diff --git a/coderd/apidoc/docs.go b/coderd/apidoc/docs.go
index 48b5618dec653..2c046dc8d997c 100644
--- a/coderd/apidoc/docs.go
+++ b/coderd/apidoc/docs.go
@@ -3132,6 +3132,44 @@ const docTemplate = `{
}
}
},
+ "/organizations/{organization}/settings/idpsync/available-fields": {
+ "get": {
+ "security": [
+ {
+ "CoderSessionToken": []
+ }
+ ],
+ "produces": [
+ "application/json"
+ ],
+ "tags": [
+ "Enterprise"
+ ],
+ "summary": "Get the available organization idp sync claim fields",
+ "operationId": "get-the-available-organization-idp-sync-claim-fields",
+ "parameters": [
+ {
+ "type": "string",
+ "format": "uuid",
+ "description": "Organization ID",
+ "name": "organization",
+ "in": "path",
+ "required": true
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ }
+ }
+ }
+ }
+ },
"/organizations/{organization}/settings/idpsync/groups": {
"get": {
"security": [
@@ -3800,6 +3838,44 @@ const docTemplate = `{
}
}
},
+ "/settings/idpsync/available-fields": {
+ "get": {
+ "security": [
+ {
+ "CoderSessionToken": []
+ }
+ ],
+ "produces": [
+ "application/json"
+ ],
+ "tags": [
+ "Enterprise"
+ ],
+ "summary": "Get the available idp sync claim fields",
+ "operationId": "get-the-available-idp-sync-claim-fields",
+ "parameters": [
+ {
+ "type": "string",
+ "format": "uuid",
+ "description": "Organization ID",
+ "name": "organization",
+ "in": "path",
+ "required": true
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ }
+ }
+ }
+ }
+ },
"/settings/idpsync/organization": {
"get": {
"security": [
diff --git a/coderd/apidoc/swagger.json b/coderd/apidoc/swagger.json
index d6aec54109316..4baae0c3568c3 100644
--- a/coderd/apidoc/swagger.json
+++ b/coderd/apidoc/swagger.json
@@ -2754,6 +2754,40 @@
}
}
},
+ "/organizations/{organization}/settings/idpsync/available-fields": {
+ "get": {
+ "security": [
+ {
+ "CoderSessionToken": []
+ }
+ ],
+ "produces": ["application/json"],
+ "tags": ["Enterprise"],
+ "summary": "Get the available organization idp sync claim fields",
+ "operationId": "get-the-available-organization-idp-sync-claim-fields",
+ "parameters": [
+ {
+ "type": "string",
+ "format": "uuid",
+ "description": "Organization ID",
+ "name": "organization",
+ "in": "path",
+ "required": true
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ }
+ }
+ }
+ }
+ },
"/organizations/{organization}/settings/idpsync/groups": {
"get": {
"security": [
@@ -3342,6 +3376,40 @@
}
}
},
+ "/settings/idpsync/available-fields": {
+ "get": {
+ "security": [
+ {
+ "CoderSessionToken": []
+ }
+ ],
+ "produces": ["application/json"],
+ "tags": ["Enterprise"],
+ "summary": "Get the available idp sync claim fields",
+ "operationId": "get-the-available-idp-sync-claim-fields",
+ "parameters": [
+ {
+ "type": "string",
+ "format": "uuid",
+ "description": "Organization ID",
+ "name": "organization",
+ "in": "path",
+ "required": true
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ }
+ }
+ }
+ }
+ },
"/settings/idpsync/organization": {
"get": {
"security": [
diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
index 2a9c29b175dae..4845ff22288fe 100644
--- a/coderd/database/dbauthz/dbauthz.go
+++ b/coderd/database/dbauthz/dbauthz.go
@@ -3283,6 +3283,18 @@ func (q *querier) ListWorkspaceAgentPortShares(ctx context.Context, workspaceID
