closes#17375
from @ericpaulsen
> a prospect recently inquired about how our OAuth integration with
GitLab works, and I realized we do not have any information on
`GIT_ASKPASS` is used to retreive the OAuth token for users when they
run `git` operations.
Co-authored-by: EdwardAngert <17991901+EdwardAngert@users.noreply.github.com>
## Issue
Closes#16875
Clarify how Coder authentication works with Git providers, particularly
the order of authentication methods used.
## Changes Made
I've updated the External Authentication documentation to:
1. Clarify that Coder first attempts to use external auth provider
tokens when available, and only defaults to SSH authentication if no
tokens are available
2. Add more detailed explanations about both authentication methods
3. Improve the description of how the `coder gitssh` command works with
existing and Coder-generated SSH keys
## Verification
Claude verified that this accurately describes the behavior of the
codebase by reviewing the `gitssh.go` implementation, which shows how
Coder handles SSH authentication as a fallback when external auth is not
available.
[preview](https://coder.com/docs/@16875-git-workspace-auth/admin/external-auth)
<sub>🤖 Generated with https://claude.ai/code</sub>
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: EdwardAngert <17991901+EdwardAngert@users.noreply.github.com>
Co-authored-by: Ben Potter <me@bpmct.net>
Co-authored-by: M Atif Ali <atif@coder.com>
Co-authored-by: Bruno Quaresma <bruno@coder.com>
Co-authored-by: Kyle Carberry <kyle@coder.com>
Co-authored-by: Cian Johnston <cian@coder.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jon Ayers <jon@coder.com>
Co-authored-by: Hugo Dutka <hugo@coder.com>
Co-authored-by: Ethan <39577870+ethanndickson@users.noreply.github.com>
Co-authored-by: Michael Smith <throwawayclover@gmail.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Sas Swart <sas.swart.cdk@gmail.com>
## Summary
- Clarifies that the CODER_EXTERNAL_AUTH_0_ID value is used as part of
the OAuth callback URL path
- Adds explicit callback URL examples to GitLab and Bitbucket Server
sections
- Updates the GitHub OAuth app configuration instructions to be more
explicit
- Fixes the documentation mistake where it claimed this ID was only for
"internal reference"
## Test plan
- Documentation change only
- Verified consistency across all OAuth provider sections
Fixes#16851
[preview](https://coder.com/docs/@fix-external-auth-docs-16851/admin/external-auth)
<sub>🤖 Generated with [Claude Code](https://claude.ai/code)</sub>
---------
Co-authored-by: EdwardAngert <17991901+EdwardAngert@users.noreply.github.com>
Co-authored-by: Edward Angert <EdwardAngert@users.noreply.github.com>
Co-authored-by: M Atif Ali <atif@coder.com>
from @NickSquangler
> ($customer) noticed when setting up external auth with Gitlab that the
command listed in the docs is in the incorrect order, as `coder
external-auth <USER_DEFINED_ID> access-token` should be `coder
external-auth access-token <USER_DEFINED_ID>`
[preview](https://coder.com/docs/@external-auth-access-token/admin/external-auth#workspace-cli)
<details><summary>coder external-auth access-token --help</summary>
```shell
coder external-auth access-token --help
coder v2.20.0+03b5012
USAGE:
coder external-auth access-token [flags] <provider>
Print auth for an external provider
Print an access-token for an external auth provider. The access-token will be validated and sent
to stdout with exit code 0. If a valid access-token cannot be obtained, the URL to authenticate
will be sent to stdout with exit code 1
- Ensure that the user is authenticated with GitHub before cloning.:
$ #!/usr/bin/env sh
OUTPUT=$(coder external-auth access-token github)
if [ $? -eq 0 ]; then
echo "Authenticated with GitHub"
else
echo "Please authenticate with GitHub:"
echo $OUTPUT
fi
- Obtain an extra property of an access token for additional metadata.:
$ coder external-auth access-token slack --extra "authed_user.id"
OPTIONS:
--extra string
Extract a field from the "extra" properties of the OAuth token.
———
Run `coder --help` for a list of global options.
```
</details>
Co-authored-by: EdwardAngert <17991901+EdwardAngert@users.noreply.github.com>
- [x] Mention Orgs is beta and add a link to get feedback
- [x] Add docs on new provisioner authentication architecture and
deprecate the old one
- [x] Add/update docs for IdP sync
- [x] Organization Sync
- [x] Group Sync
- [x] Role Sync
- [x] Modify `coder.com` codebase to add `Premium` and `Beta` pill, and
allow multiple pills: https://github.com/coder/coder.com/pull/638
- [x] Replace all mentions of "Enterprise" with "Premium" in docs
- [x] edit: change it to "Licensing"
- [x] Remove the enterprise page and change all links to
coder.com/pricing
- [x] Merge #14786
- [x] Add redirects for coder.com to redirect the `using-organizations`
guide to the new orgs one and /enterprise to /premium
https://github.com/coder/coder.com/pull/645
- [x] Custom roles
- [x] https://github.com/coder/coder/pull/14786
- [x] Remove all mentions of orgs experiment
- [x] Update in-product copy & links to link to the new docs pages
Anything I am missing?
---
[Preview
this](https://coder.com/docs/@orgs-licenses/admin/organizations)
---------
Co-authored-by: Edward Angert <EdwardAngert@users.noreply.github.com>
Co-authored-by: EdwardAngert <17991901+EdwardAngert@users.noreply.github.com>
Co-authored-by: Jaayden Halko <jaayden.halko@gmail.com>
* feat: allow external services to be authable
* Refactor external auth config structure for defaults
* Add support for new config properties
* Change the name of external auth
* Move externalauth -> external-auth
* Run gen
* Fix tests
* Fix MW tests
* Fix git auth redirect
* Fix lint
* Fix name
* Allow any ID
* Fix invalid type test
* Fix e2e tests
* Fix comments
* Fix colors
* Allow accepting any type as string
* Run gen
* Fix href
