@jeremy jeremy commented Jan 6, 2026

  • Builds on existing Identity::AccessToken (optionally belongs to an OAuth client)
  • Provides everything MCP clients need for dynamic registration and auth
  • Adds a Connected Apps listing to user profiles to view and revoke granted tokens

No refresh tokens; no token expiry; only implicit grants; only authorization code exchange.

Needs design: Authorization

  • Consent screen
[Screenshot: oauth consent screen]

Needs design: Connected Apps

  • section on user profile
  • listing
  • revocation flow
[Screenshots: oauth user profile, oauth connected apps]

@jeremy jeremy requested review from dhh and jzimdars January 6, 2026 01:34
jeremy added 3 commits January 7, 2026 17:11
- OAuth tokens = Access Token that belongs to an OAuth client
- One table (oauth_clients) + one column (oauth_client_id)
- Stateless authorization codes via MessageEncryptor (60s TTL)
- Implicit grants (token exists = grant, revoke = delete tokens)
- Dynamic client registration for MCPs
- Token lifetime: no expiry, explicit revocation only
- Scope mapping: space-delimited OAuth scopes → permission enum
- Security: PKCE required, loopback-only DCR, rate limiting
- RFC compliance: 6749, 6750, 7636, 7591, 8252, 8414, 9728

Authorization flow with PKCE (S256 only)
- Consent screen showing client name and requested scopes
- Stateless authorization codes via MessageEncryptor

Token endpoint
- Authorization code exchange with PKCE verification
- Issues Identity::AccessToken linked to OAuth client

Revocation endpoint (RFC 7009)
- Revoke access tokens by value
- Always returns 200 per spec

Discovery endpoints (RFC 8414):
- /.well-known/oauth-authorization-server
- /.well-known/oauth-protected-resource

Dynamic Client Registration (RFC 7591):
- POST /oauth/clients for MCP clients
- Loopback redirects only (127.0.0.1, localhost, [::1])
- Rate limited to 10 requests/minute

View and revoke OAuth client access at /my/connected_apps.
Scoped through identity's OAuth tokens for proper authorization.
Links from access tokens index for discoverability.
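Added example (Ruby, stdlib only; not the PR's own code) of the two server-side checks the commits above describe: S256 PKCE verification at the token endpoint (RFC 7636) and the loopback-only redirect guard for dynamic client registration (RFC 8252). `PkceExample` and its method names are hypothetical; the project's real implementation is not on this page.

```ruby
require "digest"
require "securerandom"
require "uri"

# Hypothetical module name; illustrates the checks, not the project's code.
module PkceExample
  # Client side: a high-entropy verifier, 43 unreserved chars (RFC 7636 s4.1).
  def self.generate_verifier
    SecureRandom.urlsafe_base64(32, false)
  end

  # S256 challenge: BASE64URL(SHA256(ASCII(verifier))) without padding (RFC 7636 s4.2).
  def self.challenge_for(verifier)
    [Digest::SHA256.digest(verifier)].pack("m0").tr("+/", "-_").delete("=")
  end

  # Server side, token endpoint: only S256 is accepted ("plain" is rejected),
  # the verifier must be well-formed, and the recomputed challenge must match
  # the one stored with the authorization code. Comparison is length-checked
  # and byte-wise so a mismatch does not short-circuit on the first bad byte.
  def self.verify(method:, challenge:, verifier:)
    return false unless method == "S256"
    return false unless verifier.is_a?(String) &&
                        verifier.match?(/\A[A-Za-z0-9\-._~]{43,128}\z/)
    expected = challenge_for(verifier)
    return false unless expected.bytesize == challenge.to_s.bytesize
    expected.bytes.zip(challenge.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end

  # Loopback forms accepted for native/MCP clients (RFC 8252 s7.3).
  LOOPBACK_HOSTS = %w[127.0.0.1 localhost [::1]].freeze

  # DCR guard: redirect_uri must be plain http to a loopback host; any port is
  # allowed (native clients pick an ephemeral one), any other host is refused.
  # Note that "127.0.0.1.example" is a normal DNS name and must not match.
  def self.loopback_redirect?(uri_string)
    uri = URI.parse(uri_string)
    return false unless uri.scheme == "http"
    LOOPBACK_HOSTS.include?(uri.host.to_s) # URI#host keeps the brackets on [::1]
  rescue URI::InvalidURIError
    false
  end
end
```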