docs: add more specific steps and information about oidc refresh tokens #18336
Conversation
ff568a1 to 566fe99

Can we update the release notes to point to this documentation once it's merged?
d3ac4ea to e69afa5
By combining the`{"access_type":"offline"}` parameter in the OIDC Auth URL with | ||
the`offline_access` scope, you can achieve the desired behavior of obtaining | ||
refresh tokens for offline access to the user's resources. |
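Review bot: this sentence names the `{"access_type":"offline"}` parameter but not the setting it is passed in, so a reader cannot act on it; state it as `CODER_OIDC_AUTH_URL_PARAMS='{"access_type": "offline"}'`, and, since the thread notes that `access_type=offline` is appended by default and only an explicit value in that variable overrides it, say that setting it explicitly is only needed when the variable is already in use for other parameters, so the parameter does not read as mandatory alongside the `offline_access` scope.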
I think this corresponds to `CODER_OIDC_AUTH_URL_PARAMS='{"access_type": "offline"}'`, which might be helpful as an example.
@spikecurtis from what I can tell, we always add this.

Line 45 in 3ddc7a9:

```go
opts = append(opts, oauth2.AccessTypeOffline)
```

Regardless of your config.
It defaults, but an explicit value in `CODER_OIDC_AUTH_URL_PARAMS` overrides it.
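An added example, not Coder's own code and not part of this PR, that models the two settings this thread discusses, `CODER_OIDC_SCOPES` and `CODER_OIDC_AUTH_URL_PARAMS`, with the behaviour described above: `access_type=offline` is appended by default and an explicit value in the params JSON overrides it. It doubles as a pre-flight for the troubleshooting checklist in this diff (is `offline_access` actually in the scopes, and does the final `access_type` still say `offline`). The function names, the assumption that the params variable is a JSON object of strings, the `response_type`/`scope` query parameters and the sample values are all illustrative assumptions, not Coder's implementation.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Assumed shape of the two settings (illustrative model, not Coder's code):
//   CODER_OIDC_SCOPES          space-separated scope list
//   CODER_OIDC_AUTH_URL_PARAMS JSON object of extra auth-URL query parameters
//
// Assumed behaviour, as described in the thread: access_type=offline is appended
// by default, and an explicit access_type in CODER_OIDC_AUTH_URL_PARAMS overrides it.

// authURLQuery assembles the query that would be sent to the IdP's
// authorization endpoint from the two settings.
func authURLQuery(scopes, authURLParamsJSON string) (url.Values, error) {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("scope", scopes)
	q.Set("access_type", "offline") // default, analogous to oauth2.AccessTypeOffline

	if strings.TrimSpace(authURLParamsJSON) != "" {
		var extra map[string]string
		if err := json.Unmarshal([]byte(authURLParamsJSON), &extra); err != nil {
			return nil, fmt.Errorf("CODER_OIDC_AUTH_URL_PARAMS is not a JSON object of strings: %w", err)
		}
		for k, v := range extra {
			q.Set(k, v) // an explicit value replaces the default
		}
	}
	return q, nil
}

// refreshTokenFindings reports the misconfigurations that stop the IdP from
// issuing a refresh token. An empty slice means the request looks right.
func refreshTokenFindings(scopes, authURLParamsJSON string) ([]string, error) {
	findings := []string{}

	hasOfflineAccess := false
	for _, s := range strings.Fields(scopes) {
		if s == "offline_access" {
			hasOfflineAccess = true
			break
		}
	}
	if !hasOfflineAccess {
		findings = append(findings, "CODER_OIDC_SCOPES does not include offline_access")
	}

	q, err := authURLQuery(scopes, authURLParamsJSON)
	if err != nil {
		return nil, err
	}
	if at := q.Get("access_type"); at != "offline" {
		findings = append(findings,
			fmt.Sprintf("access_type is %q after applying CODER_OIDC_AUTH_URL_PARAMS; expected \"offline\"", at))
	}
	return findings, nil
}

func main() {
	// Constructed sample values, not taken from any real deployment.
	good := []string{"openid profile email offline_access", `{"access_type": "offline"}`}
	bad := []string{"openid profile email", `{"access_type": "online"}`}
	for _, c := range [][]string{good, bad} {
		f, err := refreshTokenFindings(c[0], c[1])
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("scopes=%q params=%s -> %d finding(s) %v\n", c[0], c[1], len(f), f)
	}
}
```

The second sample deliberately sets `access_type` to a value other than `offline` to show that the explicit parameter wins over the default, which is the failure mode a reader of this thread would otherwise not expect.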
###Refresh Tokens Not Working After Configuration Change | ||
**Symptoms**: Hourly timeouts, even after adding`offline_access` |
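Review bot: the symptom as written also matches the expected one-time logout that follows a correct fix (sessions that predate the change carry no refresh token and only get one on the next sign-in), so an admin will read a single extra logout as the configuration having failed; suggest stating that one further logout is expected and that only repeated hourly timeouts after users have re-authenticated indicate refresh tokens are still misconfigured.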
So, after successfully configuring refresh tokens, users will get logged out early up to one more time. Once they reauthenticate they should get the refresh token---so if users are continuing to get "hourly timeouts" (plural), then refresh tokens are still misconfigured.
added:

> Users might get logged out again before the new configuration takes effect completely.

but I'm about to move it to the end of the next FAQ
1. Check that`offline_access` is included in your`CODER_OIDC_SCOPES` | ||
1. Verify users can stay logged in beyond Okta's access token lifetime (typically one hour) | ||
1. Monitor Coder logs for any OIDC refresh errors during token renewal |
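Review bot: step 2 asks the reader to verify that users stay logged in beyond an hour, which cannot be checked at configuration time and only surfaces after the fact; add a direct check that refresh tokens are actually being stored, for example inspecting the `user_links` table for non-empty `oauth_refresh_token` values where the database is accessible and not encrypted, and in step 3 say which log messages indicate a failed refresh so the step is actionable rather than "monitor for any errors".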
If they have access to the database, and it is not encrypted, then they can check the `user_links` table and verify that there are entries in the `oauth_refresh_token` column.

Getting these instructions doesn't need to block merging.
I think we should add something produce side in the UI that could tell if refresh is enabled at least on a per user basis.
5c16079 into main
closes #18307
relates to #18318

preview:
(not sure why @Emyrk's photo is so huge there though)

to do:
- ✔️ convert some paragraphs to OL
  calling this out of scope for now