coder
diff --git a/‎cli/testdata/coder_server_--help.golden
Lines changed: 10 additions & 0 deletions b/‎cli/testdata/coder_server_--help.golden
Lines changed: 10 additions & 0 deletions
diff --git a/‎coderd/apidoc/docs.go
Lines changed: 7 additions & 0 deletions b/‎coderd/apidoc/docs.go
Lines changed: 7 additions & 0 deletions
diff --git a/‎coderd/apidoc/swagger.json
Lines changed: 7 additions & 0 deletions b/‎coderd/apidoc/swagger.json
Lines changed: 7 additions & 0 deletions
diff --git a/‎coderd/oauthpki/oidcpki.go
Lines changed: 12 additions & 4 deletions b/‎coderd/oauthpki/oidcpki.go
Lines changed: 12 additions & 4 deletions
diff --git a/‎coderd/oauthpki/okidcpki_test.go
Lines changed: 9 additions & 3 deletions b/‎coderd/oauthpki/okidcpki_test.go
Lines changed: 9 additions & 3 deletions
diff --git a/‎docs/api/general.md
Lines changed: 2 additions & 0 deletions b/‎docs/api/general.md
Lines changed: 2 additions & 0 deletions
diff --git a/‎docs/api/schemas.md
Lines changed: 30 additions & 22 deletions b/‎docs/api/schemas.md
Lines changed: 30 additions & 22 deletions
diff --git a/‎docs/cli/server.md
Lines changed: 18 additions & 0 deletions b/‎docs/cli/server.md
Lines changed: 18 additions & 0 deletions
diff --git a/‎enterprise/cli/testdata/coder_server_--help.golden
Lines changed: 10 additions & 0 deletions b/‎enterprise/cli/testdata/coder_server_--help.golden
Lines changed: 10 additions & 0 deletions
@@ -304,9 +304,19 @@ can safely ignore these settings.
       --oidc-auth-url-params struct[map[string]string], $CODER_OIDC_AUTH_URL_PARAMS (default: {"access_type": "offline"})
           OIDC auth URL parameters to pass to the upstream provider.
 
+      --oidc-client-cert-file string, $CODER_OIDC_CLIENT_CERT_FILE
+          Pem encoded certificate file to use for oauth2 PKI/JWT authorization.
+          The public certificate that accompanies oidc-client-key-file. A
+          standard x509 certificate is expected.
+
       --oidc-client-id string, $CODER_OIDC_CLIENT_ID
           Client ID to use for Login with OIDC.
 
+      --oidc-client-key-file string, $CODER_OIDC_CLIENT_KEY_FILE
+          Pem encoded RSA private key to use for oauth2 PKI/JWT authorization.
+          This can be used instead of oidc-client-secret if your IDP supports
+          it.
+
       --oidc-client-secret string, $CODER_OIDC_CLIENT_SECRET
           Client secret to use for Login with OIDC.
 
 
@@ -3,7 +3,7 @@ package oauthpki
 import (
 	"context"
 	"crypto/rsa"
-	"crypto/sha1"
+	"crypto/sha1" //#nosec // Not used for cryptography.
 	"crypto/x509"
 	"encoding/base64"
 	"encoding/json"
@@ -92,6 +92,8 @@ func NewOauth2PKIConfig(params ConfigParams) (*Config, error) {
 	}
 
 	block, _ := pem.Decode(params.PemEncodedCert)
+	// Used as an identifier, not an actual cryptographic hash.
+	//nolint:gosec
 	hashed := sha1.Sum(block.Bytes)
 
 	return &Config{
@@ -196,7 +198,13 @@ func (src *jwtTokenSource) Token() (*oauth2.Token, error) {
 		"refresh_token":         {src.refreshToken},
 	}
 	// Using params based auth
-	resp, err := cli.PostForm(src.cfg.tokenURL, v)
+	req, err := http.NewRequest("POST", src.cfg.tokenURL, strings.NewReader(v.Encode()))
+	if err != nil {
+		return nil, xerrors.Errorf("oauth2: make token refresh request: %w", err)
+	}
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	req = req.WithContext(src.ctx)
+	resp, err := cli.Do(req)
 	if err != nil {
 		return nil, xerrors.Errorf("oauth2: cannot get token: %w", err)
 	}
@@ -235,7 +243,7 @@ func (src *jwtTokenSource) Token() (*oauth2.Token, error) {
 	}
 
