coder
diff --git a/‎coderd/apidoc/docs.go
Lines changed: 25 additions & 14 deletions b/‎coderd/apidoc/docs.go
Lines changed: 25 additions & 14 deletions
diff --git a/‎coderd/apidoc/swagger.json
Lines changed: 23 additions & 12 deletions b/‎coderd/apidoc/swagger.json
Lines changed: 23 additions & 12 deletions
diff --git a/‎coderd/database/db2sdk/db2sdk.go
Lines changed: 4 additions & 4 deletions b/‎coderd/database/db2sdk/db2sdk.go
Lines changed: 4 additions & 4 deletions
diff --git a/‎coderd/database/dbauthz/dbauthz_test.go
Lines changed: 27 additions & 3 deletions b/‎coderd/database/dbauthz/dbauthz_test.go
Lines changed: 27 additions & 3 deletions
diff --git a/‎coderd/database/dbgen/dbgen.go
Lines changed: 1 addition & 2 deletions b/‎coderd/database/dbgen/dbgen.go
Lines changed: 1 addition & 2 deletions
diff --git a/‎coderd/database/dump.sql
Lines changed: 4 additions & 4 deletions b/‎coderd/database/dump.sql
Lines changed: 4 additions & 4 deletions
diff --git a/‎coderd/database/migrations/000351_remove_oauth2_callback_url.down.sql
Lines changed: 18 additions & 0 deletions b/‎coderd/database/migrations/000351_remove_oauth2_callback_url.down.sql
Lines changed: 18 additions & 0 deletions
diff --git a/‎coderd/database/migrations/000351_remove_oauth2_callback_url.up.sql
Lines changed: 28 additions & 0 deletions b/‎coderd/database/migrations/000351_remove_oauth2_callback_url.up.sql
Lines changed: 28 additions & 0 deletions
diff --git a/‎coderd/database/models.go
Lines changed: 6 additions & 7 deletions b/‎coderd/database/models.go
Lines changed: 6 additions & 7 deletions
@@ -355,10 +355,10 @@ func TemplateVersionParameterOptionFromPreview(option *previewtypes.ParameterOpt
 
 func OAuth2ProviderApp(accessURL *url.URL, dbApp database.OAuth2ProviderApp) codersdk.OAuth2ProviderApp {
 	return codersdk.OAuth2ProviderApp{
-		ID:          dbApp.ID,
-		Name:        dbApp.Name,
-		CallbackURL: dbApp.CallbackURL,
-		Icon:        dbApp.Icon,
+		ID:           dbApp.ID,
+		Name:         dbApp.Name,
+		RedirectURIs: dbApp.RedirectUris,
+		Icon:         dbApp.Icon,
 		Endpoints: codersdk.OAuth2AppEndpoints{
 			Authorization: accessURL.ResolveReference(&url.URL{
 				Path: "/oauth2/authorize",
 
@@ -5336,7 +5336,33 @@ func (s *MethodTestSuite) TestOAuth2ProviderApps() {
 		})
 	}))
 	s.Run("InsertOAuth2ProviderApp", s.Subtest(func(db database.Store, check *expects) {
-		check.Args(database.InsertOAuth2ProviderAppParams{}).Asserts(rbac.ResourceOauth2App, policy.ActionCreate)
+		check.Args(database.InsertOAuth2ProviderAppParams{
+			ID:                      uuid.New(),
+			Name:                    fmt.Sprintf("test-app-%d", time.Now().UnixNano()),
+			CreatedAt:               dbtestutil.NowInDefaultTimezone(),
+			UpdatedAt:               dbtestutil.NowInDefaultTimezone(),
+			Icon:                    "",
+			RedirectUris:            []string{"http://localhost"},
+			ClientType:              sql.NullString{String: "confidential", Valid: true},
+			DynamicallyRegistered:   sql.NullBool{Bool: false, Valid: true},
+			ClientIDIssuedAt:        sql.NullTime{},
+			ClientSecretExpiresAt:   sql.NullTime{},
+			GrantTypes:              []string{"authorization_code", "refresh_token"},
+			ResponseTypes:           []string{"code"},
+			TokenEndpointAuthMethod: sql.NullString{String: "client_secret_basic", Valid: true},
+			Scope:                   sql.NullString{},
+			Contacts:                []string{},
+			ClientUri:               sql.NullString{},
+			LogoUri:                 sql.NullString{},
+			TosUri:                  sql.NullString{},
+			PolicyUri:               sql.NullString{},
+			JwksUri:                 sql.NullString{},
+			Jwks:                    pqtype.NullRawMessage{},
+			SoftwareID:              sql.NullString{},
+			SoftwareVersion:         sql.NullString{},
+			RegistrationAccessToken: sql.NullString{},
+			RegistrationClientUri:   sql.NullString{},
+		}).Asserts(rbac.ResourceOauth2App, policy.ActionCreate)
 	}))
 	s.Run("UpdateOAuth2ProviderAppByID", s.Subtest(func(db database.Store, check *expects) {
 		dbtestutil.DisableForeignKeysAndTriggers(s.T(), db)
@@ -5347,7 +5373,6 @@ func (s *MethodTestSuite) TestOAuth2ProviderApps() {
 			ID:                      app.ID,
 			Name:                    app.Name,
 			Icon:                    app.Icon,
-			CallbackURL:             app.CallbackURL,
 			RedirectUris:            app.RedirectUris,
 			ClientType:              app.ClientType,
 			DynamicallyRegistered:   app.DynamicallyRegistered,
@@ -5389,7 +5414,6 @@ func (s *MethodTestSuite) TestOAuth2ProviderApps() {
 			ID:                      app.ID,
 			Name:                    app.Name,
 			Icon:                    app.Icon,
-			CallbackURL:             app.CallbackURL,
 			RedirectUris:            app.RedirectUris,
 			ClientType:              app.ClientType,
 			ClientSecretExpiresAt:   app.ClientSecretExpiresAt,
 
