Actually enable org sync in the oidc flow

Emyrk · Emyrk · commit 16eb96e68310 · 2024-08-28T09:41:23.000-05:00
diff --git a/coderd/idpsync/organization.go b/coderd/idpsync/organization.go
@@ -29,7 +29,9 @@ func (s AGPLIDPSync) ParseOrganizationClaims(ctx context.Context, _ map[string]i
 
 type OrganizationParams struct {
 	// SyncEnabled if false will skip syncing the user's organizations.
-	SyncEnabled    bool
+	SyncEnabled bool
+	// IncludeDefault is primarily for single org deployments. It will ensure
+	// a user is always inserted into the default org.
 	IncludeDefault bool
 	// Organizations is the list of organizations the user should be a member of
 	// assuming syncing is turned on.
diff --git a/coderd/userauth.go b/coderd/userauth.go
@@ -659,6 +659,11 @@ func (api *API) userOAuth2Github(rw http.ResponseWriter, r *http.Request) {
 		AvatarURL:    ghUser.GetAvatarURL(),
 		Name:         normName,
 		DebugContext: OauthDebugContext{},
+		OrganizationSync: idpsync.OrganizationParams{
+			SyncEnabled:    false,
+			IncludeDefault: true,
+			Organizations:  []uuid.UUID{},
+		},
 	}).SetInitAuditRequest(func(params *audit.RequestParams) (*audit.Request[database.User], func()) {
 		return audit.InitRequest[database.User](rw, params)
 	})
@@ -1411,14 +1416,19 @@ func (api *API) oauthLogin(r *http.Request, params *oauthLoginParams) ([]*http.C
 				}
 			}
 
+			// Even if org sync is disabled, single org deployments will always
+			// have this set to true.
+			orgIDs := []uuid.UUID{}
+			if params.OrganizationSync.IncludeDefault {
+				orgIDs = append(orgIDs, defaultOrganization.ID)
+			}
+
 			//nolint:gocritic
 			user, err = api.CreateUser(dbauthz.AsSystemRestricted(ctx), tx, CreateUserRequest{
 				CreateUserRequestWithOrgs: codersdk.CreateUserRequestWithOrgs{
-					Email:    params.Email,
-					Username: params.Username,
-					// TODO: Remove this, and only use organization sync from
-					// params
-					OrganizationIDs: []uuid.UUID{defaultOrganization.ID},
+					Email:           params.Email,
+					Username:        params.Username,
+					OrganizationIDs: orgIDs,
 				},
 				LoginType: params.LoginType,
 			})
@@ -1481,6 +1491,13 @@ func (api *API) oauthLogin(r *http.Request, params *oauthLoginParams) ([]*http.C
 			}
 		}
 
+		// Only OIDC really supports syncing like this. At some point, we might
+		// want to move this configuration and allow github to allow do org syncing.
+		err = api.OIDCConfig.IDPSync.SyncOrganizations(ctx, tx, user, params.OrganizationSync)
+		if err != nil {
+			return xerrors.Errorf("sync organizations: %w", err)
+		}
+
 		// Ensure groups are correct.
 		// This places all groups into the default organization.
 		// To go multi-org, we need to add a mapping feature here to know which
