Authentication within Coder workspaces
Hi guys !
We have an issue with authentication within workspaces. Specifically, we are making a system where Coder is just of the tools, and we've setup an SSO auth scheme with Zitadel. As you can imagine, what we want to have is users authenticating just once into Zitadel, and then having access to our entire system. So within the workspace user should be able to pull his repositories from self-hosted GitLab, an in general have access to all his resources within our system without the need to re-authenticate from within workspace as well.
For that, we need to somehow pass an access token from Coder into workspace. We know we can do that with the
coder_workspace data source, owner_oidc_access_token attribute, but this only works on workspace startup. How do we refresh the access token after it expires? Right now, we have to restart workspace to get a new valid access token.
Another possible solution is to use external auth providers, but there is no Zitadel integration, and anyway, as far as I understand intended use-case for this is to authenticate workspace with third party apps, not the ones we host in our system.10 Replies
Category: Help needed
Product: Coder OSS (v2)
What platform are you hosting Coder OSS (v2) on?
Please see if https://coder.com/docs/v2/latest/admin/external-auth#native-git-authentication-will-auto-refresh-tokens answers your question.
External Auth - Coder v2 Docs
Learn how connect Coder with external auth providers
Hey, sorry for the late response, I was on vacation.
The docs you've linked talk about integration with external auth providers, specifically the section you mentioned seems to talk about git. However, we are using Zitadel, and would like to authenticate against it, and fetch the access token, but it is not listed as one of the supported providers?
Am I missing something? How would you suggest I integrate Zitadel and Coder workspace?
Any OAUth provider is supported
Does Zitadel suppport OAuth2?
https://zitadel.com/docs/examples/identity-proxy/oauth2-proxy
https://zitadel.com/docs/guides/integrate/login/oidc/device-authorization
ZITADEL Docs
OAuth2-proxy is a project which allows services to delegate the authentication flow to a IDP, for example ZITADEL
ZITADEL Docs
ZITADEL implements device authorization as per RFC 8628. This document demonstrates its use.
Coder supports integrating with any OAuth2 provider given you set the following variables as per https://coder.com/docs/v2/latest/admin/external-auth#multiple-external-providers-enterprise
and
https://zitadel.com/docs/apis/openidoauth/endpoints
Create an OAUTH app in Zitadel with callback url as
https://coder.example.com/external-auth/zitadel/callback
and set the following env variables.
ZITADEL Docs
OpenID Connect 1.0 Discovery
External Auth - Coder v2 Docs
Learn how connect Coder with external auth providers
Hi @relja if you can test and confirm the above proposed settings. We would be happy to document the integration instructions.
Hey @Atif , I'm testing this right now. It worked on Friday, however now when I try to login prior to workspace creation the pop-up is stuck, not showing "Successful login" text.
Also, token wasn't being refreshed on Friday either.
I'll keep you posted !
PS: I think it's a great idea to document this, because from the External Auth docs I've read, it wasn't clear to me that workspace auth integrates with every OAuth provider. I thought only GitHub, GitLab, BitBucket & Azure DevOps were supported.
Okay, so this seems to work, however there are some hiccups.
I've created a web app in Zitadel, and integrated Coder workspaces as you mentioned. I can obtain the valid (refreshed) access token by running the following in workspace
I've also put
inside the template, to force user to authenticate prior to workspace creation. I don't know how else to force user to authenticate?
This works fine the first time, however, the next day when I try to create another workspace the button isn't there anymore. If I create the workspace without authentication nontheless, build fails
Regarding yesterdays problem, I was only able to solve it by completely re-installing coder and crucially, wiping the database clean !
@relja That message means the token was refreshed, but still failed validation. If you can check the network logs maybe, there might be some more error context.
What endpoint are you using for validating?
Again, I have the same issue, where the pop-up which is supposed to log me into zitadel, is just blank.
I checked the logs of the pop-up. Request to
https://<coder-domain>/api/v2/external-auth/zitadel-testing returns 500 code.
Validation endpoint: https://<zitadel-domain>/oidc/v1/userinfo