Skip to content

feat: add OAuth2 protected resource metadata endpoint for RFC 9728#18643

Merged
ThomasK33 merged 1 commit into
mainfrom
thomask33/06-27-feat_oauth2_implement_rfc_9728_protected_resource_metadata_endpoint
Jul 2, 2025
Merged

feat: add OAuth2 protected resource metadata endpoint for RFC 9728#18643
ThomasK33 merged 1 commit into
mainfrom
thomask33/06-27-feat_oauth2_implement_rfc_9728_protected_resource_metadata_endpoint

Conversation

@ThomasK33
Copy link
Copy Markdown
Member

@ThomasK33 ThomasK33 commented Jun 27, 2025

Add OAuth2 Protected Resource Metadata Endpoint

This PR implements the OAuth2 Protected Resource Metadata endpoint according to RFC 9728. The endpoint is available at /.well-known/oauth-protected-resource and provides information about Coder as an OAuth2 protected resource.

Key changes:

  • Added a new endpoint at /.well-known/oauth-protected-resource that returns metadata about Coder as an OAuth2 protected resource
  • Created a new OAuth2ProtectedResourceMetadata struct in the SDK
  • Added tests to verify the endpoint functionality
  • Updated API documentation to include the new endpoint

The implementation currently returns basic metadata including the resource identifier and authorization server URL. The scopes_supported field is empty until a scope system based on RBAC permissions is implemented. The bearer_methods_supported field is omitted as Coder uses custom authentication methods rather than standard RFC 6750 bearer tokens.

A TODO has been added to implement RFC 6750 bearer token support in the future.

This was referenced Jun 27, 2025
Merged
Merged
Merged
@ThomasK33 Graphite App
Copy link
Copy Markdown
Member Author

ThomasK33 commented Jun 27, 2025
edited
Loading

This stack of pull requests is managed by Graphite. Learn more about stacking.

