
docs: add more specific steps and information about oidc refresh tokens #18336


Open
EdwardAngert wants to merge 18 commits into main from 18307-refresh-tokens

Conversation

@EdwardAngert (Contributor) commented Jun 11, 2025 (edited)

closes #18307

relates to #18318

preview:

to do:

  • move keycloak
  • add ping federate and azure
  • edit text (possibly placeholders for now - I want to see how it all relates and edit it again. right now, there's a note about the same thing in every section in a way that's not super helpful/necessary)
  • convert some paragraphs to OL (calling this out of scope for now)

@EdwardAngert self-assigned this Jun 11, 2025
@EdwardAngert added the docs (Area: coder.com/docs) label Jun 11, 2025

@Emyrk (Member) commented:

> preview (not sure why @Emyrk's photo is so huge there though)

Yea, can we make my photo much smaller lol

@sreya (Collaborator) commented:

Yeah this is currently deployed lol. As handsome as @Emyrk is, can we remove the avatar?

@EdwardAngert (Contributor, Author) commented:

ooph thanks for catching @sreya

fixed by #18338

@sreya (Collaborator) commented:

Can we update the release notes to point to this documentation once it's merged?


> By combining the `{"access_type":"offline"}` parameter in the OIDC Auth URL with
> the `offline_access` scope, you can achieve the desired behavior of obtaining
> refresh tokens for offline access to the user's resources.

Contributor:

I think this corresponds to

CODER_OIDC_AUTH_URL_PARAMS='{"access_type": "offline"}'

which might be helpful as an example

Member:

@spikecurtis from what I can tell, we always add this.

opts = append(opts, oauth2.AccessTypeOffline)

Regardless of your config

Contributor:

It defaults, but an explicit value in CODER_OIDC_AUTH_URL_PARAMS overrides it.


> ### Refresh Tokens Not Working After Configuration Change
>
> **Symptoms**: Hourly timeouts, even after adding `offline_access`

Contributor:

So, after successfully configuring refresh tokens, users will get logged out early up to one more time. Once they reauthenticate they should get the refresh token---so if users are continuing to get "hourly timeouts" (plural), then refresh tokens are still misconfigured.

Contributor (Author):

added:

Users might get logged out again before the new configuration takes effect completely.

L176

but I'm about to move it to the end of the next FAQ

Member:

We actually had this same problem for external auth a while back. Debugging it was a challenge, so I added this to the UI to indicate if refresh is enabled. Maybe we should do something similar for the primary auth

[Screenshot: "Screenshot From 2025-06-16 07-03-44"]

Contributor:

@Emyrk yeah, it would be very helpful. Added #18384

> To confirm that refresh tokens are working correctly:
>
> 1. Check that `offline_access` is included in your `CODER_OIDC_SCOPES`

Contributor:

depends on the identity provider.

Suggested change:
Original: 1. Check that `offline_access` is included in your `CODER_OIDC_SCOPES`
Suggested: 1. Check your configuration as described above for your identity provider

> To confirm that refresh tokens are working correctly:
>
> 1. Check that `offline_access` is included in your `CODER_OIDC_SCOPES`
> 1. Verify users can stay logged in beyond Okta's access token lifetime (typically one hour)

Contributor:

Suggested change:
Original: 1. Verify users can stay logged in beyond Okta's access token lifetime (typically one hour)
Suggested: 1. Verify users can stay logged in beyond your provider's access token lifetime (typically one hour)

> 1. Check that `offline_access` is included in your `CODER_OIDC_SCOPES`
> 1. Verify users can stay logged in beyond Okta's access token lifetime (typically one hour)
> 1. Monitor Coder logs for any OIDC refresh errors during token renewal

Contributor:

If they have access to the database, and it is not encrypted, then they can check the `user_links` table and verify that there are entries in the `oauth_refresh_token` column.

Getting these instructions doesn't need to block merging.

Member:

I think we should add something product side in the UI that could tell if refresh is enabled at least on a per user basis.
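The two review threads above describe a default `access_type=offline` parameter that an explicit value in `CODER_OIDC_AUTH_URL_PARAMS` overrides, and a checklist that starts with confirming `offline_access` is in `CODER_OIDC_SCOPES`. The following Go program is an added example written for this page, not Coder's own code: it models that override behaviour and turns the first checklist item into a pre-deployment check an operator can run against the two environment values. It assumes a plain "JSON keys replace the default" merge, that scopes may be separated by commas or whitespace, and the hypothetical function names `BuildAuthURLParams`, `CheckRefreshTokenConfig` and `AuthorizationURL`; the base URL `https://idp.example/authorize` is a constructed sample.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
	"unicode"
)

// BuildAuthURLParams merges the default access_type=offline parameter with the
// operator-supplied CODER_OIDC_AUTH_URL_PARAMS JSON object. An explicit key in
// the JSON replaces the default, which is the override behaviour described in
// the review thread. (Assumption: a simple key-level merge; this is not Coder's
// own implementation.)
func BuildAuthURLParams(authURLParamsJSON string) (url.Values, error) {
	params := url.Values{}
	params.Set("access_type", "offline") // default, always requested
	if strings.TrimSpace(authURLParamsJSON) == "" {
		return params, nil
	}
	var overrides map[string]string
	if err := json.Unmarshal([]byte(authURLParamsJSON), &overrides); err != nil {
		return nil, fmt.Errorf("CODER_OIDC_AUTH_URL_PARAMS is not a JSON object of strings: %w", err)
	}
	for k, v := range overrides {
		params.Set(k, v) // explicit value wins over the default
	}
	return params, nil
}

// AuthorizationURL appends the merged parameters to the provider's
// authorization endpoint (base is assumed to carry no query string yet).
func AuthorizationURL(base string, params url.Values) string {
	return base + "?" + params.Encode()
}

// CheckRefreshTokenConfig returns human-readable findings for the two settings
// discussed in this PR. An empty slice means neither problem was detected.
// Scopes are split on commas or whitespace (assumption about the list format).
func CheckRefreshTokenConfig(scopes string, authURLParamsJSON string) []string {
	var findings []string

	hasOfflineAccess := false
	for _, s := range strings.FieldsFunc(scopes, func(r rune) bool {
		return r == ',' || unicode.IsSpace(r)
	}) {
		if s == "offline_access" {
			hasOfflineAccess = true
		}
	}
	if !hasOfflineAccess {
		findings = append(findings,
			"CODER_OIDC_SCOPES does not include offline_access; providers that require it will not issue refresh tokens")
	}

	params, err := BuildAuthURLParams(authURLParamsJSON)
	if err != nil {
		return append(findings, err.Error())
	}
	if at := params.Get("access_type"); at != "offline" {
		findings = append(findings,
			fmt.Sprintf("CODER_OIDC_AUTH_URL_PARAMS sets access_type=%q, which overrides the default offline value", at))
	}
	return findings
}

func main() {
	// Constructed sample configurations: one correct, one that silently
	// disables refresh tokens by overriding access_type.
	cases := []struct{ scopes, params string }{
		{"openid,profile,email,offline_access", `{"access_type": "offline"}`},
		{"openid,profile,email", `{"access_type": "online"}`},
	}
	for _, c := range cases {
		fmt.Printf("scopes=%q params=%s\n", c.scopes, c.params)
		for _, f := range CheckRefreshTokenConfig(c.scopes, c.params) {
			fmt.Println("  finding:", f)
		}
		if p, err := BuildAuthURLParams(c.params); err == nil {
			fmt.Println("  auth URL:", AuthorizationURL("https://idp.example/authorize", p))
		}
	}
}
```

Running it prints no findings for the first configuration and two for the second, and the rendered authorization URL makes the effective `access_type` visible without a browser capture. The check covers only what the two threads establish; it does not prove the provider actually returned a refresh token, which the later comments say requires the UI indicator or an unencrypted `user_links` table.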

@EdwardAngert marked this pull request as ready for review June 13, 2025 18:59
@EdwardAngert requested a review from sreya June 13, 2025 18:59
Reviewers

@spikecurtis approved these changes

@Emyrk approved these changes

@sreya: awaiting requested review

Requested changes must be addressed to merge this pull request.

Assignees

@EdwardAngert

Labels
docs (Area: coder.com/docs)
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Bug Report: Missing offline_access Scope Documentation and Default Configuration for OIDC Refresh Tokens
4 participants
@EdwardAngert @Emyrk @sreya @spikecurtis
