Skip to content

refactor: replace OAuth2 callback_url with RFC 6749 compliant redirect_uris #18810

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: graphite-base/18810
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
39 changes: 25 additions & 14 deletions coderd/apidoc/docs.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

35 changes: 23 additions & 12 deletions coderd/apidoc/swagger.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

8 changes: 4 additions & 4 deletions coderd/database/db2sdk/db2sdk.go
Original file line number Diff line number Diff line change
Expand Up @@ -355,10 +355,10 @@ func TemplateVersionParameterOptionFromPreview(option *previewtypes.ParameterOpt

func OAuth2ProviderApp(accessURL *url.URL, dbApp database.OAuth2ProviderApp) codersdk.OAuth2ProviderApp {
return codersdk.OAuth2ProviderApp{
ID: dbApp.ID,
Name: dbApp.Name,
CallbackURL: dbApp.CallbackURL,
Icon: dbApp.Icon,
ID: dbApp.ID,
Name: dbApp.Name,
RedirectURIs: dbApp.RedirectUris,
Icon: dbApp.Icon,
Endpoints: codersdk.OAuth2AppEndpoints{
Authorization: accessURL.ResolveReference(&url.URL{
Path: "/oauth2/authorize",
Expand Down
15 changes: 12 additions & 3 deletions coderd/database/dbauthz/dbauthz_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -5341,7 +5341,18 @@ func (s *MethodTestSuite) TestOAuth2ProviderApps() {
})
}))
s.Run("InsertOAuth2ProviderApp", s.Subtest(func(db database.Store, check *expects) {
check.Args(database.InsertOAuth2ProviderAppParams{}).Asserts(rbac.ResourceOauth2App, policy.ActionCreate)
check.Args(database.InsertOAuth2ProviderAppParams{
ID: uuid.New(),
Name: fmt.Sprintf("test-app-%d", time.Now().UnixNano()),
CreatedAt: dbtestutil.NowInDefaultTimezone(),
UpdatedAt: dbtestutil.NowInDefaultTimezone(),
RedirectUris: []string{"http://localhost"},
ClientType: sql.NullString{String: "confidential", Valid: true},
DynamicallyRegistered: sql.NullBool{Bool: false, Valid: true},
GrantTypes: []string{"authorization_code", "refresh_token"},
ResponseTypes: []string{"code"},
TokenEndpointAuthMethod: sql.NullString{String: "client_secret_basic", Valid: true},
}).Asserts(rbac.ResourceOauth2App, policy.ActionCreate)
}))
s.Run("UpdateOAuth2ProviderAppByID", s.Subtest(func(db database.Store, check *expects) {
dbtestutil.DisableForeignKeysAndTriggers(s.T(), db)
Expand All @@ -5352,7 +5363,6 @@ func (s *MethodTestSuite) TestOAuth2ProviderApps() {
ID: app.ID,
Name: app.Name,
Icon: app.Icon,
CallbackURL: app.CallbackURL,
RedirectUris: app.RedirectUris,
ClientType: app.ClientType,
DynamicallyRegistered: app.DynamicallyRegistered,
Expand Down Expand Up @@ -5394,7 +5404,6 @@ func (s *MethodTestSuite) TestOAuth2ProviderApps() {
ID: app.ID,
Name: app.Name,
Icon: app.Icon,
CallbackURL: app.CallbackURL,
RedirectUris: app.RedirectUris,
ClientType: app.ClientType,
ClientSecretExpiresAt: app.ClientSecretExpiresAt,
Expand Down
3 changes: 1 addition & 2 deletions coderd/database/dbgen/dbgen.go
Original file line number Diff line number Diff line change
Expand Up @@ -1204,8 +1204,7 @@ func OAuth2ProviderApp(t testing.TB, db database.Store, seed database.OAuth2Prov
CreatedAt: takeFirst(seed.CreatedAt, dbtime.Now()),
UpdatedAt: takeFirst(seed.UpdatedAt, dbtime.Now()),
Icon: takeFirst(seed.Icon, ""),
CallbackURL: takeFirst(seed.CallbackURL, "http://localhost"),
RedirectUris: takeFirstSlice(seed.RedirectUris, []string{}),
RedirectUris: takeFirstSlice(seed.RedirectUris, []string{"http://localhost"}),
ClientType: takeFirst(seed.ClientType, sql.NullString{String: "confidential", Valid: true}),
DynamicallyRegistered: takeFirst(seed.DynamicallyRegistered, sql.NullBool{Bool: false, Valid: true}),
ClientIDIssuedAt: takeFirst(seed.ClientIDIssuedAt, sql.NullTime{}),
Expand Down
8 changes: 4 additions & 4 deletions coderd/database/dump.sql

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
-- Reverse migration: restore callback_url column from redirect_uris

-- Add back the callback_url column
ALTER TABLE oauth2_provider_apps
ADD COLUMN callback_url text;

-- Populate callback_url from the first redirect_uri
UPDATE oauth2_provider_apps
SET callback_url = redirect_uris[1]
WHERE redirect_uris IS NOT NULL AND array_length(redirect_uris, 1) > 0;

-- Remove NOT NULL and CHECK constraints from redirect_uris (restore original state)
ALTER TABLE oauth2_provider_apps
DROP CONSTRAINT IF EXISTS oauth2_provider_apps_redirect_uris_nonempty;
ALTER TABLE oauth2_provider_apps
ALTER COLUMN redirect_uris DROP NOT NULL;

COMMENT ON COLUMN oauth2_provider_apps.callback_url IS 'Legacy callback URL field (replaced by redirect_uris array)';
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
-- Migrate from callback_url to redirect_uris as source of truth for OAuth2 apps
-- RFC 6749 compliance: use array of redirect URIs instead of single callback URL

-- Populate redirect_uris from callback_url where redirect_uris is empty or NULL.
-- NULLIF is used to treat empty strings in callback_url as NULL.
-- If callback_url is NULL or empty, this will result in redirect_uris
-- being an array with a single NULL element. This is preferable to an empty
-- array as it will pass a CHECK for array length > 0, enforcing that all
-- apps have at least one URI entry, even if it's null.
Comment on lines +7 to +9
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can't we make the CHECK check for the cardinality OR the "nullness"?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think I'm doing that in the client_credentials PR up in the stack, but I would need to double-check.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm sorry. I just reread the comment. I'd rather not introduce a possible null here and perform a clean migration from callback_url to redirect_uris, then make sure that all of them get carried over.

The constraint for redirect_uris will be loosened in the PR introducing client_credentials. We'll then allow setting an empty redirect_uris array but not a null one.

UPDATE oauth2_provider_apps
SET redirect_uris = ARRAY[NULLIF(callback_url, '')]
WHERE (redirect_uris IS NULL OR cardinality(redirect_uris) = 0);

-- Add NOT NULL constraint to redirect_uris
ALTER TABLE oauth2_provider_apps
ALTER COLUMN redirect_uris SET NOT NULL;

-- Add CHECK constraint to ensure redirect_uris is not empty.
-- This prevents empty arrays, which could have been created by the old logic,
-- and ensures data integrity going forward.
ALTER TABLE oauth2_provider_apps
ADD CONSTRAINT redirect_uris_not_empty CHECK (cardinality(redirect_uris) > 0);

-- Drop the callback_url column entirely
ALTER TABLE oauth2_provider_apps
DROP COLUMN callback_url;

COMMENT ON COLUMN oauth2_provider_apps.redirect_uris IS 'RFC 6749 compliant list of valid redirect URIs for the application';
13 changes: 6 additions & 7 deletions coderd/database/models.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading
Loading