Skip to content

feat: add OAuth2 protected resource metadata endpoint for RFC 9728 #18643

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: thomask33/feat_add_Go_LSP_configuration_and_code_navigation_documentation
Choose a base branch
from
Open

feat: add OAuth2 protected resource metadata endpoint for RFC 9728 #18643

wants to merge 1 commit into from
+233 −2

Conversation

ThomasK33
Copy link
Member

Add OAuth2 Protected Resource Metadata Endpoint

This PR implements the OAuth2 Protected Resource Metadata endpoint according to RFC 9728. The endpoint is available at /.well-known/oauth-protected-resource and provides information about Coder as an OAuth2 protected resource.

Key changes:

  • Added a new endpoint at /.well-known/oauth-protected-resource that returns metadata about Coder as an OAuth2 protected resource
  • Created a new OAuth2ProtectedResourceMetadata struct in the SDK
  • Added tests to verify the endpoint functionality
  • Updated API documentation to include the new endpoint

The implementation currently returns basic metadata including the resource identifier and authorization server URL. The scopes_supported field is empty until a scope system based on RBAC permissions is implemented. The bearer_methods_supported field is omitted as Coder uses custom authentication methods rather than standard RFC 6750 bearer tokens.

A TODO has been added to implement RFC 6750 bearer token support in the future.

This was referenced Jun 27, 2025
Open
Merged
Open
@ThomasK33 Graphite App
Copy link
Member Author

ThomasK33 commented Jun 27, 2025
edited
Loading

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

This stack of pull requests is managed by Graphite. Learn more about stacking.

