
feat: OAuth 2.0 Provider (behind feature flag)#12391

Merged
Dschoordsch merged 21 commits into master from feat/oauth-provider
Jan 13, 2026

Conversation

Contributor

@jordanh jordanh commented Dec 2, 2025

Description

Implements the start of an OAuth 2.0 Provider, configurable from Org Admin and hidden behind an org-level feature flag (oauthProvider). Note: this is not intended to be a production-ready solution; rather, it is a merge-ready solution that can be iterated upon and used for internal testing (or potentially, by self-hosted customers).

It provides the following:

  • The oauthProvider feature flag
  • An Org Admin interface for adding/removing application provider configurations
  • OAuth 2.0 token issuance and authorization
  • Two simple scopes graphql:query, graphql:mutation
  • A yoga plugin for analyzing incoming ad-hoc queries against scopes

It does not implement:

  • Any kind of query complexity or fine-grained scopes
  • The .well-known route
  • Force re-authentication when issuing a new token
  • Refresh tokens

Demo

https://www.loom.com/share/e129366000ce4164a93c6d20cf6e0213

Testing scenarios

[Please list all the testing scenarios a reviewer has to check before approving the PR]

  • Can list the feature flag
query {
  getAllFeatureFlags {
    description
    featureName
    scope
    expiresAt
  }
}
  • Can migrate up

  • Can migrate down

  • Can migrate up again

  • Verify that the Org Admin OAuth 2.0 interface is hidden without the feature flag set

  • Can add the feature flag

mutation {
  applyFeatureFlag(flagName: "oauthProvider", subjects: {
    orgIds: ["AP9kDq76Ra"]
  }){
    __typename
    ... on ApplyFeatureFlagSuccess {
      organizations {
        name 
        featureFlag(featureName: "oauthProvider")
      }
      users {
        email
        featureFlag(featureName: "oauthProvider")
      }
      teams {
        name
        featureFlag(featureName: "oauthProvider")
      }
    }
    ... on ErrorPayload {
      error {
        message
      }
    }
  }
}
  • See the OAuth Provider Interface after the flag is added

  • Add a new OAuth 2.0 App

  • Can save it

  • Can edit it

  • Can click regenerate, then cancel secret regeneration

  • Can click regenerate, then confirm creating a new secret

  • Can get a token

  • Can use the token

Final checklist

  • I checked the code review guidelines
  • I have added Metrics Representative as reviewer(s) if my PR involves metrics/data/analytics related changes
  • I have performed a self-review of my code, the same way I'd do it for any other team member
  • I have tested all cases I listed in the testing scenarios and I haven't found any issues or regressions
  • Whenever I took a non-obvious choice I added a comment explaining why I did it this way
  • PR title is human readable and could be used in changelog
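The description lists two scopes, graphql:query and graphql:mutation, and a yoga plugin that checks ad-hoc queries against them, and a later review snippet shows the decision as isSuperUser || (isOAuthToken && !!hasScope). The block below is an added example and is not code from this PR or from the project: it models that check in plain JavaScript. The function names (operationTypes, requiredScopes, isAuthorized), the token shape { isSuperUser, isOAuthToken, scopes } and the sample documents are assumptions made for the example; the real plugin is not reproduced here.

```javascript
// Added example, not code from this PR: a minimal model of checking an
// ad-hoc GraphQL document against the two scopes the PR introduces.
// Assumed: the token shape { isSuperUser, isOAuthToken, scopes } and the
// function names below; the project's yoga plugin is not reproduced here.

const SCOPE_FOR_OPERATION = {
  query: 'graphql:query',
  mutation: 'graphql:mutation',
  // subscriptions get no scope in this model, so OAuth tokens are denied them
};

// Remove block strings, strings and # comments so that a keyword inside an
// argument value (e.g. flagName: "mutation") cannot influence detection.
function stripCommentsAndStrings(source) {
  return source
    .replace(/"""[\s\S]*?"""/g, '""')
    .replace(/"(?:\\.|[^"\\])*"/g, '""')
    .replace(/#[^\n]*/g, '');
}

// Collect the operation types of every top-level operation in the document.
// A bare "{ ... }" at top level is the anonymous query shorthand; the
// query/mutation/subscription keywords name the others; fragment
// definitions are skipped. Returns a Set of type names.
function operationTypes(source) {
  const s = stripCommentsAndStrings(source);
  const types = new Set();
  let braces = 0;     // selection-set nesting
  let parens = 0;     // variable-definition / argument nesting at top level
  let pending = null; // keyword seen since the last top-level "}" (or start)
  let i = 0;
  while (i < s.length) {
    const ch = s[i];
    if (ch === '(') {
      parens++;
    } else if (ch === ')') {
      parens--;
    } else if (ch === '{') {
      if (braces === 0 && parens === 0 && pending === null) types.add('query');
      braces++;
    } else if (ch === '}') {
      braces--;
      if (braces === 0 && parens === 0) pending = null;
    } else if (braces === 0 && parens === 0 && /[A-Za-z_]/.test(ch)) {
      let j = i;
      while (j < s.length && /[A-Za-z0-9_]/.test(s[j])) j++;
      const word = s.slice(i, j);
      if (word === 'query' || word === 'mutation' || word === 'subscription') {
        types.add(word);
        pending = word;
      } else if (word === 'fragment') {
        pending = 'fragment';
      }
      i = j;
      continue;
    }
    i++;
  }
  return types;
}

// Scopes the document needs; null marks an operation type that has no scope.
function requiredScopes(source) {
  return [...operationTypes(source)].map((t) => SCOPE_FOR_OPERATION[t] ?? null);
}

// The PR's rule, isSuperUser || (isOAuthToken && hasScope), where hasScope
// means "every operation in the document is covered by a granted scope".
// A document with no recognisable or an unscoped operation fails closed.
function isAuthorized(token, source) {
  const { isSuperUser = false, isOAuthToken = false, scopes = [] } = token;
  if (isSuperUser) return true;
  if (!isOAuthToken) return false;
  const needed = requiredScopes(source);
  if (needed.length === 0) return false;
  return needed.every((scope) => scope !== null && scopes.includes(scope));
}

// Constructed sample: a read-only token may list feature flags but is
// rejected when it tries the applyFeatureFlag mutation from the test plan.
const readOnlyToken = { isOAuthToken: true, scopes: ['graphql:query'] };
console.log(isAuthorized(readOnlyToken, '{ getAllFeatureFlags { featureName } }')); // true
console.log(isAuthorized(readOnlyToken,
  'mutation { applyFeatureFlag(flagName: "oauthProvider") { __typename } }')); // false
```

Because scopes are per operation type, a document that mixes a query and a mutation needs both scopes, and anything the model does not recognise (a subscription, an empty document) is denied rather than allowed by default.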

@jordanh jordanh changed the title Feat: OAuth 2.0 Provider (behind feature flag) feat: OAuth 2.0 Provider (behind feature flag) Dec 2, 2025
@jordanh jordanh force-pushed the feat/oauth-provider branch from fb1d09d to 9a3aec6 Compare December 4, 2025 23:01
@github-actions github-actions bot added size/xl and removed size/xl labels Dec 4, 2025
@jordanh jordanh force-pushed the feat/oauth-provider branch from ce26182 to 8da3cea Compare December 5, 2025 17:30
@github-actions github-actions bot added size/xl and removed size/xl labels Dec 5, 2025
@jordanh jordanh force-pushed the feat/oauth-provider branch from 8da3cea to e82a496 Compare December 5, 2025 17:30
@github-actions github-actions bot added size/xl and removed size/xl labels Dec 5, 2025
@jordanh jordanh force-pushed the feat/oauth-provider branch from e82a496 to 08df72f Compare December 5, 2025 17:32
@github-actions github-actions bot added size/xl and removed size/xl labels Dec 5, 2025
@jordanh jordanh force-pushed the feat/oauth-provider branch from 08df72f to 6df8b15 Compare December 5, 2025 17:44
@github-actions github-actions bot added size/xl and removed size/xl labels Dec 5, 2025
@jordanh jordanh force-pushed the feat/oauth-provider branch from 6df8b15 to 5722006 Compare December 5, 2025 18:09
@github-actions github-actions bot added size/xl and removed size/xl labels Dec 5, 2025
@jordanh jordanh force-pushed the feat/oauth-provider branch from 5722006 to 50e5ef7 Compare December 5, 2025 18:11
@github-actions github-actions bot added size/xl and removed size/xl labels Dec 5, 2025
@jordanh jordanh force-pushed the feat/oauth-provider branch from 50e5ef7 to edc10b7 Compare December 5, 2025 18:13
@github-actions github-actions bot added size/xl and removed size/xl labels Dec 5, 2025
@jordanh jordanh force-pushed the feat/oauth-provider branch from edc10b7 to 1b68e7e Compare December 5, 2025 18:16
@github-actions github-actions bot added size/xl and removed size/xl labels Dec 5, 2025
@github-actions github-actions bot added size/xl and removed size/xs labels Dec 18, 2025
Contributor Author

jordanh commented Dec 18, 2025

Ok @mattkrick, I've made another suite of changes – thanks again for looking this over


const result = isSuperUser || (isOAuthToken && !!hasScope)

return result
Contributor

-2

We would never enable this feature flag for anybody other than us on SaaS production. Yes, we could use our su tokens, but better if we didn't.

Organization scope feature flags can be enabled by enterprise organizations on their own.

Contributor Author

jordanh commented Jan 8, 2026

@Dschoordsch to pick this up

@github-actions github-actions bot added size/xl and removed size/xl labels Jan 12, 2026
@github-actions github-actions bot added size/xl and removed size/xl labels Jan 12, 2026
@github-actions github-actions bot added size/xl and removed size/xl labels Jan 13, 2026
Contributor

Scopes don't work

@github-actions github-actions bot added size/xl and removed size/xl labels Jan 13, 2026
Contributor

I have tested it with a made up client and added some scope tests.
Tests should be a bit more comprehensive before we enable it for a 3rd party.

@Dschoordsch Dschoordsch merged commit 39f80b3 into master Jan 13, 2026
8 checks passed
@Dschoordsch Dschoordsch deleted the feat/oauth-provider branch January 13, 2026 20:44