beagleknight
diff --git a/‎.gitattributes
Lines changed: 3 additions & 0 deletions b/‎.gitattributes
Lines changed: 3 additions & 0 deletions
diff --git a/‎cli/server.go
Lines changed: 3 additions & 0 deletions b/‎cli/server.go
Lines changed: 3 additions & 0 deletions
diff --git a/‎cli/server_test.go
Lines changed: 2 additions & 0 deletions b/‎cli/server_test.go
Lines changed: 2 additions & 0 deletions
diff --git a/‎cli/testdata/coder_server_--help.golden
Lines changed: 14 additions & 0 deletions b/‎cli/testdata/coder_server_--help.golden
Lines changed: 14 additions & 0 deletions
diff --git a/‎cli/testdata/coder_users_list_--output_json.golden
Lines changed: 4 additions & 2 deletions b/‎cli/testdata/coder_users_list_--output_json.golden
Lines changed: 4 additions & 2 deletions
diff --git a/‎cli/testdata/server-config.yaml.golden
Lines changed: 14 additions & 0 deletions b/‎cli/testdata/server-config.yaml.golden
Lines changed: 14 additions & 0 deletions
diff --git a/‎coderd/apidoc/docs.go
Lines changed: 18 additions & 0 deletions b/‎coderd/apidoc/docs.go
Lines changed: 18 additions & 0 deletions
diff --git a/‎coderd/apidoc/swagger.json
Lines changed: 18 additions & 0 deletions b/‎coderd/apidoc/swagger.json
Lines changed: 18 additions & 0 deletions
diff --git a/‎coderd/coderd.go
Lines changed: 9 additions & 0 deletions b/‎coderd/coderd.go
Lines changed: 9 additions & 0 deletions
diff --git a/‎coderd/database/db2sdk/db2sdk.go
Lines changed: 1 addition & 0 deletions b/‎coderd/database/db2sdk/db2sdk.go
Lines changed: 1 addition & 0 deletions
@@ -1,5 +1,7 @@
 # Generated files
 coderd/apidoc/docs.go linguist-generated=true
+docs/api/*.md linguist-generated=true
+docs/cli/*.md linguist-generated=true
 coderd/apidoc/swagger.json linguist-generated=true
 coderd/database/dump.sql linguist-generated=true
 peerbroker/proto/*.go linguist-generated=true
@@ -9,3 +11,4 @@ provisionersdk/proto/*.go linguist-generated=true
 *.tfstate.json linguist-generated=true
 *.tfstate.dot linguist-generated=true
 *.tfplan.dot linguist-generated=true
+
@@ -596,6 +596,9 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 					IgnoreUserInfo:      cfg.OIDC.IgnoreUserInfo.Value(),
 					GroupField:          cfg.OIDC.GroupField.String(),
 					GroupMapping:        cfg.OIDC.GroupMapping.Value,
+					UserRoleField:       cfg.OIDC.UserRoleField.String(),
+					UserRoleMapping:     cfg.OIDC.UserRoleMapping.Value,
+					UserRolesDefault:    cfg.OIDC.UserRolesDefault.GetSlice(),
 					SignInText:          cfg.OIDC.SignInText.String(),
 					IconURL:             cfg.OIDC.IconURL.String(),
 					IgnoreEmailVerified: cfg.OIDC.IgnoreEmailVerified.Value(),
 
@@ -1095,6 +1095,8 @@ func TestServer(t *testing.T) {
 			require.False(t, deploymentConfig.Values.OIDC.IgnoreUserInfo.Value())
 			require.Empty(t, deploymentConfig.Values.OIDC.GroupField.Value())
 			require.Empty(t, deploymentConfig.Values.OIDC.GroupMapping.Value)
+			require.Empty(t, deploymentConfig.Values.OIDC.UserRoleField.Value())
+			require.Empty(t, deploymentConfig.Values.OIDC.UserRoleMapping.Value)
 			require.Equal(t, "OpenID Connect", deploymentConfig.Values.OIDC.SignInText.Value())
 			require.Empty(t, deploymentConfig.Values.OIDC.IconURL.Value())
 		})
 
@@ -337,6 +337,20 @@ can safely ignore these settings.
       --oidc-scopes string-array, $CODER_OIDC_SCOPES (default: openid,profile,email)
           Scopes to grant when authenticating with OIDC.
 
+      --oidc-user-role-default string-array, $CODER_OIDC_USER_ROLE_DEFAULT
+          If user role sync is enabled, these roles are always included for all
+          authenticated users. The 'member' role is always assigned.
+
+      --oidc-user-role-field string, $CODER_OIDC_USER_ROLE_FIELD
+          This field must be set if using the user roles sync feature. Set this
+          to the name of the claim used to store the user's role. The roles
+          should be sent as an array of strings.
+
+      --oidc-user-role-mapping struct[map[string][]string], $CODER_OIDC_USER_ROLE_MAPPING (default: {})
+          A map of the OIDC passed in user roles and the groups in Coder it
+          should map to. This is useful if the group names do not match. If
+          mapped to the empty string, the role will ignored.
+
       --oidc-username-field string, $CODER_OIDC_USERNAME_FIELD (default: preferred_username)
           OIDC claim field to use as the username.
 
