RFC 8707 - resource indicator

Author: brendan-kellam

packages/db/prisma/migrations/20260304230353_add_oauth_resource_parameter/migration.sql

@@ -0,0 +1,5 @@
+-- AlterTable
+ALTER TABLE "OAuthAuthorizationCode" ADD COLUMN     "resource" TEXT;
+
+-- AlterTable
+ALTER TABLE "OAuthToken" ADD COLUMN     "resource" TEXT;

packages/db/prisma/schema.prisma

@@ -493,7 +493,7 @@ model ChatAccess {
 // @see: https://datatracker.ietf.org/doc/html/rfc6749
 
 /// A registered OAuth2 client application (e.g. Claude Desktop, Cursor).
-/// Created via dynamic client registration (RFC 7591) at POST /api/oauth/register.
+/// Created via dynamic client registration (RFC 7591) at POST /api/ee/oauth/register.
 model OAuthClient {
   id           String   @id @default(cuid())
   name         String
@@ -515,6 +515,7 @@ model OAuthAuthorizationCode {
   user          User        @relation(fields: [userId], references: [id], onDelete: Cascade)
   redirectUri   String
   codeChallenge String // BASE64URL(SHA-256(codeVerifier))
+  resource      String? // RFC 8707: canonical URI of the target resource server
   expiresAt     DateTime
   createdAt     DateTime    @default(now())
 }
@@ -527,6 +528,7 @@ model OAuthToken {
   userId     String
   user       User        @relation(fields: [userId], references: [id], onDelete: Cascade)
   scope      String      @default("")
+  resource   String? // RFC 8707: canonical URI of the target resource server
   expiresAt  DateTime
   createdAt  DateTime    @default(now())
   lastUsedAt DateTime?

packages/web/src/app/oauth/authorize/page.tsx

@@ -17,6 +17,7 @@ interface AuthorizePageProps {
         code_challenge_method?: string;
         response_type?: string;
         state?: string;
+        resource?: string;
     }>;
 }
 
@@ -26,7 +27,7 @@ export default async function AuthorizePage({ searchParams }: AuthorizePageProps
     }
 
     const params = await searchParams;
-    const { client_id, redirect_uri, code_challenge, code_challenge_method, response_type, state } = params;
+    const { client_id, redirect_uri, code_challenge, code_challenge_method, response_type, state, resource } = params;
 
     // Validate required parameters. Per spec, do NOT redirect on client errors —
     // show an error page instead to avoid open redirect vulnerabilities.
@@ -67,6 +68,7 @@ export default async function AuthorizePage({ searchParams }: AuthorizePageProps
             userId: session!.user.id,
             redirectUri: redirect_uri!,
             codeChallenge: code_challenge!,
+            resource: resource ?? null,
         });
 
         const callbackUrl = new URL(redirect_uri!);

packages/web/src/features/oauth/server.ts

@@ -2,6 +2,7 @@ import 'server-only';
 
 import { prisma } from '@/prisma';
 import { generateOAuthToken, hashSecret } from '@sourcebot/shared';
+import { Prisma } from '@prisma/client';
 import crypto from 'crypto';
 
 const AUTH_CODE_TTL_MS = 10 * 60 * 1000; // 10 minutes
@@ -16,11 +17,13 @@ export async function generateAndStoreAuthCode({
     userId,
     redirectUri,
     codeChallenge,
+    resource,
 }: {
     clientId: string;
     userId: string;
     redirectUri: string;
     codeChallenge: string;
+    resource: string | null;
 }): Promise<string> {
     const rawCode = crypto.randomBytes(32).toString('hex');
     const codeHash = hashSecret(rawCode);
@@ -32,6 +35,7 @@ export async function generateAndStoreAuthCode({
             userId,
             redirectUri,
             codeChallenge,
+            resource,
             expiresAt: new Date(Date.now() + AUTH_CODE_TTL_MS),
         },
     });
@@ -46,11 +50,13 @@ export async function verifyAndExchangeCode({
     clientId,
     redirectUri,
     codeVerifier,
+    resource,
 }: {
     rawCode: string;
     clientId: string;
     redirectUri: string;
     codeVerifier: string;
+    resource: string | null;
 }): Promise<{ token: string; expiresIn: number } | { error: string; errorDescription: string }> {
     const codeHash = hashSecret(rawCode);
 
@@ -85,10 +91,15 @@ export async function verifyAndExchangeCode({
         return { error: 'invalid_grant', errorDescription: 'PKCE code verifier is invalid.' };
     }
 
+    // RFC 8707: if a resource was bound to the auth code, the token request must present the same value.
+    if (authCode.resource !== null && authCode.resource !== resource) {
+        return { error: 'invalid_target', errorDescription: 'resource parameter does not match the value bound to the authorization code.' };
+    }
+
     // Single-use: delete the auth code before issuing token.
     // Handle concurrent consume attempts gracefully.
     try {
-    await prisma.oAuthAuthorizationCode.delete({ where: { codeHash } });
+        await prisma.oAuthAuthorizationCode.delete({ where: { codeHash } });
     } catch (error) {
         if (error instanceof Prisma.PrismaClientKnownRequestError && error.code === 'P2025') {
             return { error: 'invalid_grant', errorDescription: 'Authorization code has already been used.' };
@@ -103,6 +114,7 @@ export async function verifyAndExchangeCode({
             hash,
             clientId,
             userId: authCode.userId,
+            resource: authCode.resource,
             expiresAt: new Date(Date.now() + ACCESS_TOKEN_TTL_MS),
         },
     });

packages/web/src/withAuthV2.ts

@@ -122,6 +122,10 @@ export const getAuthenticatedUser = async () => {
 
         // OAuth access token (sourcebot-oauth-<hex>)
         if (bearerToken.startsWith("sourcebot-oauth-")) {
+            if (!hasEntitlement('oauth')) {
+                return undefined;
+            }
+
             const secret = bearerToken.slice("sourcebot-oauth-".length);
             const hash = hashSecret(secret);
             const oauthToken = await __unsafePrisma.oAuthToken.findUnique({