Skip to content

docs: add more specific steps and information about oidc refresh tokens #18336

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 20 commits into from
Jun 16, 2025
Merged

docs: add more specific steps and information about oidc refresh tokens #18336

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
20 commits
Select commit Hold shift + click to select a range
56158b8
add offline_access scope
EdwardAngert Jun 11, 2025
566fe99
md fixes and lots of offline_access notes
EdwardAngert Jun 11, 2025
2f07f99
Merge branch 'main' into 18307-refresh-tokens
EdwardAngert Jun 12, 2025
e69afa5
move external auth to own directory
EdwardAngert Jun 12, 2025
1030bd6
Merge branch 'main' into 18307-refresh-tokens
EdwardAngert Jun 12, 2025
7a92bde
relative link
EdwardAngert Jun 12, 2025
290b8ab
new refresh tokens doc
EdwardAngert Jun 12, 2025
2a816e6
Merge branch 'main' into 18307-refresh-tokens
EdwardAngert Jun 12, 2025
a92ad17
put the comma back
EdwardAngert Jun 12, 2025
cc0e46f
move refresh tokens to oidc
EdwardAngert Jun 13, 2025
d951736
add azure and pf, reorg doc
EdwardAngert Jun 13, 2025
0438aad
token config troubleshooting clarify
EdwardAngert Jun 13, 2025
bbbd751
md lint ignore heading levels
EdwardAngert Jun 13, 2025
2618ffa
remove from idp-sync
EdwardAngert Jun 13, 2025
4dedaf1
add configure section to oidc-auth
EdwardAngert Jun 13, 2025
5d863cc
Merge branch 'main' into 18307-refresh-tokens
EdwardAngert Jun 13, 2025
2ef836d
relative links
EdwardAngert Jun 13, 2025
f737eb5
remove note because it doesn't like being nested
EdwardAngert Jun 13, 2025
6ad5822
Merge branch 'main' into 18307-refresh-tokens
EdwardAngert Jun 16, 2025
1984341
separate general/google in troubleshooting
EdwardAngert Jun 16, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
new refresh tokens doc
  • Loading branch information
@EdwardAngert
EdwardAngert committed Jun 12, 2025
commit 290b8ab136f7db33242926d3559a93c272bca091
62 changes: 62 additions & 0 deletions docs/admin/external-auth/refresh-tokens.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,62 @@
# Configure OIDC refresh tokens

<div class="tabs">

## Google

To ensure Coder receives a refresh token when users authenticate with Google
directly, set the `prompt` to `consent` in the auth URL parameters. Without
this, users will be logged out after 1 hour.

In your Coder configuration:

```shell
CODER_OIDC_AUTH_URL_PARAMS='{"access_type": "offline", "prompt": "consent"}'
```

## Keycloak

The `access_type` parameter has two possible values: `online` and `offline`.
By default, the value is set to `offline`.

This means that when a user authenticates using OIDC, the application requests
offline access to the user's resources, including the ability to refresh access
tokens without requiring the user to reauthenticate.

To enable the `offline_access` scope which allows for the refresh token
functionality, you need to add it to the list of requested scopes during the
authentication flow.
Including the `offline_access` scope in the requested scopes ensures that the
user is granted the necessary permissions to obtain refresh tokens.

By combining the `{"access_type":"offline"}` parameter in the OIDC Auth URL with
the `offline_access` scope, you can achieve the desired behavior of obtaining
refresh tokens for offline access to the user's resources.

</div>

## Troubleshooting OIDC refresh tokens

### Users Are Logged Out Every Hour

**Symptoms**: Users experience session timeouts approximately every hour and must re-authenticate
**Cause**: Missing `offline_access` scope in `CODER_OIDC_SCOPES`
**Solution**:

1. Add `offline_access` to your `CODER_OIDC_SCOPES` configuration
1. Restart your Coder deployment
1. All existing users must logout and login once to receive refresh tokens

### Refresh Tokens Not Working After Configuration Change

**Symptoms**: Hourly timeouts, even after adding `offline_access`
**Cause**: Existing user sessions don't have refresh tokens stored
**Solution**: Users must logout and login again to get refresh tokens stored in the database

### Verify Refresh Token Configuration

To confirm that refresh tokens are working correctly:

1. Check that `offline_access` is included in your `CODER_OIDC_SCOPES`
1. Verify users can stay logged in beyond Okta's access token lifetime (typically one hour)
1. Monitor Coder logs for any OIDC refresh errors during token renewal
8 changes: 7 additions & 1 deletion docs/admin/users/idp-sync.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -517,7 +517,7 @@ Steps to troubleshoot.

## Provider-Specific Guides

Below are some details specific to individual OIDC providers.
<div class="tabs">

### Active Directory Federation Services (ADFS)

Expand Down Expand Up @@ -579,6 +579,8 @@ Below are some details specific to individual OIDC providers.

### Keycloak

<!-- copied in refresh-tokens.md. make changes there too. -->

The `access_type` parameter has two possible values: `online` and `offline`.
By default, the value is set to `offline`.

Expand All @@ -598,6 +600,8 @@ refresh tokens for offline access to the user's resources.

### Google

<!-- copied in refresh-tokens.md. make changes there too. -->

To ensure Coder receives a refresh token when users authenticate with Google
directly, set the `prompt` to `consent` in the auth URL parameters. Without
this, users will be logged out after 1 hour.
Expand All @@ -607,3 +611,5 @@ In your Coder configuration:
```shell
CODER_OIDC_AUTH_URL_PARAMS='{"access_type": "offline", "prompt": "consent"}'
```

</div>
9 changes: 8 additions & 1 deletion docs/manifest.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -590,7 +590,14 @@
"title": "External Authentication",
"description": "Learn how to configure external authentication",
"path": "./admin/external-auth/index.md",
"icon_path": "./images/icons/plug.svg"
"icon_path": "./images/icons/plug.svg",
"children": [
{
"title": "Configure OIDC refresh tokens",
"description": "How to configure OIDC refresh tokens"
"path": "./admin/external-auth/refresh-tokens.md"
}
]
},
{
"title": "Integrations",
Expand Down
Loading