coder
diff --git a/‎cli/server.go‎
Lines changed: 10 additions & 0 deletions b/‎cli/server.go‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎coderd/coderd.go‎
Lines changed: 5 additions & 3 deletions b/‎coderd/coderd.go‎
Lines changed: 5 additions & 3 deletions
diff --git a/‎coderd/externalauth/externalauth.go‎
Lines changed: 48 additions & 26 deletions b/‎coderd/externalauth/externalauth.go‎
Lines changed: 48 additions & 26 deletions
diff --git a/‎coderd/externalauth/externalauth_internal_test.go‎
Lines changed: 54 additions & 45 deletions b/‎coderd/externalauth/externalauth_internal_test.go‎
Lines changed: 54 additions & 45 deletions
@@ -186,6 +186,14 @@ func createOIDCConfig(ctx context.Context, logger slog.Logger, vals *codersdk.De
 		secondaryClaimsSrc = coderd.MergedClaimsSourceAccessToken
 	}
 
+	var pkceSupport struct {
+		CodeChallengeMethodsSupported []promoauth.Oauth2PKCEChallengeMethod `json:"code_challenge_methods_supported"`
+	}
+	err = oidcProvider.Claims(&pkceSupport)
+	if err != nil {
+		return nil, xerrors.Errorf("pkce detect in claims: %w", err)
+	}
+
 	return &coderd.OIDCConfig{
 		OAuth2Config: useCfg,
 		Provider:     oidcProvider,
@@ -206,6 +214,8 @@ func createOIDCConfig(ctx context.Context, logger slog.Logger, vals *codersdk.De
 		SignupsDisabledText: vals.OIDC.SignupsDisabledText.String(),
 		IconURL:             vals.OIDC.IconURL.String(),
 		IgnoreEmailVerified: vals.OIDC.IgnoreEmailVerified.Value(),
+		// We only support S256 PKCE challenge method.
+		PKCEMethods: pkceSupport.CodeChallengeMethodsSupported,
 	}, nil
 }
 
 
@@ -24,6 +24,7 @@ import (
 	"github.com/coder/coder/v2/coderd/oauth2provider"
 	"github.com/coder/coder/v2/coderd/pproflabel"
 	"github.com/coder/coder/v2/coderd/prebuilds"
+	"github.com/coder/coder/v2/coderd/promoauth"
 	"github.com/coder/coder/v2/coderd/usage"
 	"github.com/coder/coder/v2/coderd/wsbuilder"
 
@@ -940,7 +941,7 @@ func New(options *Options) *API {
 				r.Route(fmt.Sprintf("/%s/callback", externalAuthConfig.ID), func(r chi.Router) {
 					r.Use(
 						apiKeyMiddlewareRedirect,
-						httpmw.ExtractOAuth2(externalAuthConfig, options.HTTPClient, options.DeploymentValues.HTTPCookies, nil),
+						httpmw.ExtractOAuth2(externalAuthConfig, options.HTTPClient, options.DeploymentValues.HTTPCookies, nil, externalAuthConfig.CodeChallengeMethodsSupported),
 					)
 					r.Get("/", api.externalAuthCallback(externalAuthConfig))
 				})
@@ -1289,14 +1290,15 @@ func New(options *Options) *API {
 					r.Get("/github/device", api.userOAuth2GithubDevice)
 					r.Route("/github", func(r chi.Router) {
 						r.Use(
-							httpmw.ExtractOAuth2(options.GithubOAuth2Config, options.HTTPClient, options.DeploymentValues.HTTPCookies, nil),
+							// Github supports PKCE S256
+							httpmw.ExtractOAuth2(options.GithubOAuth2Config, options.HTTPClient, options.DeploymentValues.HTTPCookies, nil, []promoauth.Oauth2PKCEChallengeMethod{promoauth.PKCEChallengeMethodSha256}),
 						)
 						r.Get("/callback", api.userOAuth2Github)
 					})
 				})
 				r.Route("/oidc/callback", func(r chi.Router) {
 					r.Use(
-						httpmw.ExtractOAuth2(options.OIDCConfig, options.HTTPClient, options.DeploymentValues.HTTPCookies, oidcAuthURLParams),
+						httpmw.ExtractOAuth2(options.OIDCConfig, options.HTTPClient, options.DeploymentValues.HTTPCookies, oidcAuthURLParams, options.OIDCConfig.PKCEMethods),
 					)
 					r.Get("/", api.userOIDC)
 				})
 
