
feat: backend-oauth-consent-screen#7124

Open
Zaimwa9 wants to merge 7 commits into feat/implement-dynamic-client-registration from feat/oauth-consent-backend

Conversation


@Zaimwa9 Zaimwa9 commented Apr 3, 2026

Thanks for submitting a PR! Please check the boxes below:

  • I have read the Contributing Guide.
  • I have added information to docs/ if required so people know about the feature.
  • I have filled in the "Changes" section below.
  • I have filled in the "How did you test this code" section below.

Changes

Contributes to #7042
Adds a custom OAuth authorisation endpoint (GET/POST /api/v1/oauth/authorize/) that replaces DOT's template-based AuthorizationView with a JSON API the frontend consent screen can call.

GET /api/v1/oauth/authorize/
Validates an OAuth authorisation request and returns application info:

{
  "application": { "name": "My App", "client_id": "abc123" },
  "scopes": { "mcp": "MCP access" },
  "redirect_uri": "https://example.com/callback",
  "is_verified": false
}

POST /api/v1/oauth/authorize/
Processes the user's consent decision and returns the redirect URI with an authorisation code (allow) or error=access_denied (deny):
{ "redirect_uri": "https://example.com/callback?code=...&state=..." }

Implementation details

  • OAuthAuthorizeView combines DRF's APIView with DOT's OAuthLibMixin to bridge token auth with DOT's
    session-based internals.
  • POST injects OAuth params into request._request.GET and META['QUERY_STRING'] so DOT's
    validate_authorization_request can read them (DOT expects a form-based flow). This is documented with a
    comment noting fragility on DOT upgrades.
  • is_verified maps to DOT's skip_authorization field, with a comment explaining it's safe since this
    custom view always shows the consent screen.
  • OAuthConsentSerializer validates the POST body.
  • DOT's built-in /o/authorize/ is no longer exposed — only /o/token/, /o/revoke_token/, and /o/introspect/
    remain.

How did you test this code?

  • New tests

Manual end-to-end testing:

  1. Created an OAuth application via DCR:

     curl -X POST http://localhost:8000/o/register/ \
         -H "Content-Type: application/json" \
         -d '{
           "client_name": "Test MCP Client",
           "redirect_uris": ["http://localhost:3000/oauth/callback"],
           "grant_types": ["authorization_code"],
           "response_types": ["code"],
           "token_endpoint_auth_method": "none"
         }'

  2. Ran node api/oauth2_test_server.mjs: consent screen → Authorise → code → token exchange
  3. Tested Decline → error=access_denied on callback
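The GET/POST contract described above, as an added stand-alone example that is not code from this PR or from Flagsmith: a plain-Python model of the authorize endpoint that validates the request (unknown client, unregistered redirect_uri, bad response_type or scope are all rejected without redirecting) and then builds the allow/deny redirect, echoing state on both branches. The `APPLICATIONS` registry, the `abc123` client and the `AuthorizationError` type are constructed stand-ins for DOT's Application model, not project identifiers.

```python
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed stand-in for the DCR-registered applications (hypothetical values).
APPLICATIONS = {
    "abc123": {
        "name": "My App",
        "redirect_uris": ["https://example.com/callback"],
        "allowed_scopes": {"mcp": "MCP access"},
        "skip_authorization": False,  # surfaced as is_verified below
    }
}


class AuthorizationError(Exception):
    """Request rejected before any redirect is issued (rendered to the user, never sent to the client)."""


@dataclass
class AuthorizeRequest:
    client_id: str
    redirect_uri: str
    response_type: str
    scope: str
    state: str = ""


def validate_authorization_request(req: AuthorizeRequest) -> dict:
    """Model of the GET handler: validate and return the consent-screen payload.

    Any failure here must not redirect: until redirect_uri is proven to be
    registered for this client, sending the browser there hands the code
    (or the error) to whoever supplied the URI.
    """
    app = APPLICATIONS.get(req.client_id)
    if app is None:
        raise AuthorizationError("unknown client_id")
    # Exact string match against the registered list; a prefix match would
    # accept e.g. https://example.com/callback.attacker-controlled.example.
    if req.redirect_uri not in app["redirect_uris"]:
        raise AuthorizationError("redirect_uri is not registered for this client")
    if req.response_type != "code":
        raise AuthorizationError("unsupported response_type")
    requested = set(req.scope.split())
    unknown = requested - set(app["allowed_scopes"])
    if not requested or unknown:
        raise AuthorizationError(f"invalid scope: {sorted(unknown)}")
    return {
        "application": {"name": app["name"], "client_id": req.client_id},
        "scopes": {s: app["allowed_scopes"][s] for s in sorted(requested)},
        "redirect_uri": req.redirect_uri,
        # Informational only: this flow always shows the consent screen.
        "is_verified": app["skip_authorization"],
    }


def _append_query(uri: str, extra: dict) -> str:
    """Append parameters to a URI, keeping any query string the client registered."""
    parts = urlsplit(uri)
    query = parse_qsl(parts.query, keep_blank_values=True) + list(extra.items())
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def process_consent(req: AuthorizeRequest, allow: bool, issue_code=lambda: secrets.token_urlsafe(32)) -> dict:
    """Model of the POST handler: re-validate the request, then build the redirect.

    The earlier GET is not trusted; the POST body is validated again so a
    tampered redirect_uri cannot slip in between the two calls.
    """
    validate_authorization_request(req)
    params = {"code": issue_code()} if allow else {"error": "access_denied"}
    if req.state:
        params["state"] = req.state  # echoed on allow and deny alike
    return {"redirect_uri": _append_query(req.redirect_uri, params)}


if __name__ == "__main__":
    req = AuthorizeRequest("abc123", "https://example.com/callback", "code", "mcp", state="xyz")
    print(validate_authorization_request(req))
    print(process_consent(req, allow=True))
    print(process_consent(req, allow=False))
```

`issue_code` is injectable only so the redirect can be checked deterministically; in a real server the code comes from the authorization-server library and is bound to the client, redirect_uri and scope it was issued for.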

@Zaimwa9 Zaimwa9 requested a review from gagantrivedi April 3, 2026 15:17
@Zaimwa9 Zaimwa9 requested a review from a team as a code owner April 3, 2026 15:17

@claude claude bot left a comment


⚠️ Code review skipped — your organization's overage spend limit has been reached.

Code review is billed via overage credits. To resume reviews, an organization admin can raise the monthly limit at claude.ai/admin-settings/claude-code.

Once credits are available, reopen this pull request to trigger a review.


vercel bot commented Apr 3, 2026


3 Skipped Deployments
Project Deployment Actions Updated (UTC)
docs Ignored Ignored Preview Apr 6, 2026 0:57am
flagsmith-frontend-preview Ignored Ignored Preview Apr 6, 2026 0:57am
flagsmith-frontend-staging Ignored Ignored Preview Apr 6, 2026 0:57am


@github-actions github-actions bot added api Issue related to the REST API feature New feature or request labels Apr 3, 2026

github-actions bot commented Apr 3, 2026

Docker builds report

Image Build Status Security report
ghcr.io/flagsmith/flagsmith-e2e:pr-7124 Finished ✅ Skipped
ghcr.io/flagsmith/flagsmith-frontend:pr-7124 Finished ✅ Results
ghcr.io/flagsmith/flagsmith-api-test:pr-7124 Finished ✅ Skipped
ghcr.io/flagsmith/flagsmith:pr-7124 Finished ✅ Results
ghcr.io/flagsmith/flagsmith-private-cloud:pr-7124 Finished ✅ Results


codecov bot commented Apr 3, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.28%. Comparing base (254c215) to head (f02e487).

Additional details and impacted files
@@                             Coverage Diff                              @@
##           feat/implement-dynamic-client-registration    #7124    +/-   ##
============================================================================
  Coverage                                       98.27%   98.28%            
============================================================================
  Files                                            1348     1349     +1     
  Lines                                           50350    50500   +150     
============================================================================
+ Hits                                            49483    49633   +150     
  Misses                                            867      867            



github-actions bot commented Apr 3, 2026

Playwright Test Results (oss - depot-ubuntu-latest-16)

passed  10 passed

Details

stats  10 tests across 7 suites
duration  47.8 seconds
commit  7488731
info  🔄 Run: #15701 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-arm-16)

passed  10 passed

Details

stats  10 tests across 7 suites
duration  47.9 seconds
commit  7488731
info  🔄 Run: #15701 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-16)

passed  2 passed

Details

stats  2 tests across 2 suites
duration  1 minute, 5 seconds
commit  7488731
info  🔄 Run: #15701 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-arm-16)

passed  2 passed

Details

stats  2 tests across 2 suites
duration  59.2 seconds
commit  7488731
info  🔄 Run: #15701 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-16)

passed  10 passed

Details

stats  10 tests across 7 suites
duration  25.8 seconds
commit  235ba2b
info  🔄 Run: #15740 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-arm-16)

passed  10 passed

Details

stats  10 tests across 7 suites
duration  28.6 seconds
commit  235ba2b
info  🔄 Run: #15740 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-16)

passed  1 passed

Details

stats  1 test across 1 suite
duration  42.6 seconds
commit  235ba2b
info  🔄 Run: #15740 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-arm-16)

passed  2 passed

Details

stats  2 tests across 2 suites
duration  1 minute, 11 seconds
commit  235ba2b
info  🔄 Run: #15740 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-16)

passed  10 passed

Details

stats  10 tests across 7 suites
duration  24.5 seconds
commit  70eca0a
info  🔄 Run: #15754 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-arm-16)

passed  10 passed

Details

stats  10 tests across 7 suites
duration  27.9 seconds
commit  70eca0a
info  🔄 Run: #15754 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-16)

passed  16 passed

Details

stats  16 tests across 13 suites
duration  50.8 seconds
commit  70eca0a
info  🔄 Run: #15754 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-arm-16)

passed  1 passed

Details

stats  1 test across 1 suite
duration  1 minute, 9 seconds
commit  70eca0a
info  🔄 Run: #15754 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-16)

passed  10 passed

Details

stats  10 tests across 7 suites
duration  42.7 seconds
commit  f02e487
info  🔄 Run: #15782 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-arm-16)

passed  10 passed

Details

stats  10 tests across 7 suites
duration  49.3 seconds
commit  f02e487
info  🔄 Run: #15782 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-16)

passed  2 passed

Details

stats  2 tests across 2 suites
duration  54.1 seconds
commit  f02e487
info  🔄 Run: #15782 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-arm-16)

passed  1 passed

Details

stats  1 test across 1 suite
duration  1 minute, 9 seconds
commit  f02e487
info  🔄 Run: #15782 (attempt 1)

@github-actions github-actions bot added feature New feature or request and removed feature New feature or request labels Apr 6, 2026