Skip to content

feat: implement OAuth2 dynamic client registration (RFC 7591/7592) #18645

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: thomask33/06-27-feat_oauth2_implement_rfc_6750_bearer_token_support_for_mcp_compliance
Choose a base branch
from
Open

feat: implement OAuth2 dynamic client registration (RFC 7591/7592) #18645

wants to merge 1 commit into from
+5,805 −132

Conversation

ThomasK33
Copy link
Member

Implement OAuth2 Dynamic Client Registration (RFC 7591/7592)

This PR implements OAuth2 Dynamic Client Registration according to RFC 7591 and Client Configuration Management according to RFC 7592. These standards allow OAuth2 clients to register themselves programmatically with Coder as an authorization server.

Key changes include:

  1. Added database schema extensions to support RFC 7591/7592 fields in the oauth2_provider_apps table

  2. Implemented /oauth2/register endpoint for dynamic client registration (RFC 7591)

  3. Added client configuration management endpoints (RFC 7592):

    • GET/PUT/DELETE /oauth2/clients/{client_id}
    • Registration access token validation middleware

  4. Added comprehensive validation for OAuth2 client metadata:

    • URI validation with support for custom schemes for native apps
    • Grant type and response type validation
    • Token endpoint authentication method validation

  5. Enhanced developer documentation with:

    • RFC compliance guidelines
    • Testing best practices to avoid race conditions
    • Systematic debugging approaches for OAuth2 implementations

The implementation follows security best practices from the RFCs, including proper token handling, secure defaults, and appropriate error responses. This enables third-party applications to integrate with Coder's OAuth2 provider capabilities programmatically.

This was referenced Jun 27, 2025
Open
Merged
This was referenced Jun 27, 2025
Open
Merged
Open
@ThomasK33 Graphite App
Copy link
Member Author

ThomasK33 commented Jun 27, 2025
edited
Loading

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

This stack of pull requests is managed by Graphite. Learn more about stacking.

This was referenced Jun 27, 2025
Open
Open
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_7591_7592_dynamic_client_registration_for_mcp_compliance branch from 3902793 to b37d850 Compare June 27, 2025 17:02
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_6750_bearer_token_support_for_mcp_compliance branch from ff83df4 to 3665807 Compare June 27, 2025 17:02
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_7591_7592_dynamic_client_registration_for_mcp_compliance branch from b37d850 to caf974c Compare June 27, 2025 17:11
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_6750_bearer_token_support_for_mcp_compliance branch from 3665807 to 56126dd Compare June 27, 2025 17:11
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_7591_7592_dynamic_client_registration_for_mcp_compliance branch from caf974c to 22b8b6d Compare June 27, 2025 17:29
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_6750_bearer_token_support_for_mcp_compliance branch from 56126dd to fca6b9a Compare June 27, 2025 17:29
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_7591_7592_dynamic_client_registration_for_mcp_compliance branch 2 times, most recently from 14c7196 to c43b551 Compare June 27, 2025 17:54
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_6750_bearer_token_support_for_mcp_compliance branch from fca6b9a to 68baa21 Compare June 27, 2025 17:54
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_7591_7592_dynamic_client_registration_for_mcp_compliance branch 12 times, most recently from 46d50e8 to 61142ba Compare June 30, 2025 08:58
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_7591_7592_dynamic_client_registration_for_mcp_compliance branch from 1d6b428 to 7b97205 Compare June 30, 2025 11:49
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_6750_bearer_token_support_for_mcp_compliance branch from 578e708 to 26c0eeb Compare June 30, 2025 11:49
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_7591_7592_dynamic_client_registration_for_mcp_compliance branch from 7b97205 to 28416c6 Compare June 30, 2025 12:02
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_6750_bearer_token_support_for_mcp_compliance branch 2 times, most recently from 7b70f7f to 1a9400e Compare June 30, 2025 12:31
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_7591_7592_dynamic_client_registration_for_mcp_compliance branch from 28416c6 to 8669e9c Compare June 30, 2025 12:31
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_6750_bearer_token_support_for_mcp_compliance branch from 1a9400e to 5f946b1 Compare June 30, 2025 12:46
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_7591_7592_dynamic_client_registration_for_mcp_compliance branch from 8669e9c to 3d19a30 Compare June 30, 2025 12:46
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_6750_bearer_token_support_for_mcp_compliance branch from 5f946b1 to 14d91ac Compare June 30, 2025 12:53
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_7591_7592_dynamic_client_registration_for_mcp_compliance branch from 3d19a30 to 7a348cb Compare June 30, 2025 12:53
@ThomasK33 ThomasK33 requested review from Emyrk and johnstcn June 30, 2025 13:21
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_7591_7592_dynamic_client_registration_for_mcp_compliance branch from 7a348cb to eb5615f Compare June 30, 2025 16:42
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_6750_bearer_token_support_for_mcp_compliance branch from 14d91ac to 0f4491b Compare June 30, 2025 16:42
This was referenced Jun 30, 2025
Open
Open
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_6750_bearer_token_support_for_mcp_compliance branch from 0f4491b to 8c975b5 Compare June 30, 2025 16:45
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_7591_7592_dynamic_client_registration_for_mcp_compliance branch 2 times, most recently from 5b9f0b2 to a320c08 Compare June 30, 2025 17:56
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_6750_bearer_token_support_for_mcp_compliance branch 2 times, most recently from 017f23f to 77e3e55 Compare July 1, 2025 09:15
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_7591_7592_dynamic_client_registration_for_mcp_compliance branch 2 times, most recently from 3417103 to 66f2908 Compare July 1, 2025 09:27
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_6750_bearer_token_support_for_mcp_compliance branch from 77e3e55 to 1e1e046 Compare July 1, 2025 09:27
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_7591_7592_dynamic_client_registration_for_mcp_compliance branch from 66f2908 to 4a0ebd7 Compare July 1, 2025 13:23
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_6750_bearer_token_support_for_mcp_compliance branch from 1e1e046 to 17982a7 Compare July 1, 2025 13:23
@ThomasK33 ThomasK33 mentioned this pull request Jul 1, 2025
Open
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_6750_bearer_token_support_for_mcp_compliance branch from 17982a7 to 119626d Compare July 1, 2025 13:41
@ThomasK33
feat(oauth2): implement RFC 7591/7592 Dynamic Client Registration for…
2f305f7 
… MCP compliance

- Add comprehensive OAuth2 dynamic client registration support
- Implement RFC 7591 client registration endpoint with proper validation
- Implement RFC 7592 client management protocol (GET/PUT/DELETE)
- Add RFC 6750 Bearer token authentication support
- Fix authorization context issues with AsSystemRestricted
- Add proper RBAC permissions for OAuth2 resources
- Implement registration access token security per RFC 7592
- Add comprehensive validation for redirect URIs, grant types, response types
- Support custom schemes for native applications
- Add database migration with all RFC-required fields
- Add audit logging support for OAuth2 operations
- Ensure full RFC compliance with proper error handling
- Add comprehensive test coverage for all scenarios

Change-Id: I36c711201d598a117f6bfc381fc74e07fc3cc365
Signed-off-by: Thomas Kosiewski <tk@coder.com>
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_7591_7592_dynamic_client_registration_for_mcp_compliance branch from 4a0ebd7 to 2f305f7 Compare July 1, 2025 13:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Emyrk Emyrk Awaiting requested review from Emyrk

@johnstcn johnstcn Awaiting requested review from johnstcn

Assignees

@ThomasK33 ThomasK33

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@ThomasK33