C
Coder.com9mo ago
relja

Authentication within Coder workspaces

Hi guys ! We have an issue with authentication within workspaces. Specifically, we are making a system where Coder is just of the tools, and we've setup an SSO auth scheme with Zitadel. As you can imagine, what we want to have is users authenticating just once into Zitadel, and then having access to our entire system. So within the workspace user should be able to pull his repositories from self-hosted GitLab, an in general have access to all his resources within our system without the need to re-authenticate from within workspace as well. For that, we need to somehow pass an access token from Coder into workspace. We know we can do that with the coder_workspace data source, owner_oidc_access_token attribute, but this only works on workspace startup. How do we refresh the access token after it expires? Right now, we have to restart workspace to get a new valid access token. Another possible solution is to use external auth providers, but there is no Zitadel integration, and anyway, as far as I understand intended use-case for this is to authenticate workspace with third party apps, not the ones we host in our system.
10 Replies
Codercord
Codercord9mo ago
Category: Help needed Product: Coder OSS (v2) What platform are you hosting Coder OSS (v2) on?
Atif
Atif9mo ago
External Auth - Coder v2 Docs
Learn how connect Coder with external auth providers
relja
reljaOP9mo ago
Hey, sorry for the late response, I was on vacation. The docs you've linked talk about integration with external auth providers, specifically the section you mentioned seems to talk about git. However, we are using Zitadel, and would like to authenticate against it, and fetch the access token, but it is not listed as one of the supported providers? Am I missing something? How would you suggest I integrate Zitadel and Coder workspace?
Atif
Atif9mo ago
Any OAUth provider is supported Does Zitadel suppport OAuth2?
Atif
Atif9mo ago
ZITADEL Docs
OAuth2-proxy is a project which allows services to delegate the authentication flow to a IDP, for example ZITADEL
ZITADEL Docs
ZITADEL implements device authorization as per RFC 8628. This document demonstrates its use.
Atif
Atif9mo ago
Coder supports integrating with any OAuth2 provider given you set the following variables as per https://coder.com/docs/v2/latest/admin/external-auth#multiple-external-providers-enterprise and https://zitadel.com/docs/apis/openidoauth/endpoints Create an OAUTH app in Zitadel with callback url as https://coder.example.com/external-auth/zitadel/callback and set the following env variables.
CODER_EXTERNAL_AUTH_0_ID="zitadel"
CODER_EXTERNAL_AUTH_0_TYPE="zitadel"
CODER_EXTERNAL_AUTH_0_CLIENT_ID=xxxxxx
CODER_EXTERNAL_AUTH_0_CLIENT_SECRET=xxxxxxx
CODER_EXTERNAL_AUTH_0_VALIDATE_URL="{your_domain}/oidc/v1/userinfo"
CODER_EXTERNAL_AUTH_0_AUTH_URL="{your_domain}/oauth/v2/authorize"
CODER_EXTERNAL_AUTH_0_TOKEN_URL="{your_domain}/oauth/v2/token"
CODER_EXTERNAL_AUTH_0_ID="zitadel"
CODER_EXTERNAL_AUTH_0_TYPE="zitadel"
CODER_EXTERNAL_AUTH_0_CLIENT_ID=xxxxxx
CODER_EXTERNAL_AUTH_0_CLIENT_SECRET=xxxxxxx
CODER_EXTERNAL_AUTH_0_VALIDATE_URL="{your_domain}/oidc/v1/userinfo"
CODER_EXTERNAL_AUTH_0_AUTH_URL="{your_domain}/oauth/v2/authorize"
CODER_EXTERNAL_AUTH_0_TOKEN_URL="{your_domain}/oauth/v2/token"
ZITADEL Docs
OpenID Connect 1.0 Discovery
External Auth - Coder v2 Docs
Learn how connect Coder with external auth providers
Atif
Atif9mo ago
Hi @relja if you can test and confirm the above proposed settings. We would be happy to document the integration instructions.
relja
reljaOP8mo ago
Hey @Atif , I'm testing this right now. It worked on Friday, however now when I try to login prior to workspace creation the pop-up is stuck, not showing "Successful login" text. Also, token wasn't being refreshed on Friday either. I'll keep you posted ! PS: I think it's a great idea to document this, because from the External Auth docs I've read, it wasn't clear to me that workspace auth integrates with every OAuth provider. I thought only GitHub, GitLab, BitBucket & Azure DevOps were supported. Okay, so this seems to work, however there are some hiccups. I've created a web app in Zitadel, and integrated Coder workspaces as you mentioned. I can obtain the valid (refreshed) access token by running the following in workspace
curl "${CODER_AGENT_URL}"'api/v2/workspaceagents/me/external-auth?id=zitadel-testing' -H "Coder-Session-Token: ${CODER_AGENT_TOKEN}"
curl "${CODER_AGENT_URL}"'api/v2/workspaceagents/me/external-auth?id=zitadel-testing' -H "Coder-Session-Token: ${CODER_AGENT_TOKEN}"
I've also put
data "coder_external_auth" "zitadel-testing" {
id = "zitadel-testing"
}
data "coder_external_auth" "zitadel-testing" {
id = "zitadel-testing"
}
inside the template, to force user to authenticate prior to workspace creation. I don't know how else to force user to authenticate? This works fine the first time, however, the next day when I try to create another workspace the button isn't there anymore. If I create the workspace without authentication nontheless, build fails
Workspace build failed
refresh external auth link "zitadel-testing": validate external auth token
Workspace build failed
refresh external auth link "zitadel-testing": validate external auth token
Regarding yesterdays problem, I was only able to solve it by completely re-installing coder and crucially, wiping the database clean !
Emyrk
Emyrk8mo ago
@relja That message means the token was refreshed, but still failed validation. If you can check the network logs maybe, there might be some more error context. What endpoint are you using for validating?
relja
reljaOP8mo ago
Again, I have the same issue, where the pop-up which is supposed to log me into zitadel, is just blank. I checked the logs of the pop-up. Request to https://<coder-domain>/api/v2/external-auth/zitadel-testing returns 500 code. Validation endpoint: https://<zitadel-domain>/oidc/v1/userinfo
Want results from more Discord servers?
Add your server