Skip to content

docs: update external auth to better explain process #16027

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 13 commits into from
Jan 7, 2025
Merged

docs: update external auth to better explain process #16027

Show file tree
Hide file tree
Changes from 11 commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
2db695b
docs: update external auth to better explain process (#15970)
ChristopherJTrent Jan 3, 2025
625f3ba
Merge remote-tracking branch 'origin/main' into 15970-external-auth-u…
EdwardAngert Jan 3, 2025
096326d
make lint/fmt
EdwardAngert Jan 3, 2025
85b8e36
md alignment
EdwardAngert Jan 3, 2025
cc0939a
external-auth intro from setup/index
EdwardAngert Jan 3, 2025
1cba651
Merge remote-tracking branch 'origin/main' into 15970-external-auth-u…
EdwardAngert Jan 6, 2025
e84811c
abc git providers
EdwardAngert Jan 6, 2025
b1f32b5
git providers to tabs
EdwardAngert Jan 6, 2025
1af84ed
Revert "git providers to tabs"
EdwardAngert Jan 6, 2025
1782454
parent heading to git providers
EdwardAngert Jan 6, 2025
db03ea0
highlight oauth provider in intro
EdwardAngert Jan 6, 2025
30a4221
inc suggestions from review
EdwardAngert Jan 7, 2025
411fb43
add issue link and align example variables
EdwardAngert Jan 7, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
180 changes: 110 additions & 70 deletions docs/admin/external-auth.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,10 @@
# External Authentication

Coder supports external authentication via OAuth2.0. This allows enabling any OAuth provider as well as integrations with Git providers, such as GitHub, GitLab, and Bitbucket.

External authentication can also be used to integrate with external services
like JFrog Artifactory and others.

To add an external authentication provider, you'll need to create an OAuth
application. The following providers are supported:

Expand All @@ -9,14 +14,15 @@ application. The following providers are supported:
- [Azure DevOps](https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/oauth?view=azure-devops)
- [Azure DevOps (via Entra ID)](https://learn.microsoft.com/en-us/entra/architecture/auth-oauth2)

The next step is to configure the Coder server to use the OAuth application by
setting the following environment variables:
## Configuration

After you create an OAuth application, set environment variables to configure the Coder server to use it:

```env
CODER_EXTERNAL_AUTH_0_ID="<USER_DEFINED_ID>"
CODER_EXTERNAL_AUTH_0_TYPE=<github|gitlab|azure-devops|bitbucket-cloud|bitbucket-server|etc>
CODER_EXTERNAL_AUTH_0_CLIENT_ID=xxxxxx
CODER_EXTERNAL_AUTH_0_CLIENT_SECRET=xxxxxxx
CODER_EXTERNAL_AUTH_0_CLIENT_ID=<OAuth app client ID>
CODER_EXTERNAL_AUTH_0_CLIENT_SECRET=<OAuth app client secret>

# Optionally, configure a custom display name and icon
CODER_EXTERNAL_AUTH_0_DISPLAY_NAME="Google Calendar"
Expand All @@ -27,62 +33,62 @@ The `CODER_EXTERNAL_AUTH_0_ID` environment variable is used for internal
reference. Therefore, it can be set arbitrarily (e.g., `primary-github` for your
GitHub provider).

## GitHub
Add the following code to any template to add a button to the workspace setup page which will allow you to authenticate with your provider:

> If you don't require fine-grained access control, it's easier to configure a
> GitHub OAuth app!
```tf
data "coder_external_auth" "<github|gitlab|azure-devops|bitbucket-cloud|bitbucket-server|etc>" {
id = "<USER_DEFINED_ID>"
}

1. [Create a GitHub App](https://docs.github.com/en/apps/creating-github-apps/registering-a-github-app/registering-a-github-app)
# Github Example (CODER_EXTERNAL_AUTH_0_ID="github-auth")
# makes a github authentication token available at data.coder_external_auth.github.access_token
data "coder_external_auth" "github" {
id = "github-auth"
}