@@ -102,7 +102,8 @@ type Config struct {
 	// injected into Coder AI Bridge upstream requests.
 	// In the case of conflicts, items evaluated by this list override [MCPToolAllowRegex].
 	// This field can be nil if unspecified in the config.
-	MCPToolDenyRegex *regexp.Regexp
+	MCPToolDenyRegex              *regexp.Regexp
+	CodeChallengeMethodsSupported []promoauth.Oauth2PKCEChallengeMethod
 }
 
 // GenerateTokenExtra generates the extra token data to store in the database.
@@ -800,9 +801,11 @@ func applyDefaultsToConfig(config *codersdk.ExternalAuthConfig) {
 		copyDefaultSettings(config, azureDevopsEntraDefaults(config))
 		return
 	default:
-		// No defaults for this type. We still want to run this apply with
-		// an empty set of defaults.
-		copyDefaultSettings(config, codersdk.ExternalAuthConfig{})
+		// Defaults apply to any provider that doesn't have specific defaults.
+		copyDefaultSettings(config, codersdk.ExternalAuthConfig{
+			// PKCE should always be enabled by default.
+			CodeChallengeMethodsSupported: []string{string(promoauth.PKCEChallengeMethodSha256)},
+		})
 		return
 	}
 }
@@ -856,6 +859,9 @@ func copyDefaultSettings(config *codersdk.ExternalAuthConfig, defaults codersdk.
 		// This is a key emoji.
 		config.DisplayIcon = "/emojis/1f511.png"
 	}
+	if config.CodeChallengeMethodsSupported == nil {
+		config.CodeChallengeMethodsSupported = defaults.CodeChallengeMethodsSupported
+	}
 }
 
 // gitHubDefaults returns default config values for GitHub.
@@ -869,9 +875,10 @@ func gitHubDefaults(config *codersdk.ExternalAuthConfig) codersdk.ExternalAuthCo
 		DisplayIcon: "/icon/github.svg",
 		Regex:       `^(https?://)?github\.com(/.*)?$`,
 		// "workflow" is required for managing GitHub Actions in a repository.
-		Scopes:              []string{"repo", "workflow"},
-		DeviceCodeURL:       "https://github.com/login/device/code",
-		AppInstallationsURL: "https://api.github.com/user/installations",
+		Scopes:                        []string{"repo", "workflow"},
+		DeviceCodeURL:                 "https://github.com/login/device/code",
+		AppInstallationsURL:           "https://api.github.com/user/installations",
+		CodeChallengeMethodsSupported: []string{string(promoauth.PKCEChallengeMethodSha256)},
 	}
 
 	if config.RevokeURL == "" && config.ClientID != "" {
@@ -886,6 +893,8 @@ func bitbucketServerDefaults(config *codersdk.ExternalAuthConfig) codersdk.Exter
 		DisplayName: "Bitbucket Server",
 		Scopes:      []string{"PUBLIC_REPOS", "REPO_READ", "REPO_WRITE"},
 		DisplayIcon: "/icon/bitbucket.svg",
+		// TODO: PKCE support? Test 'S256' as the string value
+		CodeChallengeMethodsSupported: []string{string(promoauth.PKCEChallengeMethodNone)},
 	}
 	// Bitbucket servers will have some base url, e.g. https://bitbucket.coder.com.
 	// We will grab this from the Auth URL. This choice is a bit arbitrary,
@@ -923,14 +932,15 @@ func bitbucketServerDefaults(config *codersdk.ExternalAuthConfig) codersdk.Exter
 // Any user specific fields will override this if provided.
 func gitlabDefaults(config *codersdk.ExternalAuthConfig) codersdk.ExternalAuthConfig {
 	cloud := codersdk.ExternalAuthConfig{
-		AuthURL:     "https://gitlab.com/oauth/authorize",
-		TokenURL:    "https://gitlab.com/oauth/token",
-		ValidateURL: "https://gitlab.com/oauth/token/info",
-		RevokeURL:   "https://gitlab.com/oauth/revoke",
-		DisplayName: "GitLab",
-		DisplayIcon: "/icon/gitlab.svg",
-		Regex:       `^(https?://)?gitlab\.com(/.*)?$`,
-		Scopes:      []string{"write_repository"},
+		AuthURL:                       "https://gitlab.com/oauth/authorize",
+		TokenURL:                      "https://gitlab.com/oauth/token",
+		ValidateURL:                   "https://gitlab.com/oauth/token/info",
+		RevokeURL:                     "https://gitlab.com/oauth/revoke",
+		DisplayName:                   "GitLab",
+		DisplayIcon:                   "/icon/gitlab.svg",
+		Regex:                         `^(https?://)?gitlab\.com(/.*)?$`,
+		Scopes:                        []string{"write_repository"},
+		CodeChallengeMethodsSupported: []string{string(promoauth.PKCEChallengeMethodSha256)},
 	}
 
