Need different OIDC redirect URL from the `CODER_ACCESS_URL`

Continuation of my intro here. The reason for this being I have two ways for users to access my environment. One is a direct domain (internal network -- foo.internal) and the other is an MFA authentication enforced domain (external network -- foo.external). Only authenticated users can traverse foo.external. This prohibits workspaces and the other Coder services because they cannot authenticate. As a result I must set the CODER_ACCESS_URL value to foo.internal. I'd also like users to be able to come in on foo.external.

The issue here being when a user tries to log in via OIDC, the redirect URL is set to CODER_ACCESS_URL (which is foo.internal in this situation), not the desired incoming domain of foo.external. This leads to a "State mismatched" error when the user is redirected back to foo.internal/api/v2/users/oidc/callback..., despite coming in on foo.external.

I see two potential solutions:

1. Being able to enable something like OIDC_DYNAMIC_REDIRECT which would use the incoming domain as the redirect URL. This would fix my issue and allow for users to come in on both foo.internal and foo.external.
2. Being able to set OIDC_REDIRECT_URL so I could choose, per-deployment, if I need a different redirect URL than CODER_ACCESS_URL. Going this route, I could fix the foo.external route (which is the far more important path in my deployment) and OIDC login would be broken for foo.internal.

I've looked through all the docs and I haven't found any that address this issue. I'm not opposed to modifying the source code to put in some custom logic, but I am struggling to track down exactly where CODER_ACCESS_URL gets passed to the OIDC client configuration. I would greatly appreciate any feedback, input, or even a hint as to which file I should dig through. Thanks!
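As an added illustration (not code from this thread and not Coder's own implementation), the following Go model shows why the callback fails when the state cookie is set on one host and the identity provider sends the browser back to another, and why the "dynamic redirect" idea from option 1 only works safely if the incoming Host is checked against an explicit allowlist rather than reflected blindly. The host names, the allowlist, the cookie-jar model and the function names are constructed for the example; the only value taken from the post is the callback path `/api/v2/users/oidc/callback`.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Constructed deployment values for the example; not real hosts.
var (
	accessURL = mustParse("https://foo.internal") // stands in for CODER_ACCESS_URL
	// Hosts the deployment is willing to name in an OIDC redirect_uri.
	// Any other Host header is rejected instead of being echoed to the IdP.
	allowedHosts = map[string]bool{"foo.internal": true, "foo.external": true}
)

const callbackPath = "/api/v2/users/oidc/callback"

func mustParse(s string) *url.URL {
	u, err := url.Parse(s)
	if err != nil {
		panic(err)
	}
	return u
}

// RedirectURI builds the redirect_uri handed to the identity provider.
// dynamicRedirect=false models a fixed access URL (the behaviour the thread
// describes). dynamicRedirect=true uses the incoming Host, but only when that
// Host is on the allowlist, so a spoofed Host header cannot steer the flow.
func RedirectURI(reqHost string, dynamicRedirect bool) (string, error) {
	base := *accessURL // copy, so the shared value is not mutated
	if dynamicRedirect {
		host := strings.ToLower(reqHost)
		if !allowedHosts[host] {
			return "", fmt.Errorf("host %q is not an allowed redirect host", reqHost)
		}
		base.Host = host
	}
	base.Path = callbackPath
	base.RawQuery = ""
	return base.String(), nil
}

// cookieJar models browser cookies, which are scoped per host: a cookie set
// while on foo.external is not sent with a request to foo.internal.
type cookieJar map[string]map[string]string

func (j cookieJar) set(host, name, value string) {
	if j[host] == nil {
		j[host] = map[string]string{}
	}
	j[host][name] = value
}

func (j cookieJar) get(host, name string) string {
	return j[host][name] // missing host or cookie yields ""
}

// LoginAndCallback simulates one login: the state cookie is written on the
// host the user arrived on, the IdP redirects the browser to redirect_uri,
// and the callback compares the state parameter with the cookie visible on
// the callback host. A missing cookie is the "state mismatched" case.
func LoginAndCallback(incomingHost string, dynamicRedirect bool) error {
	incomingHost = strings.ToLower(incomingHost)
	jar := cookieJar{}
	state := "constructed-random-state" // a real server would use a CSPRNG
	jar.set(incomingHost, "oauth_state", state)

	redirect, err := RedirectURI(incomingHost, dynamicRedirect)
	if err != nil {
		return err
	}
	cb, err := url.Parse(redirect)
	if err != nil {
		return err
	}
	if jar.get(cb.Host, "oauth_state") != state {
		return errors.New("state mismatched")
	}
	return nil
}

func main() {
	cases := []struct {
		host    string
		dynamic bool
	}{
		{"foo.internal", false}, // works: cookie and callback share a host
		{"foo.external", false}, // fails: callback lands on foo.internal
		{"foo.external", true},  // works: allowlisted host used for redirect_uri
	}
	for _, c := range cases {
		fmt.Printf("login via %s (dynamic=%v): %v\n", c.host, c.dynamic, LoginAndCallback(c.host, c.dynamic))
	}
	_, err := RedirectURI("attacker.example", true)
	fmt.Println("unlisted host:", err)
}
```

The allowlist is the part that matters if a dynamic redirect is ever implemented: the identity provider will only accept registered redirect URIs anyway, so the server should only ever construct one from a host it explicitly trusts.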
4 Replies
Codercord, 2w ago
<#1329486878352867520>
Category: Help needed
Product: Coder (v2)
Platform: Linux
Logs: Please post any relevant logs/error messages.
Runawaytrain (OP), 2w ago
To add a little bit more, I need the OIDC login button to send the user to /api/v2/users/oidc/callback?redirect=%2Fworkspaces, which returns the built OIDC URL with redirect_uri set to the value of CODER_ACCESS_URL. I need to modify the value the API returns.
Runawaytrain (OP), 2w ago
It looks like this might be the line that generates the redirect URL using CODER_ACCESS_URL: https://github.com/coder/coder/blob/main/cli/server.go#L133
Phorcys, 2w ago
This is a pretty specific use-case that the product doesn't currently support. What you could do is set the access URL to be foo.external, and then replace it in your templates. Let's say you're using one of our Docker templates; you can do something like this:
```hcl
resource "docker_container" "workspace" {
  # [...]
  entrypoint = ["sh", "-c", replace(coder_agent.main.init_script, "foo.external", "foo.internal")]
}
```
You might want to do `replace(replace(coder_agent.main.init_script, "/localhost|127\\.0\\.0\\.1/", "host.docker.internal"), "foo.external", "foo.internal")` if it doesn't work, but it shouldn't be necessary.
