feat(cli/server.go): allow the use of public OIDC clients

ThomasK33 · ThomasK33 · commit 3c81344edbed · 2025-02-07T12:58:20.000+01:00
Change-Id: Iadd85d40c2faa595a0498e25d3407a1f94b5c8a8
Signed-off-by: Thomas Kosiewski &lt;tk@coder.com&gt;
diff --git a/cli/server.go b/cli/server.go
@@ -694,7 +694,12 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 				}
 			}
 
-			if vals.OIDC.ClientKeyFile != "" || vals.OIDC.ClientSecret != "" {
+			// As OIDC clients can be confidential or public,
+			// we should only check for a client id being set.
+			// The underlying library handles the case of no
+			// client secrets correctly. For more details on
+			// client types: https://oauth.net/2/client-types/
+			if vals.OIDC.ClientID != "" {
 				if vals.OIDC.IgnoreEmailVerified {
 					logger.Warn(ctx, "coder will not check email_verified for OIDC logins")
 				}
diff --git a/scripts/dev-oidc.sh b/scripts/dev-oidc.sh
@@ -49,6 +49,17 @@ cat <<EOF >/tmp/example-realm.json
       "baseUrl": "/coder",
       "redirectUris": ["*"],
       "secret": "coder"
+    },
+    {
+      "clientId": "coder-public",
+      "publicClient": true,
+      "directAccessGrantsEnabled": true,
+      "enabled": true,
+      "fullScopeAllowed": true,
+      "baseUrl": "/coder",
+      "redirectUris": [
+        "*"
+      ]
     }
   ]
 }
@@ -79,6 +90,9 @@ hostname=$(hostname -f)
 export CODER_OIDC_ISSUER_URL="http://${hostname}:9080/realms/coder"
 export CODER_OIDC_CLIENT_ID=coder
 export CODER_OIDC_CLIENT_SECRET=coder
+# Comment out the two lines above, and comment in the line below,
+# to configure OIDC auth using a public client.
+# export CODER_OIDC_CLIENT_ID=coder-public
 export CODER_DEV_ACCESS_URL="http://${hostname}:8080"
 
 exec "${SCRIPT_DIR}/develop.sh" "$@"

Original file line number	Diff line number	Diff line change
`@@ -694,7 +694,12 @@ func (r RootCmd) Server(newAPI func(context.Context, coderd.Options) (*coderd.`
`694`	`694`	`}`
`695`	`695`	`}`
`696`	`696`
`697`		`- if vals.OIDC.ClientKeyFile != "" \|\| vals.OIDC.ClientSecret != "" {`
	`697`	`+ // As OIDC clients can be confidential or public,`
	`698`	`+ // we should only check for a client id being set.`
	`699`	`+ // The underlying library handles the case of no`
	`700`	`+ // client secrets correctly. For more details on`
	`701`	`+ // client types: https://oauth.net/2/client-types/`
	`702`	`+ if vals.OIDC.ClientID != "" {`
`698`	`703`	`if vals.OIDC.IgnoreEmailVerified {`
`699`	`704`	`logger.Warn(ctx, "coder will not check email_verified for OIDC logins")`
`700`	`705`	`}`