
Commit efdaaa2

authored
chore: add oidc redirect url to override access url (#21521)
If a deployment has 2 domains, overriding the OIDC redirect URL allows the OIDC redirect to differ from the access_url. In response to #21500. **This config setting is hidden by default.**
1 parent e5f64eb commit efdaaa2

8 files changed

Lines changed: 109 additions & 0 deletions


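--- a/cli/server.go
+++ b/cli/server.go
@@ -137,6 +137,15 @@ func createOIDCConfig(ctx context.Context, logger slog.Logger, vals *codersdk.De
 	if err != nil {
 		return nil, xerrors.Errorf("parse oidc oauth callback url: %w", err)
 	}
+
+	if vals.OIDC.RedirectURL.String() != "" {
+		redirectURL, err = vals.OIDC.RedirectURL.Value().Parse("/api/v2/users/oidc/callback")
+		if err != nil {
+			return nil, xerrors.Errorf("parse oidc redirect url %q", err)
+		}
+		logger.Warn(ctx, "custom OIDC redirect URL used instead of 'access_url', ensure this matches the value configured in your OIDC provider")
+	}
+
 	// If the scopes contain 'groups', we enable group support.
 	// Do not override any custom value set by the user.
 	if slice.Contains(vals.OIDC.Scopes, "groups") && vals.OIDC.GroupField == "" {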
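Review bot: The new error return `return nil, xerrors.Errorf("parse oidc redirect url %q", err)` formats the cause with `%q` instead of wrapping it, so `errors.Is`/`errors.As` no longer see the underlying parse error and the message style differs from the `%w` used three lines earlier for the access-URL case; change it to `return nil, xerrors.Errorf("parse oidc redirect url: %w", err)`. Separately, `Parse("/api/v2/users/oidc/callback")` against the override succeeds for a scheme-less or host-less value, yielding a relative redirect URL that the provider will reject at the redirect_uri check; unless serpent.URL already enforces an absolute URL, a guard such as `if u := vals.OIDC.RedirectURL.Value(); u.Scheme == "" || u.Host == "" { return nil, xerrors.New("oidc redirect url must be an absolute URL") }` before the Parse would fail fast at startup instead of at first login. The body of createOIDCConfig starts and ends outside the hunk.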

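--- a/cli/testdata/server-config.yaml.golden
+++ b/cli/testdata/server-config.yaml.golden
@@ -421,6 +421,11 @@ oidc:
   # an insecure OIDC configuration. It is not recommended to use this flag.
   # (default: <unset>, type: bool)
   dangerousSkipIssuerChecks: false
+  # Optional override of the default redirect url which uses the deployment's access
+  # url. Useful in situations where a deployment has more than 1 domain. Using this
+  # setting can also break OIDC, so use with caution.
+  # (default: <unset>, type: url)
+  oidc-redirect-url:
 # Telemetry is critical to our ability to improve Coder. We strip all personal
 # information before sending data to our servers. Please only disable telemetry
 # when required by your organization's security policy.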

coderd/apidoc/docs.go

Lines changed: 8 additions & 0 deletions

coderd/apidoc/swagger.json

Lines changed: 8 additions & 0 deletions

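--- a/codersdk/deployment.go
+++ b/codersdk/deployment.go
@@ -818,6 +818,11 @@ type OIDCConfig struct {
 	IconURL serpent.URL `json:"icon_url" typescript:",notnull"`
 	SignupsDisabledText serpent.String `json:"signups_disabled_text" typescript:",notnull"`
 	SkipIssuerChecks serpent.Bool `json:"skip_issuer_checks" typescript:",notnull"`
+
+	// RedirectURL is optional, defaulting to 'ACCESS_URL'. Only useful in niche
+	// situations where the OIDC callback domain is different from the ACCESS_URL
+	// domain.
+	RedirectURL serpent.URL `json:"redirect_url" typescript:",notnull"`
 }
 
 type TelemetryConfig struct {
@@ -2435,6 +2440,21 @@ func (c *DeploymentValues) Options() serpent.OptionSet {
 			Group: &deploymentGroupOIDC,
 			YAML: "dangerousSkipIssuerChecks",
 		},
+		{
+			Name: "OIDC Redirect URL",
+			Description: "Optional override of the default redirect url which uses the deployment's access url. " +
+				"Useful in situations where a deployment has more than 1 domain. Using this setting can also break OIDC, so use with caution.",
+			Required: false,
+			Flag: "oidc-redirect-url",
+			Env: "CODER_OIDC_REDIRECT_URL",
+			YAML: "oidc-redirect-url",
+			Value: &c.OIDC.RedirectURL,
+			Group: &deploymentGroupOIDC,
+			UseInstead: nil,
+			// In most deployments, this setting can only complicate and break OIDC.
+			// So hide it, and only surface it to the small number of users that need it.
+			Hidden: true,
+		},
 		// Telemetry settings
 		telemetryEnable,
 		{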
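Review bot: The new option's `YAML: "oidc-redirect-url"` key is kebab-case while the neighbouring OIDC option in the same hunk uses `YAML: "dangerousSkipIssuerChecks"`, so the `oidc:` block in the generated config gains one key in a different naming style and, once shipped, that key becomes a compatibility surface; if the rest of the group is camelCase, `YAML: "redirectURL"` would keep the block uniform. The field doc and Description also do not say that the value must carry a scheme and host and that the `/api/v2/users/oidc/callback` path is appended to it, which is the detail an operator needs to register the exact redirect URI at the provider; I would add `// Must be an absolute URL; the OIDC callback path is appended to it.` to the RedirectURL comment. The Options slice and the OIDCConfig struct both start outside the hunk.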

docs/reference/api/general.md

Lines changed: 13 additions & 0 deletions

docs/reference/api/schemas.md

Lines changed: 40 additions & 0 deletions

site/src/api/typesGenerated.ts

Lines changed: 6 additions & 0 deletions