 	if config.AuthURL == "" || config.AuthURL == cloud.AuthURL {
@@ -946,14 +956,15 @@ func gitlabDefaults(config *codersdk.ExternalAuthConfig) codersdk.ExternalAuthCo
 
 	// At this point, assume it is self-hosted and use the AuthURL
 	return codersdk.ExternalAuthConfig{
-		DisplayName: cloud.DisplayName,
-		Scopes:      cloud.Scopes,
-		DisplayIcon: cloud.DisplayIcon,
-		AuthURL:     au.ResolveReference(&url.URL{Path: "/oauth/authorize"}).String(),
-		TokenURL:    au.ResolveReference(&url.URL{Path: "/oauth/token"}).String(),
-		ValidateURL: au.ResolveReference(&url.URL{Path: "/oauth/token/info"}).String(),
-		RevokeURL:   au.ResolveReference(&url.URL{Path: "/oauth/revoke"}).String(),
-		Regex:       fmt.Sprintf(`^(https?://)?%s(/.*)?$`, strings.ReplaceAll(au.Host, ".", `\.`)),
+		DisplayName:                   cloud.DisplayName,
+		Scopes:                        cloud.Scopes,
+		DisplayIcon:                   cloud.DisplayIcon,
+		AuthURL:                       au.ResolveReference(&url.URL{Path: "/oauth/authorize"}).String(),
+		TokenURL:                      au.ResolveReference(&url.URL{Path: "/oauth/token"}).String(),
+		ValidateURL:                   au.ResolveReference(&url.URL{Path: "/oauth/token/info"}).String(),
+		RevokeURL:                     au.ResolveReference(&url.URL{Path: "/oauth/revoke"}).String(),
+		Regex:                         fmt.Sprintf(`^(https?://)?%s(/.*)?$`, strings.ReplaceAll(au.Host, ".", `\.`)),
+		CodeChallengeMethodsSupported: []string{string(promoauth.PKCEChallengeMethodSha256)},
 	}
 }
 
@@ -962,6 +973,8 @@ func jfrogArtifactoryDefaults(config *codersdk.ExternalAuthConfig) codersdk.Exte
 		DisplayName: "JFrog Artifactory",
 		Scopes:      []string{"applied-permissions/user"},
 		DisplayIcon: "/icon/jfrog.svg",
+		// TODO: PKCE support? Test 'S256' as the string value
+		CodeChallengeMethodsSupported: []string{string(promoauth.PKCEChallengeMethodNone)},
 	}
 	// Artifactory servers will have some base url, e.g. https://jfrog.coder.com.
 	// We will grab this from the Auth URL. This choice is not arbitrary. It is a
@@ -997,9 +1010,10 @@ func jfrogArtifactoryDefaults(config *codersdk.ExternalAuthConfig) codersdk.Exte
 