@@ -1203,8 +1203,7 @@ func OAuth2ProviderApp(t testing.TB, db database.Store, seed database.OAuth2Prov
 		CreatedAt:               takeFirst(seed.CreatedAt, dbtime.Now()),
 		UpdatedAt:               takeFirst(seed.UpdatedAt, dbtime.Now()),
 		Icon:                    takeFirst(seed.Icon, ""),
-		CallbackURL:             takeFirst(seed.CallbackURL, "http://localhost"),
-		RedirectUris:            takeFirstSlice(seed.RedirectUris, []string{}),
+		RedirectUris:            takeFirstSlice(seed.RedirectUris, []string{"http://localhost"}),
 		ClientType:              takeFirst(seed.ClientType, sql.NullString{String: "confidential", Valid: true}),
 		DynamicallyRegistered:   takeFirst(seed.DynamicallyRegistered, sql.NullBool{Bool: false, Valid: true}),
 		ClientIDIssuedAt:        takeFirst(seed.ClientIDIssuedAt, sql.NullTime{}),
 
@@ -0,0 +1,18 @@
+-- Reverse migration: restore callback_url column from redirect_uris
+
+-- Add back the callback_url column
+ALTER TABLE oauth2_provider_apps
+ADD COLUMN callback_url text;
+
+-- Populate callback_url from the first redirect_uri
+UPDATE oauth2_provider_apps
+SET callback_url = redirect_uris[1]
+WHERE redirect_uris IS NOT NULL AND array_length(redirect_uris, 1) > 0;
+
+-- Remove NOT NULL and CHECK constraints from redirect_uris (restore original state)
+ALTER TABLE oauth2_provider_apps
+DROP CONSTRAINT IF EXISTS oauth2_provider_apps_redirect_uris_nonempty;
+ALTER TABLE oauth2_provider_apps
+ALTER COLUMN redirect_uris DROP NOT NULL;
+
+COMMENT ON COLUMN oauth2_provider_apps.callback_url IS 'Legacy callback URL field (replaced by redirect_uris array)';
@@ -0,0 +1,28 @@
+-- Migrate from callback_url to redirect_uris as source of truth for OAuth2 apps
+-- RFC 6749 compliance: use array of redirect URIs instead of single callback URL
+
+-- Populate redirect_uris from callback_url where redirect_uris is empty or NULL.
+-- NULLIF is used to treat empty strings in callback_url as NULL.
+-- If callback_url is NULL or empty, this will result in redirect_uris
+-- being an array with a single NULL element. This is preferable to an empty
+-- array as it will pass a CHECK for array length > 0, enforcing that all
+-- apps have at least one URI entry, even if it's null.
+UPDATE oauth2_provider_apps
+SET redirect_uris = ARRAY[NULLIF(callback_url, '')]
+WHERE (redirect_uris IS NULL OR cardinality(redirect_uris) = 0);
+
+-- Add NOT NULL constraint to redirect_uris
+ALTER TABLE oauth2_provider_apps
+ALTER COLUMN redirect_uris SET NOT NULL;
+
+-- Add CHECK constraint to ensure redirect_uris is not empty.
+-- This prevents empty arrays, which could have been created by the old logic,
+-- and ensures data integrity going forward.
+ALTER TABLE oauth2_provider_apps
+ADD CONSTRAINT redirect_uris_not_empty CHECK (cardinality(redirect_uris) > 0);
+
+-- Drop the callback_url column entirely
+ALTER TABLE oauth2_provider_apps
+DROP COLUMN callback_url;
+
+COMMENT ON COLUMN oauth2_provider_apps.redirect_uris IS 'RFC 6749 compliant list of valid redirect URIs for the application';