@ThomasK33 ThomasK33 mentioned this pull request Jun 27, 2025
Merged
This was referenced Jun 27, 2025
Open
Open
Open
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_9728_protected_resource_metadata_endpoint branch 2 times, most recently from 5be6c6a to fded148 Compare June 27, 2025 17:29
@ThomasK33 ThomasK33 force-pushed the thomask33/feat_add_Go_LSP_configuration_and_code_navigation_documentation branch from 1e2bc51 to 3de973b Compare June 27, 2025 17:29
@ThomasK33 ThomasK33 marked this pull request as ready for review June 29, 2025 11:14
@ThomasK33 ThomasK33 force-pushed the thomask33/feat_add_Go_LSP_configuration_and_code_navigation_documentation branch from 3de973b to 9f159b0 Compare June 30, 2025 11:06
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_9728_protected_resource_metadata_endpoint branch 2 times, most recently from 9b7f5d9 to 7ef25b1 Compare June 30, 2025 11:49
@ThomasK33 ThomasK33 force-pushed the thomask33/feat_add_Go_LSP_configuration_and_code_navigation_documentation branch 2 times, most recently from 47d9a0a to bffc160 Compare June 30, 2025 12:02
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_9728_protected_resource_metadata_endpoint branch from 7ef25b1 to f0608bc Compare June 30, 2025 12:02
@ThomasK33 ThomasK33 force-pushed the thomask33/feat_add_Go_LSP_configuration_and_code_navigation_documentation branch from bffc160 to e733c7b Compare June 30, 2025 12:31
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_9728_protected_resource_metadata_endpoint branch 2 times, most recently from c68a923 to f55771a Compare June 30, 2025 12:46
@ThomasK33 ThomasK33 force-pushed the thomask33/feat_add_Go_LSP_configuration_and_code_navigation_documentation branch from e733c7b to 70e8be9 Compare June 30, 2025 12:46
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_9728_protected_resource_metadata_endpoint branch from f55771a to 34af681 Compare June 30, 2025 12:53
@ThomasK33 ThomasK33 force-pushed the thomask33/feat_add_Go_LSP_configuration_and_code_navigation_documentation branch from 70e8be9 to 476c079 Compare June 30, 2025 12:53
@ThomasK33 ThomasK33 requested review from Emyrk and johnstcn June 30, 2025 13:21
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_9728_protected_resource_metadata_endpoint branch from 34af681 to e72476e Compare June 30, 2025 16:42
@ThomasK33 ThomasK33 force-pushed the thomask33/feat_add_Go_LSP_configuration_and_code_navigation_documentation branch from 476c079 to d2eb876 Compare June 30, 2025 16:42
@ThomasK33 ThomasK33 mentioned this pull request Jun 30, 2025
Open
@ThomasK33 ThomasK33 mentioned this pull request Jun 30, 2025
Open
@ThomasK33 ThomasK33 force-pushed the thomask33/feat_add_Go_LSP_configuration_and_code_navigation_documentation branch from d2eb876 to bb57d1e Compare June 30, 2025 16:45
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_9728_protected_resource_metadata_endpoint branch from e72476e to 1a99f3c Compare June 30, 2025 16:45
johnstcn
johnstcn reviewed Jun 30, 2025
View reviewed changes
@ThomasK33 ThomasK33 changed the base branch from thomask33/feat_add_Go_LSP_configuration_and_code_navigation_documentation to graphite-base/18643 June 30, 2025 17:24
@ThomasK33 ThomasK33 force-pushed the graphite-base/18643 branch from bb57d1e to 8949808 Compare June 30, 2025 17:56
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_9728_protected_resource_metadata_endpoint branch from 1a99f3c to 01a10ef Compare June 30, 2025 17:56
@ThomasK33 ThomasK33 changed the base branch from graphite-base/18643 to thomask33/feat_add_Go_LSP_configuration_and_code_navigation_documentation June 30, 2025 17:56
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_9728_protected_resource_metadata_endpoint branch from 01a10ef to 3b6d8ba Compare July 1, 2025 09:27
@ThomasK33 ThomasK33 force-pushed the thomask33/feat_add_Go_LSP_configuration_and_code_navigation_documentation branch from 8949808 to 373faa2 Compare July 1, 2025 09:27
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_9728_protected_resource_metadata_endpoint branch from 3b6d8ba to dac326d Compare July 1, 2025 13:23
@ThomasK33 ThomasK33 force-pushed the thomask33/feat_add_Go_LSP_configuration_and_code_navigation_documentation branch from 373faa2 to 79a40a3 Compare July 1, 2025 13:23
@ThomasK33 ThomasK33 mentioned this pull request Jul 1, 2025
Open
@ThomasK33 ThomasK33 force-pushed the thomask33/feat_add_Go_LSP_configuration_and_code_navigation_documentation branch from 79a40a3 to 2621adf Compare July 1, 2025 13:40
@ThomasK33
feat(oauth2): implement RFC 9728 Protected Resource Metadata endpoint
1858134 
- Add OAuth2ProtectedResourceMetadata struct in codersdk/oauth2.go
- Implement /.well-known/oauth-protected-resource endpoint handler
- Register route in coderd.go for Protected Resource Metadata discovery
- Add comprehensive test coverage in oauth2_metadata_test.go
- Update OpenAPI documentation and generated API types
- Correctly omit bearer_methods_supported field (Coder uses custom auth)
- Support MCP OAuth2 compliance requirement for resource server metadata

This implements RFC 9728 OAuth 2.0 Protected Resource Metadata to enable
MCP clients to discover resource server capabilities and authorization servers.

Change-Id: I089232ae755acf13eb0a7be46944c9eeaaafb75b
Signed-off-by: Thomas Kosiewski <tk@coder.com>
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_9728_protected_resource_metadata_endpoint branch from dac326d to 1858134 Compare July 1, 2025 13:41
Emyrk
Emyrk approved these changes Jul 1, 2025
View reviewed changes
coderd/oauth2_metadata_test.go
defer cancel()

// Use a plain HTTP client since this endpoint doesn't require authentication
req, err := http.NewRequestWithContext(ctx, http.MethodGet, serverURL.String()+"/.well-known/oauth-protected-resource", nil)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I prefer using something that handles a trailing slash on serverURL. Just a nit though, your call 👍

endpoint := serverURL.ResolveReference(&url.URL{Path: "/.well-known/oauth-authorization-server"}).String()

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@johnstcn johnstcn johnstcn approved these changes

@Emyrk Emyrk Emyrk approved these changes

Assignees

@ThomasK33 ThomasK33

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ThomasK33 @johnstcn @Emyrk