From 8de1006b128ceb4ed02832cfef8d53ed8cdafc6e Mon Sep 17 00:00:00 2001
From: rl-gitpod <robert@gitpod.io>
Date: Fri, 21 May 2021 10:24:54 +0000
Subject: [PATCH] [server] add OAuth2 server endpoints (behind a feature flag)

to manage client application access to users Gitpod workspaces
---
 .werft/values.dev.yaml                        |   1 +
 chart/templates/server-deployment.yaml        |   6 +
 .../dashboard/public/complete-auth/index.html |   7 +-
 components/dashboard/src/App.tsx              |   8 +
 components/dashboard/src/Login.tsx            |  32 ++-
 .../dashboard/src/OauthClientApproval.tsx     |  48 ++++
 components/dashboard/src/provider-utils.tsx   |  20 +-
 components/gitpod-db/README.md                |  17 ++
 components/gitpod-db/package.json             |   7 +-
 components/gitpod-db/src/container-module.ts  |   3 +
 .../src/typeorm/auth-code-repository-db.ts    |  67 ++++++
 .../src/typeorm/entity/db-oauth-auth-code.ts  |  64 ++++++
 .../1620865190518-OAuthAuthCodeDB.ts          |  22 ++
 .../gitpod-db/src/typeorm/user-db-impl.ts     |  98 ++++++++-
 components/gitpod-db/src/user-db.ts           |   9 +-
 components/gitpod-protocol/src/protocol.ts    |   3 +
 components/local-app/README.md                |  15 ++
 components/local-app/go.mod                   |   4 +-
 components/local-app/go.sum                   |   6 +
 components/local-app/main.go                  |   7 +
 components/local-app/oauth.go                 | 208 ++++++++++++++++++
 components/server/package.json                |   1 +
 components/server/src/container-module.ts     |   3 +
 components/server/src/env.ts                  |   2 +
 components/server/src/oauth-server/db.ts      |  49 +++++
 .../oauth-authorization-server.ts             |  32 +++
 .../src/oauth-server/oauth-controller.ts      | 175 +++++++++++++++
 .../server/src/oauth-server/repository.ts     |  47 ++++
 components/server/src/server.ts               |   3 +
 components/server/src/user/user-controller.ts |   9 +-
 gitpod-ws.code-workspace                      |   1 +
 yarn.lock                                     |  18 +-
 32 files changed, 957 insertions(+), 35 deletions(-)
 create mode 100644 components/dashboard/src/OauthClientApproval.tsx
 create mode 100644 components/gitpod-db/README.md
 create mode 100644 components/gitpod-db/src/typeorm/auth-code-repository-db.ts
 create mode 100644 components/gitpod-db/src/typeorm/entity/db-oauth-auth-code.ts
 create mode 100644 components/gitpod-db/src/typeorm/migration/1620865190518-OAuthAuthCodeDB.ts
 create mode 100644 components/local-app/oauth.go
 create mode 100644 components/server/src/oauth-server/db.ts
 create mode 100644 components/server/src/oauth-server/oauth-authorization-server.ts
 create mode 100644 components/server/src/oauth-server/oauth-controller.ts
 create mode 100644 components/server/src/oauth-server/repository.ts

diff --git a/.werft/values.dev.yaml b/.werft/values.dev.yaml
index 5ddf101e144552..49a1012342e05d 100644
--- a/.werft/values.dev.yaml
+++ b/.werft/values.dev.yaml
@@ -31,6 +31,7 @@ components:
     makeNewUsersAdmin: true # for development
     theiaPluginsBucketName: gitpod-core-dev-plugins
     enableLocalApp: true
+    enableOAuthServer: true
     blockNewUsers: true
     blockNewUsersPasslist:
     - "gitpod.io"
diff --git a/chart/templates/server-deployment.yaml b/chart/templates/server-deployment.yaml
index 9761f9d4d7827c..0a6795bd84ff46 100644
--- a/chart/templates/server-deployment.yaml
+++ b/chart/templates/server-deployment.yaml
@@ -170,6 +170,10 @@ spec:
         - name: ENABLE_LOCAL_APP
           value: "true"
     {{- end }}
+    {{- if $comp.enableOAuthServer }}
+        - name: ENABLE_OAUTH_SERVER
+          value: "true"
+    {{- end }}
     {{- if $comp.portAccessForUsersOnly }}
         - name: PORT_ACCESS_FOR_USERS_ONLY
           value: "true"
@@ -216,6 +220,8 @@ spec:
               key: apikey
         - name: GITPOD_GARBAGE_COLLECTION_DISABLED
           value: {{ $comp.garbageCollection.disabled | default "false" | quote }}
+        - name: OAUTH_SERVER_JWT_SECRET
+          value: {{ (randAlphaNum 20) | quote }}
 {{- if $comp.serverContainer.env }}
 {{ toYaml $comp.serverContainer.env | indent 8 }}
 {{- end }}
diff --git a/components/dashboard/public/complete-auth/index.html b/components/dashboard/public/complete-auth/index.html
index 7e87db0dc735d6..c2478233670782 100644
--- a/components/dashboard/public/complete-auth/index.html
+++ b/components/dashboard/public/complete-auth/index.html
@@ -11,7 +11,12 @@
     <title>Done</title>
     <script>
         if (window.opener) {
-            const message = new URLSearchParams(window.location.search).get("message");
+            const search = new URLSearchParams(window.location.search);
+            let message = search.get("message");
+            const returnTo = search.get("returnTo");
+            if (returnTo) {
+                message = `${message}&returnTo=${encodeURIComponent(returnTo)}`;
+            }
             window.opener.postMessage(message, `https://${window.location.hostname}`);
         } else {
             console.log("This page is supposed to be opened by Gitpod.")
diff --git a/components/dashboard/src/App.tsx b/components/dashboard/src/App.tsx
index 80af1b8c2ed80f..52baf822ec0bd8 100644
--- a/components/dashboard/src/App.tsx
+++ b/components/dashboard/src/App.tsx
@@ -34,6 +34,7 @@ const InstallGitHubApp = React.lazy(() => import(/* webpackPrefetch: true */ './
 const FromReferrer = React.lazy(() => import(/* webpackPrefetch: true */ './FromReferrer'));
 const UserSearch = React.lazy(() => import(/* webpackPrefetch: true */ './admin/UserSearch'));
 const WorkspacesSearch = React.lazy(() => import(/* webpackPrefetch: true */ './admin/WorkspacesSearch'));
+const OAuthClientApproval = React.lazy(() => import(/* webpackPrefetch: true */ './OauthClientApproval'));
 
 function Loading() {
     return <>
@@ -118,6 +119,13 @@ function App() {
     if (shouldWhatsNewShown !== isWhatsNewShown) {
         setWhatsNewShown(shouldWhatsNewShown);
     }
+    if (window.location.pathname.startsWith('/oauth-approval')) {
+        return (
+            <Suspense fallback={<Loading />}>
+                <OAuthClientApproval />
+            </Suspense>
+        );
+    }
 
     window.addEventListener("hashchange", () => {
         // Refresh on hash change if the path is '/' (new context URL)
diff --git a/components/dashboard/src/Login.tsx b/components/dashboard/src/Login.tsx
index a8583bcdb697da..e4e9812d6824bc 100644
--- a/components/dashboard/src/Login.tsx
+++ b/components/dashboard/src/Login.tsx
@@ -8,7 +8,7 @@ import { AuthProviderInfo } from "@gitpod/gitpod-protocol";
 import { useContext, useEffect, useState } from "react";
 import { UserContext } from "./user-context";
 import { getGitpodService } from "./service/service";
-import { iconForAuthProvider, openAuthorizeWindow, simplifyProviderName } from "./provider-utils";
+import { iconForAuthProvider, openAuthorizeWindow, simplifyProviderName, getSafeURLRedirect } from "./provider-utils";
 import gitpod from './images/gitpod.svg';
 import gitpodDark from './images/gitpod-dark.svg';
 import gitpodIcon from './icons/gitpod.svg';
@@ -50,6 +50,23 @@ export function Login() {
         })();
     }, [])
 
+    const authorizeSuccessful = async (payload?: string) => {
+        updateUser();
+        // Check for a valid returnTo in payload
+        const safeReturnTo = getSafeURLRedirect(payload);
+        if (safeReturnTo) {
+            // ... and if it is, redirect to it 
+            window.location.replace(safeReturnTo);
+        }
+    }
+
+    const updateUser = async () => {
+        await getGitpodService().reconnect();
+        const user = await getGitpodService().server.getLoggedInUser();
+        setUser(user);
+        markLoggedIn();
+    }
+
     const openLogin = async (host: string) => {
         setErrorMessage(undefined);
 
@@ -57,7 +74,7 @@ export function Login() {
             await openAuthorizeWindow({
                 login: true,
                 host,
-                onSuccess: () => updateUser(),
+                onSuccess: authorizeSuccessful,
                 onError: (payload) => {
                     let errorMessage: string;
                     if (typeof payload === "string") {
@@ -76,20 +93,13 @@ export function Login() {
         }
     }
 