@ThomasK33 ThomasK33 mentioned this pull request Jun 27, 2025
Merged
This was referenced Jun 27, 2025
Merged
Merged
Merged
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_9728_protected_resource_metadata_endpoint branch 2 times, most recently from 5be6c6a to fded148 Compare June 27, 2025 17:29
@ThomasK33 ThomasK33 force-pushed the thomask33/feat_add_Go_LSP_configuration_and_code_navigation_documentation branch from 1e2bc51 to 3de973b Compare June 27, 2025 17:29
@ThomasK33 ThomasK33 marked this pull request as ready for review June 29, 2025 11:14
@ThomasK33 ThomasK33 force-pushed the thomask33/feat_add_Go_LSP_configuration_and_code_navigation_documentation branch from 3de973b to 9f159b0 Compare June 30, 2025 11:06
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_9728_protected_resource_metadata_endpoint branch 2 times, most recently from 9b7f5d9 to 7ef25b1 Compare June 30, 2025 11:49
@ThomasK33 ThomasK33 force-pushed the thomask33/feat_add_Go_LSP_configuration_and_code_navigation_documentation branch 2 times, most recently from 47d9a0a to bffc160 Compare June 30, 2025 12:02
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_9728_protected_resource_metadata_endpoint branch from 7ef25b1 to f0608bc Compare June 30, 2025 12:02
@ThomasK33 ThomasK33 force-pushed the thomask33/feat_add_Go_LSP_configuration_and_code_navigation_documentation branch from bffc160 to e733c7b Compare June 30, 2025 12:31
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_9728_protected_resource_metadata_endpoint branch 2 times, most recently from c68a923 to f55771a Compare June 30, 2025 12:46
@ThomasK33 ThomasK33 force-pushed the thomask33/feat_add_Go_LSP_configuration_and_code_navigation_documentation branch from e733c7b to 70e8be9 Compare June 30, 2025 12:46
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_9728_protected_resource_metadata_endpoint branch from f55771a to 34af681 Compare June 30, 2025 12:53
@ThomasK33 ThomasK33 force-pushed the thomask33/feat_add_Go_LSP_configuration_and_code_navigation_documentation branch from 70e8be9 to 476c079 Compare June 30, 2025 12:53
@ThomasK33 ThomasK33 requested review from Emyrk and johnstcn June 30, 2025 13:21
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_9728_protected_resource_metadata_endpoint branch from 34af681 to e72476e Compare June 30, 2025 16:42
@ThomasK33 ThomasK33 force-pushed the thomask33/feat_add_Go_LSP_configuration_and_code_navigation_documentation branch from 476c079 to d2eb876 Compare June 30, 2025 16:42
@ThomasK33 ThomasK33 mentioned this pull request Jun 30, 2025
Merged
Emyrk
Emyrk approved these changes Jul 1, 2025
View reviewed changes
Comment thread coderd/oauth2_metadata_test.go Outdated
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_9728_protected_resource_metadata_endpoint branch from 1858134 to a239eaa Compare July 1, 2025 16:50
@ThomasK33 ThomasK33 force-pushed the thomask33/feat_add_Go_LSP_configuration_and_code_navigation_documentation branch from 2621adf to 661c0e6 Compare July 1, 2025 16:50
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_9728_protected_resource_metadata_endpoint branch from a239eaa to 4ca3595 Compare July 1, 2025 16:56
@ThomasK33 ThomasK33 force-pushed the thomask33/feat_add_Go_LSP_configuration_and_code_navigation_documentation branch from 661c0e6 to 5be06e7 Compare July 1, 2025 17:18
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_9728_protected_resource_metadata_endpoint branch from 4ca3595 to 23374cd Compare July 1, 2025 17:18
@ThomasK33 ThomasK33 force-pushed the thomask33/feat_add_Go_LSP_configuration_and_code_navigation_documentation branch from 5be06e7 to 3275584 Compare July 1, 2025 19:54
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_9728_protected_resource_metadata_endpoint branch 2 times, most recently from 43fcceb to db5e215 Compare July 1, 2025 20:14
@ThomasK33 ThomasK33 force-pushed the thomask33/feat_add_Go_LSP_configuration_and_code_navigation_documentation branch from 3275584 to 9bd7ff5 Compare July 1, 2025 20:14
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_9728_protected_resource_metadata_endpoint branch from db5e215 to 953036f Compare July 2, 2025 12:08
@ThomasK33 ThomasK33 force-pushed the thomask33/feat_add_Go_LSP_configuration_and_code_navigation_documentation branch from 9bd7ff5 to 1d7dbb1 Compare July 2, 2025 12:08
@ThomasK33 ThomasK33 mentioned this pull request Jul 2, 2025
Merged
@ThomasK33 ThomasK33 force-pushed the thomask33/feat_add_Go_LSP_configuration_and_code_navigation_documentation branch from 1d7dbb1 to 7cab8d5 Compare July 2, 2025 12:25
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_9728_protected_resource_metadata_endpoint branch from 953036f to 22c2dc6 Compare July 2, 2025 12:25
@ThomasK33 ThomasK33 force-pushed the thomask33/feat_add_Go_LSP_configuration_and_code_navigation_documentation branch 2 times, most recently from a1cb748 to 1809030 Compare July 2, 2025 15:49
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_9728_protected_resource_metadata_endpoint branch from 22c2dc6 to 14e6e22 Compare July 2, 2025 15:50
@ThomasK33 ThomasK33 force-pushed the thomask33/feat_add_Go_LSP_configuration_and_code_navigation_documentation branch from 1809030 to 910d2c8 Compare July 2, 2025 16:35
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_9728_protected_resource_metadata_endpoint branch from 14e6e22 to 5791cb0 Compare July 2, 2025 16:35
@ThomasK33 ThomasK33 changed the base branch from thomask33/feat_add_Go_LSP_configuration_and_code_navigation_documentation to graphite-base/18643 July 2, 2025 16:43
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_9728_protected_resource_metadata_endpoint branch from 5791cb0 to 7e0ce8a Compare July 2, 2025 16:43
@ThomasK33 ThomasK33 force-pushed the graphite-base/18643 branch from 910d2c8 to 1b73b1a Compare July 2, 2025 16:43
@graphite-app graphite-app Bot changed the base branch from graphite-base/18643 to main July 2, 2025 16:44
@ThomasK33
feat(oauth2): implement RFC 9728 Protected Resource Metadata endpoint
59b7a9d 
- Add OAuth2ProtectedResourceMetadata struct in codersdk/oauth2.go
- Implement /.well-known/oauth-protected-resource endpoint handler
- Register route in coderd.go for Protected Resource Metadata discovery
- Add comprehensive test coverage in oauth2_metadata_test.go
- Update OpenAPI documentation and generated API types
- Correctly omit bearer_methods_supported field (Coder uses custom auth)
- Support MCP OAuth2 compliance requirement for resource server metadata

This implements RFC 9728 OAuth 2.0 Protected Resource Metadata to enable
MCP clients to discover resource server capabilities and authorization servers.

Change-Id: I089232ae755acf13eb0a7be46944c9eeaaafb75b
Signed-off-by: Thomas Kosiewski <tk@coder.com>
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_9728_protected_resource_metadata_endpoint branch from 7e0ce8a to 59b7a9d Compare July 2, 2025 16:44
@ThomasK33 ThomasK33 merged commit 33bbf18 into main Jul 2, 2025
35 checks passed
@ThomasK33 Graphite App
Copy link
Copy Markdown
Member Author

ThomasK33 commented Jul 2, 2025

Merge activity

@ThomasK33 ThomasK33 deleted the thomask33/06-27-feat_oauth2_implement_rfc_9728_protected_resource_metadata_endpoint branch July 2, 2025 16:58
@github-actions github-actions Bot locked and limited conversation to collaborators Jul 2, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@johnstcn johnstcn johnstcn approved these changes

@Emyrk Emyrk Emyrk approved these changes

Assignees

@ThomasK33 ThomasK33

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ThomasK33 @johnstcn @Emyrk