
Commit eac2681
feat(oauth2): add client credentials grant type and user ownership
- Add client_credentials to OAuth2ProviderGrantType enum
- Add user_id column to oauth2_provider_apps for ownership tracking
- Make refresh_hash nullable for client credentials tokens per RFC 6749
- Update API schemas to use proper OAuth2 enums for grant/response types
- Add grant_types field to OAuth2 app create/update requests
- Support user-scoped client credentials apps vs system-scoped auth flows
- Update database queries and models for new fields

Change-Id: I11901919656c86c51e7c808324e2df5205eda002
Signed-off-by: Thomas Kosiewski <tk@coder.com>
1 parent 5c7f06a commit eac2681

27 files changed: +840 / -84 lines changed

coderd/apidoc/docs.go

Lines changed: 40 additions & 3 deletions
Some generated files are not rendered by default.

coderd/apidoc/swagger.json

Lines changed: 36 additions & 3 deletions
Some generated files are not rendered by default.

coderd/database/dbgen/dbgen.go

Lines changed: 1 addition & 0 deletions
@@ -1159,6 +1159,7 @@ func OAuth2ProviderApp(t testing.TB, db database.Store, seed database.OAuth2Prov
11591159
RedirectUris: takeFirstSlice(seed.RedirectUris, []string{"http://localhost"}),
11601160
ClientType: takeFirst(seed.ClientType, sql.NullString{String: "confidential", Valid: true}),
11611161
DynamicallyRegistered: takeFirst(seed.DynamicallyRegistered, sql.NullBool{Bool: false, Valid: true}),
1162+
UserID: takeFirst(seed.UserID, uuid.NullUUID{Valid: false}),
11621163
ClientIDIssuedAt: takeFirst(seed.ClientIDIssuedAt, sql.NullTime{}),
11631164
ClientSecretExpiresAt: takeFirst(seed.ClientSecretExpiresAt, sql.NullTime{}),
11641165
GrantTypes: takeFirstSlice(seed.GrantTypes, []string{"authorization_code", "refresh_token"}),
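Review bot: the new seed default `UserID: takeFirst(seed.UserID, uuid.NullUUID{Valid: false})`, combined with the unchanged `GrantTypes` default of `[]string{"authorization_code", "refresh_token"}`, means every fixture this generator produces is a system-scoped app with no owner and no client_credentials grant, so the user-scoped client credentials path described in the commit message is never exercised unless a test sets both `seed.UserID` and `seed.GrantTypes` explicitly. Add a comment on the generator stating that the two fields must be set together for an owned client credentials app, since nothing in the generator prevents seeding an owner with only the default grant types or a client_credentials grant with no owner.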

coderd/database/dump.sql

Lines changed: 5 additions & 1 deletion
Some generated files are not rendered by default.

coderd/database/foreign_key_constraint.go

Lines changed: 1 addition & 0 deletions
Some generated files are not rendered by default.
Lines changed: 7 additions & 0 deletions
@@ -0,0 +1,7 @@
1+
-- Restore refresh_hash as NOT NULL (existing data should still be valid)
2+
ALTER TABLE oauth2_provider_app_tokens
3+
ALTER COLUMN refresh_hash SET NOT NULL;
4+
5+
-- Remove user_id column from OAuth2 provider apps
6+
ALTER TABLE oauth2_provider_apps
7+
DROP COLUMN user_id;
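Review bot: `ALTER COLUMN refresh_hash SET NOT NULL` in this down migration will fail as soon as any client credentials token has been issued, because the matching up migration exists precisely to store those tokens with a NULL refresh_hash; the comment "existing data should still be valid" only holds for rows created before the up migration ran. Remove the affected rows first, e.g. `DELETE FROM oauth2_provider_app_tokens WHERE refresh_hash IS NULL;` ahead of the ALTER, and say in the comment that rolling back revokes all client credentials tokens. In the same way, `DROP COLUMN user_id` silently turns every user-owned app into a system-scoped one rather than removing it; if an ownerless copy of a user's app is not an acceptable rollback state, delete rows with a non-NULL user_id before dropping the column.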
Lines changed: 8 additions & 0 deletions
@@ -0,0 +1,8 @@
1+
-- Add user ownership to OAuth2 provider apps for client credentials support
2+
ALTER TABLE oauth2_provider_apps
3+
ADD COLUMN user_id uuid REFERENCES users(id) ON DELETE CASCADE;
4+
5+
-- Make refresh_hash nullable to support client credentials tokens
6+
-- RFC 6749 Section 4.4.3: "A refresh token SHOULD NOT be included" for client credentials
7+
ALTER TABLE oauth2_provider_app_tokens
8+
ALTER COLUMN refresh_hash DROP NOT NULL;
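Review bot: `ADD COLUMN user_id uuid REFERENCES users(id) ON DELETE CASCADE` is added without an index on user_id, so listing a user's apps and the cascade itself on user deletion both have to scan oauth2_provider_apps; add a `CREATE INDEX` on `oauth2_provider_apps (user_id)` in the same migration. Nothing in the schema ties the nullable `user_id` to the grant type either: an app can carry the client_credentials grant with a NULL owner, or an owner with only authorization_code, so the user-scoped versus system-scoped distinction from the commit message is enforced in application code only; either add a CHECK constraint or record that invariant in a comment next to the column. The RFC 6749 Section 4.4.3 quotation justifying `ALTER COLUMN refresh_hash DROP NOT NULL` is accurate, but the constraint now relies on the token-issuing code never writing a NULL refresh_hash for the authorization code flow, which is worth a comment here as well.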

coderd/database/models.go

Lines changed: 1 addition & 0 deletions
Some generated files are not rendered by default.