-    const updateUser = async () => {
-        await getGitpodService().reconnect();
-        const user = await getGitpodService().server.getLoggedInUser();
-        setUser(user);
-        markLoggedIn();
-    }
-
     return (<div id="login-container" className="z-50 flex w-screen h-screen">
         {showWelcome ? <div id="feature-section" className="flex-grow bg-gray-100 dark:bg-gray-800 w-1/2 hidden lg:block">
             <div id="feature-section-column" className="flex max-w-xl h-full mx-auto pt-6">
                 <div className="flex flex-col px-8 my-auto ml-auto">
                     <div className="mb-12">
-                        <img src={gitpod} className="h-8 block dark:hidden"/>
-                        <img src={gitpodDark} className="h-8 hidden dark:block"/>
+                        <img src={gitpod} className="h-8 block dark:hidden" />
+                        <img src={gitpodDark} className="h-8 hidden dark:block" />
                     </div>
                     <div className="mb-10">
                         <h1 className="text-5xl mb-3">Welcome to Gitpod</h1>
diff --git a/components/dashboard/src/OauthClientApproval.tsx b/components/dashboard/src/OauthClientApproval.tsx
new file mode 100644
index 00000000000000..77dc62711adeaf
--- /dev/null
+++ b/components/dashboard/src/OauthClientApproval.tsx
@@ -0,0 +1,48 @@
+/**
+ * Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License-AGPL.txt in the project root for license information.
+ */
+
+import gitpodIcon from './icons/gitpod.svg';
+import { getSafeURLRedirect } from "./provider-utils";
+
+export default function OAuthClientApproval() {
+    const params = new URLSearchParams(window.location.search);
+    const clientName = params.get("clientName") || "";
+    let redirectToParam = params.get("redirectTo") || undefined;
+    if (redirectToParam) {
+        redirectToParam = decodeURIComponent(redirectToParam);
+    }
+    const redirectTo = getSafeURLRedirect(redirectToParam) || "/";
+    const updateClientApproval = async (isApproved: boolean) => {
+        if (redirectTo === "/") {
+            window.location.replace(redirectTo);
+        }
+        window.location.replace(`${redirectTo}&approved=${isApproved ? 'yes' : 'no'}`);
+    }
+
+    return (<div id="oauth-container" className="z-50 flex w-screen h-screen">
+        <div id="oauth-section" className="flex-grow flex w-full">
+            <div id="oauth-section-column" className="flex-grow max-w-2xl flex flex-col h-100 mx-auto">
+                <div className="flex-grow h-100 flex flex-row items-center justify-center" >
+                    <div className="rounded-xl px-10 py-10 mx-auto">
+                        <div className="mx-auto pb-8">
+                            <img src={gitpodIcon} className="h-16 mx-auto" />
+                        </div>
+                        <div className="mx-auto text-center pb-8 space-y-2">
+                            <h1 className="text-3xl">Authorize {clientName}</h1>
+                        <h4>You are about to authorize {clientName} to access your Gitpod account including data for all workspaces.</h4>
+                        </div>
+                        <div className="flex justify-center mt-6">
+                            <button className="secondary" onClick={() => updateClientApproval(false)}>Cancel</button>
+                            <button key={"button-yes"} className="ml-2" onClick={() => updateClientApproval(true)}>
+                                Authorize
+                            </button>
+                        </div>
+                    </div>
+                </div>
+            </div>
+        </div>
+    </div>);
+}
\ No newline at end of file
diff --git a/components/dashboard/src/provider-utils.tsx b/components/dashboard/src/provider-utils.tsx
index 80fda0bb859b4e..ff61c470a79f75 100644
--- a/components/dashboard/src/provider-utils.tsx
+++ b/components/dashboard/src/provider-utils.tsx
@@ -40,13 +40,19 @@ interface OpenAuthorizeWindowParams {
     host: string;
     scopes?: string[];
     overrideScopes?: boolean;
+    overrideReturn?: string;
     onSuccess?: (payload?: string) => void;
     onError?: (error: string | { error: string, description?: string }) => void;
 }
 
 async function openAuthorizeWindow(params: OpenAuthorizeWindowParams) {
     const { login, host, scopes, overrideScopes, onSuccess, onError } = params;
-    const returnTo = gitpodHostUrl.with({ pathname: 'complete-auth', search: 'message=success' }).toString();
+    let search = 'message=success';
+    const redirectURL = getSafeURLRedirect();
+    if (redirectURL) {
+        search = `${search}&returnTo=${encodeURIComponent(redirectURL)}`
+    }
+    const returnTo = gitpodHostUrl.with({ pathname: 'complete-auth', search: search }).toString();
     const requestedScopes = scopes || [];
     const url = login
         ? gitpodHostUrl.withApi({
@@ -94,5 +100,15 @@ async function openAuthorizeWindow(params: OpenAuthorizeWindowParams) {
     };
     window.addEventListener("message", eventListener);
 }
+const getSafeURLRedirect = (source?: string) => {
+    const returnToURL: string | null = new URLSearchParams(source ? source : window.location.search).get("returnTo");
+    if (returnToURL) {
+        // Only allow oauth on the same host
+        if (returnToURL.toLowerCase().startsWith(`${window.location.protocol}//${window.location.host}/api/oauth/`.toLowerCase())) {
+            return returnToURL;
+        }
+    }
+}
+
 
-export { iconForAuthProvider, simplifyProviderName, openAuthorizeWindow }
\ No newline at end of file
+export { iconForAuthProvider, simplifyProviderName, openAuthorizeWindow, getSafeURLRedirect }
\ No newline at end of file
diff --git a/components/gitpod-db/README.md b/components/gitpod-db/README.md
new file mode 100644
index 00000000000000..505c969c9a7e3a
--- /dev/null
+++ b/components/gitpod-db/README.md
@@ -0,0 +1,17 @@
+## Gitpod-db
+
+Contains all the database related functionality, implemented using [typeorm](https://typeorm.io/).
+
+### Adding a new table
+1. Create a [migration](./src/typeorm/migration/README.md) - use the [baseline](./src/typeorm/migration/1592203031938-Baseline.ts) as an exemplar
+1. Create a new entity that implements the requisite interface or extend an existing entity as required - see [db-user.ts](./src/typeorm/entity/db-user.ts) 
+1. If it is a new table, create the matching injectable ORM implementation and interface (if required) - see [user-db-impl.ts](./src/typeorm/user-db-impl.ts) and [user-db.ts](./src/user-db.ts). Otherwise extend the existing interface and implementation as required.
+1. Add the injectable implementation to the [DB container module](./src/container-module.ts), binding the interface and implementation as appropriate, otherwise it will not be instantiated correctly e.g. 
+```
+    bind(TypeORMUserDBImpl).toSelf().inSingletonScope();
+    bind(UserDB).toService(TypeORMUserDBImpl);
+```
+1. Add the new ORM as an injected component where required e.g. in [user-controller.ts](./src/user/user-controller.ts)
+```
+    @inject(UserDB) protected readonly userDb: UserDB;
+```
\ No newline at end of file
diff --git a/components/gitpod-db/package.json b/components/gitpod-db/package.json
index d69f14ba8b6143..558f9ccf733ae3 100644
--- a/components/gitpod-db/package.json
+++ b/components/gitpod-db/package.json
@@ -25,6 +25,7 @@
   ],
   "dependencies": {
     "@gitpod/gitpod-protocol": "0.1.5",
+    "@jmondi/oauth2-server": "^1.1.0",
     "mysql": "^2.15.0",
     "reflect-metadata": "^0.1.10",
     "typeorm": "0.1.20",
@@ -34,11 +35,11 @@
     "@types/chai": "^4.2.2",
     "@types/mysql": "^2.15.0",
     "@types/uuid": "^3.1.0",
-    "rimraf": "^2.6.1",
+    "chai": "^4.2.0",
     "mocha": "^4.1.0",
     "mocha-typescript": "^1.1.17",
-    "chai": "^4.2.0",
+    "rimraf": "^2.6.1",
     "ts-node": "<7.0.0",
     "typescript": "~4.1.2"
   }
-}
\ No newline at end of file
+}
diff --git a/components/gitpod-db/src/container-module.ts b/components/gitpod-db/src/container-module.ts
index 5722e36cd2c9e7..f5cb5de5c03ac2 100644
--- a/components/gitpod-db/src/container-module.ts
+++ b/components/gitpod-db/src/container-module.ts
@@ -35,6 +35,7 @@ import { TermsAcceptanceDBImpl } from './typeorm/terms-acceptance-db-impl';
 import { CodeSyncResourceDB } from './typeorm/code-sync-resource-db';
 import { WorkspaceClusterDBImpl } from './typeorm/workspace-cluster-db-impl';
 import { WorkspaceClusterDB } from './workspace-cluster-db';
+import { AuthCodeRepositoryDB } from './typeorm/auth-code-repository-db';
 