 func giteaDefaults(config *codersdk.ExternalAuthConfig) codersdk.ExternalAuthConfig {
 	defaults := codersdk.ExternalAuthConfig{
-		DisplayName: "Gitea",
-		Scopes:      []string{"read:repository", " write:repository", "read:user"},
-		DisplayIcon: "/icon/gitea.svg",
+		DisplayName:                   "Gitea",
+		Scopes:                        []string{"read:repository", " write:repository", "read:user"},
+		DisplayIcon:                   "/icon/gitea.svg",
+		CodeChallengeMethodsSupported: []string{string(promoauth.PKCEChallengeMethodSha256)},
 	}
 	// Gitea's servers will have some base url, e.g: https://gitea.coder.com.
 	// If an auth url is not set, we will assume they are using the default
@@ -1031,6 +1045,8 @@ func azureDevopsEntraDefaults(config *codersdk.ExternalAuthConfig) codersdk.Exte
 		DisplayName: "Azure DevOps (Entra)",
 		DisplayIcon: "/icon/azure-devops.svg",
 		Regex:       `^(https?://)?dev\.azure\.com(/.*)?$`,
+		// TODO: PKCE support? Test 'S256' as the string value
+		CodeChallengeMethodsSupported: []string{string(promoauth.PKCEChallengeMethodNone)},
 	}
 	// The tenant ID is required for urls and is in the auth url.
 	if config.AuthURL == "" {
@@ -1069,6 +1085,8 @@ var staticDefaults = map[codersdk.EnhancedExternalAuthProvider]codersdk.External
 		DisplayIcon: "/icon/azure-devops.svg",
 		Regex:       `^(https?://)?dev\.azure\.com(/.*)?$`,
 		Scopes:      []string{"vso.code_write"},
+		// TODO: PKCE support? Test 'S256' as the string value
+		CodeChallengeMethodsSupported: []string{string(promoauth.PKCEChallengeMethodNone)},
 	},
 	codersdk.EnhancedExternalAuthProviderBitBucketCloud: {
 		AuthURL:     "https://bitbucket.org/site/oauth2/authorize",
@@ -1078,6 +1096,8 @@ var staticDefaults = map[codersdk.EnhancedExternalAuthProvider]codersdk.External
 		DisplayIcon: "/icon/bitbucket.svg",
 		Regex:       `^(https?://)?bitbucket\.org(/.*)?$`,
 		Scopes:      []string{"account", "repository:write"},
+		// TODO: PKCE support? Test 'S256' as the string value
+		CodeChallengeMethodsSupported: []string{string(promoauth.PKCEChallengeMethodNone)},
 	},
 	codersdk.EnhancedExternalAuthProviderSlack: {
 		AuthURL:     "https://slack.com/oauth/v2/authorize",
@@ -1087,6 +1107,8 @@ var staticDefaults = map[codersdk.EnhancedExternalAuthProvider]codersdk.External
 		DisplayIcon: "/icon/slack.svg",
 		// See: https://api.slack.com/authentication/oauth-v2#exchanging
 		ExtraTokenKeys: []string{"authed_user"},
+		// TODO: PKCE support? Test 'S256' as the string value
+		CodeChallengeMethodsSupported: []string{string(promoauth.PKCEChallengeMethodNone)},
 	},
 }
 
 
@@ -5,6 +5,7 @@ import (
 
 	"github.com/stretchr/testify/require"
 
+	"github.com/coder/coder/v2/coderd/promoauth"
 	"github.com/coder/coder/v2/codersdk"
 )
 
@@ -13,17 +14,20 @@ func TestGitlabDefaults(t *testing.T) {
 
 	// The default cloud setup. Copying this here as hard coded
 	// values.
-	cloud := codersdk.ExternalAuthConfig{
-		Type:        string(codersdk.EnhancedExternalAuthProviderGitLab),
-		ID:          string(codersdk.EnhancedExternalAuthProviderGitLab),
-		AuthURL:     "https://gitlab.com/oauth/authorize",
-		TokenURL:    "https://gitlab.com/oauth/token",
-		ValidateURL: "https://gitlab.com/oauth/token/info",
-		RevokeURL:   "https://gitlab.com/oauth/revoke",
-		DisplayName: "GitLab",
-		DisplayIcon: "/icon/gitlab.svg",
-		Regex:       `^(https?://)?gitlab\.com(/.*)?$`,
-		Scopes:      []string{"write_repository"},
+	cloud := func() codersdk.ExternalAuthConfig {
+		return codersdk.ExternalAuthConfig{
+			Type:                          string(codersdk.EnhancedExternalAuthProviderGitLab),
+			ID:                            string(codersdk.EnhancedExternalAuthProviderGitLab),
+			AuthURL:                       "https://gitlab.com/oauth/authorize",
+			TokenURL:                      "https://gitlab.com/oauth/token",
+			ValidateURL:                   "https://gitlab.com/oauth/token/info",
+			RevokeURL:                     "https://gitlab.com/oauth/revoke",
+			DisplayName:                   "GitLab",
+			DisplayIcon:                   "/icon/gitlab.svg",
+			Regex:                         `^(https?://)?gitlab\.com(/.*)?$`,
+			Scopes:                        []string{"write_repository"},
+			CodeChallengeMethodsSupported: []string{string(promoauth.PKCEChallengeMethodSha256)},
+		}
 	}
 
