feat: synchronize oidc user roles #8595

Merged
merged 22 commits into from
Jul 24, 2023

Conversation

@Emyrk Emyrk (Member) commented Jul 19, 2023

Closes #7470

What this does

Pulls the user's roles from the OIDC claims. Works almost identically to the group sync.

Role mapping is 1:many. So 1 role in OIDC can map to multiple coder roles.

--oidc-user-role-mapping='{"TemplateAuthors":["template-admin","user-admin"]}'

A new entitlement was added to control this feature.

Behaviors

  • If you log in, but the roles claim is missing, you will be demoted to a member. This is because there is no way to distinguish between an empty list claim and a missing claim. So turning on this feature with a bad OIDC config could revert all members on the site to members.
  • If you try to manually update an OIDC user's roles with this turned on, you will get an error.

Edit roles

You cannot manually assign roles to OIDC users since it is now controlled by this user role sync.

Screenshot from 2023-07-19 14-27-31

Users page

(@BrunoQuaresma might want to style this later)

Screenshot from 2023-07-19 16-06-17

Screenshot from 2023-07-19 16-06-37

Log message if extra roles provided

[API] 2023-07-19 17:30:42.248 [debu]  coderd.userauth: OIDC roles ignored in assignment  user_id=5b775ca4-4d4a-4f3f-964e-356b9634f040  request_id=659d77bd-a472-4142-a9af-2ebbf6397fbf ignored=[TemplateAuthors]  assigned=[]
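As an added illustration of the mapping and fallback behaviours described above (this is example code written for this page, not code from the PR or from coder itself), here is a Go sketch of the sync step. It assumes a fixed set of assignable site roles and that a claim value with no mapping entry is tried literally as a role name; the real implementation may differ.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed for this example: site roles that sync may assign.
// Anything else is reported as ignored, never assigned.
var assignableRoles = map[string]bool{"template-admin": true, "user-admin": true, "auditor": true}
// SyncResult is the outcome of one login's role sync.
type SyncResult struct {
	Assigned map[string]bool // coder roles the user ends up with
	Ignored  []string        // names that matched no assignable role
	Demoted  bool            // roles claim absent: user falls back to plain member
}
// syncRoles applies the 1:many mapping from --oidc-user-role-mapping to the
// roles claim of a decoded ID token. A claim value with no mapping entry is
// taken literally as a role name (an assumption made for this example).
func syncRoles(mappingJSON string, claims map[string]any, roleClaim string) (SyncResult, error) {
	var mapping map[string][]string
	if err := json.Unmarshal([]byte(mappingJSON), &mapping); err != nil {
		return SyncResult{}, fmt.Errorf("parse role mapping: %w", err)
	}
	res := SyncResult{Assigned: map[string]bool{}, Ignored: []string{}}
	raw, ok := claims[roleClaim]
	if !ok { // missing and empty claims are indistinguishable: both yield no roles
		res.Demoted = true
		return res, nil
	}
	values, ok := raw.([]any)
	if !ok {
		return res, fmt.Errorf("claim %q is not a list", roleClaim)
	}
	for _, v := range values {
		name, _ := v.(string)
		targets, mapped := mapping[name]
		if !mapped {
			targets = []string{name}
		}
		for _, t := range targets {
			if assignableRoles[t] {
				res.Assigned[t] = true
			} else {
				res.Ignored = append(res.Ignored, t)
			}
		}
	}
	return res, nil
}
```

With an empty mapping and a claim of `["TemplateAuthors"]` the result is `ignored=[TemplateAuthors] assigned=[]`, the same shape as the log line above.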

User roles come from oidc claims. Prevent manual user role changes
if set.
@Emyrk Emyrk changed the title feat: oidc user role sync feat: synchronize oidc user roles Jul 19, 2023
@@ -45,6 +45,7 @@ type User struct {
OrganizationIDs []uuid.UUID `json:"organization_ids" format:"uuid"`
Roles []Role `json:"roles"`
AvatarURL string `json:"avatar_url" format:"uri"`
LoginType LoginType `json:"login_type"`
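Review bot: the new `LoginType LoginType `json:"login_type"`` field is added to the exported `User` struct without a doc comment, while its neighbours carry `format:` tags that feed the generated API docs; add a comment saying what the field means and which values it can take, since the PR description relies on it to decide whether role editing is allowed for OIDC accounts. It is also worth recording, in the field comment or the API docs, that the value is only returned to callers permitted to read users, because the justification for exposing the authentication method of every account rests on that restriction.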
@Emyrk Emyrk (Member, Author) commented on the diff:
I am adding LoginType to the /users struct.

This issue is being resolved soon with some open PRs I have: #5002

With this change, only admins can read users, so exposing this field is ok.
This solves some UI issues with this PR on not allowing role changing, and showing login type here: #8346

@Emyrk Emyrk marked this pull request as ready for review July 19, 2023 20:24
@Emyrk Emyrk requested a review from coadler July 20, 2023 17:31
Review threads on coderd/userauth.go and codersdk/deployment.go were marked outdated and resolved.
@Emyrk Emyrk merged commit f827829 into main Jul 24, 2023
22 checks passed
@Emyrk Emyrk deleted the stevenmasley/oidc_role_sync branch July 24, 2023 12:34
@github-actions github-actions bot locked and limited conversation to collaborators Jul 24, 2023
Linked issue (closed by this PR): Automatically sync roles from identity providers to Coder roles (#7470)