 // THE DB container module that contains all DB implementations
 export const dbContainerModule = new ContainerModule((bind, unbind, isBound, rebind) => {
@@ -89,4 +90,6 @@ export const dbContainerModule = new ContainerModule((bind, unbind, isBound, reb
     bind(CodeSyncResourceDB).toSelf().inSingletonScope();
 
     bind(WorkspaceClusterDB).to(WorkspaceClusterDBImpl).inSingletonScope();
+
+    bind(AuthCodeRepositoryDB).toSelf().inSingletonScope();
 });
diff --git a/components/gitpod-db/src/typeorm/auth-code-repository-db.ts b/components/gitpod-db/src/typeorm/auth-code-repository-db.ts
new file mode 100644
index 00000000000000..7d2336d0a3246b
--- /dev/null
+++ b/components/gitpod-db/src/typeorm/auth-code-repository-db.ts
@@ -0,0 +1,67 @@
+/**
+ * Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License-AGPL.txt in the project root for license information.
+ */
+
+import { DateInterval, OAuthAuthCode, OAuthAuthCodeRepository, OAuthClient, OAuthScope, OAuthUser } from "@jmondi/oauth2-server";
+import * as crypto from 'crypto';
+import { inject, injectable } from "inversify";
+import { EntityManager, Repository } from "typeorm";
+import { DBOAuthAuthCodeEntry } from './entity/db-oauth-auth-code';
+import { TypeORM } from './typeorm';
+
+const expiryInFuture = new DateInterval("5m");
+
+@injectable()
+export class AuthCodeRepositoryDB implements OAuthAuthCodeRepository {
+
+    @inject(TypeORM)
+    private readonly typeORM: TypeORM;
+
+    protected async getEntityManager(): Promise<EntityManager> {
+        return (await this.typeORM.getConnection()).manager;
+    }
+
+    async getOauthAuthCodeRepo(): Promise<Repository<DBOAuthAuthCodeEntry>> {
+        return (await this.getEntityManager()).getRepository<DBOAuthAuthCodeEntry>(DBOAuthAuthCodeEntry);
+    }
+
+    public async getByIdentifier(authCodeCode: string): Promise<OAuthAuthCode> {
+        const authCodeRepo = await this.getOauthAuthCodeRepo();
+        let authCodes = await authCodeRepo.find({ code: authCodeCode });
+        authCodes = authCodes.filter(te => (new Date(te.expiresAt)).getTime() > Date.now());
+        const authCode = authCodes.length > 0 ? authCodes[0] : undefined;
+        if (!authCode) {
+            throw new Error(`authentication code not found`);
+        }
+        return authCode;
+    }
+    public issueAuthCode(client: OAuthClient, user: OAuthUser | undefined, scopes: OAuthScope[]): OAuthAuthCode {
+        const code = crypto.randomBytes(30).toString('hex');
+        // NOTE: caller (@jmondi/oauth2-server) is responsible for adding the remaining items, PKCE params, redirect URL, etc
+        return {
+            code: code,
+            user,
+            client,
+            expiresAt: expiryInFuture.getEndDate(),
+            scopes: scopes,
+        };
+    }
+    public async persist(authCode: OAuthAuthCode): Promise<void> {
+        const authCodeRepo = await this.getOauthAuthCodeRepo();
+        authCodeRepo.save(authCode);
+    }
+    public async isRevoked(authCodeCode: string): Promise<boolean> {
+        const authCode = await this.getByIdentifier(authCodeCode);
+        return Date.now() > authCode.expiresAt.getTime();
+    }
+    public async revoke(authCodeCode: string): Promise<void> {
+        const authCode = await this.getByIdentifier(authCodeCode);
+        if (authCode) {
+            // Set date to earliest timestamp that MySQL allows
+            authCode.expiresAt = new Date(1000);
+            return this.persist(authCode);
+        }
+    }
+}
diff --git a/components/gitpod-db/src/typeorm/entity/db-oauth-auth-code.ts b/components/gitpod-db/src/typeorm/entity/db-oauth-auth-code.ts
new file mode 100644
index 00000000000000..2b91d35d1006a2
--- /dev/null
+++ b/components/gitpod-db/src/typeorm/entity/db-oauth-auth-code.ts
@@ -0,0 +1,64 @@
+/**
+ * Copyright (c) 2020 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License-AGPL.txt in the project root for license information.
+ */
+
+import { OAuthAuthCode, OAuthClient, OAuthScope } from "@jmondi/oauth2-server";
+import { Column, Entity, JoinColumn, ManyToOne, PrimaryGeneratedColumn } from "typeorm";
+import { Transformer } from "../transformer";
+import { DBUser } from "./db-user";
+
+@Entity({ name: 'd_b_oauth_auth_code_entry' })
+export class DBOAuthAuthCodeEntry implements OAuthAuthCode {
+    @PrimaryGeneratedColumn()
+    id: number;
+
+    @Column({
+        type: "varchar",
+        length: 1024,
+    })
+    code: string;
+
+    @Column({
+        type: "varchar",
+        length: 1024,
+        default: '',
+        transformer: Transformer.MAP_EMPTY_STR_TO_UNDEFINED
+    })
+    redirectURI?: string;
+
+    @Column({
+        type: "varchar",
+        length: 128,
+    })
+    codeChallenge: string
+
+    @Column({
+        type: "varchar",
+        length: 10,
+    })
+    codeChallengeMethod: string
+
+    @Column({
+        type: 'timestamp',
+        precision: 6
+    })
+    expiresAt: Date;
+
+    @ManyToOne(type => DBUser)
+    @JoinColumn()
+    user: DBUser
+
+    @Column({
+        type: 'simple-json',
+        nullable: false,
+    })
+    client: OAuthClient
+
+    @Column({
+        type: 'simple-json',
+        nullable: false,
+    })
+    scopes: OAuthScope[]
+}
\ No newline at end of file
diff --git a/components/gitpod-db/src/typeorm/migration/1620865190518-OAuthAuthCodeDB.ts b/components/gitpod-db/src/typeorm/migration/1620865190518-OAuthAuthCodeDB.ts
new file mode 100644
index 00000000000000..cc2d81f041ef58
--- /dev/null
+++ b/components/gitpod-db/src/typeorm/migration/1620865190518-OAuthAuthCodeDB.ts
@@ -0,0 +1,22 @@
+/**
+ * Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License-AGPL.txt in the project root for license information.
+ */
+
+import {MigrationInterface, QueryRunner} from "typeorm";
+import { tableExists } from "./helper/helper";
+
+export class OAuthAuthCodeDB1620865190518 implements MigrationInterface {
+
+    public async up(queryRunner: QueryRunner): Promise<any> {
+        await queryRunner.query("CREATE TABLE IF NOT EXISTS `d_b_oauth_auth_code_entry` (`id` int NOT NULL AUTO_INCREMENT, `code` varchar(1024) NOT NULL, `redirectURI` varchar(1024) NOT NULL DEFAULT '', `codeChallenge` varchar(128) NOT NULL, `codeChallengeMethod` varchar(10) NOT NULL, `expiresAt` timestamp(6) NOT NULL, `userId` char(36) NOT NULL, `client` text NOT NULL, `scopes` text NOT NULL, PRIMARY KEY(`id`)) ENGINE=InnoDB;");
+    }
+
+    public async down(queryRunner: QueryRunner): Promise<any> {
+        if (await tableExists(queryRunner, "d_b_oauth_auth_code_entry")) {
+            await queryRunner.query("DROP TABLE `d_b_oauth_auth_code_entry`");
+        }
+    }
+
+}
diff --git a/components/gitpod-db/src/typeorm/user-db-impl.ts b/components/gitpod-db/src/typeorm/user-db-impl.ts
index bb54822ef31759..68635260ec0670 100644
--- a/components/gitpod-db/src/typeorm/user-db-impl.ts
+++ b/components/gitpod-db/src/typeorm/user-db-impl.ts
@@ -4,19 +4,24 @@
  * See License-AGPL.txt in the project root for license information.
  */
 
+import * as crypto from 'crypto';
+import { GitpodToken, GitpodTokenType, Identity, IdentityLookup, Token, TokenEntry, User, UserEnvVar } from "@gitpod/gitpod-protocol";
+import { EncryptionService } from "@gitpod/gitpod-protocol/lib/encryption/encryption-service";
+import { DateInterval, ExtraAccessTokenFields, GrantIdentifier, OAuthClient, OAuthScope, OAuthToken, OAuthUser } from "@jmondi/oauth2-server";
 import { inject, injectable, postConstruct } from "inversify";
-import { Identity, User, IdentityLookup, Token, TokenEntry, UserEnvVar, GitpodTokenType, GitpodToken } from "@gitpod/gitpod-protocol";
 import { EntityManager, Repository } from "typeorm";
 import * as uuidv4 from 'uuid/v4';
-import { MaybeUser, UserDB, PartialUserUpdate, BUILTIN_WORKSPACE_PROBE_USER_NAME } from "../user-db";
-import { DBUser } from './entity/db-user';
-import { TypeORM } from './typeorm';
+import { BUILTIN_WORKSPACE_PROBE_USER_NAME, MaybeUser, PartialUserUpdate, UserDB } from "../user-db";
+import { DBGitpodToken } from "./entity/db-gitpod-token";
 import { DBIdentity } from "./entity/db-identity";
-import { EncryptionService } from "@gitpod/gitpod-protocol/lib/encryption/encryption-service";
 import { DBTokenEntry } from "./entity/db-token-entry";
+import { DBUser } from './entity/db-user';
 import { DBUserEnvVar } from "./entity/db-user-env-vars";
-import { DBGitpodToken } from "./entity/db-gitpod-token";
 import { DBWorkspace } from "./entity/db-workspace";
+import { TypeORM } from './typeorm';
+
+// OAuth token expiry
+const tokenExpiryInFuture = new DateInterval("7d");
 
