shishantbiswas/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2026-06-05 14:08:20 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
acbfb90c30902985a9a90cecfd323a748655be7e
coder/coderd
T
History
Kyle Carberry acbfb90c30 feat: auto-discover OAuth2 config for MCP servers via RFC 7591 DCR (#23406) 
## Problem

When adding an external MCP server with `auth_type=oauth2`, admins
currently must manually provide:
- `oauth2_client_id`
- `oauth2_client_secret`
- `oauth2_auth_url`
- `oauth2_token_url`

This requires the admin to manually register an OAuth2 client with the
external MCP server's authorization server first — a friction-heavy
process that contradicts the MCP spec's vision of plug-and-play
discovery.

## Solution

When an admin creates an MCP server config with `auth_type=oauth2` and
omits the OAuth2 fields, Coder now automatically discovers and registers
credentials following the MCP authorization spec:

1. **Protected Resource Metadata (RFC 9728)** — Fetches
`/.well-known/oauth-protected-resource` from the MCP server to discover
its authorization server. Falls back to probing the server URL for a
`WWW-Authenticate` header with a `resource_metadata` parameter.

2. **Authorization Server Metadata (RFC 8414)** — Fetches
`/.well-known/oauth-authorization-server` from the discovered auth
server to find all endpoints.

3. **Dynamic Client Registration (RFC 7591)** — Registers Coder as an
OAuth2 client at the auth server's registration endpoint, obtaining a
`client_id` and `client_secret` automatically.

The discovered/generated credentials are stored in the MCP server
config, and the existing per-user OAuth2 connect flow works unchanged.

### Backward compatibility

- **Manual config still works**: If all three fields
(`oauth2_client_id`, `oauth2_auth_url`, `oauth2_token_url`) are
provided, the existing behavior is unchanged.
- **Partial config is rejected**: Providing some but not all fields
returns a clear error explaining the two options.
- **Discovery failure is clear**: If auto-discovery fails, the error
message explains what went wrong and suggests manual configuration.

