NotificationsYou must be signed in to change notification settings
Fork1.1k
Star11.6k

Commit6a67e2e

authored

feat(cli/server.go): allow the use of public OIDC clients (#16489)

Support public OIDC clients- Enables support for public OIDC clients by only checking for a clientID being set. This allows for confidential and public clients to be usedwith Coder's OIDC authentication.- Also adds a public client configuration to the development OIDC setupscript.Fixes#16135Change-Id: Iadd85d40c2faa595a0498e25d3407a1f94b5c8a8Signed-off-by: Thomas Kosiewski <tk@coder.com>Signed-off-by: Thomas Kosiewski <tk@coder.com>

1 parent5845031 commit6a67e2eCopy full SHA for 6a67e2e

File tree

2 files changed

+20

-1

lines changed

cli
- server.go
scripts
- dev-oidc.sh

2 files changed

+20

-1

lines changed

`‎cli/server.go‎`

Lines changed: 6 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -694,7 +694,12 @@ func (r RootCmd) Server(newAPI func(context.Context, coderd.Options) (*coderd.`
`694`	`694`	`}`
`695`	`695`	`}`
`696`	`696`
`697`		`-ifvals.OIDC.ClientKeyFile!=""\|\|vals.OIDC.ClientSecret!="" {`
	`697`	`+// As OIDC clients can be confidential or public,`
	`698`	`+// we should only check for a client id being set.`
	`699`	`+// The underlying library handles the case of no`
	`700`	`+// client secrets correctly. For more details on`
	`701`	`+// client types: https://oauth.net/2/client-types/`
	`702`	`+ifvals.OIDC.ClientID!="" {`
`698`	`703`	`ifvals.OIDC.IgnoreEmailVerified {`
`699`	`704`	`logger.Warn(ctx,"coder will not check email_verified for OIDC logins")`
`700`	`705`	`}`

`‎scripts/dev-oidc.sh‎`

Lines changed: 14 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -49,6 +49,17 @@ cat <<EOF >/tmp/example-realm.json`
`49`	`49`	`"baseUrl": "/coder",`
`50`	`50`	`"redirectUris": ["*"],`
`51`	`51`	`"secret": "coder"`
	`52`	`+ },`
	`53`	`+ {`
	`54`	`+ "clientId": "coder-public",`
	`55`	`+ "publicClient": true,`
	`56`	`+ "directAccessGrantsEnabled": true,`
	`57`	`+ "enabled": true,`
	`58`	`+ "fullScopeAllowed": true,`
	`59`	`+ "baseUrl": "/coder",`
	`60`	`+ "redirectUris": [`
	`61`	`+ "*"`
	`62`	`+ ]`
`52`	`63`	`}`
`53`	`64`	`]`
`54`	`65`	`}`
`@@ -79,6 +90,9 @@ hostname=$(hostname -f)`
`79`	`90`	`export CODER_OIDC_ISSUER_URL="http://${hostname}:9080/realms/coder"`
`80`	`91`	`export CODER_OIDC_CLIENT_ID=coder`
`81`	`92`	`export CODER_OIDC_CLIENT_SECRET=coder`
	`93`	`+# Comment out the two lines above, and comment in the line below,`
	`94`	`+# to configure OIDC auth using a public client.`
	`95`	`+# export CODER_OIDC_CLIENT_ID=coder-public`
`82`	`96`	`export CODER_DEV_ACCESS_URL="http://${hostname}:8080"`
`83`	`97`
`84`	`98`	`exec"${SCRIPT_DIR}/develop.sh""$@"`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit6a67e2e

File tree

2 files changed

2 files changed

`‎cli/server.go‎`

`‎scripts/dev-oidc.sh‎`

0 commit comments