Description
Role sync currently only works for site-wide roles. This functionality should remain, with the addition that organization roles can also be assigned.
oidcRoles should return []rbac.RoleIdentifier rather than []string to support organizational roles.
Given the "self serve" nature of organizations, org role assignment configuration might want to be deferred to org admins. So the current deployment-wide config could remain, with an organization-specific configuration extension.
Some debugging and visual tools to see which roles are available via the IDP would be required.
Deployment configuration to upgrade
Static role mapping
User role mapping is defined as a static OIDC_Role -> Coder Site Role. We either need to allow an organization context in the existing configuration option, or add a new config field to inject an organization role.
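A sketch of the first option, a static mapping that carries an organization context, added here as an example and not taken from Coder's code. The RoleIdentifier type is a local stand-in for rbac.RoleIdentifier; its field names, the RoleMapping shape, the syncOrgs opt-in set and all sample role and claim names are assumptions.

```go
package main

import (
	"fmt"
	"sort"
)

// RoleIdentifier is a local stand-in for the rbac.RoleIdentifier named in the
// issue (field names assumed). An empty Org means a site-wide role.
type RoleIdentifier struct{ Name, Org string }

// RoleMapping is a hypothetical static mapping: IdP claim value -> roles granted.
type RoleMapping map[string][]RoleIdentifier

// MapOIDCRoles resolves IdP claim values to role identifiers. Claims with no
// mapping entry grant nothing and are returned in ignored for debugging.
// Org-scoped roles are kept only for orgs in syncOrgs (assumed opt-in set).
func MapOIDCRoles(claims []string, m RoleMapping, syncOrgs map[string]bool) (granted []RoleIdentifier, ignored []string) {
	seen := map[RoleIdentifier]bool{}
	for _, c := range claims {
		roles, ok := m[c]
		if !ok {
			ignored = append(ignored, c)
			continue
		}
		for _, r := range roles {
			if r.Org != "" && !syncOrgs[r.Org] {
				continue // org has not opted in: never grant its roles
			}
			if !seen[r] {
				seen[r] = true
				granted = append(granted, r)
			}
		}
	}
	sort.Slice(granted, func(i, j int) bool {
		if granted[i].Org != granted[j].Org {
			return granted[i].Org < granted[j].Org
		}
		return granted[i].Name < granted[j].Name
	})
	return granted, ignored
}

func main() {
	// Constructed sample mapping and claims, not real deployment data.
	m := RoleMapping{"idp-admins": {{Name: "owner"}}, "idp-data": {{Name: "org-admin", Org: "data"}, {Name: "org-admin", Org: "ml"}}}
	granted, ignored := MapOIDCRoles([]string{"idp-admins", "idp-data", "idp-unknown"}, m, map[string]bool{"data": true})
	fmt.Println(granted, ignored)
}
```

Keeping the organization inside the identifier means a site-wide role and an org role with the same name never compare equal, and the ignored list is the raw material for the debugging view of what the IdP actually sends.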