## Changes

- **New package `coderd/mcpauth`** — Self-contained discovery and DCR
logic with no `codersdk` dependency
- **Modified `coderd/mcp.go`** — `createMCPServerConfig` handler now
attempts auto-discovery when OAuth2 fields are omitted
- **Tests** — Unit tests for discovery (happy path, WWW-Authenticate
fallback, no registration endpoint, registration failure) and
`parseResourceMetadataParam` helper
2026-03-23 19:26:47 -04:00
..
agentapi
fix: limit calls to GetWorkspaceAgentByID in agentapi (#23015)
2026-03-20 15:42:05 -05:00
agentmetrics
chore: remove unnecessary redeclarations in for loops (#18440)
2025-06-20 13:16:55 -06:00
aibridge
feat: use coder specific header for aibridge authentication from AI proxy (#21590)
2026-01-21 19:06:19 +00:00
aiseats
feat: track ai seat usage (#22682)
2026-03-16 12:36:26 -05:00
apidoc
feat: pass session token as query param on agent chat WebSockets (#23405)
2026-03-23 15:27:55 +01:00
apikey
fix: initialize API key LastUsed to Unix epoch instead of zero time (#22327)
2026-03-02 16:02:01 +01:00
appearance
fix: make cli respect deployment --docs-url (#14568)
2024-09-18 21:47:53 +10:00
audit
chore: add audit log entry when ai seat is consumed (#22683)
2026-03-16 15:30:25 -05:00
autobuild
fix: use "idle timeout" as task auto-pause reason (#22287)
2026-02-24 16:45:56 +00:00
awsidentity
fix: add new aws regions to instance identity (#10434)
2023-10-30 19:44:29 +00:00
azureidentity
chore: update azure certs (#21265)
2025-12-15 13:44:44 -09:00
boundaryusage
fix: make boundary usage telemetry collection atomic (#21907)
2026-02-06 09:52:17 -07:00
cachecompress
fix(site): avoid duplicating bin download headers (#22981)
2026-03-13 00:22:55 +11:00
coderdtest
feat: add new group members endpoint with filtering and pagination (#23067)
2026-03-20 12:43:03 -08:00
connectionlog
fix: avoid connection logging crashes in agent (#20307)
2025-10-16 01:56:43 +11:00
cryptokeys
chore: arrange imports in a standard way (#21452)
2026-01-08 15:24:11 +04:00
database
refactor: replace sort.Strings with slices.Sort (#23457)
2026-03-23 23:19:23 +02:00
devtunnel
chore: remove unnecessary loop variable captures (#22180)
2026-02-19 09:02:19 +00:00
dynamicparameters
refactor: replace sort.Strings with slices.Sort (#23457)
2026-03-23 23:19:23 +02:00
entitlements
feat: add Prometheus metrics for license warnings and errors (#21749)
2026-01-29 13:50:15 +01:00
externalauth
feat: add head_branch to pull request diff status (#23076)
2026-03-14 17:24:19 +00:00
files
chore: arrange imports in a standard way (#21452)
2026-01-08 15:24:11 +04:00
gitsshkey
chore: arrange imports in a standard way (#21452)
2026-01-08 15:24:11 +04:00
healthcheck
refactor(healthcheck): reduce test boilerplate with healthyChecker helper (#23028)
2026-03-13 10:40:57 +00:00
httpapi
chore: extract testutil.FakeSink for slog test assertions (#23208)
2026-03-18 17:02:38 +00:00
httpmw
chore: extract testutil.FakeSink for slog test assertions (#23208)
2026-03-18 17:02:38 +00:00
idpsync
test: remove unnecessary dbauthz.AsSystemRestricted calls in tests (#22663)
2026-03-05 20:29:49 +00:00
jobreaper
refactor: extract test helpers in coderd/jobreaper to reduce duplication (#23001)
2026-03-19 21:51:26 +00:00
jwtutils
chore: remove unnecessary redeclarations in for loops (#18440)
2025-06-20 13:16:55 -06:00
mcp
feat: expose MCP tool annotations for tool grouping (#23195)
2026-03-18 10:21:45 +00:00
metricscache
chore: arrange imports in a standard way (#21452)
2026-01-08 15:24:11 +04:00
notifications
refactor: replace sort.Strings with slices.Sort (#23457)
2026-03-23 23:19:23 +02:00
oauth2provider