return q.db.ListWorkspaceAgentPortShares(ctx, workspaceID)
}
+func (q *querier) OIDCClaimFields(ctx context.Context, organizationID uuid.UUID) ([]string, error) {
+ resource := rbac.ResourceIdpsyncSettings
+ if organizationID != uuid.Nil {
+ resource = resource.InOrg(organizationID)
+ }
+
+ if err := q.authorizeContext(ctx, policy.ActionRead, resource); err != nil {
+ return nil, err
+ }
+ return q.db.OIDCClaimFields(ctx, organizationID)
+}
+
func (q *querier) OrganizationMembers(ctx context.Context, arg database.OrganizationMembersParams) ([]database.OrganizationMembersRow, error) {
return fetchWithPostFilter(q.auth, policy.ActionRead, q.db.OrganizationMembers)(ctx, arg)
}
diff --git a/coderd/database/dbauthz/dbauthz_test.go b/coderd/database/dbauthz/dbauthz_test.go
index 978478e4709c5..2eb75f8b738c4 100644
--- a/coderd/database/dbauthz/dbauthz_test.go
+++ b/coderd/database/dbauthz/dbauthz_test.go
@@ -626,6 +626,13 @@ func (s *MethodTestSuite) TestLicense() {
}
func (s *MethodTestSuite) TestOrganization() {
+ s.Run("Deployment/OIDCClaimFields", s.Subtest(func(db database.Store, check *expects) {
+ check.Args(uuid.Nil).Asserts(rbac.ResourceIdpsyncSettings, policy.ActionRead).Returns([]string{})
+ }))
+ s.Run("Organization/OIDCClaimFields", s.Subtest(func(db database.Store, check *expects) {
+ id := uuid.New()
+ check.Args(id).Asserts(rbac.ResourceIdpsyncSettings.InOrg(id), policy.ActionRead).Returns([]string{})
+ }))
s.Run("ByOrganization/GetGroups", s.Subtest(func(db database.Store, check *expects) {
o := dbgen.Organization(s.T(), db, database.Organization{})
a := dbgen.Group(s.T(), db, database.Group{OrganizationID: o.ID})
diff --git a/coderd/database/dbmem/dbmem.go b/coderd/database/dbmem/dbmem.go
index 64310cf36445a..aed57e9284b3a 100644
--- a/coderd/database/dbmem/dbmem.go
+++ b/coderd/database/dbmem/dbmem.go
@@ -8409,6 +8409,35 @@ func (q *FakeQuerier) ListWorkspaceAgentPortShares(_ context.Context, workspaceI
return shares, nil
}
+func (q *FakeQuerier) OIDCClaimFields(_ context.Context, organizationID uuid.UUID) ([]string, error) {
+ orgMembers := q.getOrganizationMemberNoLock(organizationID)
+
+ var fields []string
+ for _, link := range q.userLinks {
+ if organizationID != uuid.Nil {
+ inOrg := slices.ContainsFunc(orgMembers, func(organizationMember database.OrganizationMember) bool {
+ return organizationMember.UserID == link.UserID
+ })
+ if !inOrg {
+ continue
+ }
+ }
+
+ if link.LoginType != database.LoginTypeOIDC {
+ continue
+ }
+
+ for k := range link.Claims.IDTokenClaims {
+ fields = append(fields, k)
+ }
+ for k := range link.Claims.UserInfoClaims {
+ fields = append(fields, k)
+ }
+ }
+
+ return slice.Unique(fields), nil
+}
+
func (q *FakeQuerier) OrganizationMembers(_ context.Context, arg database.OrganizationMembersParams) ([]database.OrganizationMembersRow, error) {
if err := validateDatabaseType(arg); err != nil {
return []database.OrganizationMembersRow{}, err
diff --git a/coderd/database/dbmetrics/querymetrics.go b/coderd/database/dbmetrics/querymetrics.go
index d03e481628991..32d3cce658525 100644
--- a/coderd/database/dbmetrics/querymetrics.go
+++ b/coderd/database/dbmetrics/querymetrics.go
