From 7a98b4a8763cf95681ac666d41607abc7862afdc Mon Sep 17 00:00:00 2001
From: Ehab Younes
Date: Thu, 19 Mar 2026 11:42:04 +0000
Subject: [PATCH] fix(coderd): gate OAuth2 well-known endpoints behind experiment flag (#23278)
- Add `RequireExperimentWithDevBypass` middleware to `/.well-known/oauth-authorization-server` and `/.well-known/oauth-protected-resource` routes, matching the existing `/oauth2` routes.
- Clients can now detect OAuth2 support via unauthenticated discovery (404 = not available).
Fixes #21608
---
 coderd/coderd.go | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/coderd/coderd.go b/coderd/coderd.go
index ad4847e868..fc9f298cf7 100644
--- a/coderd/coderd.go
+++ b/coderd/coderd.go
@@ -1044,10 +1044,12 @@ func New(options *Options) *API {
 // OAuth2 metadata endpoint for RFC 8414 discovery
 r.Route("/.well-known/oauth-authorization-server", func(r chi.Router) {
+ r.Use(httpmw.RequireExperimentWithDevBypass(api.Experiments, codersdk.ExperimentOAuth2))
 r.Get("/*", api.oauth2AuthorizationServerMetadata())
 })
 // OAuth2 protected resource metadata endpoint for RFC 9728 discovery
 r.Route("/.well-known/oauth-protected-resource", func(r chi.Router) {
+ r.Use(httpmw.RequireExperimentWithDevBypass(api.Experiments, codersdk.ExperimentOAuth2))
 r.Get("/*", api.oauth2ProtectedResourceMetadata())
 })
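Review bot: The two added `r.Use` lines, one at the top of each well-known route group, are byte-identical to each other and, per the description, to the gate already on `/oauth2`; declaring the middleware once, e.g. `oauth2Gate := httpmw.RequireExperimentWithDevBypass(api.Experiments, codersdk.ExperimentOAuth2)` above the route groups and passing `r.Use(oauth2Gate)` in each, keeps the three gates from drifting apart if the experiment name or bypass rule ever changes. That matters here because the discovery documents are the unauthenticated signal clients use to decide whether OAuth2 is available, so a future edit that gates one well-known route but not the other would advertise a flow the server then refuses; a one-line comment such as `// Gated identically to /oauth2 so discovery only advertises a flow that is actually served.` on each group would record that intent. The description states a disabled experiment yields 404, but whether RequireExperimentWithDevBypass responds 404 rather than 401/403 is not visible in this hunk and is worth pinning with a test on both well-known paths, since metadata clients treat those status codes differently. The enclosing New function begins before the hunk and continues after it.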