test: share coderdtest instances in OAuth2 validation tests (#23455)
2026-03-23 21:03:34 +00:00
oauthpki
fix(coderd): support string type for oidc response's expires_in json property (#20152)
2025-10-15 17:37:37 +00:00
portsharing
fix: properly convert max port share level for oss (#13261)
2024-05-13 14:37:51 -04:00
pproflabel
chore: add tallyman events for ai seat tracking (#22689)
2026-03-18 09:30:22 -05:00
prebuilds
chore: remove unnecessary loop variable captures (#22180)
2026-02-19 09:02:19 +00:00
prometheusmetrics
refactor: replace sort.Strings with slices.Sort (#23457)
2026-03-23 23:19:23 +02:00
promoauth
fix!: remove deprecated prometheus metrics (#21788)
2026-01-30 13:30:06 +01:00
provisionerdserver
feat: add merge_strategy support for coder_env resources (#23107)
2026-03-18 15:43:28 +01:00
provisionerkey
chore!: ensure consistent secret token generation and hashing (#20388)
2025-10-23 15:38:49 -05:00
proxyhealth
feat: add csp headers for embedded apps (#18374)
2025-06-17 09:00:32 -08:00
pubsub
fix(chatd): deliver retry control events via pubsub (#23349)
2026-03-20 15:19:41 +00:00
rbac
refactor: replace sort.Strings with slices.Sort (#23457)
2026-03-23 23:19:23 +02:00
render
chore: remove unnecessary redeclarations in for loops (#18440)
2025-06-20 13:16:55 -06:00
runtimeconfig
chore(coderd/runtimeconfig): remove dbmem from tests (#18790)
2025-07-08 14:31:05 +00:00
schedule
chore: remove unnecessary loop variable captures (#22180)
2026-02-19 09:02:19 +00:00
searchquery
fix: use SQL-level auth filtering for chat listing (#23159)
2026-03-17 12:46:24 -04:00
taskname
fix(coderd): strip markdown code fences from Anthropic task name responses (#23024)
2026-03-13 17:35:26 +00:00
telemetry
feat: add telemetry for task lifecycle events (#21922)
2026-02-24 17:04:42 +00:00
testdata
feat: add flag to disable template insights (#20940)
2025-12-14 03:00:03 +00:00
tracing
fix: StatusWriter Unwrap and process output error recovery (#23383)
2026-03-20 20:00:55 +00:00
updatecheck
chore: arrange imports in a standard way (#21452)
2026-01-08 15:24:11 +04:00
usage
chore: add tallyman events for ai seat tracking (#22689)
2026-03-18 09:30:22 -05:00
userpassword
chore: remove unnecessary redeclarations in for loops (#18440)
2025-06-20 13:16:55 -06:00
util
refactor: deduplicate utility helpers across the codebase (#23338)
2026-03-20 15:12:41 +00:00
webpush
perf(coderd): reduce duplicated reads in push and webpush paths (#23115)
2026-03-17 13:50:47 +11:00
workspaceapps
fix(workspaceapps): use fresh context in LastUsedAt assertions (#22863)
2026-03-10 16:53:28 +00:00
workspacestats
fix: limit calls to GetWorkspaceAgentByID in agentapi (#23015)
2026-03-20 15:42:05 -05:00
wsbuilder
fix: mark presets as validation_failed to prevent endless prebuild retries (#22085)
2026-02-27 14:26:48 +00:00
wspubsub
feat: add WatchAllWorkspaceBuilds endpoint for autostart scaletests (#22057)
2026-03-13 20:37:41 -07:00
x
fix(coderd/x/chatd): stabilize auto-promotion flake (#23448)
2026-03-23 19:17:58 +00:00
activitybump_test.go
test: add testutil.WaitBuffer and replace time.Sleep in tests (#22922)
2026-03-12 18:07:52 +02:00
aitasks_internal_test.go
fix: set codersdk.Task current_state during task initialization (#20692)
2025-11-17 13:24:12 +00:00
aitasks_test.go
fix: return 409 Conflict instead of 502 when task agent is busy (#23424)
2026-03-23 09:52:34 +00:00
aitasks.go
fix: return 409 Conflict instead of 502 when task agent is busy (#23424)
2026-03-23 09:52:34 +00:00
apikey_scopes_validation_test.go
feat: add multi-scope support to API keys (#19917)
2025-09-26 11:56:34 +02:00
