Skip to content

feat: implement RFC 6750 Bearer token authentication #18644

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: thomask33/06-27-feat_oauth2_implement_rfc_9728_protected_resource_metadata_endpoint
Choose a base branch
from
Open

feat: implement RFC 6750 Bearer token authentication #18644

wants to merge 1 commit into from
+854 −7

Conversation

ThomasK33
Copy link
Member

Add RFC 6750 Bearer Token Authentication Support

This PR implements RFC 6750 Bearer Token authentication as an additional authentication method for Coder's API. This allows clients to authenticate using standard OAuth 2.0 Bearer tokens in two ways:

  1. Using the Authorization: Bearer <token> header
  2. Using the access_token query parameter

Key changes:

  • Added support for extracting tokens from both Bearer headers and access_token query parameters
  • Implemented proper WWW-Authenticate headers for 401/403 responses with appropriate error descriptions
  • Added comprehensive test coverage for the new authentication methods
  • Updated the OAuth2 protected resource metadata endpoint to advertise Bearer token support
  • Enhanced the OAuth2 testing script to verify Bearer token functionality

These authentication methods are added as fallback options, maintaining backward compatibility with Coder's existing authentication mechanisms. The existing authentication methods (cookies, session token header, etc.) still take precedence.

This implementation follows the OAuth 2.0 Bearer Token specification (RFC 6750) and improves interoperability with standard OAuth 2.0 clients.

@ThomasK33 ThomasK33 mentioned this pull request Jun 27, 2025
Open
This was referenced Jun 27, 2025
Merged
Open
Merged
Open
@ThomasK33 Graphite App
Copy link
Member Author

ThomasK33 commented Jun 27, 2025
edited
Loading

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

This stack of pull requests is managed by Graphite. Learn more about stacking.

This was referenced Jun 27, 2025
Open
Open
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_6750_bearer_token_support_for_mcp_compliance branch from ff83df4 to 3665807 Compare June 27, 2025 17:02
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_9728_protected_resource_metadata_endpoint branch from 5898895 to 5be6c6a Compare June 27, 2025 17:02
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_6750_bearer_token_support_for_mcp_compliance branch from 3665807 to 56126dd Compare June 27, 2025 17:11
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_9728_protected_resource_metadata_endpoint branch from 5be6c6a to fded148 Compare June 27, 2025 17:29
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_6750_bearer_token_support_for_mcp_compliance branch 2 times, most recently from fca6b9a to 68baa21 Compare June 27, 2025 17:54
@ThomasK33 ThomasK33 marked this pull request as ready for review June 29, 2025 11:14
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_6750_bearer_token_support_for_mcp_compliance branch from 68baa21 to 578e708 Compare June 30, 2025 11:06
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_9728_protected_resource_metadata_endpoint branch 2 times, most recently from 9b7f5d9 to 7ef25b1 Compare June 30, 2025 11:49
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_6750_bearer_token_support_for_mcp_compliance branch from 578e708 to 26c0eeb Compare June 30, 2025 11:49
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_9728_protected_resource_metadata_endpoint branch from 7ef25b1 to f0608bc Compare June 30, 2025 12:02
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_6750_bearer_token_support_for_mcp_compliance branch from 26c0eeb to 7b70f7f Compare June 30, 2025 12:02
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_9728_protected_resource_metadata_endpoint branch from f0608bc to c68a923 Compare June 30, 2025 12:31
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_6750_bearer_token_support_for_mcp_compliance branch from 7b70f7f to 1a9400e Compare June 30, 2025 12:31
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_9728_protected_resource_metadata_endpoint branch from c68a923 to f55771a Compare June 30, 2025 12:46
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_6750_bearer_token_support_for_mcp_compliance branch 2 times, most recently from 5f946b1 to 14d91ac Compare June 30, 2025 12:53
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_9728_protected_resource_metadata_endpoint branch from f55771a to 34af681 Compare June 30, 2025 12:53
@ThomasK33 ThomasK33 requested review from Emyrk and johnstcn June 30, 2025 13:21
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_9728_protected_resource_metadata_endpoint branch from 34af681 to e72476e Compare June 30, 2025 16:42
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_6750_bearer_token_support_for_mcp_compliance branch from 14d91ac to 0f4491b Compare June 30, 2025 16:42
This was referenced Jun 30, 2025
Open
Open
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_6750_bearer_token_support_for_mcp_compliance branch from 0f4491b to 8c975b5 Compare June 30, 2025 16:45
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_9728_protected_resource_metadata_endpoint branch from 1a99f3c to 01a10ef Compare June 30, 2025 17:56
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_6750_bearer_token_support_for_mcp_compliance branch from 8c975b5 to 017f23f Compare June 30, 2025 17:56
johnstcn
johnstcn reviewed Jul 1, 2025
View reviewed changes
johnstcn
johnstcn reviewed Jul 1, 2025
View reviewed changes
coderd/httpmw/rfc6750_extended_test.go
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What's the significance of extended versus the regular test?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The idea was that rfc6750_test.go contain basic RFC 6750 compliance tests (authentication methods, basic token validation), while the rfc6750_extended_test.go contain security and edge case testing (malformed headers, precedence, WWW-Authenticate compliance, etc.).

