docs: add more specific steps and information about oidc refresh tokens #18336
Conversation
ff568a1 to
566fe99
Compare
|
Can we update the release notes to point to this documentation once it's merged? |
d3ac4ea to
e69afa5
Compare
|
|
||
| By combining the `{"access_type":"offline"}` parameter in the OIDC Auth URL with | ||
| the `offline_access` scope, you can achieve the desired behavior of obtaining | ||
| refresh tokens for offline access to the user's resources. |
There was a problem hiding this comment.
I think this corresponds to
CODER_OIDC_AUTH_URL_PARAMS='{"access_type": "offline"}'which might be helpful as an example
There was a problem hiding this comment.
There was a problem hiding this comment.
It defaults, but an explicit value in CODER_OIDC_AUTH_URL_PARAMS overrides it.
|
|
||
| ### Refresh Tokens Not Working After Configuration Change | ||
|
|
||
| **Symptoms**: Hourly timeouts, even after adding `offline_access` |
There was a problem hiding this comment.
So, after successfully configuring refresh tokens, users will get logged out early up to one more time. Once they reauthenticate they should get the refresh token---so if users are continuing to get "hourly timeouts" (plural), then refresh tokens are still misconfigured.
There was a problem hiding this comment.
added:
Users might get logged out again before the new configuration takes effect completely.but I'm about to move it to the end of the next FAQ
There was a problem hiding this comment.
We actually had this same problem for external auth awhile back. Debugging it was a challenge, so I added this to the UI to indicate if refresh is enabled. Maybe we should do something similar for the prrimary auth
|
|
||
| 1. Check that `offline_access` is included in your `CODER_OIDC_SCOPES` | ||
| 1. Verify users can stay logged in beyond Okta's access token lifetime (typically one hour) | ||
| 1. Monitor Coder logs for any OIDC refresh errors during token renewal |
There was a problem hiding this comment.
If they have access to the database, and it is not encrypted, then they can check the user_links table and verify that there are entries in the oauth_refresh_token column.
Getting these instructions doesn't need to block merging.
There was a problem hiding this comment.
I think we should add something produce side in the UI that could tell if refresh is enabled at least on a per user basis.
|
|
||
| ### Refresh Tokens Not Working After Configuration Change | ||
|
|
||
| **Symptoms**: Hourly timeouts, even after adding `offline_access` |
There was a problem hiding this comment.
added:
Users might get logged out again before the new configuration takes effect completely.but I'm about to move it to the end of the next FAQ
closes #18307
relates to #18318
preview:
(not sure why @Emyrk 's photo is so huge there though)✔️to do:
convert some paragraphs to OLcalling this out of scope for now