- Set the callback URL to
`https://coder.example.com/external-auth/USER_DEFINED_ID/callback`.
- Deactivate Webhooks.
- Enable fine-grained access to specific repositories or a subset of
permissions for security.
```

![Register GitHub App](../images/admin/github-app-register.png)
Inside your Terraform code, you now have access to authentication variables. Reference the documentation for your chosen provider for more information on how to supply it with a token.

2. Adjust the GitHub App permissions. You can use more or less permissions than
are listed here, this is merely a suggestion that allows users to clone
repositories:
### Workspace CLI

![Adjust GitHub App Permissions](../images/admin/github-app-permissions.png)
Use `coder external-auth` to access a token within the workspace:

| Name | Permission | Description |
|---------------|--------------|--------------------------------------------------------|
| Contents | Read & Write | Grants access to code and commit statuses. |
| Pull requests | Read & Write | Grants access to create and update pull requests. |
| Workflows | Read & Write | Grants access to update files in `.github/workflows/`. |
| Metadata | Read-only | Grants access to metadata written by GitHub Apps. |
| Members | Read-only | Grants access to organization members and teams. |
```shell
coder external-auth <USER_DEFINED_ID> access-token
```

3. Install the App for your organization. You may select a subset of
repositories to grant access to.
## Git-provider specific env variables

![Install GitHub App](../images/admin/github-app-install.png)
### Azure DevOps

Azure DevOps requires the following environment variables:

```env
CODER_EXTERNAL_AUTH_0_ID="USER_DEFINED_ID"
CODER_EXTERNAL_AUTH_0_TYPE=github
CODER_EXTERNAL_AUTH_0_ID="primary-azure-devops"
CODER_EXTERNAL_AUTH_0_TYPE=azure-devops
CODER_EXTERNAL_AUTH_0_CLIENT_ID=xxxxxx
# Ensure this value is your "Client Secret", not "App Secret"
CODER_EXTERNAL_AUTH_0_CLIENT_SECRET=xxxxxxx
CODER_EXTERNAL_AUTH_0_AUTH_URL="https://app.vssps.visualstudio.com/oauth2/authorize"
CODER_EXTERNAL_AUTH_0_TOKEN_URL="https://app.vssps.visualstudio.com/oauth2/token"
```

## GitHub Enterprise
### Azure DevOps (via Entra ID)

GitHub Enterprise requires the following environment variables:
Azure DevOps (via Entra ID) requires the following environment variables:

```env
CODER_EXTERNAL_AUTH_0_ID="primary-github"
CODER_EXTERNAL_AUTH_0_TYPE=github
CODER_EXTERNAL_AUTH_0_ID="primary-azure-devops"
CODER_EXTERNAL_AUTH_0_TYPE=azure-devops-entra
CODER_EXTERNAL_AUTH_0_CLIENT_ID=xxxxxx
CODER_EXTERNAL_AUTH_0_CLIENT_SECRET=xxxxxxx
CODER_EXTERNAL_AUTH_0_VALIDATE_URL="https://github.example.com/api/v3/user"
CODER_EXTERNAL_AUTH_0_AUTH_URL="https://github.example.com/login/oauth/authorize"
CODER_EXTERNAL_AUTH_0_TOKEN_URL="https://github.example.com/login/oauth/access_token"
CODER_EXTERNAL_AUTH_0_AUTH_URL="https://login.microsoftonline.com/<TENANT ID>/oauth2/authorize"
```

## Bitbucket Server
> Note: Your app registration in Entra ID requires the `vso.code_write` scope

### Bitbucket Server

Bitbucket Server requires the following environment variables:

Expand All @@ -94,35 +100,50 @@ CODER_EXTERNAL_AUTH_0_CLIENT_SECRET=xxx
CODER_EXTERNAL_AUTH_0_AUTH_URL=https://bitbucket.domain.com/rest/oauth2/latest/authorize
```

## Azure DevOps
### Gitea

Azure DevOps requires the following environment variables:
```env
CODER_EXTERNAL_AUTH_0_ID="gitea"
CODER_EXTERNAL_AUTH_0_TYPE=gitea
CODER_EXTERNAL_AUTH_0_CLIENT_ID=xxxxxxx
CODER_EXTERNAL_AUTH_0_CLIENT_SECRET=xxxxxxx
# If self managed, set the Auth URL to your Gitea instance
CODER_EXTERNAL_AUTH_0_AUTH_URL="https://gitea.com/login/oauth/authorize"
```

The Redirect URI for Gitea should be
`https://coder.company.org/external-auth/gitea/callback`.

### GitHub

<blockquote class="admonition tip">

If you don't require fine-grained access control, it's easier to [configure a GitHub OAuth app](#configure-a-github-oauth-app).

