feat(worker): bespoke OAuth with device authorization grant (RFC 8628) #203
Merged
Completely switch the Worker-side OAuth implementation from @cloudflare/workers-oauth-provider to an in-house Device Authorization Grant (RFC 8628) implementation. The goal is to structurally eliminate the chronic auth loop of #195 (#198 Step 2).

Main changes:
- Completely rewrote worker/src/oauth.ts. It provides RFC 8414 metadata / RFC 7591 dynamic registration / RFC 8628 §3.1 device_authorization / §3.4 device_code grant / §3.5-compliant polling errors (authorization_pending / slow_down / access_denied / expired_token) / refresh_token rotation / custom Bearer token verification middleware.
- Added worker/src/oauth-store.ts. OAuth KV schema helper: client:* / device:* / user_code:* / token:* / refresh:* / grant:*. The old provider's opaque key format is removed.
- Removed the OAuthProvider wrapper from worker/src/index.ts and moved to a custom router. /oauth/authorize and /oauth/callback return HTTP 410 Gone.
- Removed the @cloudflare/workers-oauth-provider dependency from package.json and package-lock.json.
- Added an F7 (OAuth) section to docs/0-requirements.md and .ja.md. Added oauth.ts / oauth-store.ts to the target files table.

Note: the issue mentioned "worker/src/store.ts (KV schema redesign)", but the existing store.ts is dedicated to the WebhookStore DO, so the OAuth KV helper was split into a new oauth-store.ts for separation of responsibilities. The WebhookStore DO is unchanged.

Local verification: npx wrangler deploy --dry-run succeeded.

Part of #198
Refs #199
Deploying with
| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| ✅ Deployment successful! | github-webhook-mcp | f31f0b0 | Apr 20 2026, 04:45 AM |
This was referenced Apr 20, 2026
Closes #199
Completely switch the Worker-side OAuth implementation from `@cloudflare/workers-oauth-provider` to an in-house Device Authorization Grant (RFC 8628) implementation. This is the Step 2 implementation for structurally eliminating the chronic auth loop of #195.

Main changes:

- Completely rewrote `worker/src/oauth.ts`. It provides RFC 8414 metadata / RFC 7591 dynamic registration / RFC 8628 §3.1 device_authorization / §3.4 device_code grant / §3.5-compliant polling errors (authorization_pending / slow_down / access_denied / expired_token) / refresh_token rotation / custom Bearer token verification middleware.
- Added `worker/src/oauth-store.ts`. OAuth KV schema helper (`client:*` / `device:*` / `user_code:*` / `token:*` / `refresh:*` / `grant:*`). The old provider's opaque key format is removed.
- Removed the `OAuthProvider` wrapper from `worker/src/index.ts` and moved to a custom router. `/oauth/authorize` and `/oauth/callback` return HTTP 410 Gone.
- Removed the `@cloudflare/workers-oauth-provider` dependency (package.json + package-lock.json).
- Added an F7 (OAuth) section to `docs/0-requirements.md` and `.ja.md`, and updated the target files table.

Scope note: the issue mentioned "`worker/src/store.ts` (KV schema redesign)", but the existing `store.ts` is dedicated to the WebhookStore DO and unrelated to OAuth, so the OAuth KV helper was split into a new `oauth-store.ts` for separation of responsibilities. The `WebhookStore` DO is unchanged.

Local verification: `npx wrangler deploy --dry-run` succeeded.

Part of #198
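
The §3.5 polling behaviour listed in the description, as an added TypeScript illustration that is not code from this PR. `pollDeviceCode`, `DeviceRecord` and the in-memory `Map` standing in for the `device:*` KV keys are hypothetical names, and answering an unknown or foreign code with `invalid_grant` (RFC 6749 §5.2) is an assumption of this example.

```typescript
// Added illustration of RFC 8628 §3.4/§3.5 polling; not code from this PR.
// DeviceRecord, pollDeviceCode and the Map standing in for `device:*` KV
// entries are hypothetical names chosen for this example.
type PollError = "authorization_pending" | "slow_down" | "access_denied"
  | "expired_token" | "invalid_grant";

interface DeviceRecord {
  clientId: string;
  status: "pending" | "approved" | "denied";
  expiresAt: number;   // epoch seconds
  interval: number;    // minimum seconds between polls
  lastPollAt?: number; // epoch seconds of the previous poll
}

interface PollResult { ok: boolean; error?: PollError; interval?: number }

function pollDeviceCode(store: Map<string, DeviceRecord>, deviceCode: string,
                        clientId: string, now: number): PollResult {
  const key = `device:${deviceCode}`;
  const rec = store.get(key);
  // Unknown code, or a code issued to a different client: same answer for both.
  if (!rec || rec.clientId !== clientId) return { ok: false, error: "invalid_grant" };
  if (now >= rec.expiresAt) {
    store.delete(key);
    return { ok: false, error: "expired_token" };
  }
  // Polling faster than `interval`: add 5 s for this and all later polls (§3.5).
  if (rec.lastPollAt !== undefined && now - rec.lastPollAt < rec.interval) {
    rec.interval += 5;
    rec.lastPollAt = now;
    return { ok: false, error: "slow_down", interval: rec.interval };
  }
  rec.lastPollAt = now;
  if (rec.status === "pending") return { ok: false, error: "authorization_pending" };
  // Terminal states: the device_code is single use, so drop it before replying.
  store.delete(key);
  return rec.status === "denied"
    ? { ok: false, error: "access_denied" }
    : { ok: true };
}

// Constructed sample: one pending request polled twice, too fast the second time.
const demo = new Map<string, DeviceRecord>([
  ["device:demo", { clientId: "cli", status: "pending", expiresAt: 900, interval: 5 }],
]);
console.log(pollDeviceCode(demo, "demo", "cli", 100)); // authorization_pending
console.log(pollDeviceCode(demo, "demo", "cli", 101)); // slow_down, interval 10
```

On the approved branch a real token endpoint would mint the access and refresh tokens only after the device record has been deleted, so a replayed `device_code` cannot be redeemed twice.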