coder · rowansmithau · Nov 25, 2025
diff --git a/docs/data-sources/external_auth.md b/docs/data-sources/external_auth.md
@@ -21,7 +21,7 @@ data "coder_external_auth" "github" {
 }
 
 data "coder_external_auth" "azure-identity" {
-  id       = "azure-identiy"
+  id       = "azure-identity"
   optional = true
 }
 ```

diff --git a/docs/data-sources/workspace_owner.md b/docs/data-sources/workspace_owner.md
@@ -53,6 +53,7 @@ resource "coder_env" "git_author_email" {
 - `login_type` (String) The type of login the user has.
 - `name` (String) The username of the user.
 - `oidc_access_token` (String, Sensitive) A valid OpenID Connect access token of the workspace owner. This is only available if the workspace owner authenticated with OpenID Connect. If a valid token cannot be obtained, this value will be an empty string.
+- `oidc_id_token` (String, Sensitive) A valid OpenID Connect ID token of the workspace owner. This is only available if the workspace owner authenticated with OpenID Connect. If a valid token cannot be obtained, this value will be an empty string.
 - `rbac_roles` (List of Object) The RBAC roles of which the user is assigned. (see [below for nested schema](#nestedatt--rbac_roles))
 - `session_token` (String, Sensitive) Session token for authenticating with a Coder deployment. It is regenerated every time a workspace is started.
 - `ssh_private_key` (String, Sensitive) The user's generated SSH private key.

diff --git a/docs/resources/app.md b/docs/resources/app.md
@@ -61,7 +61,7 @@ resource "coder_app" "vim" {
 
 ### Optional
 
-- `command` (String) A command to run in a terminal opening this app. In the web, this will open in a new tab. In the CLI, this will SSH and execute the command. Either `command` or `url` may be specified, but not both.
+- `command` (String) A command to run in a terminal opening this app. In the web, this will open in a new tab. In the CLI, this will SSH and execute the command. Either `command` or `url` may be specified, but not both. Conflicts with `subdomain`.
 - `display_name` (String) A display name to identify the app. Defaults to the slug.
 - `external` (Boolean) Specifies whether `url` is opened on the client machine instead of proxied through the workspace.
 - `group` (String) The name of a group that this app belongs to.

diff --git a/provider/workspace_owner.go b/provider/workspace_owner.go
@@ -54,6 +54,7 @@ func workspaceOwnerDataSource() *schema.Resource {
 
 			_ = rd.Set("session_token", os.Getenv("CODER_WORKSPACE_OWNER_SESSION_TOKEN"))
 			_ = rd.Set("oidc_access_token", os.Getenv("CODER_WORKSPACE_OWNER_OIDC_ACCESS_TOKEN"))
+			_ = rd.Set("oidc_id_token", os.Getenv("CODER_WORKSPACE_OWNER_OIDC_ID_TOKEN"))
 
 			if loginType := os.Getenv("CODER_WORKSPACE_OWNER_LOGIN_TYPE"); loginType != "" {
 				_ = rd.Set("login_type", loginType)
@@ -123,6 +124,14 @@ func workspaceOwnerDataSource() *schema.Resource {
 					"If a valid token cannot be obtained, this value will be an empty string.",
 				Sensitive: true,
 			},
+			"oidc_id_token": {
+				Type:     schema.TypeString,
+				Computed: true,
+				Description: "A valid OpenID Connect ID token of the workspace owner. " +
+					"This is only available if the workspace owner authenticated with OpenID Connect. " +
+					"If a valid token cannot be obtained, this value will be an empty string.",
+				Sensitive: true,
+			},
 			"login_type": {
 				Type:        schema.TypeString,
 				Computed:    true,

diff --git a/provider/workspace_owner_test.go b/provider/workspace_owner_test.go
@@ -33,6 +33,7 @@ func TestWorkspaceOwnerDatasource(t *testing.T) {
 		t.Setenv("CODER_WORKSPACE_OWNER_GROUPS", `["group1", "group2"]`)
 		t.Setenv("CODER_WORKSPACE_OWNER_SESSION_TOKEN", `supersecret`)
 		t.Setenv("CODER_WORKSPACE_OWNER_OIDC_ACCESS_TOKEN", `alsosupersecret`)
+		t.Setenv("CODER_WORKSPACE_OWNER_OIDC_ID_TOKEN", `yetanothersecret`)
 		t.Setenv("CODER_WORKSPACE_OWNER_LOGIN_TYPE", `github`)
 		t.Setenv("CODER_WORKSPACE_OWNER_RBAC_ROLES", `[{"name":"member","org_id":"00000000-0000-0000-0000-000000000000"}]`)
 
@@ -61,6 +62,7 @@ func TestWorkspaceOwnerDatasource(t *testing.T) {
 					assert.Equal(t, `group2`, attrs["groups.1"])
 					assert.Equal(t, `supersecret`, attrs["session_token"])
 					assert.Equal(t, `alsosupersecret`, attrs["oidc_access_token"])
+					assert.Equal(t, `yetanothersecret`, attrs["oidc_id_token"])
 					assert.Equal(t, `github`, attrs["login_type"])
 					assert.Equal(t, `member`, attrs["rbac_roles.0.name"])
 					assert.Equal(t, `00000000-0000-0000-0000-000000000000`, attrs["rbac_roles.0.org_id"])
@@ -79,6 +81,7 @@ func TestWorkspaceOwnerDatasource(t *testing.T) {
 			"CODER_WORKSPACE_OWNER_SESSION_TOKEN",
 			"CODER_WORKSPACE_OWNER_GROUPS",
 			"CODER_WORKSPACE_OWNER_OIDC_ACCESS_TOKEN",
+			"CODER_WORKSPACE_OWNER_OIDC_ID_TOKEN",
 			"CODER_WORKSPACE_OWNER_SSH_PUBLIC_KEY",
 			"CODER_WORKSPACE_OWNER_SSH_PRIVATE_KEY",
 			"CODER_WORKSPACE_OWNER_LOGIN_TYPE",
@@ -112,6 +115,7 @@ func TestWorkspaceOwnerDatasource(t *testing.T) {
 					assert.Empty(t, attrs["groups.0"])
 					assert.Empty(t, attrs["session_token"])
 					assert.Empty(t, attrs["oidc_access_token"])
+					assert.Empty(t, attrs["oidc_id_token"])
 					assert.Empty(t, attrs["login_type"])
 					assert.Empty(t, attrs["rbac_roles.0"])
 					return nil