Commit ac0d1f6

feat(oauth2): add client credentials grant type and user ownership
- Add client_credentials to OAuth2ProviderGrantType enum
- Add user_id column to oauth2_provider_apps for ownership tracking
- Make refresh_hash nullable for client credentials tokens per RFC 6749
- Update API schemas to use proper OAuth2 enums for grant/response types
- Add grant_types field to OAuth2 app create/update requests
- Support user-scoped client credentials apps vs system-scoped auth flows
- Update database queries and models for new fields

Change-Id: I11901919656c86c51e7c808324e2df5205eda002
Signed-off-by: Thomas Kosiewski <tk@coder.com>
1 parent 0393465 commit ac0d1f6

27 files changed: +840 -84 lines changed

coderd/apidoc/docs.go

Lines changed: 40 additions & 3 deletions

coderd/apidoc/swagger.json

Lines changed: 36 additions & 3 deletions

coderd/database/dbgen/dbgen.go

Lines changed: 1 addition & 0 deletions
@@ -1159,6 +1159,7 @@ func OAuth2ProviderApp(t testing.TB, db database.Store, seed database.OAuth2Prov
11591159
RedirectUris: takeFirstSlice(seed.RedirectUris, []string{"http://localhost"}),
11601160
ClientType: takeFirst(seed.ClientType, sql.NullString{String: "confidential", Valid: true}),
11611161
DynamicallyRegistered: takeFirst(seed.DynamicallyRegistered, sql.NullBool{Bool: false, Valid: true}),
1162+
UserID: takeFirst(seed.UserID, uuid.NullUUID{Valid: false}),
11621163
ClientIDIssuedAt: takeFirst(seed.ClientIDIssuedAt, sql.NullTime{}),
11631164
ClientSecretExpiresAt: takeFirst(seed.ClientSecretExpiresAt, sql.NullTime{}),
11641165
GrantTypes: takeFirstSlice(seed.GrantTypes, []string{"authorization_code", "refresh_token"}),
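Review bot: the default seed still lists only `authorization_code` and `refresh_token` in `GrantTypes`, so tests that exercise the new `client_credentials` grant must seed it explicitly; either document that next to the field or provide a second helper so the new grant path is not left untested by default. The `UserID` fallback of `uuid.NullUUID{Valid: false}` means generated apps are system-scoped unless a test opts in, which matches the intended default but deserves a one-line comment so readers know the ownership column is deliberately left unset.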

coderd/database/dump.sql

Lines changed: 5 additions & 1 deletion

coderd/database/foreign_key_constraint.go

Lines changed: 1 addition & 0 deletions
Lines changed: 7 additions & 0 deletions
@@ -0,0 +1,7 @@
1+
-- Restore refresh_hash as NOT NULL (existing data should still be valid)
2+
ALTER TABLE oauth2_provider_app_tokens
3+
ALTER COLUMN refresh_hash SET NOT NULL;
4+
5+
-- Remove user_id column from OAuth2 provider apps
6+
ALTER TABLE oauth2_provider_apps
7+
DROP COLUMN user_id;
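Review bot: `ALTER COLUMN refresh_hash SET NOT NULL` will fail as soon as any client-credentials token with a NULL `refresh_hash` exists, so the comment "existing data should still be valid" only holds before the feature has been used; the down migration should first remove or otherwise handle those rows (for example `DELETE FROM oauth2_provider_app_tokens WHERE refresh_hash IS NULL;`) so a rollback cannot stop halfway with the column still nullable. Also note that `DROP COLUMN user_id` silently turns every user-owned app into a system-scoped one rather than removing it, so the app and its credentials outlive the ownership that scoped them; if that is acceptable, say so in a comment, otherwise delete user-scoped apps before dropping the column.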
Lines changed: 8 additions & 0 deletions
@@ -0,0 +1,8 @@
1+
-- Add user ownership to OAuth2 provider apps for client credentials support
2+
ALTER TABLE oauth2_provider_apps
3+
ADD COLUMN user_id uuid REFERENCES users(id) ON DELETE CASCADE;
4+
5+
-- Make refresh_hash nullable to support client credentials tokens
6+
-- RFC 6749 Section 4.4.3: "A refresh token SHOULD NOT be included" for client credentials
7+
ALTER TABLE oauth2_provider_app_tokens
8+
ALTER COLUMN refresh_hash DROP NOT NULL;
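Review bot: dropping NOT NULL on `refresh_hash` leaves nothing in the schema saying that only client-credentials tokens may omit a refresh token, so the invariant now rests entirely on application code; a CHECK constraint (if the token row carries enough to identify the grant) or at least a comment tying a NULL `refresh_hash` to the client_credentials grant would make the intent visible to the next person touching this table. On the `user_id` column, `ON DELETE CASCADE` removes the app row when its owner is deleted, which is the right outcome for user-scoped credentials, but confirm that the tokens and secrets referencing the app cascade as well so no orphaned credentials survive the user; since the commit also adds queries over the new field, a nullable `user_id` used to filter per-user apps may want an index.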

coderd/database/models.go

Lines changed: 1 addition & 0 deletions
