From eab2971ded28690d72ed89fce92466756793170f Mon Sep 17 00:00:00 2001
From: Thomas Kosiewski <tk@coder.com>
Date: Mon, 8 Sep 2025 13:31:30 +0200
Subject: [PATCH] fix: support path parameters in OAuth2 metadata endpoints

Change-Id: Ic28d30af39fcb3c8eea40607e0241c5aa096cc80
Signed-off-by: Thomas Kosiewski <tk@coder.com>
---
 coderd/coderd.go | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/coderd/coderd.go b/coderd/coderd.go
index c028462469b2a..7b30b20c74cce 100644
--- a/coderd/coderd.go
+++ b/coderd/coderd.go
@@ -948,9 +948,13 @@ func New(options *Options) *API {
 	}
 
 	// OAuth2 metadata endpoint for RFC 8414 discovery
-	r.Get("/.well-known/oauth-authorization-server", api.oauth2AuthorizationServerMetadata())
+	r.Route("/.well-known/oauth-authorization-server", func(r chi.Router) {
+		r.Get("/*", api.oauth2AuthorizationServerMetadata())
+	})
 	// OAuth2 protected resource metadata endpoint for RFC 9728 discovery
-	r.Get("/.well-known/oauth-protected-resource", api.oauth2ProtectedResourceMetadata())
+	r.Route("/.well-known/oauth-protected-resource", func(r chi.Router) {
+		r.Get("/*", api.oauth2ProtectedResourceMetadata())
+	})
 
 	// OAuth2 linking routes do not make sense under the /api/v2 path.  These are
 	// for an external application to use Coder as an OAuth2 provider, not for