@@ -2058,6 +2058,13 @@ func (m queryMetricsStore) ListWorkspaceAgentPortShares(ctx context.Context, wor
return r0, r1
}
+func (m queryMetricsStore) OIDCClaimFields(ctx context.Context, organizationID uuid.UUID) ([]string, error) {
+ start := time.Now()
+ r0, r1 := m.s.OIDCClaimFields(ctx, organizationID)
+ m.queryLatencies.WithLabelValues("OIDCClaimFields").Observe(time.Since(start).Seconds())
+ return r0, r1
+}
+
func (m queryMetricsStore) OrganizationMembers(ctx context.Context, arg database.OrganizationMembersParams) ([]database.OrganizationMembersRow, error) {
start := time.Now()
r0, r1 := m.s.OrganizationMembers(ctx, arg)
diff --git a/coderd/database/dbmock/dbmock.go b/coderd/database/dbmock/dbmock.go
index 04bf967caf26b..d6c34411f8208 100644
--- a/coderd/database/dbmock/dbmock.go
+++ b/coderd/database/dbmock/dbmock.go
@@ -4359,6 +4359,21 @@ func (mr *MockStoreMockRecorder) ListWorkspaceAgentPortShares(arg0, arg1 any) *g
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ListWorkspaceAgentPortShares", reflect.TypeOf((*MockStore)(nil).ListWorkspaceAgentPortShares), arg0, arg1)
}
+// OIDCClaimFields mocks base method.
+func (m *MockStore) OIDCClaimFields(arg0 context.Context, arg1 uuid.UUID) ([]string, error) {
+ m.ctrl.T.Helper()
+ ret := m.ctrl.Call(m, "OIDCClaimFields", arg0, arg1)
+ ret0, _ := ret[0].([]string)
+ ret1, _ := ret[1].(error)
+ return ret0, ret1
+}
+
+// OIDCClaimFields indicates an expected call of OIDCClaimFields.
+func (mr *MockStoreMockRecorder) OIDCClaimFields(arg0, arg1 any) *gomock.Call {
+ mr.mock.ctrl.T.Helper()
+ return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "OIDCClaimFields", reflect.TypeOf((*MockStore)(nil).OIDCClaimFields), arg0, arg1)
+}
+
// OrganizationMembers mocks base method.
func (m *MockStore) OrganizationMembers(arg0 context.Context, arg1 database.OrganizationMembersParams) ([]database.OrganizationMembersRow, error) {
m.ctrl.T.Helper()
diff --git a/coderd/database/modelqueries.go b/coderd/database/modelqueries.go
index e687994778017..ff77012755fa2 100644
--- a/coderd/database/modelqueries.go
+++ b/coderd/database/modelqueries.go
@@ -3,6 +3,7 @@ package database
import (
"context"
"database/sql"
+ "encoding/json"
"fmt"
"strings"
@@ -527,3 +528,9 @@ func insertAuthorizedFilter(query string, replaceWith string) (string, error) {
filtered := strings.Replace(query, authorizedQueryPlaceholder, replaceWith, 1)
return filtered, nil
}
+
+// UpdateUserLinkRawJSON is a custom query for unit testing. Do not ever expose this
+func (q *sqlQuerier) UpdateUserLinkRawJSON(ctx context.Context, userID uuid.UUID, data json.RawMessage) error {
+ _, err := q.sdb.ExecContext(ctx, "UPDATE user_links SET claims = $2 WHERE user_id = $1", userID, data)
+ return err
+}
diff --git a/coderd/database/oidcclaims_test.go b/coderd/database/oidcclaims_test.go
new file mode 100644
index 0000000000000..85fd5b3df3812
--- /dev/null
+++ b/coderd/database/oidcclaims_test.go
@@ -0,0 +1,219 @@
+package database_test
+
+import (
+ "context"
+ "encoding/json"
+ "testing"
+
+ "github.com/google/uuid"
+ "github.com/stretchr/testify/require"
+
+ "github.com/coder/coder/v2/coderd/database"
+ "github.com/coder/coder/v2/coderd/database/dbfake"
+ "github.com/coder/coder/v2/coderd/database/dbgen"