 	tests := []struct {
@@ -38,7 +42,7 @@ func TestGitlabDefaults(t *testing.T) {
 			input: codersdk.ExternalAuthConfig{
 				Type: string(codersdk.EnhancedExternalAuthProviderGitLab),
 			},
-			expected: cloud,
+			expected: cloud(),
 		},
 		{
 			// If someone was to manually configure the gitlab cli.
@@ -47,7 +51,7 @@ func TestGitlabDefaults(t *testing.T) {
 				Type:    string(codersdk.EnhancedExternalAuthProviderGitLab),
 				AuthURL: "https://gitlab.com/oauth/authorize",
 			},
-			expected: cloud,
+			expected: cloud(),
 		},
 		{
 			// Changing some of the defaults of the cloud option
@@ -60,7 +64,7 @@ func TestGitlabDefaults(t *testing.T) {
 				DisplayName: "custom",
 				Regex:       ".*",
 			},
-			expected: cloud,
+			expected: cloud(),
 			mutateExpected: func(config *codersdk.ExternalAuthConfig) {
 				config.AuthURL = "https://gitlab.com/oauth/authorize?foo=bar"
 				config.DisplayName = "custom"
@@ -75,7 +79,7 @@ func TestGitlabDefaults(t *testing.T) {
 				Type:    string(codersdk.EnhancedExternalAuthProviderGitLab),
 				AuthURL: "https://gitlab.company.org/oauth/authorize?foo=bar",
 			},
-			expected: cloud,
+			expected: cloud(),
 			mutateExpected: func(config *codersdk.ExternalAuthConfig) {
 				config.AuthURL = "https://gitlab.company.org/oauth/authorize?foo=bar"
 				config.ValidateURL = "https://gitlab.company.org/oauth/token/info"
@@ -88,20 +92,22 @@ func TestGitlabDefaults(t *testing.T) {
 			// Strange values
 			name: "RandomValues",
 			input: codersdk.ExternalAuthConfig{
-				Type:        string(codersdk.EnhancedExternalAuthProviderGitLab),
-				AuthURL:     "https://auth.com/auth",
-				ValidateURL: "https://validate.com/validate",
-				TokenURL:    "https://token.com/token",
-				RevokeURL:   "https://token.com/revoke",
-				Regex:       "random",
+				Type:                          string(codersdk.EnhancedExternalAuthProviderGitLab),
+				AuthURL:                       "https://auth.com/auth",
+				ValidateURL:                   "https://validate.com/validate",
+				TokenURL:                      "https://token.com/token",
+				RevokeURL:                     "https://token.com/revoke",
+				Regex:                         "random",
+				CodeChallengeMethodsSupported: []string{"random"},
 			},
-			expected: cloud,
+			expected: cloud(),
 			mutateExpected: func(config *codersdk.ExternalAuthConfig) {
 				config.AuthURL = "https://auth.com/auth"
 				config.ValidateURL = "https://validate.com/validate"
 				config.TokenURL = "https://token.com/token"
 				config.RevokeURL = "https://token.com/revoke"
 				config.Regex = `random`
+				config.CodeChallengeMethodsSupported = []string{"random"}
 			},
 		},
 	}
@@ -133,11 +139,12 @@ func Test_bitbucketServerConfigDefaults(t *testing.T) {
 				Type: bbType,
 			},
 			expected: codersdk.ExternalAuthConfig{
-				Type:        bbType,
-				ID:          bbType,
-				DisplayName: "Bitbucket Server",
-				Scopes:      []string{"PUBLIC_REPOS", "REPO_READ", "REPO_WRITE"},
-				DisplayIcon: "/icon/bitbucket.svg",
+				Type:                          bbType,
+				ID:                            bbType,
+				DisplayName:                   "Bitbucket Server",