apikey_test.go
fix(coderd): use dbtime.Now() instead of time.Now() in test assertions against DB timestamps (#22685)
2026-03-06 09:14:11 +00:00
apikey.go
feat(coderd): filter expired API tokens server-side (#22263)
2026-02-24 15:27:03 +00:00
apiroot.go
audit_internal_test.go
chore: add sql filter to fetching audit logs (#14070)
2024-08-01 12:07:19 -05:00
audit_test.go
chore: arrange imports in a standard way (#21452)
2026-01-08 15:24:11 +04:00
audit.go
chore: arrange imports in a standard way (#21452)
2026-01-08 15:24:11 +04:00
authorize_test.go
feat: add an organization member permission level (#19953)
2025-10-27 17:14:16 -06:00
authorize.go
feat: add experimental agents support (#22290)
2026-02-27 16:50:56 +00:00
client_test.go
coderd_internal_test.go
chore: remove unnecessary redeclarations in for loops (#18440)
2025-06-20 13:16:55 -06:00
coderd_test.go
fix: rate limit by user instead of IP for authenticated requests (#22049)
2026-03-09 13:54:31 +01:00
coderd.go
chore: move chatd and related packages to /x/ subpackage (#23445)
2026-03-23 17:34:43 +00:00
csp.go
chore: arrange imports in a standard way (#21452)
2026-01-08 15:24:11 +04:00
debug_test.go
feat(coderd): add consolidated /debug/profile endpoint for pprof collection (#22892)
2026-03-13 14:09:39 +00:00
debug.go
feat(coderd): add consolidated /debug/profile endpoint for pprof collection (#22892)
2026-03-13 14:09:39 +00:00
deployment_test.go
fix(coderd): mark provisioner daemon psk as secret (#12322)
2024-02-27 16:33:32 +00:00
deployment.go
chore: remove chats experiment (#18535)
2025-06-25 13:03:32 +00:00
deprecated.go
chore!: remove deprecated agent v1 routes (#13486)
2024-06-11 12:22:59 +10:00
exp_chats_test.go
chore: move chatd and related packages to /x/ subpackage (#23445)
2026-03-23 17:34:43 +00:00
exp_chats.go
chore: move chatd and related packages to /x/ subpackage (#23445)
2026-03-23 17:34:43 +00:00
experiments_test.go
chore: revert dynamic params as a safe experiment (#17510)
2025-04-22 16:21:15 +00:00
experiments.go
fix: do not warn on valid known experiments (#18514)
2025-06-24 09:14:41 +01:00
externalauth_test.go
feat(coderd/rbac): make organization-member a per-org system custom role (#21359)
2026-01-12 18:19:19 -08:00
externalauth.go
feat!: support PKCE in the oauth2 client's auth/exchange flow (#21215)
2025-12-15 17:41:47 +00:00
files_test.go
test: share coderdtest instances to stop paying the startup tax 22 times (#23454)
2026-03-23 19:54:43 +00:00
files.go
chore: arrange imports in a standard way (#21452)
2026-01-08 15:24:11 +04:00
gitsshkey_test.go
chore: distinct operations for provisioner's 'parse', 'init', 'plan', 'apply', 'graph' (#21064)
2025-12-15 11:26:41 -06:00
gitsshkey.go
feat: add API key scope to restrict access to user data (#17692)
2025-05-15 15:32:52 +01:00
inboxnotifications_internal_test.go
chore: remove unnecessary redeclarations in for loops (#18440)
2025-06-20 13:16:55 -06:00
inboxnotifications_test.go
chore: remove unnecessary redeclarations in for loops (#18440)
2025-06-20 13:16:55 -06:00
inboxnotifications.go
fix(coderd): ensure inbox WebSocket is closed when client disconnects (#21652)
2026-01-26 09:24:45 +00:00
initscript_test.go
test: share coderdtest instances to stop paying the startup tax 22 times (#23454)
2026-03-23 19:54:43 +00:00
initscript.go
feat(coderd): add support for external agents to API's and provisioner (#19286)
2025-08-19 10:41:33 +02:00
insights_internal_test.go
chore: remove unnecessary redeclarations in for loops (#18440)
2025-06-20 13:16:55 -06:00
insights_test.go
fix(coderd): fix flaky TestGetUserStatusCounts timezone boundary (#22639)