 /** HACK ahead: Some entities - namely DBTokenEntry for now - need access to an EncryptionService so we publish it here */
 export let encryptionService: EncryptionService;
@@ -149,7 +154,7 @@ export class TypeORMUserDBImpl implements UserDB {
         return result.sort(order);
     }
 
-    public async findUserByGitpodToken(tokenHash: string, tokenType?: GitpodTokenType): Promise<{user: User, token: GitpodToken} | undefined> {
+    public async findUserByGitpodToken(tokenHash: string, tokenType?: GitpodTokenType): Promise<{ user: User, token: GitpodToken } | undefined> {
         const repo = await this.getGitpodTokenRepo();
         const qBuilder = repo.createQueryBuilder('gitpodToken')
             .leftJoinAndSelect("gitpodToken.user", "user");
@@ -164,7 +169,7 @@ export class TypeORMUserDBImpl implements UserDB {
             return;
         }
 
-        return {user: token.user, token};
+        return { user: token.user, token };
     }
 
     public async findAllGitpodTokensOfUser(userId: string): Promise<GitpodToken[]> {
@@ -350,6 +355,83 @@ export class TypeORMUserDBImpl implements UserDB {
     public async findUserByName(name: string): Promise<User | undefined> {
         return (await this.getUserRepo()).findOne({ name });
     }
+
+    // OAuthAuthCodeRepository
+    // OAuthUserRepository
+    public async getUserByCredentials(identifier: string, password?: string, grantType?: GrantIdentifier, client?: OAuthClient): Promise<OAuthUser | undefined> {
+        const user = await this.findUserById(identifier);
+        if (user) {
+            return {
+                id: user.id,
+                name: user.name,
+            };
+        }
+        return;
+    }
+    public async extraAccessTokenFields?(user: OAuthUser): Promise<ExtraAccessTokenFields | undefined> {
+        // No extra fields in token
+        return;
+    }
+
+    // OAuthTokenRepository
+    async issueToken(client: OAuthClient, scopes: OAuthScope[], user?: OAuthUser): Promise<OAuthToken> {
+        const expiry = tokenExpiryInFuture.getEndDate();
+        return <OAuthToken>{
+            accessToken: crypto.randomBytes(30).toString('hex'),
+            accessTokenExpiresAt: expiry,
+            client,
+            user,
+            scopes: scopes,
+        };
+    }
+    async issueRefreshToken(accessToken: OAuthToken): Promise<OAuthToken> {
+        // NOTE(rl): this exists for the OAuth server code - Gitpod tokens are non-refreshable (atm)
+        accessToken.refreshToken = "refreshtokentoken";
+        accessToken.refreshTokenExpiresAt = new DateInterval("30d").getEndDate();
+        await this.persist(accessToken);
+        return accessToken;
+    }
+    async persist(accessToken: OAuthToken): Promise<void> {
+        const scopes = accessToken.scopes.map((s) => s.name);
+
+        // Does the token already exist?
+        var dbToken: GitpodToken & { user: DBUser };
+        const tokenHash = crypto.createHash('sha256').update(accessToken.accessToken, 'utf8').digest("hex");
+        const userAndToken = await this.findUserByGitpodToken(tokenHash);
+        if (userAndToken) {
+            // Yes, update it (~)
+            // NOTE(rl): as we don't support refresh tokens yet this is not really required 
+            // since the OAuth server lib calls issueRefreshToken immediately after issueToken
+            // We do not allow changes of name, type, user or scope.
+            dbToken = userAndToken.token as GitpodToken & { user: DBUser };
+            const repo = await this.getGitpodTokenRepo();
+            return repo.updateById(tokenHash, dbToken);
+        } else {
+            var user: MaybeUser;
+            if (accessToken.user) {
+                user = await this.findUserById(accessToken.user.id)
+            }
+            dbToken = {
+                tokenHash,
+                name: accessToken.client.id,
+                type: GitpodTokenType.MACHINE_AUTH_TOKEN,
+                user: user as DBUser,
+                scopes: scopes,
+                created: new Date().toISOString(),
+            };
+            return this.storeGitpodToken(dbToken);
+        }
+    }
+    async revoke(accessTokenToken: OAuthToken): Promise<void> {
+        const tokenHash = crypto.createHash('sha256').update(accessTokenToken.accessToken, 'utf8').digest("hex");
+        this.deleteGitpodToken(tokenHash)
+    }
+    async isRefreshTokenRevoked(refreshToken: OAuthToken): Promise<boolean> {
+        return Date.now() > (refreshToken.refreshTokenExpiresAt?.getTime() ?? 0);
+    }
+    async getByRefreshToken(refreshTokenToken: string): Promise<OAuthToken> {
+        throw new Error("Not implemented");
+    }
 }
 
 export class TransactionalUserDBImpl extends TypeORMUserDBImpl {
diff --git a/components/gitpod-db/src/user-db.ts b/components/gitpod-db/src/user-db.ts
index fc50469e6bede6..04e54b7963a522 100644
--- a/components/gitpod-db/src/user-db.ts
+++ b/components/gitpod-db/src/user-db.ts
@@ -4,15 +4,16 @@
  * See License-AGPL.txt in the project root for license information.
  */
 
-import { User, Identity, IdentityLookup, Token, TokenEntry, UserEnvVar, GitpodTokenType, GitpodToken } from "@gitpod/gitpod-protocol"
+import { GitpodToken, GitpodTokenType, Identity, IdentityLookup, Token, TokenEntry, User, UserEnvVar } from "@gitpod/gitpod-protocol";
 import { Without } from "@gitpod/gitpod-protocol/lib/util/without";
+import { OAuthTokenRepository, OAuthUserRepository } from "@jmondi/oauth2-server";
 import { Repository } from "typeorm";
 import { DBUser } from "./typeorm/entity/db-user";
 
 export type MaybeUser = User | undefined;
 
 export const UserDB = Symbol('UserDB');
-export interface UserDB {
+export interface UserDB extends OAuthUserRepository, OAuthTokenRepository {
     transaction<T>(code: (db: UserDB) => Promise<T>): Promise<T>;
 
     newUser(): Promise<User>;
@@ -107,10 +108,10 @@ export interface UserDB {
     deleteEnvVar(envVar: UserEnvVar): Promise<void>;
     getEnvVars(userId: string): Promise<UserEnvVar[]>;
 
-    findAllUsers(offset: number, limit: number, orderBy: keyof User, orderDir: "ASC" | "DESC", searchTerm?: string, minCreationDate?: Date, maxCreationDate?: Date, excludeBuiltinUsers?: boolean): Promise<{total: number, rows: User[]}>;
+    findAllUsers(offset: number, limit: number, orderBy: keyof User, orderDir: "ASC" | "DESC", searchTerm?: string, minCreationDate?: Date, maxCreationDate?: Date, excludeBuiltinUsers?: boolean): Promise<{ total: number, rows: User[] }>;
     findUserByName(name: string): Promise<User | undefined>;
 
-    findUserByGitpodToken(tokenHash: string, tokenType?: GitpodTokenType): Promise<{user: User, token: GitpodToken} | undefined>;
+    findUserByGitpodToken(tokenHash: string, tokenType?: GitpodTokenType): Promise<{ user: User, token: GitpodToken } | undefined>;
     findAllGitpodTokensOfUser(userId: string): Promise<GitpodToken[]>;
     storeGitpodToken(token: GitpodToken & { user: DBUser }): Promise<void>;
     deleteGitpodToken(tokenHash: string): Promise<void>;
diff --git a/components/gitpod-protocol/src/protocol.ts b/components/gitpod-protocol/src/protocol.ts
index f5e73b40ebe956..341afaeb02b19f 100644
--- a/components/gitpod-protocol/src/protocol.ts
+++ b/components/gitpod-protocol/src/protocol.ts
@@ -100,6 +100,9 @@ export interface AdditionalUserData {
     ideSettings?: IDESettings;
     // key is the name of the news, string the iso date when it was seen
     whatsNewSeen?: { [key: string]: string }
+    // key is the name of the OAuth client i.e. local app, string the iso date when it was approved
+    // TODO(rl): provide a management UX to allow rescinding of approval
+    oauthClientsApproved?: { [key: string]: string }
 }
 