+ "github.com/coder/coder/v2/coderd/database/dbtestutil"
+ "github.com/coder/coder/v2/coderd/util/slice"
+ "github.com/coder/coder/v2/testutil"
+)
+
+type extraKeys struct {
+ database.UserLinkClaims
+ Foo string `json:"foo"`
+}
+
+func TestOIDCClaims(t *testing.T) {
+ t.Parallel()
+
+ toJSON := func(a any) json.RawMessage {
+ b, _ := json.Marshal(a)
+ return b
+ }
+
+ db, _ := dbtestutil.NewDB(t)
+ g := userGenerator{t: t, db: db}
+
+ // https://en.wikipedia.org/wiki/Alice_and_Bob#Cast_of_characters
+ alice := g.withLink(database.LoginTypeOIDC, toJSON(extraKeys{
+ UserLinkClaims: database.UserLinkClaims{
+ IDTokenClaims: map[string]interface{}{
+ "sub": "alice",
+ "alice-id": "from-bob",
+ },
+ UserInfoClaims: nil,
+ MergedClaims: map[string]interface{}{
+ "sub": "alice",
+ "alice-id": "from-bob",
+ },
+ },
+ // Always should be a no-op
+ Foo: "bar",
+ }))
+ bob := g.withLink(database.LoginTypeOIDC, toJSON(database.UserLinkClaims{
+ IDTokenClaims: map[string]interface{}{
+ "sub": "bob",
+ "bob-id": "from-bob",
+ "array": []string{
+ "a", "b", "c",
+ },
+ "map": map[string]interface{}{
+ "key": "value",
+ "foo": "bar",
+ },
+ "nil": nil,
+ },
+ UserInfoClaims: map[string]interface{}{
+ "sub": "bob",
+ "bob-info": []string{},
+ "number": 42,
+ },
+ MergedClaims: map[string]interface{}{
+ "sub": "bob",
+ "bob-info": []string{},
+ "number": 42,
+ "bob-id": "from-bob",
+ "array": []string{
+ "a", "b", "c",
+ },
+ "map": map[string]interface{}{
+ "key": "value",
+ "foo": "bar",
+ },
+ "nil": nil,
+ },
+ }))
+ charlie := g.withLink(database.LoginTypeOIDC, toJSON(database.UserLinkClaims{
+ IDTokenClaims: map[string]interface{}{
+ "sub": "charlie",
+ "charlie-id": "charlie",
+ },
+ UserInfoClaims: map[string]interface{}{
+ "sub": "charlie",
+ "charlie-info": "charlie",
+ },
+ MergedClaims: map[string]interface{}{
+ "sub": "charlie",
+ "charlie-id": "charlie",
+ "charlie-info": "charlie",
+ },
+ }))
+
+ // users that just try to cause problems, but should not affect the output of
+ // queries.
+ problematics := []database.User{
+ g.withLink(database.LoginTypeOIDC, toJSON(database.UserLinkClaims{})), // null claims
+ g.withLink(database.LoginTypeOIDC, []byte(`{}`)), // empty claims
+ g.withLink(database.LoginTypeOIDC, []byte(`{"foo": "bar"}`)), // random keys
+ g.noLink(database.LoginTypeOIDC), // no link
+
+ g.withLink(database.LoginTypeGithub, toJSON(database.UserLinkClaims{
+ IDTokenClaims: map[string]interface{}{
+ "not": "allowed",
+ },
+ UserInfoClaims: map[string]interface{}{
+ "do-not": "look",
+ },
+ MergedClaims: map[string]interface{}{
+ "not": "allowed",
+ "do-not": "look",
+ },
+ })), // github should be omitted
+
+ // extra random users
+ g.noLink(database.LoginTypeGithub),
+ g.noLink(database.LoginTypePassword),
+ }
+
+ // Insert some orgs, users, and links
+ orgA := dbfake.Organization(t, db).Members(
+ append(problematics,
+ alice,
+ bob,
+ )...,
+ ).Do()
+ orgB := dbfake.Organization(t, db).Members(
+ append(problematics,
+ bob,
+ charlie,
+ )...,
+ ).Do()
+ orgC := dbfake.Organization(t, db).Members().Do()
+
+ // Verify the OIDC claim fields
+ always := []string{"array", "map", "nil", "number"}
+ expectA := append([]string{"sub", "alice-id", "bob-id", "bob-info"}, always...)
