Skip to content

feat: implement OAuth2 dynamic client registration (RFC 7591/7592) #18645

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 1 commit into
base: thomask33/06-27-feat_oauth2_implement_rfc_6750_bearer_token_support_for_mcp_compliance
Choose a base branch
from
Draft

feat: implement OAuth2 dynamic client registration (RFC 7591/7592) #18645

wants to merge 1 commit into from
+5,687 −116

Conversation

ThomasK33
Copy link
Member

Implement OAuth2 Dynamic Client Registration (RFC 7591/7592)

This PR implements OAuth2 Dynamic Client Registration according to RFC 7591 and Client Configuration Management according to RFC 7592. These standards allow OAuth2 clients to register themselves programmatically with Coder as an authorization server.

Key changes include:

  1. Added database schema extensions to support RFC 7591/7592 fields in the oauth2_provider_apps table

  2. Implemented /oauth2/register endpoint for dynamic client registration (RFC 7591)

  3. Added client configuration management endpoints (RFC 7592):

    • GET/PUT/DELETE /oauth2/clients/{client_id}
    • Registration access token validation middleware

  4. Added comprehensive validation for OAuth2 client metadata:

    • URI validation with support for custom schemes for native apps
    • Grant type and response type validation
    • Token endpoint authentication method validation

  5. Enhanced developer documentation with:

    • RFC compliance guidelines
    • Testing best practices to avoid race conditions
    • Systematic debugging approaches for OAuth2 implementations

The implementation follows security best practices from the RFCs, including proper token handling, secure defaults, and appropriate error responses. This enables third-party applications to integrate with Coder's OAuth2 provider capabilities programmatically.

This was referenced Jun 27, 2025
Open
Open
This was referenced Jun 27, 2025
Open
Merged
Open
@ThomasK33 Graphite App
Copy link
Member Author

ThomasK33 commented Jun 27, 2025
edited
Loading

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

This stack of pull requests is managed by Graphite. Learn more about stacking.

This was referenced Jun 27, 2025
Open
Draft
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_7591_7592_dynamic_client_registration_for_mcp_compliance branch from 3902793 to b37d850 Compare June 27, 2025 17:02
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_6750_bearer_token_support_for_mcp_compliance branch from ff83df4 to 3665807 Compare June 27, 2025 17:02
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_7591_7592_dynamic_client_registration_for_mcp_compliance branch from b37d850 to caf974c Compare June 27, 2025 17:11
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_6750_bearer_token_support_for_mcp_compliance branch from 3665807 to 56126dd Compare June 27, 2025 17:11
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_7591_7592_dynamic_client_registration_for_mcp_compliance branch from caf974c to 22b8b6d Compare June 27, 2025 17:29
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_6750_bearer_token_support_for_mcp_compliance branch from 56126dd to fca6b9a Compare June 27, 2025 17:29
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_7591_7592_dynamic_client_registration_for_mcp_compliance branch 2 times, most recently from 14c7196 to c43b551 Compare June 27, 2025 17:54
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_6750_bearer_token_support_for_mcp_compliance branch from fca6b9a to 68baa21 Compare June 27, 2025 17:54
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_7591_7592_dynamic_client_registration_for_mcp_compliance branch 8 times, most recently from da04da3 to 1ac699e Compare June 29, 2025 18:30
@ThomasK33
feat(oauth2): implement RFC 7591/7592 Dynamic Client Registration for…
1b1df11 
… MCP compliance

- Add comprehensive OAuth2 dynamic client registration support
- Implement RFC 7591 client registration endpoint with proper validation
- Implement RFC 7592 client management protocol (GET/PUT/DELETE)
- Add RFC 6750 Bearer token authentication support
- Fix authorization context issues with AsSystemRestricted
- Add proper RBAC permissions for OAuth2 resources
- Implement registration access token security per RFC 7592
- Add comprehensive validation for redirect URIs, grant types, response types
- Support custom schemes for native applications
- Add database migration with all RFC-required fields
- Add audit logging support for OAuth2 operations
- Ensure full RFC compliance with proper error handling
- Add comprehensive test coverage for all scenarios

Change-Id: I36c711201d598a117f6bfc381fc74e07fc3cc365
Signed-off-by: Thomas Kosiewski <tk@coder.com>
@ThomasK33 ThomasK33 force-pushed the thomask33/06-27-feat_oauth2_implement_rfc_7591_7592_dynamic_client_registration_for_mcp_compliance branch from 1ac699e to 1b1df11 Compare June 29, 2025 20:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@ThomasK33 ThomasK33

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@ThomasK33