 export interface EmailNotificationSettings {
diff --git a/components/local-app/README.md b/components/local-app/README.md
index 5ad942f40be8d4..abe44cedf2ef22 100644
--- a/components/local-app/README.md
+++ b/components/local-app/README.md
@@ -17,3 +17,18 @@ docker run --rm -it -v /tmp/dest:/out eu.gcr.io/gitpod-core-dev/build/local-app:
 cd components/local-app
 BROWSER= GITPOD_HOST=<URL-of-your-preview-env> go run main.go --mock-keyring run
 ```
+
+## To test the OAuth server
+NOTE: needs to done locally as we cannot open a browser URL within a Gitpod workspace terminal atm
+```
+cd ~/
+mkdir -p ~/tmp
+docker pull eu.gcr.io/gitpod-core-dev/dev/local-app:rl-oauth
+docker run --rm -it -v ~/tmp:/out eu.gcr.io/gitpod-core-dev/dev/local-app:rl-oauth
+# assuming you are running on OSX... (use local-app-windows.exe or local-app-linux as required)
+GITPOD_HOST=<URL-of-your-preview-env> ./tmp/local-app-darwin test
+```
+If successful it will output an OAuth token containing a Gitpod token e.g.:
+```
+{"access_token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjaWQiOiJHaXRwb2QgbG9jYWwgY29udHJvbCBjbGllbnQiLCJzY29wZSI6ImZ1bmN0aW9uOmdldFdvcmtzcGFjZSIsInN1YiI6IjNjMTcwZjg3LWI2MTUtNDUwNS04MDFiLTUxZjczMjc5MzI5MSIsImV4cCI6MTYyMTMzNTc0NywibmJmIjoxNjIxMjQ5MzQ3LCJpYXQiOjE2MjEyNDkzNDcsImp0aSI6IjdmYzJjZTdjOWUwNjA0MGE0ZTBmOWI1OTI0NTFiYzhhYzMyMWRhZWEzMmMzZmZiZTZmMWI4OTFmNDBmMSJ9.gLVuo2pqQNQM7JKlfl-L9FaxbyGjNzTy5RHulOrGMZQ", "expires_in":86400, "refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjbGllbnRfaWQiOiJncGxjdGwtMS4wIiwiYWNjZXNzX3Rva2VuX2lkIjoiN2ZjMmNlN2M5ZTA2MDQwYTRlMGY5YjU5MjQ1MWJjOGFjMzIxZGFlYTMyYzNmZmJlNmYxYjg5MWY0MGYxIiwicmVmcmVzaF90b2tlbl9pZCI6InJlZnJlc2h0b2tlbnRva2VuIiwic2NvcGUiOiJmdW5jdGlvbjpnZXRXb3Jrc3BhY2UiLCJ1c2VyX2lkIjoiM2MxNzBmODctYjYxNS00NTA1LTgwMWItNTFmNzMyNzkzMjkxIiwiZXhwaXJlX3RpbWUiOjE2MjM4NDEzNDcsImlhdCI6MTYyMTI0OTM0Nn0.ioLDJhzSwO-QmepMur_yl-WFqMCkFD_pY9pczLFqA1M", "scope":"function:getWorkspace", "token_type":"Bearer"}
+```
\ No newline at end of file
diff --git a/components/local-app/go.mod b/components/local-app/go.mod
index ca433343df750a..3200ab15da53bc 100644
--- a/components/local-app/go.mod
+++ b/components/local-app/go.mod
@@ -3,6 +3,7 @@ module github.com/gitpod-io/local-app
 go 1.16
 
 require (
+	github.com/dgrijalva/jwt-go v3.2.0+incompatible // indirect
 	github.com/gitpod-io/gitpod/gitpod-protocol v0.0.0-00010101000000-000000000000
 	github.com/gitpod-io/gitpod/supervisor/api v0.0.0-00010101000000-000000000000
 	github.com/google/uuid v1.1.2
@@ -10,9 +11,10 @@ require (
 	github.com/gorilla/websocket v1.4.2 // indirect
 	github.com/kevinburke/ssh_config v1.1.0
 	github.com/sirupsen/logrus v1.7.0
+	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
 	github.com/urfave/cli/v2 v2.3.0
 	github.com/zalando/go-keyring v0.1.1
-	golang.org/x/crypto v0.0.0-20210506145944-38f3c27a63bf
+	golang.org/x/oauth2 v0.0.0-20210201163806-010130855d6c // indirect
 	golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57 // indirect
 	google.golang.org/grpc v1.37.0
 	google.golang.org/protobuf v1.26.0 // indirect
diff --git a/components/local-app/go.sum b/components/local-app/go.sum
index 9297981a35fa82..990430d020141d 100644
--- a/components/local-app/go.sum
+++ b/components/local-app/go.sum
@@ -51,6 +51,8 @@ github.com/danieljoos/wincred v1.1.0/go.mod h1:XYlo+eRTsVA9aHGp7NGjFkPla4m+DCL7h
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
+github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
@@ -161,6 +163,8 @@ github.com/shurcooL/sanitized_anchor_name v1.0.0 h1:PdmoCO6wvbs+7yrJyMORt4/BmY5I
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
 github.com/sirupsen/logrus v1.7.0 h1:ShrD1U9pZB12TX0cVy0DtePoCH97K8EtX+mg7ZARUtM=
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 h1:JIAuq3EEf9cgbU6AtGPK4CTG3Zf6CKMNqf0MHTggAUA=
+github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966/go.mod h1:sUM3LWHvSMaG192sy56D9F7CNvL7jUJVXoqM1QKLnog=
 github.com/sourcegraph/jsonrpc2 v0.0.0-20200429184054-15c2290dcb37 h1:marA1XQDC7N870zmSFIoHZpIUduK80USeY0Rkuflgp4=
 github.com/sourcegraph/jsonrpc2 v0.0.0-20200429184054-15c2290dcb37/go.mod h1:ZafdZgk/axhT1cvZAPOhw+95nz2I/Ra5qMlU4gTRwIo=
 github.com/stretchr/objx v0.1.0 h1:4G4v2dO3VZwixGIRoQ5Lfboy6nUhCyYzaqnIAPPhYs4=
@@ -255,6 +259,7 @@ golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4Iltr
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.0.0-20210201163806-010130855d6c h1:HiAZXo96zOhVhtFHchj/ojzoxCFiPrp9/j0GtS38V3g=
 golang.org/x/oauth2 v0.0.0-20210201163806-010130855d6c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -372,6 +377,7 @@ google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7
 google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
 google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
+google.golang.org/appengine v1.6.6 h1:lMO5rYAqUxkmaj76jAkRUvt5JZgFymx/+Q5Mzfivuhc=
 google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
diff --git a/components/local-app/main.go b/components/local-app/main.go
index 76c7b08beeb6ef..348dcc1b3c1e68 100644
--- a/components/local-app/main.go
+++ b/components/local-app/main.go
@@ -75,6 +75,13 @@ func main() {
 					},
 				},
 			},
+			{
+				Name: "test",
+				Action: func(c *cli.Context) error {
+					testOAuth(c.String("gitpod-host"))
+					return nil
+				},
+			},
 		},
 	}
 	err := app.Run(os.Args)
diff --git a/components/local-app/oauth.go b/components/local-app/oauth.go
new file mode 100644
index 00000000000000..92a9d26b31aa04
--- /dev/null
+++ b/components/local-app/oauth.go
@@ -0,0 +1,208 @@
+// Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License-AGPL.txt in the project root for license information.
+
+package main
+
+import (
+	"context"
+	"crypto/sha256"
+	"encoding/base64"
+	"fmt"
+	"io"
+	"log"
+	"math/rand"
+	"net"
+	"net/http"
+	"net/url"
+	"os"
+	"time"
+
+	"github.com/dgrijalva/jwt-go"
+	"github.com/skratchdot/open-golang/open"
+	"golang.org/x/oauth2"
+)
+
+// == PKCE
+func PkceInit() {
+	rand.Seed(time.Now().UnixNano())
+}
+
+//string of pkce allowed chars
+func PkceVerifier(length int) string {
+	if length > 128 {
+		length = 128
+	}
+	if length < 43 {
+		length = 43
+	}
+	const charset = "abcdefghijklmnopqrstuvwxyz" +
+		"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~"
+	b := make([]byte, length)
+	for i := range b {
+		b[i] = charset[rand.Intn(len(charset))]
+	}
+	return string(b)
+}
+
+// base64-URL-encoded SHA256 hash of verifier, per rfc 7636
+func PkceChallenge(verifier string) string {
+	sum := sha256.Sum256([]byte(verifier))
+	challenge := base64.URLEncoding.WithPadding(base64.NoPadding).EncodeToString(sum[:])
+	return (challenge)
+}
+
+func testOAuth(gitpodHost string) error {
+	ctx := context.Background()
+	PkceInit()
+
+	rl, err := net.Listen("tcp", "localhost:64110")
+	if err != nil {
+		fmt.Printf("snap: can't listen: %s\n", err)
+		os.Exit(1)
+	}
+	defer rl.Close()
+
+	var (
+		errChan   = make(chan error, 1)
+		queryChan = make(chan url.Values, 1)
+	)
+
+	returnHandler := func(rw http.ResponseWriter, req *http.Request) {
+		log.Printf("RETURN:%s\n", req.URL.Query())
+		queryChan <- req.URL.Query()
+		io.WriteString(rw, `
+<html>
+	<head>
+    	<meta charset="utf-8">
+    	<title>Done</title>
+		<script>
+			if (window.opener) {
+				const message = new URLSearchParams(window.location.search).get("message");
+				window.opener.postMessage(message, "https://${window.location.hostname}");
+			} else {
+				console.log("This page was not opened by Gitpod.")
+				setTimeout("window.close();", 1000);
+			}
+		</script>
+	</head>
+	<body>
+		If this tab is not closed automatically, feel free to close it and proceed. <button type="button" onclick="window.open('', '_self', ''); window.close();">Close</button>
+	</body>
+</html>`)
+	}
+
+	returnServer := &http.Server{
+		Addr:    "localhost:0",
+		Handler: http.HandlerFunc(returnHandler),
+	}
+	go func() {
+		err := returnServer.Serve(rl)
+		if err != nil {
+			errChan <- err
+		}
+	}()
+	defer returnServer.Shutdown(ctx)
+
+	baseURL := gitpodHost
+	if baseURL == "" {
+		baseURL = "https://gitpod.io"
+	}
+	reqURL, err := url.Parse(baseURL)
+	if err != nil {
+		return err
+	}
+	authURL := *reqURL
+	authURL.Path = "/api/oauth/authorize"
+	tokenURL := *reqURL
