feat(cli/server.go): allow the use of public OIDC clients

ThomasK33 · ThomasK33 · commit 6c7d77af0185 · 2025-02-07T12:50:23.000+01:00
Change-Id: Iadd85d40c2faa595a0498e25d3407a1f94b5c8a8
Signed-off-by: Thomas Kosiewski &lt;tk@coder.com&gt;
diff --git a/cli/server.go b/cli/server.go
@@ -694,7 +694,12 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 				}
 			}
 
-			if vals.OIDC.ClientKeyFile != "" || vals.OIDC.ClientSecret != "" {
+			// As OIDC clients can be confidential or public,
+			// we should only check for a client id being set.
+			// The underlying library handles the case of no
+			// client secrets correctly. For more details on
+			// client types: https://oauth.net/2/client-types/
+			if vals.OIDC.ClientID != "" {
 				if vals.OIDC.IgnoreEmailVerified {
 					logger.Warn(ctx, "coder will not check email_verified for OIDC logins")
 				}
diff --git a/scripts/dev-oidc.sh b/scripts/dev-oidc.sh
@@ -49,7 +49,18 @@ cat <<EOF >/tmp/example-realm.json
       "baseUrl": "/coder",
       "redirectUris": ["*"],
       "secret": "coder"
-    }
+    },
+    {
+			"clientId": "coder-public",
+			"publicClient": true,
+			"directAccessGrantsEnabled": true,
+			"enabled": true,
+			"fullScopeAllowed": true,
+			"baseUrl": "/coder",
+			"redirectUris": [
+				"*"
+			]
+		}
   ]
 }
 EOF
@@ -79,6 +90,9 @@ hostname=$(hostname -f)
 export CODER_OIDC_ISSUER_URL="http://${hostname}:9080/realms/coder"
 export CODER_OIDC_CLIENT_ID=coder
 export CODER_OIDC_CLIENT_SECRET=coder
+# Comment out the two lines above, and comment in the line below,
+# to configure OIDC auth using a pulic client.
+# export CODER_OIDC_CLIENT_ID=coder-public
 export CODER_DEV_ACCESS_URL="http://${hostname}:8080"
 
 exec "${SCRIPT_DIR}/develop.sh" "$@"

Original file line number	Diff line number	Diff line change
`@@ -694,7 +694,12 @@ func (r RootCmd) Server(newAPI func(context.Context, coderd.Options) (*coderd.`
`694`	`694`	`}`
`695`	`695`	`}`
`696`	`696`
`697`		`- if vals.OIDC.ClientKeyFile != "" \|\| vals.OIDC.ClientSecret != "" {`
	`697`	`+ // As OIDC clients can be confidential or public,`
	`698`	`+ // we should only check for a client id being set.`
	`699`	`+ // The underlying library handles the case of no`
	`700`	`+ // client secrets correctly. For more details on`
	`701`	`+ // client types: https://oauth.net/2/client-types/`
	`702`	`+ if vals.OIDC.ClientID != "" {`
`698`	`703`	`if vals.OIDC.IgnoreEmailVerified {`
`699`	`704`	`logger.Warn(ctx, "coder will not check email_verified for OIDC logins")`
`700`	`705`	`}`