+ expectB := append([]string{"sub", "bob-id", "bob-info", "charlie-id", "charlie-info"}, always...)
+ requireClaims(t, db, orgA.Org.ID, expectA)
+ requireClaims(t, db, orgB.Org.ID, expectB)
+ requireClaims(t, db, orgC.Org.ID, []string{})
+ requireClaims(t, db, uuid.Nil, slice.Unique(append(expectA, expectB...)))
+}
+
+func requireClaims(t *testing.T, db database.Store, orgID uuid.UUID, want []string) {
+ t.Helper()
+
+ ctx := testutil.Context(t, testutil.WaitMedium)
+ got, err := db.OIDCClaimFields(ctx, orgID)
+ require.NoError(t, err)
+
+ require.ElementsMatch(t, want, got)
+}
+
+type userGenerator struct {
+ t *testing.T
+ db database.Store
+}
+
+func (g userGenerator) noLink(lt database.LoginType) database.User {
+ t := g.t
+ db := g.db
+
+ t.Helper()
+
+ u := dbgen.User(t, db, database.User{
+ LoginType: lt,
+ })
+ return u
+}
+
+func (g userGenerator) withLink(lt database.LoginType, rawJSON json.RawMessage) database.User {
+ t := g.t
+ db := g.db
+
+ user := g.noLink(lt)
+
+ link := dbgen.UserLink(t, db, database.UserLink{
+ UserID: user.ID,
+ LoginType: lt,
+ })
+
+ if sql, ok := db.(rawUpdater); ok {
+ // The only way to put arbitrary json into the db for testing edge cases.
+ // Making this a public API would be a mistake.
+ err := sql.UpdateUserLinkRawJSON(context.Background(), user.ID, rawJSON)
+ require.NoError(t, err)
+ } else {
+ // no need to test the json key logic in dbmem. Everything is type safe.
+ var claims database.UserLinkClaims
+ err := json.Unmarshal(rawJSON, &claims)
+ require.NoError(t, err)
+
+ _, err = db.UpdateUserLink(context.Background(), database.UpdateUserLinkParams{
+ OAuthAccessToken: link.OAuthAccessToken,
+ OAuthAccessTokenKeyID: link.OAuthAccessTokenKeyID,
+ OAuthRefreshToken: link.OAuthRefreshToken,
+ OAuthRefreshTokenKeyID: link.OAuthRefreshTokenKeyID,
+ OAuthExpiry: link.OAuthExpiry,
+ UserID: link.UserID,
+ LoginType: link.LoginType,
+ // The new claims
+ Claims: claims,
+ })
+ require.NoError(t, err)
+ }
+
+ return user
+}
+
+type rawUpdater interface {
+ UpdateUserLinkRawJSON(ctx context.Context, userID uuid.UUID, data json.RawMessage) error
+}
diff --git a/coderd/database/querier.go b/coderd/database/querier.go
index b7652865447ad..49ba6fbf8496a 100644
--- a/coderd/database/querier.go
+++ b/coderd/database/querier.go
@@ -413,6 +413,9 @@ type sqlcQuerier interface {
ListProvisionerKeysByOrganization(ctx context.Context, organizationID uuid.UUID) ([]ProvisionerKey, error)
ListProvisionerKeysByOrganizationExcludeReserved(ctx context.Context, organizationID uuid.UUID) ([]ProvisionerKey, error)
ListWorkspaceAgentPortShares(ctx context.Context, workspaceID uuid.UUID) ([]WorkspaceAgentPortShare, error)
+ // OIDCClaimFields returns a list of distinct keys in the the merged_claims fields.