+	tokenURL.Path = "/api/oauth/token"
+	conf := &oauth2.Config{
+		ClientID:     "gplctl-1.0",
+		ClientSecret: "gplctl-1.0-secret", // Required (even though it is marked as optional?!)
+		Scopes: []string{
+			"function:getWorkspace",
+			"function:listenForWorkspaceInstanceUpdates",
+			"resource:workspace::*::get",
+			"resource:workspaceInstance::*::get",
+		},
+		Endpoint: oauth2.Endpoint{
+			AuthURL:  authURL.String(),
+			TokenURL: tokenURL.String(),
+		},
+	}
+	responseTypeParam := oauth2.SetAuthURLParam("response_type", "code")
+	redirectURIParam := oauth2.SetAuthURLParam("redirect_uri", fmt.Sprintf("http://localhost:%d", rl.Addr().(*net.TCPAddr).Port))
+	codeChallengeMethodParam := oauth2.SetAuthURLParam("code_challenge_method", "S256")
+	codeVerifier := PkceVerifier(84)
+	codeChallengeParam := oauth2.SetAuthURLParam("code_challenge", PkceChallenge(codeVerifier))
+
+	// Redirect user to consent page to ask for permission
+	// for the scopes specified above.
+	authorizationURL := conf.AuthCodeURL("state", responseTypeParam, redirectURIParam, codeChallengeParam, codeChallengeMethodParam)
+	fmt.Printf("URL for the auth: %v\n", authorizationURL)
+
+	// open a browser window to the authorizationURL
+	err = open.Start(authorizationURL)
+	if err != nil {
+		fmt.Printf("snap: can't open browser to URL %s: %s\n", authorizationURL, err)
+		os.Exit(1)
+	}
+
+	var query url.Values
+	var code, approved string
+	select {
+	case <-ctx.Done():
+		fmt.Printf("DONE: %v\n", ctx.Err())
+		os.Exit(1)
+	case err = <-errChan:
+		fmt.Printf("ERR: %v\n", err)
+		os.Exit(1)
+	case query = <-queryChan:
+		code = query.Get("code")
+		approved = query.Get("approved")
+	}
+	fmt.Printf("code: %s, approved:%s\n", code, approved)
+
+	if approved == "no" {
+		log.Println("Client approval was not granted... exiting")
+		os.Exit(1)
+	}
+
+	// Use the authorization code that is pushed to the redirect
+	// URL. Exchange will do the handshake to retrieve the
+	// initial access token.
+	// We need to add the required PKCE param as well...
+	// NOTE: we do not currently support refreshing so using the client from conf.Client will fail when token expires (which technically it doesn't)
+	codeVerifierParam := oauth2.SetAuthURLParam("code_verifier", codeVerifier)
+	tok, err := conf.Exchange(ctx, code, codeVerifierParam, redirectURIParam)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	log.Printf("TOK: %#v\n", tok)
+
+	// Extract Gitpod token from OAuth token (JWT)
+	claims := jwt.MapClaims{}
+	parser := new(jwt.Parser)
+	gitpodToken, _, err := parser.ParseUnverified(tok.AccessToken, &claims)
+	if err != nil {
+		log.Fatal(err)
+	}
+	// gitpodToken, err := jwt.ParseWithClaims(tok.AccessToken, &claims, func(token *jwt.Token) (interface{}, error) {
+	// 	return []byte("secret secret secret"), nil
+	// })
+	// if err != nil {
+	// 	log.Fatal(err)
+	// }
+	// if !gitpodToken.Valid {
+	// 	log.Println("OAuth2 token invalid... exiting")
+	// 	os.Exit(1)
+	// }
+
+	log.Printf("Gitpod: %#v\n%#v\n", claims, gitpodToken)
+
+	// client := conf.Client(ctx, tok)
+	// client.Get("...")
+	os.Exit(0)
+	return nil
+}
diff --git a/components/server/package.json b/components/server/package.json
index b77e6ac260cc0d..b68c86e490f8ec 100644
--- a/components/server/package.json
+++ b/components/server/package.json
@@ -36,6 +36,7 @@
     "@gitpod/licensor": "0.1.5",
     "@gitpod/ws-manager": "0.1.5",
     "@google-cloud/storage": "^5.6.0",
+    "@jmondi/oauth2-server": "^1.1.0",
     "@octokit/rest": "16.35.0",
     "@probot/get-private-key": "^1.1.0",
     "amqplib": "^0.5.2",
diff --git a/components/server/src/container-module.ts b/components/server/src/container-module.ts
index 327d3a67f69218..d63d3b881e9126 100644
--- a/components/server/src/container-module.ts
+++ b/components/server/src/container-module.ts
@@ -74,6 +74,7 @@ import { IDEPluginServiceClient } from '@gitpod/content-service/lib/ideplugin_gr
 import { GitTokenScopeGuesser } from './workspace/git-token-scope-guesser';
 import { GitTokenValidator } from './workspace/git-token-validator';
 import { newAnalyticsWriterFromEnv, IAnalyticsWriter } from '@gitpod/gitpod-protocol/lib/util/analytics';
+import { OAuthController } from './oauth-server/oauth-controller';
 
 export const productionContainerModule = new ContainerModule((bind, unbind, isBound, rebind) => {
     bind(Env).toSelf().inSingletonScope();
@@ -188,4 +189,6 @@ export const productionContainerModule = new ContainerModule((bind, unbind, isBo
     bind(CodeSyncService).toSelf().inSingletonScope();
 
     bind(IAnalyticsWriter).toDynamicValue(newAnalyticsWriterFromEnv).inSingletonScope();
+    
+    bind(OAuthController).toSelf().inSingletonScope();
 });
diff --git a/components/server/src/env.ts b/components/server/src/env.ts
index 24dfb8660eb8b4..959d4a569484fb 100644
--- a/components/server/src/env.ts
+++ b/components/server/src/env.ts
@@ -86,6 +86,7 @@ export class Env extends AbstractComponentEnv {
     readonly devBranch = process.env.DEV_BRANCH || '';
 
     readonly enableLocalApp = process.env.ENABLE_LOCAL_APP === "true";
+    readonly enableOAuthServer = process.env.ENABLE_OAUTH_SERVER === "true";
 
     readonly authProviderConfigs = this.parseAuthProviderParamss();
 
@@ -201,4 +202,5 @@ export class Env extends AbstractComponentEnv {
 
     readonly runDbDeleter: boolean = getEnvVar('RUN_DB_DELETER', 'false') === 'true';
 
+    readonly oauthServerJWTSecret = getEnvVar("OAUTH_SERVER_JWT_SECRET")
 }
diff --git a/components/server/src/oauth-server/db.ts b/components/server/src/oauth-server/db.ts
new file mode 100644
index 00000000000000..e81839c3d74ec6
--- /dev/null
+++ b/components/server/src/oauth-server/db.ts
@@ -0,0 +1,49 @@
+/**
+ * Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License-AGPL.txt in the project root for license information.
+ */
+
+import { OAuthClient, OAuthScope, OAuthToken } from "@jmondi/oauth2-server";
+import { ScopedResourceGuard } from "../auth/resource-access";
+
+/**
+* Currently (2021-05-15) we only support 1 client and a fixed set of scopes so hard-coding here is acceptable.
+* This will change in time, in which case we can move to using the DB.
+*/
+export interface InMemory {
+  clients: { [id: string]: OAuthClient };
+  tokens: { [id: string]: OAuthToken };
+  scopes: { [id: string]: OAuthScope };
+}
+
+// Scopes
+const getWorkspacesScope: OAuthScope = { name: "function:getWorkspaces" };
+const listenForWorkspaceInstanceUpdatesScope: OAuthScope = { name: "function:listenForWorkspaceInstanceUpdates" };
+const getWorkspaceResourceScope: OAuthScope = { name: "resource:" + ScopedResourceGuard.marshalResourceScope({ kind: "workspace", subjectID: "*", operations: ["get"] }) };
+const getWorkspaceInstanceResourceScope: OAuthScope = { name: "resource:" + ScopedResourceGuard.marshalResourceScope({ kind: "workspaceInstance", subjectID: "*", operations: ["get"] }) };
+
+// Clients
+const localAppClientID = 'gplctl-1.0';
+const localClient: OAuthClient = {
+  id: localAppClientID,
+  secret: `${localAppClientID}-secret`,
+  name: 'Gitpod local control client',
+  // TODO(rl) - allow port range/external specification
+  redirectUris: ['http://localhost:64110'],
+  allowedGrants: ['authorization_code'],
+  scopes: [getWorkspacesScope, listenForWorkspaceInstanceUpdatesScope, getWorkspaceResourceScope, getWorkspaceInstanceResourceScope],
+}
+
+export const inMemoryDatabase: InMemory = {
+  clients: {
+    [localClient.id]: localClient,
+  },
+  tokens: {},
+  scopes: {
+    [getWorkspacesScope.name]: getWorkspacesScope,
+    [listenForWorkspaceInstanceUpdatesScope.name]: listenForWorkspaceInstanceUpdatesScope,
+    [getWorkspaceResourceScope.name]: getWorkspaceResourceScope,
+    [getWorkspaceInstanceResourceScope.name]: getWorkspaceInstanceResourceScope,
+  },
+};
diff --git a/components/server/src/oauth-server/oauth-authorization-server.ts b/components/server/src/oauth-server/oauth-authorization-server.ts
new file mode 100644
index 00000000000000..61ea6f117a18c5
--- /dev/null
+++ b/components/server/src/oauth-server/oauth-authorization-server.ts
@@ -0,0 +1,32 @@
+/**
+ * Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License-AGPL.txt in the project root for license information.
