refactor: simplify OAuth2 authorization flow and use 302 redirects (#18923)

ThomasK33 · web-flow · commit 7b06fc77ae4b · 2025-07-20T16:22:52.000+02:00
# Refactor OAuth2 Provider Authorization Flow

This PR refactors the OAuth2 provider authorization flow by:

1. Removing the `authorizeMW` middleware and directly implementing its functionality in the `ShowAuthorizePage` handler
2. Simplifying function signatures by removing unnecessary parameters:
   - Removed `db` parameter from `ShowAuthorizePage`
   - Removed `accessURL` parameter from `ProcessAuthorize`
3. Changing the redirect status code in `ProcessAuthorize` from 307 (Temporary Redirect) to 302 (Found) to improve compatibility with external OAuth2 apps and browsers. (Technical explanation: we replied with a 307 to a POST request, thus the browser performs a redirect to that URL as a POST request, but we need it to be a GET request to be compatible. Thus, we use the 302 redirect so that browsers turn it into a GET request when redirecting back to the redirect_uri.)

The changes maintain the same functionality while simplifying the code and improving compatibility with external systems.
diff --git a/coderd/coderdtest/oidctest/helper.go b/coderd/coderdtest/oidctest/helper.go
@@ -132,14 +132,14 @@ func OAuth2GetCode(rawAuthURL string, doRequest func(req *http.Request) (*http.R
 		return "", xerrors.Errorf("failed to create auth request: %w", err)
 	}
 
-	expCode := http.StatusTemporaryRedirect
 	resp, err := doRequest(r)
 	if err != nil {
 		return "", xerrors.Errorf("request: %w", err)
 	}
 	defer resp.Body.Close()
 
-	if resp.StatusCode != expCode {
+	// Accept both 302 (Found) and 307 (Temporary Redirect) as valid OAuth2 redirects
+	if resp.StatusCode != http.StatusFound && resp.StatusCode != http.StatusTemporaryRedirect {
 		return "", codersdk.ReadBodyAsError(resp)
 	}
 
diff --git a/coderd/oauth2.go b/coderd/oauth2.go
@@ -116,7 +116,7 @@ func (api *API) deleteOAuth2ProviderAppSecret() http.HandlerFunc {
 // @Success 200 "Returns HTML authorization page"
 // @Router /oauth2/authorize [get]
 func (api *API) getOAuth2ProviderAppAuthorize() http.HandlerFunc {
-	return oauth2provider.ShowAuthorizePage(api.Database, api.AccessURL)
+	return oauth2provider.ShowAuthorizePage(api.AccessURL)
 }
 
 // @Summary OAuth2 authorization request (POST - process authorization).
@@ -131,7 +131,7 @@ func (api *API) getOAuth2ProviderAppAuthorize() http.HandlerFunc {
 // @Success 302 "Returns redirect with authorization code"
 // @Router /oauth2/authorize [post]
 func (api *API) postOAuth2ProviderAppAuthorize() http.HandlerFunc {
-	return oauth2provider.ProcessAuthorize(api.Database, api.AccessURL)
+	return oauth2provider.ProcessAuthorize(api.Database)
 }
 
 // @Summary OAuth2 token exchange.
diff --git a/coderd/oauth2provider/authorize.go b/coderd/oauth2provider/authorize.go
@@ -16,6 +16,7 @@ import (
 	"github.com/coder/coder/v2/coderd/httpapi"
 	"github.com/coder/coder/v2/coderd/httpmw"
 	"github.com/coder/coder/v2/codersdk"
+	"github.com/coder/coder/v2/site"
 )
 
 type authorizeParams struct {
@@ -67,16 +68,46 @@ func extractAuthorizeParams(r *http.Request, callbackURL *url.URL) (authorizePar
 }
 