</blockquote>

```env
CODER_EXTERNAL_AUTH_0_ID="primary-azure-devops"
CODER_EXTERNAL_AUTH_0_TYPE=azure-devops
CODER_EXTERNAL_AUTH_0_ID="USER_DEFINED_ID"
CODER_EXTERNAL_AUTH_0_TYPE=github
CODER_EXTERNAL_AUTH_0_CLIENT_ID=xxxxxx
# Ensure this value is your "Client Secret", not "App Secret"
CODER_EXTERNAL_AUTH_0_CLIENT_SECRET=xxxxxxx
CODER_EXTERNAL_AUTH_0_AUTH_URL="https://app.vssps.visualstudio.com/oauth2/authorize"
CODER_EXTERNAL_AUTH_0_TOKEN_URL="https://app.vssps.visualstudio.com/oauth2/token"
```

## Azure DevOps (via Entra ID)
### GitHub Enterprise

Azure DevOps (via Entra ID) requires the following environment variables:
GitHub Enterprise requires the following environment variables:

```env
CODER_EXTERNAL_AUTH_0_ID="primary-azure-devops"
CODER_EXTERNAL_AUTH_0_TYPE=azure-devops-entra
CODER_EXTERNAL_AUTH_0_ID="primary-github"
CODER_EXTERNAL_AUTH_0_TYPE=github
CODER_EXTERNAL_AUTH_0_CLIENT_ID=xxxxxx
CODER_EXTERNAL_AUTH_0_CLIENT_SECRET=xxxxxxx
CODER_EXTERNAL_AUTH_0_AUTH_URL="https://login.microsoftonline.com/<TENANT ID>/oauth2/authorize"
CODER_EXTERNAL_AUTH_0_VALIDATE_URL="https://github.example.com/api/v3/user"
CODER_EXTERNAL_AUTH_0_AUTH_URL="https://github.example.com/login/oauth/authorize"
CODER_EXTERNAL_AUTH_0_TOKEN_URL="https://github.example.com/login/oauth/access_token"
```

> Note: Your app registration in Entra ID requires the `vso.code_write` scope

## GitLab self-managed
### GitLab self-managed

GitLab self-managed requires the following environment variables:

Expand All @@ -138,21 +159,11 @@ CODER_EXTERNAL_AUTH_0_TOKEN_URL="https://gitlab.company.org/oauth/token"
CODER_EXTERNAL_AUTH_0_REGEX=gitlab\.company\.org
```

## Gitea

```env
CODER_EXTERNAL_AUTH_0_ID="gitea"
CODER_EXTERNAL_AUTH_0_TYPE=gitea
CODER_EXTERNAL_AUTH_0_CLIENT_ID=xxxxxxx
CODER_EXTERNAL_AUTH_0_CLIENT_SECRET=xxxxxxx
# If self managed, set the Auth URL to your Gitea instance
CODER_EXTERNAL_AUTH_0_AUTH_URL="https://gitea.com/login/oauth/authorize"
```
### JFrog Artifactory

The Redirect URI for Gitea should be
`https://coder.company.org/external-auth/gitea/callback`.
Visit the [JFrog Artifactory](../admin/integrations/jfrog-artifactory.md) guide for instructions on how to set up for JFrog Artifactory.

## Self-managed git providers
## Self-managed Git providers

Custom authentication and token URLs should be used for self-managed Git
provider deployments.
Expand All @@ -166,10 +177,6 @@ CODER_EXTERNAL_AUTH_0_REGEX=github\.company\.org

> Note: The `REGEX` variable must be set if using a custom git domain.

## JFrog Artifactory

Visit the [JFrog Artifactory](../admin/integrations/jfrog-artifactory.md) guide for instructions on how to set up for JFrog Artifactory.

## Custom scopes

Optionally, you can request custom scopes:
Expand All @@ -178,6 +185,39 @@ Optionally, you can request custom scopes:
CODER_EXTERNAL_AUTH_0_SCOPES="repo:read repo:write write:gpg_key"
```

## OAuth provider

### Configure a GitHub OAuth app

1. [Create a GitHub App](https://docs.github.com/en/apps/creating-github-apps/registering-a-github-app/registering-a-github-app)

- Set the callback URL to
`https://coder.example.com/external-auth/USER_DEFINED_ID/callback`.
- Deactivate Webhooks.
- Enable fine-grained access to specific repositories or a subset of
permissions for security.

