
cemalkilic (Contributor)

Summary

Add OAuth 2.1 client type support (public vs confidential) to enable proper client authentication for MCP integrations and lay the foundation for the upcoming token endpoint implementation.

Why This Matters

  • MCP Integration: Some MCP clients don't provide client secrets in /token requests. We need to know which clients require secrets vs PKCE-only authentication.
  • OAuth 2.1 Compliance: Proper distinction between public clients (SPAs, mobile apps) and confidential clients (server apps) as required by the spec.
  • Token Endpoint Foundation: This client authentication logic will be essential for the upcoming /token endpoint implementation to handle different client types correctly.

Key Changes

Database

  • Added client_type enum ('public', 'confidential') to oauth_clients table
  • Made client_secret_hash nullable for public clients
  • Default: 'confidential' for security

OAuth Client Registration

  • Support token_endpoint_auth_method parameter in registration
  • Auto-infer client type: none → public, client_secret_* → confidential
  • Priority: explicit client_type > inferred from auth method > default confidential

Authentication Logic

  • Public clients: No client secret required, use PKCE
  • Confidential clients: Client secret required
  • Updated middleware to enforce type-specific authentication rules
  • Foundation for /token endpoint: Centralized client auth functions ready for token exchange implementation
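As an added illustration of the registration and authentication rules listed above (not code from this PR or from the project), the following Go sketch infers the client type with the stated priority and enforces the type-specific secret check. The names InferClientType, HashSecret and AuthenticateClient are hypothetical, and plain SHA-256 stands in for whatever hash the real client_secret_hash column uses.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"strings"
)

// ClientType mirrors the PR's client_type enum on oauth_clients.
type ClientType string
const ClientTypePublic, ClientTypeConfidential ClientType = "public", "confidential"

// InferClientType applies the PR's priority rule: explicit client_type > inferred from
// token_endpoint_auth_method (none -> public, client_secret_* -> confidential) > confidential.
func InferClientType(explicit, authMethod string) (ClientType, error) {
	if explicit == "public" || explicit == "confidential" {
		return ClientType(explicit), nil
	}
	if explicit != "" {
		return "", errors.New("unsupported client_type")
	}
	switch {
	case authMethod == "" || strings.HasPrefix(authMethod, "client_secret_"):
		return ClientTypeConfidential, nil // secure default, or a secret-based method
	case authMethod == "none":
		return ClientTypePublic, nil
	}
	return "", errors.New("unsupported token_endpoint_auth_method")
}

// HashSecret is this example's constructed stand-in (plain SHA-256) for the project's
// client_secret_hash; real storage should use a slow, salted password hash.
func HashSecret(secret string) []byte { s := sha256.Sum256([]byte(secret)); return s[:] }

// AuthenticateClient enforces the type-specific rule: a confidential client must present a
// secret matching storedHash; a public client (storedHash nil) relies on PKCE, checked elsewhere.
func AuthenticateClient(ctype ClientType, storedHash []byte, presented string) error {
	switch ctype {
	case ClientTypePublic:
		return nil
	case ClientTypeConfidential:
		// a nil storedHash or a wrong secret both fail; the comparison is constant time
		if storedHash == nil || subtle.ConstantTimeCompare(HashSecret(presented), storedHash) != 1 {
			return errors.New("client secret missing or invalid")
		}
		return nil
	}
	return errors.New("unknown client type")
}
```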

@cemalkilic cemalkilic requested a review from a team as a code owner September 1, 2025 18:35
coveralls commented Sep 1, 2025

Pull Request Test Coverage Report for Build 17429949610

Details

  • 116 of 142 (81.69%) changed or added relevant lines in 6 files are covered.
  • 2 unchanged lines in 2 files lost coverage.
  • Overall coverage increased (+0.09%) to 68.798%

| Changes Missing Coverage | Covered Lines | Changed/Added Lines | % |
| --- | --- | --- | --- |
| internal/api/middleware.go | 0 | 2 | 0.0% |
| internal/api/oauthserver/auth.go | 0 | 2 | 0.0% |
| internal/api/oauthserver/handlers.go | 18 | 21 | 85.71% |
| internal/models/oauth_client.go | 9 | 15 | 60.0% |
| internal/api/oauthserver/service.go | 23 | 36 | 63.89% |

| Files with Coverage Reduction | New Missed Lines | % |
| --- | --- | --- |
| internal/api/middleware.go | 1 | 79.67% |
| internal/api/oauthserver/auth.go | 1 | 41.38% |

| Totals | Coverage Status |
| --- | --- |
| Change from base Build 17383331724 | 0.09% |
| Covered Lines | 12630 |
| Relevant Lines | 18358 |

💛 - Coveralls

@cemalkilic cemalkilic merged commit b118f1f into master Sep 3, 2025
5 checks passed
@cemalkilic cemalkilic deleted the cemal/feat-add-oauth-client-type branch September 3, 2025 20:06
cemalkilic pushed a commit that referenced this pull request Sep 23, 2025
🤖 I have created a release *beep* *boop*
---


## [2.180.0](v2.179.0...v2.180.0) (2025-09-23)

### Features

* add OAuth client type ([#2152](#2152)) ([b118f1f](b118f1f))
* add phone to sms webhook payload ([#2160](#2160)) ([d475ac1](d475ac1))
* background template reloading p1 - baseline decomposition ([#2148](#2148)) ([746c937](746c937))
* config reloading with fsnotify, poller fallback, and signals ([#2161](#2161)) ([c77d512](c77d512))
* enhance issuer URL validation in OAuth server metadata ([#2164](#2164)) ([a9424d2](a9424d2))
* implement OAuth2 authorization endpoint ([#2107](#2107)) ([5318552](5318552))
* **oauth2:** add `/oauth/token` endpoint ([#2159](#2159)) ([a89a0b0](a89a0b0))
* **oauth2:** add admin endpoint to regenerate OAuth client secrets ([#2170](#2170)) ([0bd1c28](0bd1c28))
* **oauth2:** return redirect_uri on GET authorization ([#2175](#2175)) ([b0a0c3e](b0a0c3e))
* **oauth2:** use `id` field as the public client_id ([#2154](#2154)) ([86b7de4](86b7de4))
* **openapi:** add OAuth 2.1 server endpoints and clarify OAuth modes ([#2165](#2165)) ([1f804a2](1f804a2))
* password changed email notification ([#2176](#2176)) ([fe0fd04](fe0fd04))
* support `transfer_sub` in apple id tokens ([#2162](#2162)) ([8a71006](8a71006))

### Bug Fixes

* ensure request context exists in API db operations ([#2171](#2171)) ([060a992](060a992))
* **makefile:** remove invalid @ symbol from shell commands ([#2168](#2168)) ([e6afe45](e6afe45))
* **oauth2:** switch to Origin header for request validation ([#2174](#2174)) ([42bc9ab](42bc9ab))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
issuedat pushed a commit that referenced this pull request Sep 30, 2025
issuedat pushed a commit that referenced this pull request Sep 30, 2025