@kylecarbs and I just had a chat and decided we shouldn't completely disable the password login so the defaultOwner account can log in.

However, we can put it behind a backdoor (e.g.?auth=password) so that users don't see an option to log in with a user/pass. Also, OIDC users wouldn't be able to log in with a password anyways

Implemented

With the following env vars set:

• CODER_OIDC_ISSUER_URL
• CODER_OIDC_EMAIL_DOMAIN
• CODER_OIDC_CLIENT_ID
• CODER_OIDC_CLIENT_SECRET
• CODER_PASSWORD_AUTH_HIDDEN=true
• CODER_OIDC_SIGN_IN_TEXT="Sign in with Gitea"
• CODER_OIDC_ICON_URL=https://gitea.io/images/gitea.png

This Pull Request is becoming stale. In order to minimize WIP, prevent merge conflicts and keep the tracker readable, I'm going close to this PR in 3 days if there isn't more activity.

This Pull Request is becoming stale. In order to minimize WIP, prevent merge conflicts and keep the tracker readable, I'm going close to this PR in 3 days if there isn't more activity.

I think we'll want to end up disabling password authentication instead of hiding it for security reasons. I'll review this later today!

@kylecarbs how would an owner/admin sign in if we disable password auth? As@bpmct proposed, we could put it behind?password=password, or maybe better/login/admin. But ultimately that seems like an inconvenience. Maybe it's negligible though.

I think I'd prefer if we did a small "Login with Password" link at the bottom that would permit authenticating with a password. It's awkward to not allow it, since in emergency situations it would be required.

An alternative is to take the stance that owners/admins should be able to modify the deployment, so they could always disable this feature.

I think I'd prefer if we did a small "Login with Password" link at the bottom that would permit authenticating with a password. It's awkward to not allow it, since in emergency situations it would be required.

An alternative is to take the stance that owners/admins should be able to modify the deployment, so they could always disable this feature.

I can get behind a small link as long as it's clear that SSO is preferred. Many login forms tend to have both even if 99% of an organization's users use SSO

CLA Assistant Lite bot All contributors have signed the CLA ✍️ ✅

Oops sorry pushed the golden files update from a different computer

@normana10 seems likemake gen isn't quite producing the same for you... want me to post a patch you can apply?

@kylecarbs

Feel free

I keep trying to runmake gen and it does nothing

Then I do amake gen -B

And I get a:

$ make gen -Bpanic: could not start resource: : dial unix /var/run/docker.sock: connect: connection refusedgoroutine 1 [running]:main.main()/Users/normana10/git/coder/coderd/database/gen/dump/main.go:23 +0xb25exit status 2make: *** [Makefile:461: coderd/database/dump.sql] Error 1

(On my Mac)

Which.... totally makes sense, I don't have Docker installed on my Mac

Buuuut, when I try the same on my Fedora computer it ends up erroring out with a:

...../docs/api/workspaces.md 99ms../docs/manifest.json 16ms../coderd/apidoc/swagger.json 351msDone in 4.37s.ERROR: The 'yq' dependency is required, but is not available.ERROR: One or more dependencies are not available, check above log output for more details.make: *** [Makefile:509: site/.prettierrc.yaml] Error 1

But...yq is definitely installed

@normana10 sorry the error is so unhelpful, you'll need to haveyq v4 installed, either asyq4 oryq --version >= v4.

$ yq --versionyq version 4.2.0

🤷

Wait I just noticed thatyqoutside of nix-shell is v4 butinside it's v3 o.O

Just symlinked my install ofyq toyq4 andmake gen -B ran just fine

Pushing up now

That was a roller coaster but I think it's all good now? 👍

Thanks!

Woot woot. Thanks for pushing through@normana10 🥳

@normana10 can you merge inmain then I'll merge this in ASAP! Thank you again for being patient, this was a controversial one for us.

@kylecarbs

Done

Sorry if I caused any issues 😬

@normana10 we're now using this onhttps://dev.coder.com 😎