coder
diff --git a/‎codersdk/oauth2.go
Lines changed: 19 additions & 0 deletions b/‎codersdk/oauth2.go
Lines changed: 19 additions & 0 deletions
diff --git a/‎enterprise/coderd/coderd.go
Lines changed: 16 additions & 0 deletions b/‎enterprise/coderd/coderd.go
Lines changed: 16 additions & 0 deletions
diff --git a/‎enterprise/coderd/identityprovider/authorize.go
Lines changed: 136 additions & 0 deletions b/‎enterprise/coderd/identityprovider/authorize.go
Lines changed: 136 additions & 0 deletions
diff --git a/‎enterprise/coderd/identityprovider/middleware.go
Lines changed: 73 additions & 0 deletions b/‎enterprise/coderd/identityprovider/middleware.go
Lines changed: 73 additions & 0 deletions
@@ -179,3 +179,22 @@ func (c *Client) DeleteOAuth2ProviderAppSecret(ctx context.Context, appID uuid.U
 	}
 	return nil
 }
+
+type OAuth2ProviderGrantType string
+
+const (
+	OAuth2ProviderGrantTypeAuthorizationCode OAuth2ProviderGrantType = "authorization_code"
+)
+
+// RevokeOAuth2ProviderApp completely revokes an app's access for the user.
+func (c *Client) RevokeOAuth2ProviderApp(ctx context.Context, appID uuid.UUID) error {
+	res, err := c.Request(ctx, http.MethodDelete, fmt.Sprintf("/api/v2/oauth2-provider/apps/%s/tokens", appID), nil)
+	if err != nil {
+		return err
+	}
+	defer res.Body.Close()
+	if res.StatusCode != http.StatusNoContent {
+		return ReadBodyAsError(res)
+	}
+	return nil
+}
@@ -164,6 +164,21 @@ func New(ctx context.Context, options *Options) (_ *API, err error) {
 		return nil, xerrors.Errorf("failed to get deployment ID: %w", err)
 	}
 
+	api.AGPL.RootHandler.Group(func(r chi.Router) {
+		r.Use(
+			api.oAuth2ProviderMiddleware,
+			apiKeyMiddlewareOptional,
+			httpmw.AsAuthzSystem(httpmw.ExtractOAuth2ProviderApp(options.Database)),
+		)
+		// Oauth2 linking routes do not make sense under the /api/v2 path.
+		r.Route("/login", func(r chi.Router) {
+			r.Route("/oauth2", func(r chi.Router) {
+				r.Get("/authorize", api.postOAuth2ProviderAppAuthorize())
+				r.Post("/tokens", api.postOAuth2ProviderAppToken())
+			})
+		})
+	})
+
 	api.AGPL.APIHandler.Group(func(r chi.Router) {
 		r.Get("/entitlements", api.serveEntitlements)
 		// /regions overrides the AGPL /regions endpoint
@@ -334,6 +349,7 @@ func New(ctx context.Context, options *Options) (_ *API, err error) {
 					r.Get("/", api.oAuth2ProviderApp)
 					r.Put("/", api.putOAuth2ProviderApp)
 					r.Delete("/", api.deleteOAuth2ProviderApp)
+					r.Delete("/tokens", api.deleteOAuth2ProviderAppTokens)
 
 					r.Route("/secrets", func(r chi.Router) {
 						r.Get("/", api.oAuth2ProviderAppSecrets)
 