+ // This query is used to generate the list of available sync fields for idp sync settings.
+ OIDCClaimFields(ctx context.Context, organizationID uuid.UUID) ([]string, error)
// Arguments are optional with uuid.Nil to ignore.
// - Use just 'organization_id' to get all members of an org
// - Use just 'user_id' to get all orgs a user is a member of
diff --git a/coderd/database/queries.sql.go b/coderd/database/queries.sql.go
index 94f108886ea60..09dd4c1fbc488 100644
--- a/coderd/database/queries.sql.go
+++ b/coderd/database/queries.sql.go
@@ -9846,6 +9846,49 @@ func (q *sqlQuerier) InsertUserLink(ctx context.Context, arg InsertUserLinkParam
return i, err
}
+const oIDCClaimFields = `-- name: OIDCClaimFields :many
+SELECT
+ DISTINCT jsonb_object_keys(claims->'merged_claims')
+FROM
+ user_links
+WHERE
+ -- Only return rows where the top level key exists
+ claims ? 'merged_claims' AND
+ -- 'null' is the default value for the id_token_claims field
+ -- jsonb 'null' is not the same as SQL NULL. Strip these out.
+ jsonb_typeof(claims->'merged_claims') != 'null' AND
+ login_type = 'oidc'
+ AND CASE WHEN $1 :: uuid != '00000000-0000-0000-0000-000000000000'::uuid THEN
+ user_links.user_id = ANY(SELECT organization_members.user_id FROM organization_members WHERE organization_id = $1)
+ ELSE true
+ END
+`
+
+// OIDCClaimFields returns a list of distinct keys in the the merged_claims fields.
+// This query is used to generate the list of available sync fields for idp sync settings.
+func (q *sqlQuerier) OIDCClaimFields(ctx context.Context, organizationID uuid.UUID) ([]string, error) {
+ rows, err := q.db.QueryContext(ctx, oIDCClaimFields, organizationID)
+ if err != nil {
+ return nil, err
+ }
+ defer rows.Close()
+ var items []string
+ for rows.Next() {
+ var jsonb_object_keys string
+ if err := rows.Scan(&jsonb_object_keys); err != nil {
+ return nil, err
+ }
+ items = append(items, jsonb_object_keys)
+ }
+ if err := rows.Close(); err != nil {
+ return nil, err
+ }
+ if err := rows.Err(); err != nil {
+ return nil, err
+ }
+ return items, nil
+}
+
const updateUserLink = `-- name: UpdateUserLink :one
UPDATE
user_links
diff --git a/coderd/database/queries/user_links.sql b/coderd/database/queries/user_links.sql
index d0d52c3eac054..274193b0c8bf6 100644
--- a/coderd/database/queries/user_links.sql
+++ b/coderd/database/queries/user_links.sql
@@ -57,3 +57,24 @@ SET
claims = $6
WHERE
user_id = $7 AND login_type = $8 RETURNING *;
+
+
+-- name: OIDCClaimFields :many
+-- OIDCClaimFields returns a list of distinct keys in the the merged_claims fields.
+-- This query is used to generate the list of available sync fields for idp sync settings.
+SELECT
+ DISTINCT jsonb_object_keys(claims->'merged_claims')
+FROM
+ user_links
+WHERE
+ -- Only return rows where the top level key exists
+ claims ? 'merged_claims' AND
+ -- 'null' is the default value for the id_token_claims field
+ -- jsonb 'null' is not the same as SQL NULL. Strip these out.
