feat: add support for capturing id token returned by Azure OIDC login#20991
Draft
rowansmithau wants to merge 3 commits into main from rowansmithau/feat/add-oidc-id-token-env-var
base: main
+429 −312
Conversation
Commit message (title truncated on the page):
…DC_ID_TOKEN env var
- Add oauth_id_token column to user_links table (migration 402)
- Capture and store ID token during OIDC authentication
- Implement token refresh with ID token preservation
- Add obtainOIDCIdToken() function for token retrieval
- Pass ID token to provisioner via proto metadata
- Expose as CODER_WORKSPACE_OWNER_OIDC_ID_TOKEN environment variable
- Fix OAuthIdToken -> OAuthIDToken field naming (Go conventions)
- Add OAuthIDToken to all UpdateUserLinkParams/InsertUserLinkParams structs
- Update TypeScript and Go proto bindings
- Regenerate database queries with correct column ordering
This enables Azure OIDC authentication which requires the ID token for subsequent API calls.
Reported by ent customer on ticket 4688. Related thread: https://codercom.slack.com/archives/C014JH42DBJ/p1763983935459739
This PR adds the oauth_id_token column to the user_links table and has Coder capture and store the id_token returned by Azure as part of the OIDC login process to the new column. This is needed because Azure provides both an access_token and id_token value in its response to coderd, but the access token is a v1 token which has an audience and issuer which corresponds to Microsoft Graph, while the id token is issued against the customer tenant. The reasoning behind this is the access token / v1 Graph token is only able to be validated by Microsoft, which means when other services within Coder make use of the Azure OIDC token, such as authenticating to Vault, this fails. Authenticating manually (decrypting TLS, capturing the id_token from the Azure response) using the id_token works as desired.
Ref: https://github.com/coder/registry/blob/main/registry/coder/modules/vault-jwt/main.tf#L62 and https://github.com/coder/registry/blob/main/registry/coder/modules/vault-jwt/run.sh#L119
There will also be a Terraform provider update which will be used to facilitate the second half of this.
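To illustrate the audience/issuer distinction the description draws, here is an added example (not code from this PR or from the Coder code base) that decodes the iss and aud claims of a token and reports whether a verifier trusting only the customer tenant's issuer and the app's client ID could accept it. The issuer URLs and client ID are placeholders, the tokens are constructed and unsigned, and usableByTenantVerifier, decodeClaims and mintUnsigned are names chosen here.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims: the two claims the PR description hinges on (aud as a single string, as Azure issues it).
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
}
// decodeClaims reads iss/aud from a compact JWT payload; it does not verify the signature.
func decodeClaims(token string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("not a compact JWT")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return Claims{}, err
	}
	var c Claims
	return c, json.Unmarshal(raw, &c)
}
// usableByTenantVerifier reports whether a token was issued by the customer tenant for the
// Coder app, i.e. whether a downstream verifier such as the vault-jwt module could validate it.
func usableByTenantVerifier(token, tenantIssuer, clientID string) (bool, error) {
	c, err := decodeClaims(token)
	if err != nil {
		return false, err
	}
	return c.Iss == tenantIssuer && c.Aud == clientID, nil
}
// mintUnsigned builds a constructed, unsigned (alg=none) sample token so the example runs offline.
func mintUnsigned(c Claims) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	body, _ := json.Marshal(c)
	return hdr + "." + base64.RawURLEncoding.EncodeToString(body) + "."
}
func main() {
	graph := mintUnsigned(Claims{Iss: "https://sts.windows.net/TENANT-ID-PLACEHOLDER/", Aud: "https://graph.microsoft.com"})
	ok, _ := usableByTenantVerifier(graph, "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0", "CLIENT-ID-PLACEHOLDER")
	fmt.Println("v1 Graph access token usable by a tenant verifier:", ok)
}
```

A real verifier must also check the signature against the issuer's published keys and the expiry; this block only shows why the Graph-scoped access token cannot pass the tenant check while the id_token can.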