NotificationsYou must be signed in to change notification settings
Fork913
Star10.1k

docs: update IdP group and role sync documentation for UI configuration#16315

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Jump to bottom

Merged

EdwardAngert merged 11 commits intomainfrom277-idp-sync-dash

Jan 31, 2025

Merged

docs: update IdP group and role sync documentation for UI configuration#16315

EdwardAngert merged 11 commits intomainfrom277-idp-sync-dash

Jan 31, 2025

Conversation

Copy link

Contributor

EdwardAngert commentedJan 28, 2025•
edited
Loading

closescoder/internal#277

to do:

deprecate server flag steps
bump down tab headings (remove from toc)
add dashboard steps for each

~~- [ ] re-org doc~~ partially complete, but this will need revisiting

preview

h3 tab titles

616592d

EdwardAngert added the docsArea: coder.com/docs label

Jan 28, 2025

EdwardAngert self-assigned this

Jan 28, 2025

EdwardAngert changed the title~~docs: Update docs for IDP group and role sync to reflect the ability to configure in the UI~~docs: update IDP group and role sync documentation for UI configuration

Jan 28, 2025

EdwardAngert mentioned this pull request

Jan 28, 2025

docs: adjust steps and add screenshots for orgs#16248

Merged

1 task

EdwardAngert added2 commits

January 28, 2025 21:55

proper caps for idp

97507db

server flags deprecated note

f4cf45f

EdwardAngert mentioned this pull request

Jan 28, 2025

Update docs for IDP group and role sync to reflect the ability to configure in the UIcoder/internal#277

Closed

EdwardAngert added2 commits

January 29, 2025 16:25

refresh adfs section

8ef4939

keycloak section md tweaks

b6cab0b

EdwardAngert commented

Jan 29, 2025

View reviewed changes

docs/admin/users/idp-sync.md

		authenticates using OIDC, the application requests offline access to the user's
		resources, including the ability to refresh access tokens without requiring the
		user to reauthenticate.
		The `access_type` parameter has two possible values: `online` and `offline`.

Copy link

ContributorAuthor

EdwardAngertJan 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I tried looking for more information about this and foundhttps://registry.terraform.io/providers/mrparkers/keycloak/latest/docs/resources/openid_client

Based on that, there are other options and neitheronline noroffline are listed. Is this wording still accurate?

Copy link

Member

bpmctJan 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Probably best revisiting this after merge too.

Copy link

Member

EmyrkJan 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Those are the wrong docs, it will not be a terraform resource.

I cannot find the correct docs though. This is the best I found
https://wjw465150.gitbooks.io/keycloak-documentation/content/server_admin/topics/sessions/offline.html

Copy link

ContributorAuthor

EdwardAngertJan 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

nice find@Emyrk !

I found the source of that page, then traced it back to thekeycloak docs - seems like it's the same info

glancing at their docs, the parameter isscope=offline_access and maybe notaccess_type, so it seems like it's still worth exploring our Keycloak section later

Clients can request an offline token by adding the parameterscope=offline_access when sending their authorization request to Keycloak.

that doc also links tohttps://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess

Copy link

Member

EmyrkJan 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

It is worth explorig. The scope is different than the query param in the auth url.

The url param is defined in the OIDC spechttps://developers.google.com/identity/openid-connect/openid-connect. Unsure if it is an oauth thing, or an oidc thing.

The oauth library we use has it defined:
https://github.com/golang/oauth2/blob/master/oauth2.go#L109-L121

As for what the scope does, I am unsure. It might be related to the query param, idk 🤷‍♂️.

EdwardAngert commented

Jan 29, 2025

View reviewed changes

docs/admin/users/idp-sync.md

Comment on lines 610 to 612

		- `preferred_username`: You can use e.g. "Display Name" as required.
		- `email`: You can use e.g. the LDAP attribute "E-Mail-Addresses" as
		required.

Copy link

ContributorAuthor

EdwardAngertJan 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

are these"Display Name" and"E-Mail-Addresses" values from somewhere? I'm trying to reword these points

Copy link

Member

bpmctJan 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Probably worth cleaning up this section as a separate PR. Unsure who wrote it, we can usegit blame

EdwardAngert changed the title~~docs: update IDP group and role sync documentation for UI configuration~~docs: update IdP group and role sync documentation for UI configuration

Jan 29, 2025

EdwardAngert added3 commits

January 29, 2025 18:55

Merge remote-tracking branch 'origin/main' into 277-idp-sync-dash

1f56d58

confirm oidc sends claims; remove future versions notes

7900135

update dashboard steps and screenshots

050b9ea

EdwardAngert marked this pull request as ready for review

January 30, 2025 05:41

EdwardAngert requested review fromjaaydenh,Emyrk,bpmct andstirby

January 30, 2025 05:41

Emyrk reviewed

Jan 30, 2025

View reviewed changes

docs/admin/users/idp-sync.md Outdated

Comment on lines 50 to 51

		For deployments with multiple [organizations](./organizations.md), configure
		group sync at the organization level.

Copy link

Member

EmyrkJan 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Even single org deployments have to configure it at the org level. They just configure it in the default org.

Copy link

Member

bpmctJan 31, 2025•
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

@jaaydenh Do single org deployments on the Standard license see this UI?

Copy link

ContributorAuthor

EdwardAngertJan 31, 2025•
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

yeah:

we're trying to remind people that if you have more than one, configure it in the appropriate org. Let me see if I can rework this a little

Copy link

ContributorAuthor

EdwardAngertJan 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

just in case, here's a screenshot of people see if they don't have a premium license

docs/admin/users/idp-sync.md

		authenticates using OIDC, the application requests offline access to the user's
		resources, including the ability to refresh access tokens without requiring the
		user to reauthenticate.
		The `access_type` parameter has two possible values: `online` and `offline`.