@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_6750_bearer_token_support_for_mcp_compliance branch from 017f23f to 77e3e55 Compare July 1, 2025 09:15
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_9728_protected_resource_metadata_endpoint branch from 01a10ef to 3b6d8ba Compare July 1, 2025 09:27
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_6750_bearer_token_support_for_mcp_compliance branch from 77e3e55 to 1e1e046 Compare July 1, 2025 09:27
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_9728_protected_resource_metadata_endpoint branch from 3b6d8ba to dac326d Compare July 1, 2025 13:23
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_6750_bearer_token_support_for_mcp_compliance branch from 1e1e046 to 17982a7 Compare July 1, 2025 13:23
@ThomasK33 ThomasK33 mentioned this pull request Jul 1, 2025
Open
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_9728_protected_resource_metadata_endpoint branch from dac326d to 1858134 Compare July 1, 2025 13:41
@ThomasK33
feat(oauth2): implement RFC 6750 Bearer Token Support for MCP compliance
119626d 
- Add RFC 6750 bearer token extraction to APITokenFromRequest as fallback methods
- Support Authorization: Bearer <token> header and access_token query parameter
- Maintain backward compatibility by prioritizing existing custom methods first
- Add WWW-Authenticate headers to 401/403 responses per RFC 6750
- Update Protected Resource Metadata to advertise bearer_methods_supported
- Add comprehensive test suite for RFC 6750 compliance in rfc6750_test.go
- Update MCP test scripts with bearer token authentication tests
- Enhance CLAUDE.md with improved Go LSP tool usage guidelines

Implements RFC 6750 Section 2.1 (Authorization Request Header Field) and 2.3 (URI Query Parameter).
Maintains full backward compatibility with existing Coder authentication methods.
Completes major MCP OAuth2 compliance milestone.

Change-Id: Ic9c9057153b40728ad91b377d753a7ffd566add7
Signed-off-by: Thomas Kosiewski <tk@coder.com>
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_6750_bearer_token_support_for_mcp_compliance branch from 17982a7 to 119626d Compare July 1, 2025 13:41
johnstcn
johnstcn approved these changes Jul 1, 2025
View reviewed changes
Copy link
Member

@johnstcn johnstcn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approving but would like a second pair of eyes.

coderd/httpmw/rfc6750_test.go
Comment on lines +22 to +31
// defaultIPAddressForTests returns a default IP address for test API keys
func defaultIPAddressForTests() pqtype.Inet {
return pqtype.Inet{
IPNet: net.IPNet{
IP: net.IPv4(127, 0, 0, 1),
Mask: net.IPv4Mask(255, 255, 255, 255),
},
Valid: true,
}
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This shouldn't be needed anymore because you're using dbgen

Suggested change
// defaultIPAddressForTests returns a default IP address for test API keys
func defaultIPAddressForTests() pqtype.Inet {
return pqtype.Inet{
IPNet: net.IPNet{
IP: net.IPv4(127, 0, 0, 1),
Mask: net.IPv4Mask(255, 255, 255, 255),
},
Valid: true,
}
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@johnstcn johnstcn johnstcn approved these changes

@Emyrk Emyrk Awaiting requested review from Emyrk

Assignees

@ThomasK33 ThomasK33

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ThomasK33 @johnstcn