- Notifications
You must be signed in to change notification settings - Fork914
feat: enable GitHub OAuth2 login by default on new deployments#16662
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Uh oh!
There was an error while loading.Please reload this page.
Conversation
66e0aff to2788eb5CompareNote: before merging, I need to update the embedded GitHub Client ID. I'm still waiting for the app to be properly set up on our side. |
dannykopping commentedFeb 24, 2025 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
@hugodutka how will users using this embedded client ID? Each GitHub app needs a unique callback URL as far as I understand, so I'm not sure how this will work. EDIT: nevermind, seems like theredirect URI can be customised. |
hugodutka commentedFeb 24, 2025 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
@dannykopping we’ll be using thedevice flow here, which I implemented support for a couple of days ago:#16585. This doesn’t use a callback URL. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
The change looks OK to me mechanically, and the device flow is convenient. What happens to new deployments where GitHub is not accessible though? It looks like this will be enabled and useless to the admin.
codersdk/deployment.go Outdated
| Name: "OAuth2 GitHub Default Provider", | ||
| Description: "Enable the default GitHub OAuth2 provider managed by Coder.", | ||
| Flag: "oauth2-github-default-provider", | ||
| Env: "CODER_OAUTH2_GITHUB_DEFAULT_PROVIDER", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
nit: for consistency, this should have the_ENABLE suffix. This isnot a blocking change though.
cli/server_test.go Outdated
| t.Run("NewDeployment", func(t *testing.T) { | ||
| runGitHubProviderTest(t, testCase{ | ||
| githubEnabled: true, | ||
| createUserPreStart: false, | ||
| createUserPostRestart: true, | ||
| }) | ||
| }) | ||
| t.Run("ExistingDeployment", func(t *testing.T) { | ||
| runGitHubProviderTest(t, testCase{ | ||
| githubEnabled: false, | ||
| createUserPreStart: true, | ||
| createUserPostRestart: false, | ||
| }) | ||
| }) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Can you also add a test case as follows:
- GIVEN an existing deployment with 0 users and
CODER_OAUTH2_GITHUB_{CLIENT_ID,CLIENT_SECRET}set - WHEN coder starts
- THEN the new "default" GitHub OAuth2 provider isnot enabled
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
I think there's also an argument to be made against enabling this by default if OIDC login is enabled.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
I'd rather not make this logic dependent on OIDC config. I think it's not intuitive that setting one up would disable the other.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
:D It sounds like there's an argument against then. Let's leave it out of this PR so!
cli/server.go Outdated
| params.clientID = "Iv23liSBHklRMBNx5lk9" | ||
| params.allowEveryone = true | ||
| params.deviceFlow = true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Can this be extracted to ahighly visible variable?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
What do you consider highly visible? Package level global constant? Just asking to avoid further back and forth on this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Something like that, yeah. We should need to go searching to find the default client ID.
I assume OAuth2 device flow doesn't require a client secret?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
That's right, it doesn't require a client secret.
What do you mean by not accessible? As in the deployment is airgapped? |
Not necessarily; there have been multiple instances in the past where state actors have blocked GitHub. Or it could be blocked at the corporate network level. What would you say is the best course of action in this case? |
@johnstcn I don't think this would be very common. I think just allowing the admins to disable the default via an env variable is enough in these cases. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
LGTM 👍
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Approving pending comments regarding conditionally disabling if existing OAuth2/OIDC authn methods are configured.
eb41f65 to032150dCompare1a67ae7 todfd49d0Compare9a15225 to407cdd3CompareAddressed the feedback and updated the embedded client ID. Should be ready to merge once the base branch is merged. |
dfd49d0 to3b36025Compare407cdd3 to071d6ccCompare071d6cc to1720441Compare1720441 to297e90bCompared3a56ae intomainUh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
Third and final PR to address#16230.
This PR enables GitHub OAuth2 login by default on new deployments. Combined with#16629, this will allow the first admin user to sign up with GitHub rather than email and password.
We take care not to enable the default on deployments that would upgrade to a Coder version with this change.
To disable the default provider an admin can set the
CODER_OAUTH2_GITHUB_DEFAULT_PROVIDERenv variable to false.