chore: add warning log if misconfigured groups oidc #7874


Merged: 6 commits, Jun 8, 2023
Add docs
Emyrk committed Jun 6, 2023
commit 2d3b335873d4b79a2a8cedc374a2000649902eb5
11 changes: 10 additions & 1 deletion docs/admin/auth.md
Expand Up @@ -231,7 +231,7 @@ CODER_TLS_CLIENT_KEY_FILE=/path/to/key.pem
If your OpenID Connect provider supports group claims, you can configure Coder
to synchronize groups in your auth provider to groups within Coder.

To enable group sync, ensure that the `groups` claim is set. If group sync is
To enable group sync, ensure that the `groups` claim is set by adding the correct scope to request. If group sync is
enabled, the user's groups will be controlled by the OIDC provider. This means
manual group additions/removals will be overwritten on the next login.

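Review bot: the rewritten sentence drops an article: "by adding the correct scope to request" should read "by adding the correct scope to the request". Since the next block shows `groups` being added to `CODER_OIDC_SCOPES`, naming that scope here ("by adding the `groups` scope to the request") would make the sentence self-contained for readers who skim.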
Expand All @@ -242,6 +242,15 @@ CODER_OIDC_SCOPES=openid,profile,email,groups
--oidc-scopes openid,profile,email,groups
```

With the `groups` scope requested, we also need to map the `groups` claim name. Coder recommends using `groups` for the claim name. This step is necessary if your **scope's name** is something other than `groups`.

```console
# as an environment variable
CODER_OIDC_GROUP_FIELD=groups
# as a flag
--oidc-group-field groups
```

On login, users will automatically be assigned to groups that have matching
names in Coder and removed from groups that the user no longer belongs to.
