Skip to content

feat: add RFC 9728 OAuth2 resource metadata support #18920

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 19, 2025
Merged

feat: add RFC 9728 OAuth2 resource metadata support #18920

merged 1 commit into from
Jul 19, 2025
+116 −39

Conversation

ThomasK33
Copy link
Member

Enhanced OAuth2 and MCP Compliance for API Authentication

This PR improves OAuth2 and MCP (Microsoft Cloud for Sovereignty) compliance by:

  1. Adding RFC 9728 compliant WWW-Authenticate headers with resource metadata URLs
  2. Passing the configured AccessURL to API key middleware for proper audience validation
  3. Creating specialized CORS handling for OAuth2 and MCP endpoints with appropriate headers
  4. Making the state parameter optional in OAuth2 authorization requests

These changes ensure proper OAuth2 token audience validation against the configured access URL and improve interoperability with OAuth2 clients by providing better error responses and metadata discovery.

@ThomasK33 Graphite App
Copy link
Member Author

This stack of pull requests is managed by Graphite. Learn more about stacking.

@ThomasK33 ThomasK33 marked this pull request as ready for review July 19, 2025 09:16
@ThomasK33
feat: enhance OAuth2 RFC compliance with resource metadata and CORS i…
cfa05fa 
…mprovements

Change-Id: I99fc71255165133bf858268030d39d2b1a71a288
Signed-off-by: Thomas Kosiewski <tk@coder.com>
@ThomasK33 ThomasK33 force-pushed the thomask33/07-19-feat_enhance_oauth2_rfc_compliance_with_resource_metadata_and_cors_improvements branch from bd01a1d to cfa05fa Compare July 19, 2025 16:52
@ThomasK33 ThomasK33 requested a review from dannykopping July 19, 2025 17:02
kylecarbs
kylecarbs approved these changes Jul 19, 2025
View reviewed changes
Copy link
Member

@kylecarbs kylecarbs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

mostly a stamp but i asked blink too

@ThomasK33 ThomasK33 merged commit 071383b into main Jul 19, 2025
31 checks passed
@ThomasK33 ThomasK33 deleted the thomask33/07-19-feat_enhance_oauth2_rfc_compliance_with_resource_metadata_and_cors_improvements branch July 19, 2025 20:05
@github-actions github-actions bot locked and limited conversation to collaborators Jul 19, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@kylecarbs kylecarbs kylecarbs approved these changes

@dannykopping dannykopping Awaiting requested review from dannykopping

Assignees

@ThomasK33 ThomasK33

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ThomasK33 @kylecarbs