+ jsonb_typeof(claims->'merged_claims') != 'null' AND
+ login_type = 'oidc'
+ AND CASE WHEN @organization_id :: uuid != '00000000-0000-0000-0000-000000000000'::uuid THEN
+ user_links.user_id = ANY(SELECT organization_members.user_id FROM organization_members WHERE organization_id = @organization_id)
+ ELSE true
+ END
+;
diff --git a/coderd/userauth.go b/coderd/userauth.go
index 44b8c15a5dba5..c5e95e44998b2 100644
--- a/coderd/userauth.go
+++ b/coderd/userauth.go
@@ -1395,13 +1395,6 @@ func mergeClaims(a, b map[string]interface{}) map[string]interface{} {
return c
}
-// OauthDebugContext provides helpful information for admins to debug
-// OAuth login issues.
-type OauthDebugContext struct {
- IDTokenClaims map[string]interface{} `json:"id_token_claims"`
- UserInfoClaims map[string]interface{} `json:"user_info_claims"`
-}
-
type oauthLoginParams struct {
User database.User
Link database.UserLink
diff --git a/codersdk/idpsync.go b/codersdk/idpsync.go
index 0226dc7f9eb5f..6d34714bc5833 100644
--- a/codersdk/idpsync.go
+++ b/codersdk/idpsync.go
@@ -137,3 +137,31 @@ func (c *Client) PatchOrganizationIDPSyncSettings(ctx context.Context, req Organ
var resp OrganizationSyncSettings
return resp, json.NewDecoder(res.Body).Decode(&resp)
}
+
+func (c *Client) GetAvailableIDPSyncFields(ctx context.Context) ([]string, error) {
+ res, err := c.Request(ctx, http.MethodGet, "/api/v2/settings/idpsync/available-fields", nil)
+ if err != nil {
+ return nil, xerrors.Errorf("make request: %w", err)
+ }
+ defer res.Body.Close()
+
+ if res.StatusCode != http.StatusOK {
+ return nil, ReadBodyAsError(res)
+ }
+ var resp []string
+ return resp, json.NewDecoder(res.Body).Decode(&resp)
+}
+
+func (c *Client) GetOrganizationAvailableIDPSyncFields(ctx context.Context, orgID string) ([]string, error) {
+ res, err := c.Request(ctx, http.MethodGet, fmt.Sprintf("/api/v2/organizations/%s/settings/idpsync/available-fields", orgID), nil)
+ if err != nil {
+ return nil, xerrors.Errorf("make request: %w", err)
+ }
+ defer res.Body.Close()
+
+ if res.StatusCode != http.StatusOK {
+ return nil, ReadBodyAsError(res)
+ }
+ var resp []string
+ return resp, json.NewDecoder(res.Body).Decode(&resp)
+}
diff --git a/docs/reference/api/enterprise.md b/docs/reference/api/enterprise.md
index 53b50a460f875..d5bf44192fc00 100644
--- a/docs/reference/api/enterprise.md
+++ b/docs/reference/api/enterprise.md
@@ -1778,6 +1778,43 @@ curl -X DELETE http://coder-server:8080/api/v2/organizations/{organization}/prov
To perform this operation, you must be authenticated. [Learn more](authentication.md).
+## Get the available organization idp sync claim fields
+
+### Code samples
+
+```shell
+# Example request using curl
+curl -X GET http://coder-server:8080/api/v2/organizations/{organization}/settings/idpsync/available-fields \
+ -H 'Accept: application/json' \
+ -H 'Coder-Session-Token: API_KEY'
+```
+
+`GET /organizations/{organization}/settings/idpsync/available-fields`
+
+### Parameters
+
+| Name | In | Type | Required | Description |
+| -------------- | ---- | ------------ | -------- | --------------- |
+| `organization` | path | string(uuid) | true | Organization ID |
+
+### Example responses
+
+> 200 Response
+
+```json
+["string"]
+```
+
+### Responses
+
+| Status | Meaning | Description | Schema |
+| ------ | ------------------------------------------------------- | ----------- | --------------- |
+| 200 | [OK](https://tools.ietf.org/html/rfc7231#section-6.3.1) | OK | array of string |
+
+Response Schema
+
+To perform this operation, you must be authenticated. [Learn more](authentication.md).