 // ShowAuthorizePage handles GET /oauth2/authorize requests to display the HTML authorization page.
-// It uses authorizeMW which intercepts GET requests to show the authorization form.
-func ShowAuthorizePage(db database.Store, accessURL *url.URL) http.HandlerFunc {
-	handler := authorizeMW(accessURL)(ProcessAuthorize(db, accessURL))
-	return handler.ServeHTTP
+func ShowAuthorizePage(accessURL *url.URL) http.HandlerFunc {
+	return func(rw http.ResponseWriter, r *http.Request) {
+		app := httpmw.OAuth2ProviderApp(r)
+		ua := httpmw.UserAuthorization(r.Context())
+
+		callbackURL, err := url.Parse(app.CallbackURL)
+		if err != nil {
+			site.RenderStaticErrorPage(rw, r, site.ErrorPageData{Status: http.StatusInternalServerError, HideStatus: false, Title: "Internal Server Error", Description: err.Error(), RetryEnabled: false, DashboardURL: accessURL.String(), Warnings: nil})
+			return
+		}
+
+		params, validationErrs, err := extractAuthorizeParams(r, callbackURL)
+		if err != nil {
+			errStr := make([]string, len(validationErrs))
+			for i, err := range validationErrs {
+				errStr[i] = err.Detail
+			}
+			site.RenderStaticErrorPage(rw, r, site.ErrorPageData{Status: http.StatusBadRequest, HideStatus: false, Title: "Invalid Query Parameters", Description: "One or more query parameters are missing or invalid.", RetryEnabled: false, DashboardURL: accessURL.String(), Warnings: errStr})
+			return
+		}
+
+		cancel := params.redirectURL
+		cancelQuery := params.redirectURL.Query()
+		cancelQuery.Add("error", "access_denied")
+		cancel.RawQuery = cancelQuery.Encode()
+
+		site.RenderOAuthAllowPage(rw, r, site.RenderOAuthAllowData{
+			AppIcon:     app.Icon,
+			AppName:     app.Name,
+			CancelURI:   cancel.String(),
+			RedirectURI: r.URL.String(),
+			Username:    ua.FriendlyName,
+		})
+	}
 }
 
 // ProcessAuthorize handles POST /oauth2/authorize requests to process the user's authorization decision
-// and generate an authorization code. GET requests are handled by authorizeMW.
-func ProcessAuthorize(db database.Store, accessURL *url.URL) http.HandlerFunc {
-	handler := func(rw http.ResponseWriter, r *http.Request) {
+// and generate an authorization code.
+func ProcessAuthorize(db database.Store) http.HandlerFunc {
+	return func(rw http.ResponseWriter, r *http.Request) {
 		ctx := r.Context()
 		apiKey := httpmw.APIKey(r)
 		app := httpmw.OAuth2ProviderApp(r)
@@ -159,9 +190,8 @@ func ProcessAuthorize(db database.Store, accessURL *url.URL) http.HandlerFunc {
 		}
 		params.redirectURL.RawQuery = newQuery.Encode()
 
-		http.Redirect(rw, r, params.redirectURL.String(), http.StatusTemporaryRedirect)
+		// (ThomasK33): Use a 302 redirect as some (external) OAuth 2 apps and browsers
+		// do not work with the 307.
+		http.Redirect(rw, r, params.redirectURL.String(), http.StatusFound)
 	}
-
-	// Always wrap with its custom mw.
-	return authorizeMW(accessURL)(http.HandlerFunc(handler)).ServeHTTP
 }
diff --git a/coderd/oauth2provider/middleware.go b/coderd/oauth2provider/middleware.go

Original file line number	Diff line number	Diff line change
`@@ -132,14 +132,14 @@ func OAuth2GetCode(rawAuthURL string, doRequest func(req http.Request) (http.R`
`132`	`132`	`return "", xerrors.Errorf("failed to create auth request: %w", err)`
`133`	`133`	`}`
`134`	`134`
`135`		`- expCode := http.StatusTemporaryRedirect`
`136`	`135`	`resp, err := doRequest(r)`
`137`	`136`	`if err != nil {`
`138`	`137`	`return "", xerrors.Errorf("request: %w", err)`
`139`	`138`	`}`
`140`	`139`	`defer resp.Body.Close()`
`141`	`140`
`142`		`- if resp.StatusCode != expCode {`
	`141`	`+ // Accept both 302 (Found) and 307 (Temporary Redirect) as valid OAuth2 redirects`
	`142`	`+ if resp.StatusCode != http.StatusFound && resp.StatusCode != http.StatusTemporaryRedirect {`
`143`	`143`	`return "", codersdk.ReadBodyAsError(resp)`
`144`	`144`	`}`
`145`	`145`