-**Increased security**

- Centralize source code and other data onto private servers or cloud services instead of local developers' machines.

- Manage users and groups with[SSO](./admin/users/oidc-auth.md) and[Role-based access controlled (RBAC)](./admin/users/groups-roles.md#roles).

- Manage users and groups with[SSO](./admin/users/oidc-auth/index.md) and[Role-based access controlled (RBAC)](./admin/users/groups-roles.md#roles).

-**Improved compatibility**

Use[`external-auth`](../reference/cli/external-auth.md) in the Coder CLI to access a token within the workspace:

Use[`external-auth`](../../reference/cli/external-auth.md) in the Coder CLI to access a token within the workspace:

coder external-auth access-token<USER_DEFINED_ID>

Visit the[JFrog Artifactory](../admin/integrations/jfrog-artifactory.md) guide for instructions on how to set up for JFrog Artifactory.

Visit the[JFrog Artifactory](../../admin/integrations/jfrog-artifactory.md) guide for instructions on how to set up for JFrog Artifactory.

- Enable fine-grained access to specific repositories or a subset of

permissions for security.



1. Adjust the GitHub app permissions. You can use more or fewer permissions than

are listed here, this example allows users to clone

repositories:



| Name| Permission| Description|

|---------------|--------------|--------------------------------------------------------|

1. Install the App for your organization. You may select a subset of

repositories to grant access to.



provider. The Coder control plane and workspaces will need network connectivity

to the git provider.

-[GitHub Enterprise](../external-auth.md#github-enterprise)

-[GitLab](../external-auth.md#gitlab-self-managed)

-[BitBucket](../external-auth.md#bitbucket-server)

-[Other Providers](../external-auth.md#self-managed-git-providers)

-[GitHub Enterprise](../external-auth/index.md#github-enterprise)

-[GitLab](../external-auth/index.md#gitlab-self-managed)

-[BitBucket](../external-auth/index.md#bitbucket-server)

-[Other Providers](../external-auth/index.md#self-managed-git-providers)

This module is usable by JFrog self-hosted (on-premises) Artifactory as it

requires configuring a custom integration. This integration benefits from Coder's[external-auth](../../admin/external-auth.md) feature allows each user to authenticate with Artifactory using an OAuth flow and issues user-scoped tokens to each user.

requires configuring a custom integration. This integration benefits from Coder's[external-auth](../external-auth/index.md) feature allows each user to authenticate with Artifactory using an OAuth flow and issues user-scoped tokens to each user.

To set this up, follow these steps:

environment variables in a manner consistent with your Coder deployment. Replace `JFROG_URL` with your JFrog Artifactory base URL:

The[`vault-github`](https://registry.coder.com/modules/vault-github) module is a Terraform module that allows you to

authenticate with Vault using a GitHub token. This module uses the existing

GitHub[external authentication](../external-auth.md) to get the token and authenticate with Vault.

GitHub[external authentication](../external-auth/index.md) to get the token and authenticate with Vault.

To use this module, add the following code to your Terraform configuration.

[Use environment variables to customize](../users/oidc-auth.md#oidc-login-customization)

[Use environment variables to customize](../users/oidc-auth/index.md#oidc-login-customization)

the text and icon on the OIDC button on the Sign In page.

-[**Authentication Providers**](https://coder.com/docs/admin/external-auth):

-[**Authentication Providers**](../../external-auth/index.md):

- Use icons for external authentication providers to make them recognizable.

You can set an icon for each provider by setting the

See[External Authentication](../external-auth.md) to set upgit authentication

See[External Authentication](../external-auth/index.md) to set upGit authentication

in your Coder deployment.

Toenable the`offline_access` scope which allowsfor the refresh token

Including the`offline_access` scopein the requested scopes ensures that the

By combining the`{"access_type":"offline"}` parameterin the OIDC Auth URL with

the`offline_access` scope, you can achieve the desired behavior of obtaining

-[OpenID Connect](./oidc-auth.md) (e.g. Okta, KeyCloak, PingFederate, Azure AD)

-[OpenID Connect](./oidc-auth/index.md) (e.g. Okta, KeyCloak, PingFederate, Azure AD)

-[GitHub](./github-auth.md) (or GitHub Enterprise)

To change the icon and text above the OpenID Connect button, see application

name and logo url in[appearance](../setup/appearance.md) settings.

name and logo url in[appearance](../../setup/appearance.md) settings.

By default, OIDC access tokens typically expire after a short period.

This is typically after one hour, but varies by provider.

Without refresh tokens, users will be automatically logged out when their access token expires.

Follow[Configure OIDC Refresh Tokens](./refresh-tokens.md) for provider-specific steps.

The general steps to configure persistent user sessions are:

1. Configure your Coder OIDC settings:

For most providers, add the`offline_access` scope:

For Google, add auth URL parameters (`CODER_OIDC_AUTH_URL_PARAMS`) too:

1. Configure your identity provider to issue refresh tokens.

1. After configuration, have users log out and back in once to obtain refresh tokens

Coder supports user provisioning and deprovisioning via SCIM 2.0 with header

authentication. Upon deactivation, users are

[suspended](./index.md#suspend-a-user) and are not deleted.

[Configure](../setup/index.md) your SCIM application with an auth key and supply

[suspended](../index.md#suspend-a-user) and are not deleted.

[Configure](../../setup/index.md) your SCIM application with an auth key and supply

it the Coder server.

-[Group Sync](./idp-sync.md)

-[Groups & Roles](./groups-roles.md)

-[Group Sync](../idp-sync.md)

-[Groups & Roles](../groups-roles.md)

-[Configure OIDC Refresh Tokens](./refresh-tokens.md)