coder
diff --git a/‎coderd/apidoc/docs.go
Lines changed: 24 additions & 0 deletions b/‎coderd/apidoc/docs.go
Lines changed: 24 additions & 0 deletions
diff --git a/‎coderd/apidoc/swagger.json
Lines changed: 24 additions & 0 deletions b/‎coderd/apidoc/swagger.json
Lines changed: 24 additions & 0 deletions
diff --git a/‎coderd/database/db2sdk/db2sdk.go
Lines changed: 11 additions & 0 deletions b/‎coderd/database/db2sdk/db2sdk.go
Lines changed: 11 additions & 0 deletions
diff --git a/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 4 additions & 0 deletions b/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 4 additions & 0 deletions
diff --git a/‎coderd/database/dbauthz/dbauthz_test.go
Lines changed: 22 additions & 0 deletions b/‎coderd/database/dbauthz/dbauthz_test.go
Lines changed: 22 additions & 0 deletions
diff --git a/‎coderd/database/dbmetrics/querymetrics.go
Lines changed: 7 additions & 0 deletions b/‎coderd/database/dbmetrics/querymetrics.go
Lines changed: 7 additions & 0 deletions
diff --git a/‎coderd/database/dbmock/dbmock.go
Lines changed: 15 additions & 0 deletions b/‎coderd/database/dbmock/dbmock.go
Lines changed: 15 additions & 0 deletions
diff --git a/‎coderd/database/modelmethods.go
Lines changed: 4 additions & 1 deletion b/‎coderd/database/modelmethods.go
Lines changed: 4 additions & 1 deletion
diff --git a/‎coderd/database/querier.go
Lines changed: 1 addition & 0 deletions b/‎coderd/database/querier.go
Lines changed: 1 addition & 0 deletions
diff --git a/‎coderd/database/queries.sql.go
Lines changed: 54 additions & 0 deletions b/‎coderd/database/queries.sql.go
Lines changed: 54 additions & 0 deletions
@@ -354,11 +354,19 @@ func TemplateVersionParameterOptionFromPreview(option *previewtypes.ParameterOpt
 }
 
 func OAuth2ProviderApp(accessURL *url.URL, dbApp database.OAuth2ProviderApp) codersdk.OAuth2ProviderApp {
+	var userID uuid.UUID
+	if dbApp.UserID.Valid {
+		userID = dbApp.UserID.UUID
+	}
+
 	return codersdk.OAuth2ProviderApp{
 		ID:           dbApp.ID,
 		Name:         dbApp.Name,
 		RedirectURIs: dbApp.RedirectUris,
 		Icon:         dbApp.Icon,
+		CreatedAt:    dbApp.CreatedAt,
+		GrantTypes:   dbApp.GrantTypes,
+		UserID:       userID,
 		Endpoints: codersdk.OAuth2AppEndpoints{
 			Authorization: accessURL.ResolveReference(&url.URL{
 				Path: "/oauth2/authorize",
@@ -369,6 +377,9 @@ func OAuth2ProviderApp(accessURL *url.URL, dbApp database.OAuth2ProviderApp) cod
 			DeviceAuth: accessURL.ResolveReference(&url.URL{
 				Path: "/oauth2/device/authorize",
 			}).String(),
+			Revocation: accessURL.ResolveReference(&url.URL{
+				Path: "/oauth2/revoke",
+			}).String(),
 		},
 	}
 }
 
@@ -2304,6 +2304,10 @@ func (q *querier) GetOAuth2ProviderApps(ctx context.Context) ([]database.OAuth2P
 	return q.db.GetOAuth2ProviderApps(ctx)
 }
 
+func (q *querier) GetOAuth2ProviderAppsByOwnerID(ctx context.Context, userID uuid.NullUUID) ([]database.OAuth2ProviderApp, error) {
+	return fetchWithPostFilter(q.auth, policy.ActionRead, q.db.GetOAuth2ProviderAppsByOwnerID)(ctx, userID)
+}
+
 func (q *querier) GetOAuth2ProviderAppsByUserID(ctx context.Context, userID uuid.UUID) ([]database.GetOAuth2ProviderAppsByUserIDRow, error) {
 	// This authz check is to make sure the caller can read all their own tokens.
 	if err := q.authorizeContext(ctx, policy.ActionRead,
 
@@ -5288,6 +5288,28 @@ func (s *MethodTestSuite) TestOAuth2ProviderApps() {
 		app := dbgen.OAuth2ProviderApp(s.T(), db, database.OAuth2ProviderApp{})
 		check.Args(app.ID).Asserts(rbac.ResourceOauth2App, policy.ActionDelete)
 	}))
+	s.Run("GetOAuth2ProviderAppsByOwnerID", s.Subtest(func(db database.Store, check *expects) {
+		owner := dbgen.User(s.T(), db, database.User{})
+		// Create multiple apps with the same owner
+		app1 := dbgen.OAuth2ProviderApp(s.T(), db, database.OAuth2ProviderApp{
+			UserID: uuid.NullUUID{UUID: owner.ID, Valid: true},
+		})
+		app2 := dbgen.OAuth2ProviderApp(s.T(), db, database.OAuth2ProviderApp{
+			UserID: uuid.NullUUID{UUID: owner.ID, Valid: true},
+		})
+		// Create an app with a different owner to ensure filtering works
+		differentOwner := dbgen.User(s.T(), db, database.User{})
+		_ = dbgen.OAuth2ProviderApp(s.T(), db, database.OAuth2ProviderApp{
+			UserID: uuid.NullUUID{UUID: differentOwner.ID, Valid: true},
+		})
+		// fetchWithPostFilter will check each individual app, so we need to assert those checks
+		check.Args(uuid.NullUUID{UUID: owner.ID, Valid: true}).
+			Asserts(
+				app1, policy.ActionRead, // Check for first app (includes owner)
+				app2, policy.ActionRead, // Check for second app (includes owner)
+			).
+			Returns([]database.OAuth2ProviderApp{app1, app2})
+	}))
 	s.Run("GetOAuth2ProviderAppByClientID", s.Subtest(func(db database.Store, check *expects) {
 		app := dbgen.OAuth2ProviderApp(s.T(), db, database.OAuth2ProviderApp{})
 		check.Args(app.ID).Asserts(rbac.ResourceOauth2App, policy.ActionRead).Returns(app)
 
@@ -391,7 +391,10 @@ func (OAuth2ProviderAppSecret) RBACObject() rbac.Object {
 	return rbac.ResourceOauth2AppSecret
 }
 
-func (OAuth2ProviderApp) RBACObject() rbac.Object {
+func (app OAuth2ProviderApp) RBACObject() rbac.Object {
+	if app.UserID.Valid {
+		return rbac.ResourceOauth2App.WithOwner(app.UserID.UUID.String())
+	}
 	return rbac.ResourceOauth2App
 }
Original file line number	Diff line number	Diff line change
`@@ -391,7 +391,10 @@ func (OAuth2ProviderAppSecret) RBACObject() rbac.Object {`
`391`	`391`	`return rbac.ResourceOauth2AppSecret`
`392`	`392`	`}`
`393`	`393`
`394`		`-func (OAuth2ProviderApp) RBACObject() rbac.Object {`
	`394`	`+func (app OAuth2ProviderApp) RBACObject() rbac.Object {`
	`395`	`+ if app.UserID.Valid {`
	`396`	`+ return rbac.ResourceOauth2App.WithOwner(app.UserID.UUID.String())`
	`397`	`+ }`
`395`	`398`	`return rbac.ResourceOauth2App`
`396`	`399`	`}`
`397`	`400`