Skip to content

feat: implement RFC 6750 Bearer token authentication #18644

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: thomask33/06-27-feat_oauth2_implement_rfc_9728_protected_resource_metadata_endpoint
Choose a base branch
from
+1,004 −7
Open

feat: implement RFC 6750 Bearer token authentication #18644

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
38 changes: 37 additions & 1 deletion coderd/httpmw/apikey.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -209,6 +209,26 @@ func ExtractAPIKey(rw http.ResponseWriter, r *http.Request, cfg ExtractAPIKeyCon
return nil, nil, false
}

// Add WWW-Authenticate header for 401/403 responses (RFC 6750)
if code == http.StatusUnauthorized || code == http.StatusForbidden {
// Basic Bearer challenge with realm
wwwAuth := `Bearer realm="coder"`

// Add error details based on the type of error
switch {
case strings.Contains(response.Message, "invalid") || strings.Contains(response.Detail, "invalid"):
wwwAuth = `Bearer realm="coder", error="invalid_token", error_description="The access token is invalid"`
case strings.Contains(response.Message, "expired") || strings.Contains(response.Detail, "expired"):
wwwAuth = `Bearer realm="coder", error="invalid_token", error_description="The access token has expired"`
case strings.Contains(response.Message, "audience") || strings.Contains(response.Message, "mismatch"):
wwwAuth = `Bearer realm="coder", error="invalid_token", error_description="The access token audience does not match this resource"`
case code == http.StatusForbidden:
wwwAuth = `Bearer realm="coder", error="insufficient_scope", error_description="The request requires higher privileges than provided by the access token"`
}

rw.Header().Set("WWW-Authenticate", wwwAuth)
}

httpapi.Write(ctx, rw, code, response)
return nil, nil, false
}
Expand Down Expand Up @@ -534,9 +554,14 @@ func UserRBACSubject(ctx context.Context, db database.Store, userID uuid.UUID, s
// 1: The cookie
// 2. The coder_session_token query parameter
// 3. The custom auth header
// 4. RFC 6750 Authorization: Bearer header
// 5. RFC 6750 access_token query parameter
//
// API tokens for apps are read from workspaceapps/cookies.go.
func APITokenFromRequest(r *http.Request) string {
// Prioritize existing Coder custom authentication methods first
// to maintain backward compatibility and existing behavior

cookie, err := r.Cookie(codersdk.SessionTokenCookie)
if err == nil && cookie.Value != "" {
return cookie.Value
Expand All @@ -552,7 +577,18 @@ func APITokenFromRequest(r *http.Request) string {
return headerValue
}

// TODO(ThomasK33): Implement RFC 6750
// RFC 6750 Bearer Token support (added as fallback methods)
// Check Authorization: Bearer <token> header
authHeader := r.Header.Get("Authorization")
if strings.HasPrefix(authHeader, "Bearer ") {
return strings.TrimPrefix(authHeader, "Bearer ")
}

// Check access_token query parameter
accessToken := r.URL.Query().Get("access_token")
if accessToken != "" {
return accessToken
}

return ""
}
Expand Down
Loading
Loading