a/‎coderd/oauth2_metadata_test.go
Lines changed: 32 additions & 0 deletions b/‎coderd/oauth2_metadata_test.go
Lines changed: 32 additions & 0 deletions
diff --git a/‎codersdk/oauth2.go
Lines changed: 8 additions & 0 deletions b/‎codersdk/oauth2.go
Lines changed: 8 additions & 0 deletions
diff --git a/‎docs/reference/api/enterprise.md
Lines changed: 37 additions & 0 deletions b/‎docs/reference/api/enterprise.md
Lines changed: 37 additions & 0 deletions
diff --git a/‎docs/reference/api/schemas.md
Lines changed: 26 additions & 0 deletions b/‎docs/reference/api/schemas.md
Lines changed: 26 additions & 0 deletions
diff --git a/‎site/src/api/typesGenerated.ts
Lines changed: 8 additions & 0 deletions b/‎site/src/api/typesGenerated.ts
Lines changed: 8 additions & 0 deletions
@@ -914,6 +914,8 @@ func New(options *Options) *API {
 
 	// OAuth2 metadata endpoint for RFC 8414 discovery
 	r.Get("/.well-known/oauth-authorization-server", api.oauth2AuthorizationServerMetadata)
+	// OAuth2 protected resource metadata endpoint for RFC 9728 discovery
+	r.Get("/.well-known/oauth-protected-resource", api.oauth2ProtectedResourceMetadata)
 
 	// OAuth2 linking routes do not make sense under the /api/v2 path.  These are
 	// for an external application to use Coder as an OAuth2 provider, not for
 
@@ -625,6 +625,8 @@ func APITokenFromRequest(r *http.Request) string {
 		return headerValue
 	}
 
+	// TODO(ThomasK33): Implement RFC 6750
+
 	return ""
 }
 
 
@@ -417,3 +417,23 @@ func (api *API) oauth2AuthorizationServerMetadata(rw http.ResponseWriter, r *htt
 	}
 	httpapi.Write(ctx, rw, http.StatusOK, metadata)
 }
+
+// @Summary OAuth2 protected resource metadata.
+// @ID oauth2-protected-resource-metadata
+// @Produce json
+// @Tags Enterprise
+// @Success 200 {object} codersdk.OAuth2ProtectedResourceMetadata
+// @Router /.well-known/oauth-protected-resource [get]
+func (api *API) oauth2ProtectedResourceMetadata(rw http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	metadata := codersdk.OAuth2ProtectedResourceMetadata{
+		Resource:             api.AccessURL.String(),
+		AuthorizationServers: []string{api.AccessURL.String()},
+		// TODO: Implement scope system based on RBAC permissions
+		ScopesSupported: []string{},
+		// Note: Coder uses custom authentication methods, not RFC 6750 bearer tokens
+		// TODO(ThomasK33): Implement RFC 6750
+		// BearerMethodsSupported: []string{}, // Omitted - no standard bearer token support
+	}
+	httpapi.Write(ctx, rw, http.StatusOK, metadata)
+}
@@ -41,3 +41,35 @@ func TestOAuth2AuthorizationServerMetadata(t *testing.T) {
 	require.Contains(t, metadata.GrantTypesSupported, "refresh_token")
 	require.Contains(t, metadata.CodeChallengeMethodsSupported, "S256")
 }
+
+func TestOAuth2ProtectedResourceMetadata(t *testing.T) {
+	t.Parallel()
+
+	client := coderdtest.New(t, nil)
+
+	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+	defer cancel()
+
+	// Get the protected resource metadata
+	resp, err := client.Request(ctx, http.MethodGet, "/.well-known/oauth-protected-resource", nil)
+	require.NoError(t, err)
+	defer resp.Body.Close()
+
+	require.Equal(t, http.StatusOK, resp.StatusCode)
+
+	var metadata codersdk.OAuth2ProtectedResourceMetadata
+	err = json.NewDecoder(resp.Body).Decode(&metadata)
+	require.NoError(t, err)
+
+	// Verify the metadata
+	require.NotEmpty(t, metadata.Resource)
+	require.NotEmpty(t, metadata.AuthorizationServers)
+	require.Len(t, metadata.AuthorizationServers, 1)
+	require.Equal(t, metadata.Resource, metadata.AuthorizationServers[0])
+	// BearerMethodsSupported is omitted since Coder uses custom authentication methods
+	// Standard RFC 6750 bearer tokens are not supported
+	require.True(t, len(metadata.BearerMethodsSupported) == 0)
+	// ScopesSupported can be empty until scope system is implemented
+	// Empty slice is marshaled as empty array, but can be nil when unmarshaled
+	require.True(t, len(metadata.ScopesSupported) == 0)
+}
@@ -244,3 +244,11 @@ type OAuth2AuthorizationServerMetadata struct {
 	ScopesSupported                   []string `json:"scopes_supported,omitempty"`
 	TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported,omitempty"`
 }
+
+// OAuth2ProtectedResourceMetadata represents RFC 9728 OAuth 2.0 Protected Resource Metadata
+type OAuth2ProtectedResourceMetadata struct {
+	Resource               string   `json:"resource"`
+	AuthorizationServers   []string `json:"authorization_servers"`
+	ScopesSupported        []string `json:"scopes_supported,omitempty"`
+	BearerMethodsSupported []string `json:"bearer_methods_supported,omitempty"`
+}
Original file line number	Diff line number	Diff line change
`@@ -625,6 +625,8 @@ func APITokenFromRequest(r *http.Request) string {`
`625`	`625`	`return headerValue`
`626`	`626`	`}`
`627`	`627`
	`628`	`+ // TODO(ThomasK33): Implement RFC 6750`
	`629`	`+`
`628`	`630`	`return ""`
`629`	`631`	`}`
`630`	`632`