chore: update IdP docs with Google quirks (#18318)

deansheather · web-flow · commit 8e1ccf9f8081 · 2025-06-11T15:02:08.000-04:00
Following some issues we discovered on dogfood after merging #17878, we think `prompt=consent` is required for refresh tokens to be sent by Google every time you sign in.
diff --git a/docs/admin/users/idp-sync.md b/docs/admin/users/idp-sync.md
@@ -595,3 +595,15 @@ user is granted the necessary permissions to obtain refresh tokens.
 By combining the `{"access_type":"offline"}` parameter in the OIDC Auth URL with
 the `offline_access` scope, you can achieve the desired behavior of obtaining
 refresh tokens for offline access to the user's resources.
+
+### Google
+
+To ensure Coder receives a refresh token when users authenticate with Google
+directly, set the `prompt` to `consent` in the auth URL parameters. Without
+this, users will be logged out after 1 hour.
+
+In your Coder configuration:
+
+```shell
+CODER_OIDC_AUTH_URL_PARAMS='{"access_type": "offline", "prompt": "consent"}'
+```
