Coder.com • Created by Runawaytrain on 1/16/2025 in #help
Need different OIDC redirect URL from the `CODER_ACCESS_URL`
Continuation of my intro here
The reason for this is that I have two ways for users to access my environment. One is a direct domain (internal network -- `foo.internal`) and the other is an MFA authentication enforced domain (external network -- `foo.external`). Only authenticated users can traverse `foo.external`. This prohibits workspaces and the other Coder services because they cannot authenticate. As a result I must set the `CODER_ACCESS_URL` value to `foo.internal`. I'd also like users to be able to come in on `foo.external`. The issue here is that when a user tries to log in via OIDC, the redirect URL is set to `CODER_ACCESS_URL` (which is `foo.internal` in this situation), not the desired incoming domain of `foo.external`. This leads to a `State mismatched` error when the user is redirected back to `foo.internal/api/v2/users/oidc/callback...`, despite coming in on `foo.external`.
I see two potential solutions:
1. Being able to enable something like `OIDC_DYNAMIC_REDIRECT`, which would use the incoming domain as the redirect URL. This would fix my issue and allow users to come in on both `foo.internal` and `foo.external`.
2. Being able to set `OIDC_REDIRECT_URL`, so I could choose, per deployment, if I need a different redirect URL than `CODER_ACCESS_URL`. Going this route, I could fix the `foo.external` route (which is the far more important path in my deployment) and OIDC login would be broken for `foo.internal`.
I've looked through all the docs and I haven't found any that address this issue. I'm not opposed to modifying the source code to put in some custom logic, but I am struggling to track down exactly where `CODER_ACCESS_URL` gets passed to the OIDC client configuration. I would greatly appreciate any feedback, input, or even a hint as to which file I should dig through.
Thanks!
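As an added illustration of the mismatch described in the post (example code written here, not Coder's own source), the Go snippet below contrasts a callback URL built from a fixed access URL with one built from the incoming host, and shows why a host-scoped state cookie set during login on one host is invisible when the callback lands on another. The `allowedHosts` allowlist, `accessURL` value and function names are assumptions for the example; a dynamic redirect should only ever honour hosts the operator has listed, never an arbitrary `Host` header, and every allowed callback URL must also be registered at the identity provider.

```go
package main

import (
	"fmt"
	"net/url"
)

// accessURL stands in for CODER_ACCESS_URL (constructed value for the example).
const accessURL = "https://foo.internal"

// allowedHosts is an assumed operator-maintained allowlist of hosts users may
// arrive on. Restricting the dynamic choice to this list is what keeps a
// request-derived redirect URL from being steered by an attacker-supplied Host.
var allowedHosts = map[string]bool{"foo.internal": true, "foo.external": true}

// fixedRedirectURI models the behaviour in the post: the callback is always
// built from the configured access URL, whatever host the user came in on.
func fixedRedirectURI(callbackPath string) string {
	u, _ := url.Parse(accessURL)
	u.Path = callbackPath
	return u.String()
}

// dynamicRedirectURI models the proposed "dynamic redirect": build the callback
// from the incoming host, but only if that host is allowlisted.
func dynamicRedirectURI(incomingHost, callbackPath string) (string, error) {
	if !allowedHosts[incomingHost] {
		return "", fmt.Errorf("host %q not in redirect allowlist", incomingHost)
	}
	u, _ := url.Parse(accessURL)
	u.Host = incomingHost
	u.Path = callbackPath
	return u.String(), nil
}

// stateCookieVisible reports whether a browser that received the OIDC state
// cookie while on loginHost will send it to callbackURI. Cookies are scoped to
// the host that set them, so a callback on a different host cannot see the
// state value, which is how a "State mismatched" error arises.
func stateCookieVisible(loginHost, callbackURI string) bool {
	u, err := url.Parse(callbackURI)
	return err == nil && u.Host == loginHost
}

func main() {
	const cb = "/api/v2/users/oidc/callback"
	fixed := fixedRedirectURI(cb)
	fmt.Println(fixed, stateCookieVisible("foo.external", fixed)) // false
	dyn, _ := dynamicRedirectURI("foo.external", cb)
	fmt.Println(dyn, stateCookieVisible("foo.external", dyn)) // true
}
```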