feat: add group mapping option for group sync (#6705)

* feat: add group mapping option for group sync * fixup! feat: add group mapping option for group sync
2025-07-06 15:41:45 +00:00 · 2023-03-21 14:25:45 -05:00
parent 120bc4b750
commit 00860cf1c8
12 changed files with 114 additions and 18 deletions
--- a/coderd/apidoc/docs.go
+++ b/coderd/apidoc/docs.go
@ -7138,6 +7138,9 @@ const docTemplate = `{
                        "type": "string"
                    }
                },
+                "group_mapping": {
+                    "type": "object"
+                },
                "groups_field": {
                    "type": "string"
                },
--- a/coderd/apidoc/swagger.json
+++ b/coderd/apidoc/swagger.json
@ -6392,6 +6392,9 @@
            "type": "string"
          }
        },
+        "group_mapping": {
+          "type": "object"
+        },
        "groups_field": {
          "type": "string"
        },
--- a/coderd/coderd.go
+++ b/coderd/coderd.go
@ -223,7 +223,12 @@ func New(options *Options) *API {
 		options.SSHConfig.HostnamePrefix = "coder."
 	}
 	if options.SetUserGroups == nil {
-		options.SetUserGroups = func(context.Context, database.Store, uuid.UUID, []string) error { return nil }
+		options.SetUserGroups = func(ctx context.Context, _ database.Store, id uuid.UUID, groups []string) error {
+			options.Logger.Warn(ctx, "attempted to assign OIDC groups without enterprise license",
+				slog.F("id", id), slog.F("groups", groups),
+			)
+			return nil
+		}
 	}
 	if options.TemplateScheduleStore == nil {
 		options.TemplateScheduleStore = schedule.NewAGPLTemplateScheduleStore()
--- a/coderd/userauth.go
+++ b/coderd/userauth.go
@ -481,6 +481,10 @@ type OIDCConfig struct {
 	// groups. If the group field is the empty string, then no group updates
 	// will ever come from the OIDC provider.
 	GroupField string
+	// GroupMapping controls how groups returned by the OIDC provider get mapped
+	// to groups within Coder.
+	// map[oidcGroupName]coderGroupName
+	GroupMapping map[string]string
 	// SignInText is the text to display on the OIDC login button
 	SignInText string
 	// IconURL points to the URL of an icon to display on the OIDC login button
@ -651,6 +655,11 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
 						})
 						return
 					}
+
+					if mappedGroup, ok := api.OIDCConfig.GroupMapping[group]; ok {
+						group = mappedGroup
+					}
+
 					groups = append(groups, group)
 				}
 			} else {