Automatically sync roles from identity providers to Coder roles #7470

Closed
sharkymark opened this issue May 9, 2023 · 4 comments · Fixed by #8595

sharkymark commented May 9, 2023

A prospect would like to completely automate user additions to Coder.

Coder already automatically creates the user and syncs groups.

This 3rd component would automatically associate 1:N site-wide roles in Coder to a user. e.g., Template Admin, User Admin, Auditor, etc.

@bpmct bpmct added this to the ❓Sprint 2 milestone Jun 14, 2023

bpmct commented Jun 15, 2023

This is a key component to configuring a Coder deployment entirely as code, with no clickops, such as manually setting roles or creating the owner user.

As a part of this, we should add a way to start the coder server for the first time without showing the /setup to make a built-in user and instead rely on the identity provider to set a user as an "owner" within Coder.

If something breaks, the create-admin-user command can be used.

@ammario ammario removed this from the ❓Sprint 2 milestone Jun 29, 2023
@Emyrk Emyrk self-assigned this Jul 10, 2023

Emyrk commented Jul 10, 2023

Right now we only sync groups on login, would this still be ok?

@coadler is this something we should be doing with SCIM instead of checking claims on an oauth login?

bpmct commented Jul 12, 2023

> Right now we only sync groups on login, would this still be ok?

This feels fine for the first iteration considering it's the same behavior for groups and both are permissions-related.

However, can we also support mapping like we do for groups? (e.g. coder-admin role in IDP -> Owner role in Coder)

Emyrk commented Jul 19, 2023

@bpmct I am only implementing site-wide roles right now. We have org roles too, but we probably should not include those for now?
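
As an added example (not Coder's implementation and not part of the issue thread), one way to express the mapping requested above, where an IdP role such as coder-admin becomes the Owner role, recomputed on each login. The claim shape, the role slugs, and the function names are assumptions made for illustration.

```go
package main

import "fmt"

// Site-wide roles the sync may grant (slugs assumed); org roles are excluded.
var siteRoles = map[string]bool{"owner": true, "template-admin": true, "user-admin": true, "auditor": true}

// claimRoles normalizes a roles claim, which an IdP may send as a string or a list.
func claimRoles(raw any) ([]string, error) {
	switch v := raw.(type) {
	case nil:
		return nil, nil // claim absent: the user gets no synced roles
	case string:
		return []string{v}, nil
	case []any:
		out := make([]string, 0, len(v))
		for _, e := range v {
			s, ok := e.(string)
			if !ok {
				return nil, fmt.Errorf("non-string entry in roles claim: %v", e)
			}
			out = append(out, s)
		}
		return out, nil
	}
	return nil, fmt.Errorf("unsupported roles claim type %T", raw)
}

// SyncRoles returns the complete role set for this login; it replaces, not extends, the old set.
func SyncRoles(raw any, mapping map[string][]string) ([]string, error) {
	idp, err := claimRoles(raw)
	if err != nil {
		return nil, err // malformed claim: caller should fail the login, not guess
	}
	out, seen := []string{}, map[string]bool{}
	for _, r := range idp {
		for _, m := range mapping[r] { // unmapped IdP roles grant nothing
			if siteRoles[m] && !seen[m] {
				seen[m] = true
				out = append(out, m)
			}
		}
	}
	return out, nil
}

func main() { // the claim and mapping below are constructed sample values
	fmt.Println(SyncRoles([]any{"coder-admin", "engineering"}, map[string][]string{"coder-admin": {"owner"}}))
}
```

Because the returned set replaces whatever the user held before, a role removed in the IdP is revoked at the next login, and a mapping entry that points outside the site-wide allow-list is ignored rather than granted.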