![Register GitHub App](../images/admin/github-app-register.png)

1. Adjust the GitHub app permissions. You can use more or fewer permissions than
are listed here, this example allows users to clone
repositories:

![Adjust GitHub App Permissions](../images/admin/github-app-permissions.png)

| Name | Permission | Description |
|---------------|--------------|--------------------------------------------------------|
| Contents | Read & Write | Grants access to code and commit statuses. |
| Pull requests | Read & Write | Grants access to create and update pull requests. |
| Workflows | Read & Write | Grants access to update files in `.github/workflows/`. |
| Metadata | Read-only | Grants access to metadata written by GitHub Apps. |
| Members | Read-only | Grants access to organization members and teams. |

1. Install the App for your organization. You may select a subset of
repositories to grant access to.

![Install GitHub App](../images/admin/github-app-install.png)

## Multiple External Providers

<blockquote class="info">
Expand Down
54 changes: 26 additions & 28 deletions docs/admin/setup/index.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,7 +52,7 @@ a wildcard subdomain that resolves to Coder (e.g. `*.coder.example.com`).
If you are providing TLS certificates directly to the Coder server, either

1. Use a single certificate and key for both the root and wildcard domains.
2. Configure multiple certificates and keys via
1. Configure multiple certificates and keys via
[`coder.tls.secretNames`](https://github.com/coder/coder/blob/main/helm/coder/values.yaml)
in the Helm Chart, or
[`--tls-cert-file`](../../reference/cli/server.md#--tls-cert-file) and
Expand All @@ -78,29 +78,27 @@ working directory prior to step 1.

1. Create the TLS secret in your Kubernetes cluster

```shell
kubectl create secret tls coder-tls -n <coder-namespace> --key="tls.key" --cert="tls.crt"
```
```shell
kubectl create secret tls coder-tls -n <coder-namespace> --key="tls.key" --cert="tls.crt"
```

> You can use a single certificate for the both the access URL and wildcard
> access URL. The certificate CN must match the wildcard domain, such as
> `*.example.coder.com`.
You can use a single certificate for the both the access URL and wildcard access URL. The certificate CN must match the wildcard domain, such as `*.example.coder.com`.

1. Reference the TLS secret in your Coder Helm chart values

```yaml
coder:
tls:
secretName:
- coder-tls

# Alternatively, if you use an Ingress controller to terminate TLS,
# set the following values:
ingress:
enable: true
secretName: coder-tls
wildcardSecretName: coder-tls
```
```yaml
coder:
tls:
secretName:
- coder-tls

# Alternatively, if you use an Ingress controller to terminate TLS,
# set the following values:
ingress:
enable: true
secretName: coder-tls
wildcardSecretName: coder-tls
```

## PostgreSQL Database

Expand All @@ -115,7 +113,7 @@ If you are using the built-in PostgreSQL deployment and need to use `psql` (aka
the PostgreSQL interactive terminal), output the connection URL with the
following command:

```console
```shell
coder server postgres-builtin-url
psql "postgres://coder@localhost:49627/coder?sslmode=disable&password=feU...yI1"
```
Expand All @@ -126,13 +124,13 @@ To migrate from the built-in database to an external database, follow these
steps:

1. Stop your Coder deployment.
2. Run `coder server postgres-builtin-serve` in a background terminal.
3. Run `coder server postgres-builtin-url` and copy its output command.
4. Run `pg_dump <built-in-connection-string> > coder.sql` to dump the internal
1. Run `coder server postgres-builtin-serve` in a background terminal.
1. Run `coder server postgres-builtin-url` and copy its output command.
1. Run `pg_dump <built-in-connection-string> > coder.sql` to dump the internal
database to a file.
5. Restore that content to an external database with
1. Restore that content to an external database with
`psql <external-connection-string> < coder.sql`.
6. Start your Coder deployment with
1. Start your Coder deployment with
`CODER_PG_CONNECTION_URL=<external-connection-string>`.

## Configuring Coder behind a proxy
Expand All @@ -144,7 +142,7 @@ To configure Coder behind a corporate proxy, set the environment variables
## External Authentication

Coder supports external authentication via OAuth2.0. This allows enabling
integrations with git providers, such as GitHub, GitLab, and Bitbucket etc.
integrations with Git providers, such as GitHub, GitLab, and Bitbucket.

External authentication can also be used to integrate with external services
like JFrog Artifactory and others.
Expand All @@ -154,5 +152,5 @@ more information.

## Up Next

- [Learn how to setup and manage templates](../templates/index.md)
- [Setup and manage templates](../templates/index.md)
- [Setup external provisioners](../provisioners.md)
Loading