feat: Add RFC 8414 OAuth 2.0 Authorization Server Metadata endpoint #1665
zacharypodbela wants to merge 8 commits into
Conversation
@dopry could I get a review on this?
force-pushed from b6b1c88 to d5108c7
Pull request overview
Adds an RFC 8414-compliant OAuth 2.0 Authorization Server Metadata discovery endpoint and refactors existing OIDC discovery code to reuse shared URL-building logic.
Changes:
- Added /.well-known/oauth-authorization-server endpoint with RFC 8414 metadata response and CORS header.
- Introduced ServerMetadataViewMixin and refactored ConnectDiscoveryInfoView to remove duplicated endpoint URL-building logic.
- Added new settings defaults + documentation, and tests for endpoint behavior (issuer derivation, JWKS conditional, CORS, OIDC disabled).
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| tests/test_oidc_views.py | Adds tests validating RFC 8414 metadata response shape and key conditionals. |
| oauth2_provider/views/oidc.py | Refactors OIDC discovery to reuse shared endpoint URL builder. |
| oauth2_provider/views/metadata.py | Implements the RFC 8414 metadata endpoint + shared URL-building mixin. |
| oauth2_provider/views/__init__.py | Exposes the new metadata view for URL registration. |
| oauth2_provider/urls.py | Registers the /.well-known/oauth-authorization-server route. |
| oauth2_provider/settings.py | Adds OAuth2 metadata settings and an issuer helper method. |
| docs/settings.rst | Documents new settings related to the metadata endpoint. |
| docs/oauth2_server_metadata.rst | Adds user-facing docs for the RFC 8414 endpoint. |
| docs/index.rst | Adds the new docs page to the documentation index. |
| CHANGELOG.md | Notes the new endpoint in the unreleased changelog. |
Codecov Report: All modified and coverable lines are covered by tests.
force-pushed from d5108c7 to 2a42baa
@zacharypodbela can you review the copilot comments and address them?
I'll address the last round of copilot review by end of day today and ping back when that's done.
@dopry I addressed all the feedback. One of the suggestions from Copilot is not valid. I left a comment explaining why. Let me know if anything else is needed to finalize the PR!
One thing I just realized is that between this PR and #1667, whichever PR is merged second will need to enhance the metadata endpoint to also return the DCR. I'd actually suggest we merge #1667 first and then we make that enhancement in this PR.
@dopry just want to bump this -- do we think we can get this merged this week? I have ample time to address more feedback if needed.
I think the base for the reverse used in
@leiserfg can you provide example code of the use case you are talking about? Happy to make sure we support it but a code snippet will help me better understand your needs and also test locally.
@zacharypodbela looks like CI isn't happy, can you address the test and lint issues?
I'm talking for instance in the case of a user overriding the authorize view or in the case of that url to be mounted in another app, the reverse won't work and the meta will be missing the links. |
force-pushed from cd186e5 to 7b56f04
force-pushed from 7b56f04 to 92b3ce0
Implements the /.well-known/oauth-authorization-server discovery endpoint per RFC 8414. Unlike the existing OIDC discovery endpoint, this is available regardless of whether OIDC is enabled.
- Add OAuthServerMetadataView and ServerMetadataViewMixin in new metadata.py
- Refactor ConnectDiscoveryInfoView to use ServerMetadataViewMixin, removing duplicated URL-building logic
- Add OAUTH2_RESPONSE_TYPES_SUPPORTED, OAUTH2_GRANT_TYPES_SUPPORTED, and OAUTH2_TOKEN_ENDPOINT_AUTH_METHODS_SUPPORTED settings with defaults
- Add oauth2_metadata_issuer() helper to OAuth2ProviderSettings
- Register endpoint in base_urlpatterns as oauth-server-metadata
Closes django-oauth#1099
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add oauth2_server_metadata.rst with endpoint description and example response
- Link from index.rst toctree after oidc
- Document OAUTH2_RESPONSE_TYPES_SUPPORTED, OAUTH2_GRANT_TYPES_SUPPORTED, and OAUTH2_TOKEN_ENDPOINT_AUTH_METHODS_SUPPORTED in settings.rst
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Derive the well-known path via reverse() instead of hardcoding the suffix in oauth2_metadata_issuer(), and sort scopes_supported for deterministic metadata output. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ndpoint
The JWKS endpoint is served by JwksInfoView which requires OIDCOnlyMixin, so jwks_uri should only appear in metadata when OIDC is actually enabled.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…erns
RFC 8414 requires the metadata endpoint at {issuer}/.well-known/oauth-authorization-server.
When base_urlpatterns is mounted at a prefix (e.g., /o/), the metadata endpoint
ends up at /o/.well-known/oauth-authorization-server, which clients cannot discover.
Move the metadata view into its own metadata_urlpatterns list so downstream apps
can mount it at the root separately from prefixed toolkit URLs. The default
urlpatterns still includes everything for simple setups.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
_get_endpoint_url() now catches NoReverseMatch and returns None instead of letting it propagate as a 500. The metadata view omits any endpoint URLs that couldn't be resolved, so downstream apps that don't include all of base_urlpatterns won't crash the metadata endpoint. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
oauth2_metadata_issuer() was reversing the metadata view's URL name and stripping the .well-known path to derive the issuer. This broke when the metadata view was mounted outside the oauth2_provider namespace (as recommended after moving it to metadata_urlpatterns). Use the request's scheme + host directly instead — this is correct per RFC 8414 and doesn't depend on URL routing internals. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Include revocation_endpoint_auth_methods_supported and introspection_endpoint_auth_methods_supported in the RFC 8414 metadata response. Both reuse the token_endpoint_auth_methods_supported value, and are only included when the corresponding endpoint is registered. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
force-pushed from 92b3ce0 to 378c7b3
Summary
Implements the /.well-known/oauth-authorization-server discovery endpoint per RFC 8414 — OAuth 2.0 Authorization Server Metadata.
Closes #1099
Changes
- oauth2_provider/views/metadata.py — contains ServerMetadataViewMixin (shared URL-building logic for discovery views) and OAuthServerMetadataView (the RFC 8414 endpoint). The view is available regardless of whether OIDC is enabled and has no OIDCOnlyMixin dependency.
- ConnectDiscoveryInfoView — now inherits ServerMetadataViewMixin, eliminating the duplicated if/else URL-building logic that previously existed for the request-relative vs OIDC_ISS_ENDPOINT-anchored cases.
- New settings: OAUTH2_RESPONSE_TYPES_SUPPORTED, OAUTH2_GRANT_TYPES_SUPPORTED, OAUTH2_TOKEN_ENDPOINT_AUTH_METHODS_SUPPORTED
- oauth2_metadata_issuer() helper on OAuth2ProviderSettings, mirroring the existing oidc_issuer().
- oauth-server-metadata registered in base_urlpatterns.
- Tests: issuer derivation (OIDC_ISS_ENDPOINT), jwks_uri conditional on RSA key presence, CORS header, and availability when OIDC is disabled.
Relationship to OIDC discovery
RFC 8414 is the OAuth 2.0 equivalent of OpenID Connect discovery. The key differences from ConnectDiscoveryInfoView:
- Path: /.well-known/openid-configuration (OIDC discovery) vs /.well-known/oauth-authorization-server (RFC 8414)
- Fields that differ between the two documents: userinfo_endpoint, jwks_uri, grant_types_supported, revocation_endpoint, introspection_endpoint
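The commit messages above and the Changes list describe three behaviours worth seeing together: endpoint URLs that fail to resolve are dropped rather than crashing the metadata view, the issuer is derived from the request's scheme and host, and jwks_uri plus the revocation/introspection auth-method fields are advertised only when the corresponding endpoint actually exists. The block below is an added, dependency-free model of that logic written for this page; it is not code from this PR or from django-oauth-toolkit. A plain dict stands in for Django's URL resolver, the `NoReverseMatch`, `Request`, route names and paths are all constructed for the example, and the two client-side helpers at the end (`well_known_url`, `client_accepts`) go beyond the PR to show the RFC 8414 rules a consuming client applies: where the document is fetched for an issuer with a path component, and the requirement that the returned `issuer` equal the one queried.

```python
"""Dependency-free model of the RFC 8414 metadata logic this PR describes.

Constructed for illustration: a dict stands in for Django's URL resolver so
reverse()/NoReverseMatch behaviour can be shown without Django installed.
"""
from urllib.parse import urlsplit, urlunsplit


class NoReverseMatch(Exception):
    """Stand-in for django.urls.NoReverseMatch (constructed for this example)."""


# Constructed route table (URL name -> path). A downstream app that mounts only
# part of base_urlpatterns would simply have fewer entries here.
DEFAULT_ROUTES = {
    "oauth2_provider:authorize": "/o/authorize/",
    "oauth2_provider:token": "/o/token/",
    "oauth2_provider:revoke-token": "/o/revoke_token/",
    "oauth2_provider:introspect": "/o/introspect/",
    "oauth2_provider:jwks-info": "/o/.well-known/jwks.json",
}


def reverse(name, routes):
    """Minimal reverse(): raises NoReverseMatch for an unregistered name, as Django does."""
    try:
        return routes[name]
    except KeyError:
        raise NoReverseMatch(name) from None


class Request:
    """Constructed request stub with the two attributes issuer derivation needs."""

    def __init__(self, scheme="https", host="auth.example.com"):
        self.scheme, self.host = scheme, host


def metadata_issuer(request):
    """Issuer is scheme + host only; RFC 8414 s2 requires an https URL with no query or fragment."""
    return f"{request.scheme}://{request.host}"


def get_endpoint_url(request, name, routes):
    """Absolute endpoint URL, or None when the name is not routable (never a 500)."""
    try:
        path = reverse(name, routes)
    except NoReverseMatch:
        return None
    return f"{request.scheme}://{request.host}{path}"


def build_metadata(request, routes=DEFAULT_ROUTES, *, oidc_enabled=False,
                   scopes=("write", "read"),
                   token_auth_methods=("client_secret_post", "client_secret_basic")):
    """Assemble the RFC 8414 document, leaving out endpoints that cannot be resolved."""
    data = {
        "issuer": metadata_issuer(request),
        "scopes_supported": sorted(scopes),  # sorted so output is deterministic
        "response_types_supported": ["code", "token"],
        "grant_types_supported": ["authorization_code", "client_credentials", "refresh_token"],
        "token_endpoint_auth_methods_supported": list(token_auth_methods),
    }
    for field, name in (
        ("authorization_endpoint", "oauth2_provider:authorize"),
        ("token_endpoint", "oauth2_provider:token"),
        ("revocation_endpoint", "oauth2_provider:revoke-token"),
        ("introspection_endpoint", "oauth2_provider:introspect"),
    ):
        url = get_endpoint_url(request, name, routes)
        if url is not None:
            data[field] = url
    # Auth methods for revocation/introspection are advertised only when that endpoint exists.
    for endpoint in ("revocation_endpoint", "introspection_endpoint"):
        if endpoint in data:
            data[endpoint + "_auth_methods_supported"] = list(token_auth_methods)
    # JWKS is served by an OIDC-only view, so advertise it only when OIDC is enabled.
    if oidc_enabled:
        jwks = get_endpoint_url(request, "oauth2_provider:jwks-info", routes)
        if jwks is not None:
            data["jwks_uri"] = jwks
    return data


def well_known_url(issuer):
    """Where a client fetches metadata for an issuer (RFC 8414 s3): the well-known
    segment goes between the host and any path component of the issuer."""
    parts = urlsplit(issuer)
    path = parts.path.rstrip("/")
    return urlunsplit((parts.scheme, parts.netloc,
                       "/.well-known/oauth-authorization-server" + path, "", ""))


def client_accepts(expected_issuer, metadata):
    """Client-side check from RFC 8414 s3.3: the returned issuer must be identical to the
    issuer the client queried, and it must be an https URL with no query or fragment."""
    issuer = metadata.get("issuer")
    if issuer != expected_issuer:
        return False
    parts = urlsplit(issuer)
    return parts.scheme == "https" and not parts.query and not parts.fragment
```

`well_known_url` is the reason the commit that moved the view into its own `metadata_urlpatterns` matters: for issuer `https://auth.example.com` a client fetches `https://auth.example.com/.well-known/oauth-authorization-server`, so a document served only under a prefix such as `/o/` is never found. `client_accepts` is the defensive counterpart on the consumer side: metadata whose `issuer` differs from the one queried must be discarded, which is what stops a document served for one host from being attributed to another.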