# Refactor OAuth2 Provider Authorization Flow
This PR refactors the OAuth2 provider authorization flow by:
1. Removing the `authorizeMW` middleware and directly implementing its functionality in the `ShowAuthorizePage` handler
2. Simplifying function signatures by removing unnecessary parameters:
- Removed `db` parameter from `ShowAuthorizePage`
- Removed `accessURL` parameter from `ProcessAuthorize`
3. Changing the redirect status code in `ProcessAuthorize` from 307 (Temporary Redirect) to 302 (Found) to improve compatibility with external OAuth2 apps and browsers. (Technical explanation: we replied with a 307 to a POST request, thus the browser performs a redirect to that URL as a POST request, but we need it to be a GET request to be compatible. Thus, we use the 302 redirect so that browsers turn it into a GET request when redirecting back to the redirect_uri.)
The changes maintain the same functionality while simplifying the code and improving compatibility with external systems.
# Enhanced OAuth2 and MCP Compliance for API Authentication
This PR improves OAuth2 and MCP (Microsoft Cloud for Sovereignty)
compliance by:
1. Adding RFC 9728 compliant `WWW-Authenticate` headers with resource
metadata URLs
2. Passing the configured `AccessURL` to API key middleware for proper
audience validation
3. Creating specialized CORS handling for OAuth2 and MCP endpoints with
appropriate headers
4. Making the `state` parameter optional in OAuth2 authorization
requests
These changes ensure proper OAuth2 token audience validation against the
configured access URL and improve interoperability with OAuth2 clients
by providing better error responses and metadata discovery.
Signed-off-by: Thomas Kosiewski <tk@coder.com>
# Refactor OAuth2 Provider Code into Dedicated Package
This PR refactors the OAuth2 provider functionality by moving it from the main `coderd` package into a dedicated `oauth2provider` package. The change improves code organization and maintainability without changing functionality.
Key changes:
- Created a new `oauth2provider` package to house all OAuth2 provider-related code
- Moved existing OAuth2 provider functionality from `coderd/identityprovider` to the new package
- Refactored handler functions to follow a consistent pattern of returning `http.HandlerFunc` instead of being handlers directly
- Split large files into smaller, more focused files organized by functionality:
- `app_secrets.go` - Manages OAuth2 application secrets
- `apps.go` - Handles OAuth2 application CRUD operations
- `authorize.go` - Implements the authorization flow
- `metadata.go` - Provides OAuth2 metadata endpoints
- `registration.go` - Handles dynamic client registration
- `revoke.go` - Implements token revocation
- `secrets.go` - Manages secret generation and validation
- `tokens.go` - Handles token issuance and validation
This refactoring improves code organization and makes the OAuth2 provider functionality more maintainable while preserving all existing behavior.
Thomas Kosiewski