Skip to content

Commit 09c5055

Browse files
ThomasK33ThomasK33
authored
feat: implement RFC 6750 Bearer token authentication (#18644)
# Add RFC 6750 Bearer Token Authentication Support This PR implements RFC 6750 Bearer Token authentication as an additional authentication method for Coder's API. This allows clients to authenticate using standard OAuth 2.0 Bearer tokens in two ways: 1. Using the `Authorization: Bearer <token>` header 2. Using the `access_token` query parameter Key changes: - Added support for extracting tokens from both Bearer headers and access_token query parameters - Implemented proper WWW-Authenticate headers for 401/403 responses with appropriate error descriptions - Added comprehensive test coverage for the new authentication methods - Updated the OAuth2 protected resource metadata endpoint to advertise Bearer token support - Enhanced the OAuth2 testing script to verify Bearer token functionality These authentication methods are added as fallback options, maintaining backward compatibility with Coder's existing authentication mechanisms. The existing authentication methods (cookies, session token header, etc.) still take precedence. This implementation follows the OAuth 2.0 Bearer Token specification (RFC 6750) and improves interoperability with standard OAuth 2.0 clients.
1 parent eade5b0 commit 09c5055

File tree

7 files changed

+784
-7
lines changed

7 files changed

+784
-7
lines changed

coderd/httpmw/apikey.go

Lines changed: 42 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -214,6 +214,31 @@ func ExtractAPIKey(rw http.ResponseWriter, r *http.Request, cfg ExtractAPIKeyCon
214214
return nil, nil, false
215215
}
216216

217+
// Add WWW-Authenticate header for 401/403 responses (RFC 6750)
218+
if code == http.StatusUnauthorized || code == http.StatusForbidden {
219+
var wwwAuth string
220+
221+
switch code {
222+
case http.StatusUnauthorized:
223+
// Map 401 to invalid_token with specific error descriptions
224+
switch {
225+
case strings.Contains(response.Message, "expired") || strings.Contains(response.Detail, "expired"):
226+
wwwAuth = `Bearer realm="coder", error="invalid_token", error_description="The access token has expired"`
227+
case strings.Contains(response.Message, "audience") || strings.Contains(response.Message, "mismatch"):
228+
wwwAuth = `Bearer realm="coder", error="invalid_token", error_description="The access token audience does not match this resource"`
229+
default:
230+
wwwAuth = `Bearer realm="coder", error="invalid_token", error_description="The access token is invalid"`
231+
}
232+
case http.StatusForbidden:
233+
// Map 403 to insufficient_scope per RFC 6750
234+
wwwAuth = `Bearer realm="coder", error="insufficient_scope", error_description="The request requires higher privileges than provided by the access token"`
235+
default:
236+
wwwAuth = `Bearer realm="coder"`
237+
}
238+
239+
rw.Header().Set("WWW-Authenticate", wwwAuth)
240+
}
241+
217242
httpapi.Write(ctx, rw, code, response)
218243
return nil, nil, false
219244
}
@@ -653,9 +678,14 @@ func UserRBACSubject(ctx context.Context, db database.Store, userID uuid.UUID, s
653678
// 1: The cookie
654679
// 2. The coder_session_token query parameter
655680
// 3. The custom auth header
681+
// 4. RFC 6750 Authorization: Bearer header
682+
// 5. RFC 6750 access_token query parameter
656683
//
657684
// API tokens for apps are read from workspaceapps/cookies.go.
658685
func APITokenFromRequest(r *http.Request) string {
686+
// Prioritize existing Coder custom authentication methods first
687+
// to maintain backward compatibility and existing behavior
688+
659689
cookie, err := r.Cookie(codersdk.SessionTokenCookie)
660690
if err == nil && cookie.Value != "" {
661691
return cookie.Value
@@ -671,7 +701,18 @@ func APITokenFromRequest(r *http.Request) string {
671701
return headerValue
672702
}
673703

674-
// TODO(ThomasK33): Implement RFC 6750
704+
// RFC 6750 Bearer Token support (added as fallback methods)
705+
// Check Authorization: Bearer <token> header (case-insensitive per RFC 6750)
706+
authHeader := r.Header.Get("Authorization")
707+
if strings.HasPrefix(strings.ToLower(authHeader), "bearer ") {
708+
return authHeader[7:] // Skip "Bearer " (7 characters)
709+
}
710+
711+
// Check access_token query parameter
712+
accessToken := r.URL.Query().Get("access_token")
713+
if accessToken != "" {
714+
return accessToken
715+
}
675716

676717
return ""
677718
}

coderd/httpmw/csrf.go

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -102,6 +102,12 @@ func CSRF(cookieCfg codersdk.HTTPCookieConfig) func(next http.Handler) http.Hand
102102
return true
103103
}
104104

105+
// RFC 6750 Bearer Token authentication is exempt from CSRF
106+
// as it uses custom headers that cannot be set by malicious sites
107+
if authHeader := r.Header.Get("Authorization"); strings.HasPrefix(strings.ToLower(authHeader), "bearer ") {
108+
return true
109+
}
110+
105111
// If the X-CSRF-TOKEN header is set, we can exempt the func if it's valid.
106112
// This is the CSRF check.
107113
sent := r.Header.Get("X-CSRF-TOKEN")

0 commit comments

Comments
 (0)