From 8e1ccf9f80810b79dc9bb79b9e9bc644c7703b34 Mon Sep 17 00:00:00 2001 From: Dean Sheather Date: Thu, 12 Jun 2025 05:02:08 +1000 Subject: [PATCH] chore: update IdP docs with Google quirks (#18318) Following some issues we discovered on dogfood after merging #17878, we think `prompt=consent` is required for refresh tokens to be sent by Google every time you sign in. --- docs/admin/users/idp-sync.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/docs/admin/users/idp-sync.md b/docs/admin/users/idp-sync.md index 123a5944c0..47ee36bad6 100644 --- a/docs/admin/users/idp-sync.md +++ b/docs/admin/users/idp-sync.md @@ -595,3 +595,15 @@ user is granted the necessary permissions to obtain refresh tokens. By combining the `{"access_type":"offline"}` parameter in the OIDC Auth URL with the `offline_access` scope, you can achieve the desired behavior of obtaining refresh tokens for offline access to the user's resources. + +### Google + +To ensure Coder receives a refresh token when users authenticate with Google +directly, set the `prompt` to `consent` in the auth URL parameters. Without +this, users will be logged out after 1 hour. + +In your Coder configuration: + +```shell +CODER_OIDC_AUTH_URL_PARAMS='{"access_type": "offline", "prompt": "consent"}' +```
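Review bot: In the new `### Google` section, "Without this, users will be logged out after 1 hour" is stated as settled fact, while the commit message only says "we think `prompt=consent` is required", and the text gives no reason for the parameter. Suggest adding one sentence with the reason from the commit message (Google otherwise does not send a refresh token every time the user signs in) and saying where the 1 hour figure comes from, so an admin can tell this apart from other session-expiry causes. The section should also say what `prompt=consent` changes for users at sign-in, since it is added to every auth request. Separately, the paragraph just above pairs `{"access_type":"offline"}` with the `offline_access` scope, but the Google example sets only `CODER_OIDC_AUTH_URL_PARAMS`; state explicitly whether Google deployments should also set that scope or leave scopes unchanged.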