+ */
+
+import { AuthorizationServer, DateInterval, JwtService, OAuthAuthCodeRepository, OAuthTokenRepository, OAuthUserRepository } from "@jmondi/oauth2-server";
+import {
+  inMemoryClientRepository,
+  inMemoryScopeRepository
+} from "./repository";
+
+export const clientRepository = inMemoryClientRepository;
+const scopeRepository = inMemoryScopeRepository;
+
+export function createAuthorizationServer(authCodeRepository: OAuthAuthCodeRepository, userRepository: OAuthUserRepository, tokenRepository: OAuthTokenRepository, jwtSecret: string): AuthorizationServer {
+  const authorizationServer = new AuthorizationServer(
+    authCodeRepository,
+    clientRepository,
+    tokenRepository,
+    scopeRepository,
+    userRepository,
+    new JwtService(jwtSecret),
+    {
+      // Be explicit, communicate intent. Default is true but let's not assume that
+      requiresPKCE: true, 
+    }
+  );
+
+  authorizationServer.enableGrantType("authorization_code", new DateInterval('5m'));
+  return authorizationServer;
+}
diff --git a/components/server/src/oauth-server/oauth-controller.ts b/components/server/src/oauth-server/oauth-controller.ts
new file mode 100644
index 00000000000000..b54d003e6a9280
--- /dev/null
+++ b/components/server/src/oauth-server/oauth-controller.ts
@@ -0,0 +1,175 @@
+/**
+ * Copyright (c) 2020 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License-AGPL.txt in the project root for license information.
+ */
+
+import { AuthCodeRepositoryDB } from '@gitpod/gitpod-db/lib/typeorm/auth-code-repository-db';
+import { UserDB } from '@gitpod/gitpod-db/lib/user-db';
+import { User } from "@gitpod/gitpod-protocol";
+import { log } from '@gitpod/gitpod-protocol/lib/util/logging';
+import { OAuthException, OAuthRequest, OAuthResponse } from "@jmondi/oauth2-server";
+import * as express from 'express';
+import { inject, injectable } from "inversify";
+import { Env } from "../env";
+import { clientRepository, createAuthorizationServer } from './oauth-authorization-server';
+
+@injectable()
+export class OAuthController {
+    @inject(Env) protected readonly env: Env;
+    @inject(UserDB) protected readonly userDb: UserDB;
+    @inject(AuthCodeRepositoryDB) protected readonly authCodeRepositoryDb: AuthCodeRepositoryDB;
+
+    private getValidUser(req: express.Request, res: express.Response): User | null {
+        if (!req.isAuthenticated() || !User.is(req.user)) {
+            const redirectTarget = encodeURIComponent(`${this.env.hostUrl}api${req.originalUrl}`);
+            const redirectTo = `${this.env.hostUrl}login?returnTo=${redirectTarget}`;
+            res.redirect(redirectTo)
+            return null;
+        }
+        const user = req.user as User;
+        if (!user) {
+            res.sendStatus(500);
+            return null;
+        }
+        if (user.blocked) {
+            res.sendStatus(403);
+            return null;
+        }
+        return user;
+    }
+
+    private async hasApproval(user: User, clientID: string, req: express.Request, res: express.Response): Promise<boolean> {
+        // Have they just authorized, or not, the local-app?
+        const wasApproved = req.query['approved'] || '';
+        if (wasApproved === 'no') {
+            const additionalData = user?.additionalData;
+            if (additionalData && additionalData.oauthClientsApproved) {
+                delete additionalData.oauthClientsApproved[clientID];
+                await this.userDb.updateUserPartial(user);
+            }
+
+            // Let the local app know they rejected the approval
+            const rt = req.query.redirect_uri;
+            if (!rt || !rt.startsWith("http://localhost:")) {
+                log.error(`/oauth/authorize: invalid returnTo URL: "${rt}"`)
+                res.sendStatus(400);
+                return false;
+            }
+            res.redirect(`${rt}/?approved=no`);
+            return false;
+        } else if (wasApproved == 'yes') {
+            const additionalData = user.additionalData = user.additionalData || {};
+            additionalData.oauthClientsApproved = {
+                ...additionalData.oauthClientsApproved,
+                [clientID]: new Date().toISOString()
+            }
+            await this.userDb.updateUserPartial(user);
+        } else {
+            const oauthClientsApproved = user?.additionalData?.oauthClientsApproved;
+            if (!oauthClientsApproved || !oauthClientsApproved[clientID]) {
+                const client = await clientRepository.getByIdentifier(clientID)
+                if (client) {
+                    const redirectTarget = encodeURIComponent(`${this.env.hostUrl}api${req.originalUrl}`);
+                    const redirectTo = `${this.env.hostUrl}oauth-approval?clientID=${client.id}&clientName=${client.name}&returnTo=${redirectTarget}`;
+                    res.redirect(redirectTo)
+                    return false;
+                } else {
+                    log.error(`/oauth/authorize unknown client id: "${clientID}"`)
+                    res.sendStatus(400);
+                    return false;
+                }
+            }
+        }
+        return true;
+    }
+
+    get oauthRouter(): express.Router {
+        const router = express.Router();
+        if (!this.env.enableOAuthServer) {
+            log.warn('OAuth server disabled!')
+            return router;
+        }
+
+        const authorizationServer = createAuthorizationServer(this.authCodeRepositoryDb, this.userDb, this.userDb, this.env.oauthServerJWTSecret);
+        router.get("/oauth/authorize", async (req: express.Request, res: express.Response) => {
+            const clientID = req.query.client_id;
+            if (!clientID) {
+                res.sendStatus(400);
+                return false;
+            }
+
+            const user = this.getValidUser(req, res);
+            if (!user) {
+                return;
+            }
+
+            // Check for approval of this client
+            if (!this.hasApproval(user, clientID, req, res)) {
+                return;
+            }
+
+            const request = new OAuthRequest(req);
+
+            try {
+                // Validate the HTTP request and return an AuthorizationRequest object.
+                const authRequest = await authorizationServer.validateAuthorizationRequest(request);
+
+                // Once the user has logged in set the user on the AuthorizationRequest
+                authRequest.user = { id: user.id }
+
+                // The user has approved the client so update the status
+                authRequest.isAuthorizationApproved = true;
+
+                // Return the HTTP redirect response
+                const oauthResponse = await authorizationServer.completeAuthorizationRequest(authRequest);
+                return handleResponse(req, res, oauthResponse);
+            } catch (e) {
+                handleError(e, res);
+            }
+        });
+
+        router.post("/oauth/token", async (req: express.Request, res: express.Response) => {
+            const response = new OAuthResponse(res);
+            try {
+                const oauthResponse = await authorizationServer.respondToAccessTokenRequest(req, response);
+                return handleResponse(req, res, oauthResponse);
+            } catch (e) {
+                handleError(e, res);
+                return;
+            }
+        });
+
+        function handleError(e: Error | undefined, res: express.Response) {
+            if (e instanceof OAuthException) {
+                res.status(e.status);
+                res.send({
+                    status: e.status,
+                    message: e.message,
+                    stack: e.stack,
+                });
+                return;
+            }
+            // Generic error
+            res.status(500)
+            res.send({
+                err: e
+            })
+        }
+
+        function handleResponse(req: express.Request, res: express.Response, response: OAuthResponse) {
+            if (response.status === 302) {
+                if (!response.headers.location) {
+                    throw new Error("missing redirect location");
+                }
+                res.set(response.headers);
