Create new OIDC user #7126

Closed
bpmct opened this issue Apr 13, 2023 · 3 comments

bpmct commented Apr 13, 2023

We currently have https://coder.com/docs/v2/latest/cli/server#--oidc-allow-signups, but it's not particularly helpful since admins cannot manually add users as OIDC. We have this in Coder v1:

image

Related: #4505

Implementation notes

Open to other ideas, but I believe this should cover most cases.

  • If OIDC is enabled, add a type modal in the “add user” dropdown with built-in and OIDC. OIDC should be selected by default.
  • If GitHub OAuth is enabled, add a type modal in the “add user” dropdown with built-in and GitHub. GitHub should be selected by default, unless OIDC is also enabled. In this case, OIDC should be the default.
  • Do not require the admin to enter a password for these users. The “password” field should conditionally render, only if the type is “built-in.”

Bonus

We don’t have to do this as a part of this issue if it is difficult, but it helps customers secure their deployment, which is a part of this. If we don’t do this, let me know and I can extract it to another issue.

If --disable-password-auth is enabled, we should not allow built-in accounts to be created via the UI or API. The backdoor command to create an admin user (in the help text of that flag) must still work.

@matifali

Can we also somehow allow an OIDC user to log in to the same account with a password?

@bpmct bpmct added this to the ❓Sprint 2 milestone Jun 14, 2023
@ammario ammario removed this from the ❓Sprint 2 milestone Jun 29, 2023
@Emyrk Emyrk self-assigned this Jul 10, 2023

Emyrk commented Jul 13, 2023

@matifali I don't like the idea of having 2 authentication methods, feels confusing and a security issue imo.

Is there a benefit to the larger security surface of 2 auths? Like if you use OIDC to log in, you might forget password auth exists. If it does not actually provide value, we should prefer to lock things down.

The BE is also only designed for 1 login type atm. We would want to support multiple which is going to require schema changes and that will propagate to some UI pages. Is this worth the upside?


Emyrk commented Aug 11, 2023

#9000

@Emyrk Emyrk closed this as completed Aug 11, 2023