2026-03-04 18:01:56 -08:00
insights.go
fix: user status change chart accommodates DST (#22191)
2026-03-04 12:54:39 +02:00
latencycheck.go
mcp_http.go
chore: arrange imports in a standard way (#21452)
2026-01-08 15:24:11 +04:00
mcp_test.go
feat: auto-discover OAuth2 config for MCP servers via RFC 7591 DCR (#23406)
2026-03-23 19:26:47 -04:00
mcp.go
feat: auto-discover OAuth2 config for MCP servers via RFC 7591 DCR (#23406)
2026-03-23 19:26:47 -04:00
members_test.go
feat: add filtering to org members (#23334)
2026-03-21 16:58:45 -08:00
members.go
feat: add filtering to org members (#23334)
2026-03-21 16:58:45 -08:00
notifications_test.go
chore: return 404, not 400 if missing or authz deny (#22069)
2026-02-13 08:19:07 -06:00
notifications.go
chore: arrange imports in a standard way (#21452)
2026-01-08 15:24:11 +04:00
oauth2_error_compliance_test.go
refactor: add RFC-compliant enum types and use SDK as source of truth (#21468)
2026-01-15 12:41:28 +03:00
oauth2_metadata_test.go
refactor: add RFC-compliant enum types and use SDK as source of truth (#21468)
2026-01-15 12:41:28 +03:00
oauth2_metadata_validation_test.go
test: share coderdtest instances in OAuth2 validation tests (#23455)
2026-03-23 21:03:34 +00:00
oauth2_security_test.go
feat: implement OAuth2 dynamic client registration (RFC 7591/7592) (#18645)
2025-07-03 18:33:47 +02:00
oauth2_test.go
fix(coderd): use dbtime.Now() instead of time.Now() in test assertions against DB timestamps (#22685)
2026-03-06 09:14:11 +00:00
oauth2.go
feat: implement oauth2 RFC 7009 token revocation endpoint (#20362)
2025-10-22 15:18:42 -05:00
organizations_test.go
chore: protect organization endpoints with license (#14001)
2024-07-25 16:07:53 -05:00
organizations.go
chore(coderd/database): remove deprecated db2sdk.List(Lazy)? methods (#21902)
2026-02-03 17:52:07 +00:00
pagination_test.go
feat: add connectionlogs API (#18628)
2025-07-15 14:55:34 +10:00
pagination.go
feat: add connectionlogs API (#18628)
2025-07-15 14:55:34 +10:00
parameters_test.go
feat: archive modules in size order until limit is hit (#21773)
2026-02-02 09:03:18 -06:00
parameters.go
chore(coderd/database): remove deprecated db2sdk.List(Lazy)? methods (#21902)
2026-02-03 17:52:07 +00:00
presets_test.go
chore: remove unnecessary loop variable captures (#22180)
2026-02-19 09:02:19 +00:00
presets.go
feat: support icon and description in preset (#18977)
2025-07-28 15:02:26 +01:00
provisionerdaemons_test.go
feat: add filtering options to provisioners list (#19378)
2025-08-21 16:03:34 -04:00
provisionerdaemons.go
chore(coderd/database): remove deprecated db2sdk.List(Lazy)? methods (#21902)
2026-02-03 17:52:07 +00:00
provisionerjobs_internal_test.go
chore: remove unnecessary redeclarations in for loops (#18440)
2025-06-20 13:16:55 -06:00
provisionerjobs_test.go
test: reduce unnecessary sleep durations in tests (#22552)
2026-03-03 10:19:00 -05:00
provisionerjobs.go
ci: bump the github-actions group across 1 directory with 9 updates (#23345)
2026-03-20 02:59:50 +00:00
roles_test.go
chore: protect organization endpoints with license (#14001)
2024-07-25 16:07:53 -05:00
roles.go
feat(coderd/rbac): make organization-member a per-org system custom role (#21359)
2026-01-12 18:19:19 -08:00
scopes_catalog_api_test.go
feat: add external API key scopes (#19916)
2025-09-26 11:43:32 +02:00
scopes_catalog.go
feat: add external API key scopes (#19916)
2025-09-26 11:43:32 +02:00
tailnet_test.go
chore: remove unnecessary redeclarations in for loops (#18440)
2025-06-20 13:16:55 -06:00
tailnet.go
chore: arrange imports in a standard way (#21452)
2026-01-08 15:24:11 +04:00
