@kylecarbs and I just had a chat and decided we shouldn't completely disable the password login so the default Owner account can log in.

However, we can put it behind a backdoor (e.g. ?auth=password) so that users don't see an option to log in with a user/pass. Also, OIDC users wouldn't be able to log in with a password anyways

Implemented

With the following env vars set:

• CODER_OIDC_ISSUER_URL
• CODER_OIDC_EMAIL_DOMAIN
• CODER_OIDC_CLIENT_ID
• CODER_OIDC_CLIENT_SECRET
• CODER_PASSWORD_AUTH_HIDDEN=true
• CODER_OIDC_SIGN_IN_TEXT="Sign in with Gitea"
• CODER_OIDC_ICON_URL=https://gitea.io/images/gitea.png

This Pull Request is becoming stale. In order to minimize WIP, prevent merge conflicts and keep the tracker readable, I'm going close to this PR in 3 days if there isn't more activity.

This Pull Request is becoming stale. In order to minimize WIP, prevent merge conflicts and keep the tracker readable, I'm going close to this PR in 3 days if there isn't more activity.

I think we'll want to end up disabling password authentication instead of hiding it for security reasons. I'll review this later today!

@kylecarbs how would an owner/admin sign in if we disable password auth? As @bpmct proposed, we could put it behind ?password=password, or maybe better /login/admin. But ultimately that seems like an inconvenience. Maybe it's negligible though.

I think I'd prefer if we did a small "Login with Password" link at the bottom that would permit authenticating with a password. It's awkward to not allow it, since in emergency situations it would be required.

An alternative is to take the stance that owners/admins should be able to modify the deployment, so they could always disable this feature.

I think I'd prefer if we did a small "Login with Password" link at the bottom that would permit authenticating with a password. It's awkward to not allow it, since in emergency situations it would be required.

An alternative is to take the stance that owners/admins should be able to modify the deployment, so they could always disable this feature.

I can get behind a small link as long as it's clear that SSO is preferred. Many login forms tend to have both even if 99% of an organization's users use SSO

CLA Assistant Lite bot All contributors have signed the CLA ✍️ ✅

Oops sorry pushed the golden files update from a different computer

@normana10 seems like make gen isn't quite producing the same for you... want me to post a patch you can apply?

@kylecarbs

Feel free

I keep trying to run make gen and it does nothing

Then I do a make gen -B

And I get a:

$ make gen -B
panic: could not start resource: : dial unix /var/run/docker.sock: connect: connection refused

goroutine 1 [running]:
main.main()
	/Users/normana10/git/coder/coderd/database/gen/dump/main.go:23 +0xb25
exit status 2
make: *** [Makefile:461: coderd/database/dump.sql] Error 1

(On my Mac)

Which.... totally makes sense, I don't have Docker installed on my Mac

Buuuut, when I try the same on my Fedora computer it ends up erroring out with a:

...
../docs/api/workspaces.md 99ms
../docs/manifest.json 16ms
../coderd/apidoc/swagger.json 351ms
Done in 4.37s.
ERROR: The 'yq' dependency is required, but is not available.

ERROR: One or more dependencies are not available, check above log output for more details.
make: *** [Makefile:509: site/.prettierrc.yaml] Error 1

But... yq is definitely installed

@normana10 sorry the error is so unhelpful, you'll need to have yq v4 installed, either as yq4 or yq --version >= v4.

$ yq --version
yq version 4.2.0

🤷

Wait I just noticed that yq outside of nix-shell is v4 but inside it's v3 o.O

Just symlinked my install of yq to yq4 and make gen -B ran just fine

Pushing up now

That was a roller coaster but I think it's all good now? 👍

Thanks!

Woot woot. Thanks for pushing through @normana10 🥳

@normana10 can you merge in main then I'll merge this in ASAP! Thank you again for being patient, this was a controversial one for us.

@kylecarbs

Done

Sorry if I caused any issues 😬

@normana10 we're now using this on https://dev.coder.com 😎