feat: add support for capturing id token returned by Azure OIDC login #20991
Reported by ent customer on ticket 4688. Related thread: https://codercom.slack.com/archives/C014JH42DBJ/p1763983935459739
This PR adds the `oauth_id_token` column to the `user_links` table and has Coder capture and store the `id_token` returned by Azure as part of the OIDC login process in the new column. This is needed because Azure provides both an `access_token` and an `id_token` value in its response to coderd, but the access token is a v1 token whose audience and issuer correspond to Microsoft Graph, while the id token is issued against the customer tenant.

The reasoning behind this is that the access token / v1 Graph token can only be validated by Microsoft, which means that when other services within Coder make use of the Azure OIDC token, such as authenticating to Vault, this fails. Authenticating manually (decrypting TLS, capturing the `id_token` from the Azure response) using the `id_token` works as desired.

Ref: https://github.com/coder/registry/blob/main/registry/coder/modules/vault-jwt/main.tf#L62 and https://github.com/coder/registry/blob/main/registry/coder/modules/vault-jwt/run.sh#L119
The second half of this is a Terraform provider update - coder/terraform-provider-coder#471
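The following is an added example, not code from this PR or from the Coder repository. It shows the token-selection problem the description raises: Azure's token endpoint returns two JWTs, and only the one whose `iss`/`aud` match the customer tenant and the Coder app registration can satisfy a downstream verifier such as Vault's JWT auth method. The sample token response is constructed inline with placeholder tenant and client IDs and fake signatures; `ParseTokenResponse`, `UnverifiedClaims` and `TokenForRelyingParty` are names chosen for the example. Decoding claims without verifying the signature is used here only to decide which token to forward; the relying party still verifies the signature against the issuer's JWKS.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// TokenResponse holds the two fields of Azure's token-endpoint reply that matter here.
type TokenResponse struct {
	AccessToken string `json:"access_token"`
	IDToken     string `json:"id_token"`
}

// Claims are the JWT claims a downstream verifier (e.g. Vault's JWT auth) binds on.
// "aud" may be a string or an array (RFC 7519 section 4.1.3), so it is kept raw.
type Claims struct {
	Issuer   string          `json:"iss"`
	Audience json.RawMessage `json:"aud"`
	Version  string          `json:"ver"` // Azure-specific: "1.0" or "2.0"
}

// Audiences normalises the aud claim to a slice of strings.
func (c Claims) Audiences() []string {
	var one string
	if json.Unmarshal(c.Audience, &one) == nil {
		return []string{one}
	}
	var many []string
	_ = json.Unmarshal(c.Audience, &many)
	return many
}

// ParseTokenResponse decodes the token body and insists that an id_token was returned.
func ParseTokenResponse(body []byte) (TokenResponse, error) {
	var r TokenResponse
	if err := json.Unmarshal(body, &r); err != nil {
		return TokenResponse{}, fmt.Errorf("token response: %w", err)
	}
	if r.IDToken == "" {
		return TokenResponse{}, errors.New("token response carries no id_token")
	}
	return r, nil
}

// UnverifiedClaims decodes a compact JWS payload WITHOUT checking its signature.
// That is enough to decide which token to forward; the relying party still verifies it.
func UnverifiedClaims(token string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("not a compact JWS (want header.payload.signature)")
	}
	payload, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(parts[1], "="))
	if err != nil {
		return Claims{}, fmt.Errorf("decode payload: %w", err)
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return Claims{}, fmt.Errorf("parse claims: %w", err)
	}
	return c, nil
}

// TokenForRelyingParty returns the name and value of the token in resp whose iss and aud
// match what the downstream verifier expects, or an error if neither token qualifies.
func TokenForRelyingParty(resp TokenResponse, wantIssuer, wantAudience string) (string, string, error) {
	for _, cand := range []struct{ name, value string }{
		{"access_token", resp.AccessToken}, {"id_token", resp.IDToken},
	} {
		claims, err := UnverifiedClaims(cand.value)
		if err != nil || claims.Issuer != wantIssuer {
			continue // opaque, malformed, or issued by someone else
		}
		for _, aud := range claims.Audiences() {
			if aud == wantAudience {
				return cand.name, cand.value, nil
			}
		}
	}
	return "", "", fmt.Errorf("no token issued by %q for audience %q", wantIssuer, wantAudience)
}

// Constructed placeholders for the demo; a real deployment has its own tenant and app IDs.
const (
	sampleTenant   = "11111111-2222-3333-4444-555555555555"
	sampleClientID = "66666666-7777-8888-9999-aaaaaaaaaaaa"
	sampleIssuerV2 = "https://login.microsoftonline.com/" + sampleTenant + "/v2.0"
)

// mintFakeJWT assembles header.payload.signature with a placeholder signature so the sample
// is self-contained. It is not a real token and must never be used as one.
func mintFakeJWT(claims map[string]any) string {
	enc := func(v any) string { b, _ := json.Marshal(v); return base64.RawURLEncoding.EncodeToString(b) }
	return enc(map[string]string{"alg": "RS256", "typ": "JWT", "kid": "constructed"}) + "." +
		enc(claims) + "." + base64.RawURLEncoding.EncodeToString([]byte("not-a-signature"))
}

// SampleAzureResponse mimics the shape the PR describes: a v1 token for Microsoft Graph
// plus a v2 id_token issued by the customer tenant for the Coder app registration.
func SampleAzureResponse() []byte {
	body, _ := json.Marshal(TokenResponse{
		AccessToken: mintFakeJWT(map[string]any{"iss": "https://sts.windows.net/" + sampleTenant + "/", "aud": "https://graph.microsoft.com", "ver": "1.0"}),
		IDToken:     mintFakeJWT(map[string]any{"iss": sampleIssuerV2, "aud": sampleClientID, "ver": "2.0"}),
	})
	return body
}

func main() {
	resp, err := ParseTokenResponse(SampleAzureResponse())
	if err != nil {
		panic(err)
	}
	name, _, err := TokenForRelyingParty(resp, sampleIssuerV2, sampleClientID)
	if err != nil {
		panic(err)
	}
	fmt.Println("forward to Vault:", name) // id_token; the Graph access token never matches
}
```

Run with `go run .`: the v1 access token is skipped because its issuer is `sts.windows.net` and its audience is Microsoft Graph, so the id_token is the only candidate that can pass a Vault role bound to the tenant's v2 issuer and the app's client ID. This matches the manual observation in the description that authenticating with the captured `id_token` works where the access token does not.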