+				Scopes:                        []string{"PUBLIC_REPOS", "REPO_READ", "REPO_WRITE"},
+				DisplayIcon:                   "/icon/bitbucket.svg",
+				CodeChallengeMethodsSupported: []string{string(promoauth.PKCEChallengeMethodNone)},
 			},
 		},
 		{
@@ -148,15 +155,16 @@ func Test_bitbucketServerConfigDefaults(t *testing.T) {
 				AuthURL: "https://bitbucket.example.com/login/oauth/authorize",
 			},
 			expected: codersdk.ExternalAuthConfig{
-				Type:        bbType,
-				ID:          bbType,
-				AuthURL:     "https://bitbucket.example.com/login/oauth/authorize",
-				TokenURL:    "https://bitbucket.example.com/rest/oauth2/latest/token",
-				ValidateURL: "https://bitbucket.example.com/rest/api/latest/inbox/pull-requests/count",
-				Scopes:      []string{"PUBLIC_REPOS", "REPO_READ", "REPO_WRITE"},
-				Regex:       `^(https?://)?bitbucket\.example\.com(/.*)?$`,
-				DisplayName: "Bitbucket Server",
-				DisplayIcon: "/icon/bitbucket.svg",
+				Type:                          bbType,
+				ID:                            bbType,
+				AuthURL:                       "https://bitbucket.example.com/login/oauth/authorize",
+				TokenURL:                      "https://bitbucket.example.com/rest/oauth2/latest/token",
+				ValidateURL:                   "https://bitbucket.example.com/rest/api/latest/inbox/pull-requests/count",
+				Scopes:                        []string{"PUBLIC_REPOS", "REPO_READ", "REPO_WRITE"},
+				Regex:                         `^(https?://)?bitbucket\.example\.com(/.*)?$`,
+				DisplayName:                   "Bitbucket Server",
+				DisplayIcon:                   "/icon/bitbucket.svg",
+				CodeChallengeMethodsSupported: []string{string(promoauth.PKCEChallengeMethodNone)},
 			},
 		},
 		{
@@ -167,15 +175,16 @@ func Test_bitbucketServerConfigDefaults(t *testing.T) {
 				Type: "bitbucket",
 			},
 			expected: codersdk.ExternalAuthConfig{
-				Type:        string(codersdk.EnhancedExternalAuthProviderBitBucketCloud),
-				ID:          "bitbucket", // Legacy ID remains unchanged
-				AuthURL:     "https://bitbucket.org/site/oauth2/authorize",
-				TokenURL:    "https://bitbucket.org/site/oauth2/access_token",
-				ValidateURL: "https://api.bitbucket.org/2.0/user",
-				DisplayName: "BitBucket",
-				DisplayIcon: "/icon/bitbucket.svg",
-				Regex:       `^(https?://)?bitbucket\.org(/.*)?$`,
-				Scopes:      []string{"account", "repository:write"},
+				Type:                          string(codersdk.EnhancedExternalAuthProviderBitBucketCloud),
+				ID:                            "bitbucket", // Legacy ID remains unchanged
+				AuthURL:                       "https://bitbucket.org/site/oauth2/authorize",
+				TokenURL:                      "https://bitbucket.org/site/oauth2/access_token",
+				ValidateURL:                   "https://api.bitbucket.org/2.0/user",
+				DisplayName:                   "BitBucket",
+				DisplayIcon:                   "/icon/bitbucket.svg",
+				Regex:                         `^(https?://)?bitbucket\.org(/.*)?$`,
+				Scopes:                        []string{"account", "repository:write"},
+				CodeChallengeMethodsSupported: []string{string(promoauth.PKCEChallengeMethodNone)},
 			},
 		},
 	}