 
@@ -15,7 +15,8 @@
         "display_name": "Owner"
       }
     ],
-    "avatar_url": ""
+    "avatar_url": "",
+    "login_type": "password"
   },
   {
     "id": "[second user ID]",
@@ -28,6 +29,7 @@
       "[first org ID]"
     ],
     "roles": [],
-    "avatar_url": ""
+    "avatar_url": "",
+    "login_type": "password"
   }
 ]
@@ -268,6 +268,20 @@ oidc:
   # for when OIDC providers only return group IDs.
   # (default: {}, type: struct[map[string]string])
   groupMapping: {}
+  # This field must be set if using the user roles sync feature. Set this to the
+  # name of the claim used to store the user's role. The roles should be sent as an
+  # array of strings.
+  # (default: <unset>, type: string)
+  userRoleField: ""
+  # A map of the OIDC passed in user roles and the groups in Coder it should map to.
+  # This is useful if the group names do not match. If mapped to the empty string,
+  # the role will ignored.
+  # (default: {}, type: struct[map[string][]string])
+  userRoleMapping: {}
+  # If user role sync is enabled, these roles are always included for all
+  # authenticated users. The 'member' role is always assigned.
+  # (default: <unset>, type: string-array)
+  userRoleDefault: []
   # The text to show on the OpenID Connect sign in button.
   # (default: OpenID Connect, type: string)
   signInText: OpenID Connect
 
@@ -124,6 +124,7 @@ type Options struct {
 	DERPMap                     *tailcfg.DERPMap
 	SwaggerEndpoint             bool
 	SetUserGroups               func(ctx context.Context, tx database.Store, userID uuid.UUID, groupNames []string) error
+	SetUserSiteRoles            func(ctx context.Context, tx database.Store, userID uuid.UUID, roles []string) error
 	TemplateScheduleStore       *atomic.Pointer[schedule.TemplateScheduleStore]
 	UserQuietHoursScheduleStore *atomic.Pointer[schedule.UserQuietHoursScheduleStore]
 	// AppSecurityKey is the crypto key used to sign and encrypt tokens related to
@@ -258,6 +259,14 @@ func New(options *Options) *API {
 			return nil
 		}
 	}
+	if options.SetUserSiteRoles == nil {
+		options.SetUserSiteRoles = func(ctx context.Context, _ database.Store, userID uuid.UUID, roles []string) error {
+			options.Logger.Warn(ctx, "attempted to assign OIDC user roles without enterprise license",
+				slog.F("user_id", userID), slog.F("roles", roles),
+			)
+			return nil
+		}
+	}
 	if options.TemplateScheduleStore == nil {
 		options.TemplateScheduleStore = &atomic.Pointer[schedule.TemplateScheduleStore]{}
 	}
 
@@ -115,6 +115,7 @@ func User(user database.User, organizationIDs []uuid.UUID) codersdk.User {
 		OrganizationIDs: organizationIDs,
 		Roles:           make([]codersdk.Role, 0, len(user.RBACRoles)),
 		AvatarURL:       user.AvatarURL.String,
+		LoginType:       codersdk.LoginType(user.LoginType),
 	}
 
 	for _, roleName := range user.RBACRoles {
Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,8 @@`
`15`	`15`	`"display_name": "Owner"`
`16`	`16`	`}`
`17`	`17`	`],`
`18`		`- "avatar_url": ""`
	`18`	`+ "avatar_url": "",`
	`19`	`+ "login_type": "password"`
`19`	`20`	`},`
`20`	`21`	`{`
`21`	`22`	`"id": "[second user ID]",`
`@@ -28,6 +29,7 @@`
`28`	`29`	`"[first org ID]"`
`29`	`30`	`],`
`30`	`31`	`"roles": [],`
`31`		`- "avatar_url": ""`
	`32`	`+ "avatar_url": "",`
	`33`	`+ "login_type": "password"`
`32`	`34`	`}`
`33`	`35`	`]`
Original file line number	Diff line number	Diff line change
`@@ -115,6 +115,7 @@ func User(user database.User, organizationIDs []uuid.UUID) codersdk.User {`
`115`	`115`	`OrganizationIDs: organizationIDs,`
`116`	`116`	`Roles: make([]codersdk.Role, 0, len(user.RBACRoles)),`
`117`	`117`	`AvatarURL: user.AvatarURL.String,`
	`118`	`+ LoginType: codersdk.LoginType(user.LoginType),`
`118`	`119`	`}`
`119`	`120`
`120`	`121`	`for _, roleName := range user.RBACRoles {`