mirror of
https://github.com/coder/coder.git
synced 2025-07-13 21:36:50 +00:00
feat: synchronize oidc user roles (#8595)
* feat: oidc user role sync User roles come from oidc claims. Prevent manual user role changes if set. * allow mapping 1:many
This commit is contained in:
Steven Masley
GitHub
@ -40,6 +40,7 @@ const (
|
||||
FeatureBrowserOnly FeatureName = "browser_only"
|
||||
FeatureSCIM FeatureName = "scim"
|
||||
FeatureTemplateRBAC FeatureName = "template_rbac"
|
||||
FeatureUserRoleManagement FeatureName = "user_role_management"
|
||||
FeatureHighAvailability FeatureName = "high_availability"
|
||||
FeatureMultipleGitAuth FeatureName = "multiple_git_auth"
|
||||
FeatureExternalProvisionerDaemons FeatureName = "external_provisioner_daemons"
|
||||
@ -62,6 +63,7 @@ var FeatureNames = []FeatureName{
|
||||
FeatureAppearance,
|
||||
FeatureAdvancedTemplateScheduling,
|
||||
FeatureWorkspaceProxy,
|
||||
FeatureUserRoleManagement,
|
||||
}
|
||||
|
||||
// Humanize returns the feature name in a human-readable format.
|
||||
@ -258,21 +260,24 @@ type OAuth2GithubConfig struct {
|
||||
}
|
||||
|
||||
type OIDCConfig struct {
|
||||
AllowSignups clibase.Bool `json:"allow_signups" typescript:",notnull"`
|
||||
ClientID clibase.String `json:"client_id" typescript:",notnull"`
|
||||
ClientSecret clibase.String `json:"client_secret" typescript:",notnull"`
|
||||
EmailDomain clibase.StringArray `json:"email_domain" typescript:",notnull"`
|
||||
IssuerURL clibase.String `json:"issuer_url" typescript:",notnull"`
|
||||
Scopes clibase.StringArray `json:"scopes" typescript:",notnull"`
|
||||
IgnoreEmailVerified clibase.Bool `json:"ignore_email_verified" typescript:",notnull"`
|
||||
UsernameField clibase.String `json:"username_field" typescript:",notnull"`
|
||||
EmailField clibase.String `json:"email_field" typescript:",notnull"`
|
||||
AuthURLParams clibase.Struct[map[string]string] `json:"auth_url_params" typescript:",notnull"`
|
||||
IgnoreUserInfo clibase.Bool `json:"ignore_user_info" typescript:",notnull"`
|
||||
GroupField clibase.String `json:"groups_field" typescript:",notnull"`
|
||||
GroupMapping clibase.Struct[map[string]string] `json:"group_mapping" typescript:",notnull"`
|
||||
SignInText clibase.String `json:"sign_in_text" typescript:",notnull"`
|
||||
IconURL clibase.URL `json:"icon_url" typescript:",notnull"`
|
||||
AllowSignups clibase.Bool `json:"allow_signups" typescript:",notnull"`
|
||||
ClientID clibase.String `json:"client_id" typescript:",notnull"`
|
||||
ClientSecret clibase.String `json:"client_secret" typescript:",notnull"`
|
||||
EmailDomain clibase.StringArray `json:"email_domain" typescript:",notnull"`
|
||||
IssuerURL clibase.String `json:"issuer_url" typescript:",notnull"`
|
||||
Scopes clibase.StringArray `json:"scopes" typescript:",notnull"`
|
||||
IgnoreEmailVerified clibase.Bool `json:"ignore_email_verified" typescript:",notnull"`
|
||||
UsernameField clibase.String `json:"username_field" typescript:",notnull"`
|
||||
EmailField clibase.String `json:"email_field" typescript:",notnull"`
|
||||
AuthURLParams clibase.Struct[map[string]string] `json:"auth_url_params" typescript:",notnull"`
|
||||
IgnoreUserInfo clibase.Bool `json:"ignore_user_info" typescript:",notnull"`
|
||||
GroupField clibase.String `json:"groups_field" typescript:",notnull"`
|
||||
GroupMapping clibase.Struct[map[string]string] `json:"group_mapping" typescript:",notnull"`
|
||||
UserRoleField clibase.String `json:"user_role_field" typescript:",notnull"`
|
||||
UserRoleMapping clibase.Struct[map[string][]string] `json:"user_role_mapping" typescript:",notnull"`
|
||||
UserRolesDefault clibase.StringArray `json:"user_roles_default" typescript:",notnull"`
|
||||
SignInText clibase.String `json:"sign_in_text" typescript:",notnull"`
|
||||
IconURL clibase.URL `json:"icon_url" typescript:",notnull"`
|
||||
}
|
||||
|
||||
type TelemetryConfig struct {
|
||||
@ -1043,6 +1048,38 @@ when required by your organization's security policy.`,
|
||||
Group: &deploymentGroupOIDC,
|
||||
YAML: "groupMapping",
|
||||
},
|
||||
{
|
||||
Name: "OIDC User Role Field",
|
||||
Description: "This field must be set if using the user roles sync feature. Set this to the name of the claim used to store the user's role. The roles should be sent as an array of strings.",
|
||||
Flag: "oidc-user-role-field",
|
||||
Env: "CODER_OIDC_USER_ROLE_FIELD",
|
||||
// This value is intentionally blank. If this is empty, then OIDC user role
|
||||
// sync behavior is disabled.
|
||||
Default: "",
|
||||
Value: &c.OIDC.UserRoleField,
|
||||
Group: &deploymentGroupOIDC,
|
||||
YAML: "userRoleField",
|
||||
},
|
||||
{
|
||||
Name: "OIDC User Role Mapping",
|
||||
Description: "A map of the OIDC passed in user roles and the groups in Coder it should map to. This is useful if the group names do not match. If mapped to the empty string, the role will ignored.",
|
||||
Flag: "oidc-user-role-mapping",
|
||||
Env: "CODER_OIDC_USER_ROLE_MAPPING",
|
||||
Default: "{}",
|
||||
Value: &c.OIDC.UserRoleMapping,
|
||||
Group: &deploymentGroupOIDC,
|
||||
YAML: "userRoleMapping",
|
||||
},
|
||||
{
|
||||
Name: "OIDC User Role Default",
|
||||
Description: "If user role sync is enabled, these roles are always included for all authenticated users. The 'member' role is always assigned.",
|
||||
Flag: "oidc-user-role-default",
|
||||
Env: "CODER_OIDC_USER_ROLE_DEFAULT",
|
||||
Default: "",
|
||||
Value: &c.OIDC.UserRolesDefault,
|
||||
Group: &deploymentGroupOIDC,
|
||||
YAML: "userRoleDefault",
|
||||
},
|
||||
{
|
||||
Name: "OpenID Connect sign in text",
|
||||
Description: "The text to show on the OpenID Connect sign in button.",
|
||||
|
||||
Reference in New Issue
Block a user