 	if unmarshalError != nil {
-		return nil, fmt.Errorf("oauth2: cannot unmarshal token: %v", err)
+		return nil, fmt.Errorf("oauth2: cannot unmarshal token: %w", err)
 	}
 
 	newToken := &oauth2.Token{
@@ -256,7 +264,7 @@ func (src *jwtTokenSource) Token() (*oauth2.Token, error) {
 		// decode returned id token to get expiry
 		claimSet, err := jws.Decode(v)
 		if err != nil {
-			return nil, fmt.Errorf("oauth2: error decoding JWT token: %v", err)
+			return nil, fmt.Errorf("oauth2: error decoding JWT token: %w", err)
 		}
 		newToken.Expiry = time.Unix(claimSet.Exp, 0)
 	}
 
@@ -84,6 +84,8 @@ B1B7CpkMU55hPP+7nsofCszNrMDXT8Z5w2a3zLKM
 // It runs an oauth2.Exchange method and hijacks the request to only check the
 // request side of the transaction.
 func TestAzureADPKIOIDC(t *testing.T) {
+	t.Parallel()
+
 	oauthCfg := &oauth2.Config{
 		ClientID: "random-client-id",
 		Endpoint: oauth2.Endpoint{
@@ -128,6 +130,8 @@ func TestAzureADPKIOIDC(t *testing.T) {
 // to prevent some regressions by running a full "e2e" oauth and asserting some
 // of the request values.
 func TestSavedAzureADPKIOIDC(t *testing.T) {
+	t.Parallel()
+
 	var (
 		stateString = "random-state"
 		oauth2Code  = base64.StdEncoding.EncodeToString([]byte("random-code"))
@@ -237,15 +241,17 @@ func TestSavedAzureADPKIOIDC(t *testing.T) {
 				}
 
 				return nil, xerrors.Errorf("not implemented")
-			}},
+			},
+		},
 	}
 	fakeCtx = oidc.ClientContext(context.Background(), fakeClient)
-	var _ = fakeCtx
+	_ = fakeCtx
 
 	// This simulates a client logging into the browser. The 307 redirect will
 	// make sure this goes through the full flow.
-	_, err = fakeClient.Get(pki.AuthCodeURL("state", oauth2.AccessTypeOffline))
+	resp, err := fakeClient.Get(pki.AuthCodeURL("state", oauth2.AccessTypeOffline))
 	require.NoError(t, err)
+	_ = resp.Body.Close()
 
 	require.True(t, initialExchange, "initial token exchange complete")
 	require.True(t, tokenRefreshed, "token was refreshed")
 
@@ -304,9 +304,19 @@ can safely ignore these settings.
       --oidc-auth-url-params struct[map[string]string], $CODER_OIDC_AUTH_URL_PARAMS (default: {"access_type": "offline"})
           OIDC auth URL parameters to pass to the upstream provider.
 
+      --oidc-client-cert-file string, $CODER_OIDC_CLIENT_CERT_FILE
+          Pem encoded certificate file to use for oauth2 PKI/JWT authorization.
+          The public certificate that accompanies oidc-client-key-file. A
+          standard x509 certificate is expected.
+
       --oidc-client-id string, $CODER_OIDC_CLIENT_ID
           Client ID to use for Login with OIDC.
 
+      --oidc-client-key-file string, $CODER_OIDC_CLIENT_KEY_FILE
+          Pem encoded RSA private key to use for oauth2 PKI/JWT authorization.
+          This can be used instead of oidc-client-secret if your IDP supports
+          it.
+
       --oidc-client-secret string, $CODER_OIDC_CLIENT_SECRET
           Client secret to use for Login with OIDC.