@@ -0,0 +1,136 @@
+package identityprovider
+
+import (
+	"crypto/sha256"
+	"net/http"
+	"net/url"
+	"strings"
+	"time"
+
+	"github.com/google/uuid"
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/v2/coderd/database"
+	"github.com/coder/coder/v2/coderd/database/dbtime"
+	"github.com/coder/coder/v2/coderd/httpapi"
+	"github.com/coder/coder/v2/coderd/httpmw"
+	"github.com/coder/coder/v2/codersdk"
+	"github.com/coder/coder/v2/cryptorand"
+)
+
+/**
+ * Authorize displays an HTML for authorizing an application when the user has
+ * first been redirected to this path and generates a code and redirects to the
+ * app's callback URL after the user clicks "allow" on that page.
+ */
+func Authorize(db database.Store, accessURL *url.URL) http.HandlerFunc {
+	handler := func(rw http.ResponseWriter, r *http.Request) {
+		ctx := r.Context()
+		apiKey, ok := httpmw.APIKeyOptional(r)
+		if !ok {
+			// TODO: Should this be unauthorized? Or Forbidden?
+			// This should redirect to a login page.
+			httpapi.Forbidden(rw)
+			return
+		}
+
+		app := httpmw.OAuth2ProviderApp(r)
+
+		// TODO: @emyrk this should always work, maybe make callbackURL a *url.URL?
+		callbackURL, _ := url.Parse(app.CallbackURL)
+
+		// TODO: Should validate these on the HTML page as well and show errors
+		// there rather than wait until this endpoint to show them.
+		p := httpapi.NewQueryParamParser()
+		vals := r.URL.Query()
+		p.Required("state", "response_type")
+		state := p.String(vals, "", "state")
+		scope := p.Strings(vals, []string{}, "scope")
+		// Client_id is already parsed in the mw above.
+		_ = p.String(vals, "", "client_id")
+		redirectURL := p.URL(vals, callbackURL, "redirect_uri")
+		responseType := p.String(vals, "", "response_type")
+		// TODO: Redirected might exist but it should not cause validation errors.
+		_ = p.String(vals, "", "redirected")
+		p.ErrorExcessParams(vals)
+		if len(p.Errors) > 0 {
+			httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+				Message:     "Invalid query params.",
+				Validations: p.Errors,
+			})
+			return
+		}
+
+		// TODO: @emyrk what other ones are there?
+		if responseType != "code" {
+			httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+				Message: "Invalid response type.",
+			})
+			return
+		}
+
+		// TODO: @emyrk handle scope?
+		_ = scope
+
+		if <
103CE
span class=pl-s1>err := validateRedirectURL(app.CallbackURL, redirectURL.String()); err != nil {
+			httpapi.Write(r.Context(), rw, http.StatusBadRequest, codersdk.Response{
+				Message: "Invalid redirect URL.",
+			})
+			return
+		}
+		// 40 characters matches the length of GitHub's client secrets.
+		rawSecret, err := cryptorand.String(40)
+		if err != nil {
+			httpapi.Write(r.Context(), rw, http.StatusInternalServerError, codersdk.Response{
+				Message: "Failed to generate OAuth2 app authorization code.",
+			})
+			return
+		}
+		hashed := sha256.Sum256([]byte(rawSecret))
+		_, err = db.InsertOAuth2ProviderAppCode(ctx, database.InsertOAuth2ProviderAppCodeParams{
+			ID:        uuid.New(),
+			CreatedAt: dbtime.Now(),
+			// TODO: Configurable expiration?
+			ExpiresAt:    dbtime.Now().Add(time.Duration(10) * time.Minute),
+			HashedSecret: hashed[:],
+			AppID:        app.ID,
+			UserID:       apiKey.UserID,
+		})
+		if err != nil {
+			httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
+				Message: "Internal error insert OAuth2 authorization code.",
+				Detail:  err.Error(),
+			})
+			return
+		}
+
+		newQuery := redirectURL.Query()
+		newQuery.Add("code", rawSecret)
+		newQuery.Add("state", state)
+		redirectURL.RawQuery = newQuery.Encode()
+
+		http.Redirect(rw, r, redirectURL.String(), http.StatusTemporaryRedirect)
+	}
+
+	// Always wrap with its custom mw.
+	return authorizeMW(accessURL)(http.HandlerFunc(handler)).ServeHTTP
+}
+
+// validateRedirectURL validates that the redirectURL is contained in baseURL.
+func validateRedirectURL(baseURL string, redirectURL string) error {
+	base, err := url.Parse(baseURL)
+	if err != nil {
+		return err
+	}
+
+	redirect, err := url.Parse(redirectURL)
+	if err != nil {
+		return err
+	}
+	// It can be a sub-directory but not a sub-domain, as we have apps on
+	// sub-domains so it seems too dangerous.
+	if redirect.Host != base.Host || !strings.HasPrefix(redirect.Path, base.Path) {
+		return xerrors.New("invalid redirect URL")
+	}
+	return nil
+}
@@ -0,0 +1,73 @@
+package identityprovider
+
+import (
+	"net/http"
+	"net/url"
+
+	"github.com/coder/coder/v2/coderd/httpapi"
+	"github.com/coder/coder/v2/coderd/httpmw"
+	"github.com/coder/coder/v2/codersdk"
+	"github.com/coder/coder/v2/site"
+)
+
+// authorizeMW serves to remove some code from the primary authorize handler.
+// It decides when to show the html allow page, and when to just continue.
+func authorizeMW(accessURL *url.URL) func(next http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+			origin := r.Header.Get(httpmw.OriginHeader)
+			originU, err := url.Parse(origin)
+			if err != nil {
+				// TODO: Curl requests will not have this. One idea is to always show
+				// html here??
+				httpapi.Write(r.Context(), rw, http.StatusBadRequest, codersdk.Response{
+					Message: "Internal error deleting OAuth2 client secret.",
+					Detail:  err.Error(),
+				})
+				return
+			}
+
+			referer := r.Referer()
+			refererU, err := url.Parse(referer)
+			if err != nil {
+				httpapi.Write(r.Context(), rw, http.StatusBadRequest, codersdk.Response{
+					Message: "Internal error deleting OAuth2 client secret.",
+					Detail:  err.Error(),
+				})
+				return
+			}
+
+			app := httpmw.OAuth2ProviderApp(r)
+			// If the request comes from outside, then we show the html allow page.
+			// TODO: Skip this step if the user has already clicked allow before, and
+			// we can just reuse the token.
+			if originU.Hostname() != accessURL.Hostname() && refererU.Path != "/login/oauth2/authorize" {
+				if r.URL.Query().Get("redirected") != "" {
+					site.RenderStaticErrorPage(rw, r, site.ErrorPageData{
+						Status:       http.StatusInternalServerError,
+						HideStatus:   false,
+						Title:        "Oauth Redirect Loop",
+						Description:  "Oauth redirect loop detected.",
+						RetryEnabled: false,
+						DashboardURL: accessURL.String(),
+						Warnings:     nil,
+					})
+					return
+				}
+
+				redirect := r.URL
+				vals := redirect.Query()
+				vals.Add("redirected", "true")
+				r.URL.RawQuery = vals.Encode()
+				site.RenderOAuthAllowPage(rw, r, site.RenderOAuthAllowData{
+					AppName:     app.Name,
+					Icon:        app.Icon,
+					RedirectURI: r.URL.String(),
+				})
+				return
+			}
+
+			next.ServeHTTP(rw, r)
+		})
+	}
+}