Jun 27, 2025 · Jun 27, 2025
diff --git a/docs/data-sources/external_auth.md b/docs/data-sources/external_auth.md

 ### Read-Only

 - `access_token` (String) The access token returned by the external auth provider. This can be used to pre-authenticate command-line tools.
 - `access_token` (String, Sensitive) The access token returned by the external auth provider. This can be used to pre-authenticate command-line tools.
diff --git a/docs/data-sources/workspace_owner.md b/docs/data-sources/workspace_owner.md
 - `id` (String) The UUID of the workspace owner.
 - `login_type` (String) The type of login the user has.
 - `name` (String) The username of the user.
 - `oidc_access_token` (String) A valid OpenID Connect access token of the workspace owner. This is only available if the workspace owner authenticated with OpenID Connect. If a valid token cannot be obtained, this value will be an empty string.
 - `oidc_access_token` (String, Sensitive) A valid OpenID Connect access token of the workspace owner. This is only available if the workspace owner authenticated with OpenID Connect. If a valid token cannot be obtained, this value will be an empty string.
 - `rbac_roles` (List of Object) The RBAC roles of which the user is assigned. (see [below for nested schema](#nestedatt--rbac_roles))
 - `session_token` (String) Session token for authenticating with a Coder deployment. It is regenerated every time a workspace is started.
 - `session_token` (String, Sensitive) Session token for authenticating with a Coder deployment. It is regenerated every time a workspace is started.
 - `ssh_private_key` (String, Sensitive) The user's generated SSH private key.
 - `ssh_public_key` (String) The user's generated SSH public key.

diff --git a/provider/externalauth.go b/provider/externalauth.go
 Type:        schema.TypeString,
 Description: "The access token returned by the external auth provider. This can be used to pre-authenticate command-line tools.",
 Computed:    true,
 Sensitive:   true,
 },
 "optional": {
 Type:        schema.TypeBool,
diff --git a/provider/workspace_owner.go b/provider/workspace_owner.go
 Type:        schema.TypeString,
 Computed:    true,
 Description: "Session token for authenticating with a Coder deployment. It is regenerated every time a workspace is started.",
 Sensitive:   true,
 },
 "oidc_access_token": {
 Type:     schema.TypeString,
 Computed: true,
 Description: "A valid OpenID Connect access token of the workspace owner. " +
 "This is only available if the workspace owner authenticated with OpenID Connect. " +
 "If a valid token cannot be obtained, this value will be an empty string.",
 Sensitive: true,
 },
 "login_type": {
 Type:        schema.TypeString,
Original file line number	Diff line number	Diff line change
Expand Up		@@ -39,4 +39,4 @@ data "coder_external_auth" "azure-identity" {

		### Read-Only

		- `access_token` (String) The access token returned by the external auth provider. This can be used to pre-authenticate command-line tools.
		- `access_token` (String, Sensitive) The access token returned by the external auth provider. This can be used to pre-authenticate command-line tools.
Original file line number	Diff line number	Diff line change
Expand Up		@@ -52,9 +52,9 @@ resource "coder_env" "git_author_email" {
		- `id` (String) The UUID of the workspace owner.
		- `login_type` (String) The type of login the user has.
		- `name` (String) The username of the user.
		- `oidc_access_token` (String) A valid OpenID Connect access token of the workspace owner. This is only available if the workspace owner authenticated with OpenID Connect. If a valid token cannot be obtained, this value will be an empty string.
		- `oidc_access_token` (String, Sensitive) A valid OpenID Connect access token of the workspace owner. This is only available if the workspace owner authenticated with OpenID Connect. If a valid token cannot be obtained, this value will be an empty string.
		- `rbac_roles` (List of Object) The RBAC roles of which the user is assigned. (see [below for nested schema](#nestedatt--rbac_roles))
		- `session_token` (String) Session token for authenticating with a Coder deployment. It is regenerated every time a workspace is started.
		- `session_token` (String, Sensitive) Session token for authenticating with a Coder deployment. It is regenerated every time a workspace is started.
		- `ssh_private_key` (String, Sensitive) The user's generated SSH private key.
		- `ssh_public_key` (String) The user's generated SSH public key.

Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -37,6 +37,7 @@ func externalAuthDataSource() *schema.Resource {
		Type: schema.TypeString,
		Description: "The access token returned by the external auth provider. This can be used to pre-authenticate command-line tools.",
		Computed: true,
		Sensitive: true,
		},
		"optional": {
		Type: schema.TypeBool,
Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -113,13 +113,15 @@ func workspaceOwnerDataSource() *schema.Resource {
		Type: schema.TypeString,
		Computed: true,
		Description: "Session token for authenticating with a Coder deployment. It is regenerated every time a workspace is started.",
		Sensitive: true,
		},
		"oidc_access_token": {
		Type: schema.TypeString,
		Computed: true,
		Description: "A valid OpenID Connect access token of the workspace owner. " +
		"This is only available if the workspace owner authenticated with OpenID Connect. " +
		"If a valid token cannot be obtained, this value will be an empty string.",
		Sensitive: true,
		},
		"login_type": {
		Type: schema.TypeString,
Expand Down