templates_test.go
fix: hide "Create Workspace" button for deleted templates (#22092)
2026-02-13 19:44:50 -05:00
templates.go
fix: hide "Create Workspace" button for deleted templates (#22092)
2026-02-13 19:44:50 -05:00
templateversions_test.go
test: share coderdtest instances to stop paying the startup tax 22 times (#23454)
2026-03-23 19:54:43 +00:00
templateversions.go
feat: validate prebuild presets using dynamic parameter validation (#21858)
2026-03-03 16:50:18 +00:00
updatecheck_test.go
chore: remove unnecessary redeclarations in for loops (#18440)
2025-06-20 13:16:55 -06:00
updatecheck.go
userauth_test.go
refactor: deduplicate utility helpers across the codebase (#23338)
2026-03-20 15:12:41 +00:00
userauth.go
refactor: replace sort.Strings with slices.Sort (#23457)
2026-03-23 23:19:23 +02:00
users_test.go
feat: add new group members endpoint with filtering and pagination (#23067)
2026-03-20 12:43:03 -08:00
users.go
feat: add endpoint and CLI for users to view their own OIDC claims (#23053)
2026-03-18 22:10:04 +00:00
webpush_test.go
perf(coderd): reduce duplicated reads in push and webpush paths (#23115)
2026-03-17 13:50:47 +11:00
webpush.go
perf(coderd): reduce duplicated reads in push and webpush paths (#23115)
2026-03-17 13:50:47 +11:00
workspaceagentportshare_test.go
feat(coderd/rbac): make organization-member a per-org system custom role (#21359)
2026-01-12 18:19:19 -08:00
workspaceagentportshare.go
docs: fix swagger documentation for DELETE port share endpoint (#18426)
2025-06-18 14:07:53 +00:00
workspaceagents_internal_test.go
refactor: consolidate chat streaming endpoints under /stream (#23248)
2026-03-18 18:04:42 +00:00
workspaceagents_test.go
fix(coderd): use dbtime.Now() for tailnet telemetry timestamps (#22861)
2026-03-09 20:37:05 +00:00
workspaceagents.go
fix: limit calls to GetWorkspaceAgentByID in agentapi (#23015)
2026-03-20 15:42:05 -05:00
workspaceagentsrpc_internal_test.go
test: use not before in TestAgentConnectionMonitor_* (#21332)
2025-12-22 10:21:39 +04:00
workspaceagentsrpc_test.go
test: add testutil.WaitBuffer and replace time.Sleep in tests (#22922)
2026-03-12 18:07:52 +02:00
workspaceagentsrpc.go
fix: limit calls to GetWorkspaceAgentByID in agentapi (#23015)
2026-03-20 15:42:05 -05:00
workspaceapps_test.go
chore: remove unnecessary redeclarations in for loops (#18440)
2025-06-20 13:16:55 -06:00
workspaceapps.go
feat: add multi-scope support to API keys (#19917)
2025-09-26 11:56:34 +02:00
workspacebuilds_test.go
feat: add link for viewing raw build logs in workspace and template build jobs (#21727)
2026-02-03 09:45:23 +00:00
workspacebuilds.go
feat: add WatchAllWorkspaceBuilds endpoint for autostart scaletests (#22057)
2026-03-13 20:37:41 -07:00
workspaceproxies_test.go
fix: allow ports in wildcard url configuration (#11657)
2024-01-18 09:44:05 -06:00
workspaceproxies.go
feat: add MCP server configuration backend for chats (#23227)
2026-03-19 14:07:36 +00:00
workspaceresourceauth_test.go
chore: distinct operations for provisioner's 'parse', 'init', 'plan', 'apply', 'graph' (#21064)
2025-12-15 11:26:41 -06:00
workspaceresourceauth.go
chore: arrange imports in a standard way (#21452)
2026-01-08 15:24:11 +04:00
workspaces_test.go
test: remove classic params from ephemeral params test (#23302)
2026-03-19 11:32:36 -05:00
workspaces.go
fix: limit calls to GetWorkspaceAgentByID in agentapi (#23015)
2026-03-20 15:42:05 -05:00
workspaceupdates_test.go
chore: update testutil chan helpers (#17408)
2025-04-16 10:37:09 -06:00
workspaceupdates.go
chore: arrange imports in a standard way (#21452)
2026-01-08 15:24:11 +04:00