+                res.redirect(response.headers.location);
+            } else {
+                res.set(response.headers);
+                res.status(response.status).send(response.body);
+            }
+        }
+
+        return router;
+    }
+}
\ No newline at end of file
diff --git a/components/server/src/oauth-server/repository.ts b/components/server/src/oauth-server/repository.ts
new file mode 100644
index 00000000000000..8311ed3932015a
--- /dev/null
+++ b/components/server/src/oauth-server/repository.ts
@@ -0,0 +1,47 @@
+/**
+ * Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License-AGPL.txt in the project root for license information.
+ */
+
+import { log } from '@gitpod/gitpod-protocol/lib/util/logging';
+import { GrantIdentifier, OAuthClient, OAuthClientRepository, OAuthScope, OAuthScopeRepository } from "@jmondi/oauth2-server";
+import { inMemoryDatabase } from "./db";
+
+/**
+* Currently (2021-05-15) we only support 1 client and a fixed set of scopes so using in-memory here is acceptable.
+* This will change in time, in which case we can move to using the DB.
+*/
+export const inMemoryClientRepository: OAuthClientRepository = {
+    async getByIdentifier(clientId: string): Promise<OAuthClient> {
+        return inMemoryDatabase.clients[clientId];
+    },
+
+    async isClientValid(grantType: GrantIdentifier, client: OAuthClient, clientSecret?: string): Promise<boolean> {
+        if (client.secret !== clientSecret) {
+            log.warn(`isClientValid: bad secret`)
+            return false;
+        }
+
+        if (!client.allowedGrants.includes(grantType)) {
+            log.warn(`isClientValid: bad grant`)
+            return false;
+        }
+
+        return true;
+    },
+};
+
+export const inMemoryScopeRepository: OAuthScopeRepository = {
+    async getAllByIdentifiers(scopeNames: string[]): Promise<OAuthScope[]> {
+        return Object.values(inMemoryDatabase.scopes).filter(scope => scopeNames.includes(scope.name));
+    },
+    async finalize(
+        scopes: OAuthScope[],
+        identifier: GrantIdentifier,
+        client: OAuthClient,
+        user_id?: string,
+    ): Promise<OAuthScope[]> {
+        return scopes;
+    },
+};
diff --git a/components/server/src/server.ts b/components/server/src/server.ts
index d3f461aa1aca3c..b760baafe3e6d3 100644
--- a/components/server/src/server.ts
+++ b/components/server/src/server.ts
@@ -39,6 +39,7 @@ import { BearerAuth } from './auth/bearer-authenticator';
 import { HostContextProvider } from './auth/host-context-provider';
 import { CodeSyncService } from './code-sync/code-sync-service';
 import { increaseHttpRequestCounter, observeHttpRequestDuration } from './prometheus-metrics';
+import { OAuthController } from './oauth-server/oauth-controller';
 
 @injectable()
 export class Server<C extends GitpodClient, S extends GitpodServer> {
@@ -67,6 +68,7 @@ export class Server<C extends GitpodClient, S extends GitpodServer> {
     @inject(BearerAuth) protected readonly bearerAuth: BearerAuth;
 
     @inject(HostContextProvider) protected readonly hostCtxProvider: HostContextProvider;
+    @inject(OAuthController) protected readonly oauthController: OAuthController;
 
     protected readonly eventEmitter = new EventEmitter();
     protected app?: express.Application;
@@ -254,6 +256,7 @@ export class Server<C extends GitpodClient, S extends GitpodServer> {
         app.use("/version", (req: express.Request, res: express.Response, next: express.NextFunction) => {
             res.send(this.env.version);
         });
+        app.use(this.oauthController.oauthRouter);
     }
 
     protected isAnsweredRequest(req: express.Request, res: express.Response) {
diff --git a/components/server/src/user/user-controller.ts b/components/server/src/user/user-controller.ts
index 5c0f04caf4a1d3..7bde880313787e 100644
--- a/components/server/src/user/user-controller.ts
+++ b/components/server/src/user/user-controller.ts
@@ -77,6 +77,7 @@ export class UserController {
                 const returnTo = this.getSafeReturnToParam(req);
                 const search = returnTo ? `returnTo=${returnTo}` : '';
                 const loginPageUrl = this.env.hostUrl.asLogin().with({ search }).toString();
+                log.info(`Redirecting to login ${loginPageUrl}`)
                 res.redirect(loginPageUrl);
                 return;
             }
@@ -85,7 +86,7 @@ export class UserController {
             try {
                 await saveSession(req);
             } catch (error) {
-                increaseLoginCounter("failed", "unkown")
+                increaseLoginCounter("failed", "unknown")
                 log.error(`Login failed due to session save error; redirecting to /sorry`, { req, error, clientInfo });
                 res.redirect(this.getSorryUrl("Login failed 🦄 Please try again"));
             }
@@ -255,8 +256,8 @@ export class UserController {
                     scopes: [
                         "function:getWorkspaces",
                         "function:listenForWorkspaceInstanceUpdates",
-                        "resource:"+ScopedResourceGuard.marshalResourceScope({kind: "workspace", subjectID: "*", operations: ["get"]}),
-                        "resource:"+ScopedResourceGuard.marshalResourceScope({kind: "workspaceInstance", subjectID: "*", operations: ["get"]}),
+                        "resource:" + ScopedResourceGuard.marshalResourceScope({ kind: "workspace", subjectID: "*", operations: ["get"] }),
+                        "resource:" + ScopedResourceGuard.marshalResourceScope({ kind: "workspaceInstance", subjectID: "*", operations: ["get"] }),
                     ],
                     created: new Date().toISOString(),
                 };
@@ -452,7 +453,7 @@ export class UserController {
                 return;
             }
 
-            // The user has accepted the terms.
+            // The user has approved the terms.
             log.info(logContext, '(TOS) User did agree.', logPayload);
 
             if (TosFlow.WithIdentity.is(tosFlowInfo)) {
diff --git a/gitpod-ws.code-workspace b/gitpod-ws.code-workspace
index 31ab15c6f0fba1..0657eae2a77be8 100644
--- a/gitpod-ws.code-workspace
+++ b/gitpod-ws.code-workspace
@@ -10,6 +10,7 @@
       { "path": "components/gitpod-cli" },
       { "path": "components/image-builder" },
       { "path": "components/licensor" },
+      { "path": "components/local-app" },
       { "path": "components/registry-facade" },
       { "path": "components/service-waiter" },
       { "path": "components/supervisor" },
diff --git a/yarn.lock b/yarn.lock
index 949c8542995076..e09a5038fe7295 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -3341,6 +3341,15 @@
     "@types/yargs" "^15.0.0"
     chalk "^4.0.0"
 
+"@jmondi/oauth2-server@^1.1.0":
+  version "1.1.0"
+  resolved "https://registry.yarnpkg.com/@jmondi/oauth2-server/-/oauth2-server-1.1.0.tgz#37014c4aceaee9b4559df224a4d3a743e66e5929"
+  integrity sha512-7UuliIJVnn3ISVEQ/CeRdKdY6gQb+RbOAlCZysdWytcvWNF+5Xb32ARbjOnzzLRzlh5ZxAKC5Zta0TZSKeXchg==
+  dependencies:
+    jsonwebtoken "^8.5.1"
+    ms "^2.1.3"
+    uri-js "^4.4.1"
+
 "@nodelib/fs.scandir@2.1.3":
   version "2.1.3"
   resolved "https://registry.yarnpkg.com/@nodelib/fs.scandir/-/fs.scandir-2.1.3.tgz#3a582bdb53804c6ba6d146579c46e52130cf4a3b"
@@ -14675,7 +14684,7 @@ ms@2.1.2:
   resolved "https://registry.yarnpkg.com/ms/-/ms-2.1.2.tgz#d09d1f357b443f493382a8eb3ccd183872ae6009"
   integrity sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==
 
-ms@^2.0.0:
+ms@^2.0.0, ms@^2.1.3:
   version "2.1.3"
   resolved "https://registry.yarnpkg.com/ms/-/ms-2.1.3.tgz#574c8138ce1d2b5861f0b44579dbadd60c6615b2"
   integrity sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==
@@ -20619,6 +20628,13 @@ uri-js@^4.2.2:
   dependencies:
     punycode "^2.1.0"
 
+uri-js@^4.4.1:
+  version "4.4.1"
+  resolved "https://registry.yarnpkg.com/uri-js/-/uri-js-4.4.1.tgz#9b1a52595225859e55f669d928f88c6c57f2a77e"
+  integrity sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==
+  dependencies:
+    punycode "^2.1.0"
+
 urix@^0.1.0:
   version "0.1.0"
   resolved "https://registry.yarnpkg.com/urix/-/urix-0.1.0.tgz#da937f7a62e21fec1fd18d49b35c2935067a6c72"