+
## Get group IdP Sync settings by organization
### Code samples
@@ -2274,6 +2311,43 @@ curl -X PATCH http://coder-server:8080/api/v2/scim/v2/Users/{id} \
To perform this operation, you must be authenticated. [Learn more](authentication.md).
+## Get the available idp sync claim fields
+
+### Code samples
+
+```shell
+# Example request using curl
+curl -X GET http://coder-server:8080/api/v2/settings/idpsync/available-fields \
+ -H 'Accept: application/json' \
+ -H 'Coder-Session-Token: API_KEY'
+```
+
+`GET /settings/idpsync/available-fields`
+
+### Parameters
+
+| Name | In | Type | Required | Description |
+| -------------- | ---- | ------------ | -------- | --------------- |
+| `organization` | path | string(uuid) | true | Organization ID |
+
+### Example responses
+
+> 200 Response
+
+```json
+["string"]
+```
+
+### Responses
+
+| Status | Meaning | Description | Schema |
+| ------ | ------------------------------------------------------- | ----------- | --------------- |
+| 200 | [OK](https://tools.ietf.org/html/rfc7231#section-6.3.1) | OK | array of string |
+
+Response Schema
+
+To perform this operation, you must be authenticated. [Learn more](authentication.md).
+
## Get organization IdP Sync settings
### Code samples
diff --git a/enterprise/coderd/coderd.go b/enterprise/coderd/coderd.go
index b7642f4835c3b..b9356bc5b8f92 100644
--- a/enterprise/coderd/coderd.go
+++ b/enterprise/coderd/coderd.go
@@ -291,9 +291,12 @@ func New(ctx context.Context, options *Options) (_ *API, err error) {
r.Use(
apiKeyMiddleware,
)
- r.Route("/settings/idpsync/organization", func(r chi.Router) {
- r.Get("/", api.organizationIDPSyncSettings)
- r.Patch("/", api.patchOrganizationIDPSyncSettings)
+ r.Route("/settings/idpsync", func(r chi.Router) {
+ r.Route("/organization", func(r chi.Router) {
+ r.Get("/", api.organizationIDPSyncSettings)
+ r.Patch("/", api.patchOrganizationIDPSyncSettings)
+ })
+ r.Get("/available-fields", api.deploymentIDPSyncClaimFields)
})
})
@@ -303,6 +306,7 @@ func New(ctx context.Context, options *Options) (_ *API, err error) {
httpmw.ExtractOrganizationParam(api.Database),
)
r.Route("/organizations/{organization}/settings", func(r chi.Router) {
+ r.Get("/idpsync/available-fields", api.organizationIDPSyncClaimFields)
r.Get("/idpsync/groups", api.groupIDPSyncSettings)
r.Patch("/idpsync/groups", api.patchGroupIDPSyncSettings)
r.Get("/idpsync/roles", api.roleIDPSyncSettings)
diff --git a/enterprise/coderd/idpsync.go b/enterprise/coderd/idpsync.go
index 0df64ffb86b4b..087266462df26 100644
--- a/enterprise/coderd/idpsync.go
+++ b/enterprise/coderd/idpsync.go
@@ -1,8 +1,11 @@
package coderd
import (
+ "fmt"
"net/http"
+ "github.com/google/uuid"
+
"github.com/coder/coder/v2/coderd/database/dbauthz"
"github.com/coder/coder/v2/coderd/httpapi"
"github.com/coder/coder/v2/coderd/httpmw"
@@ -259,3 +262,50 @@ func (api *API) patchOrganizationIDPSyncSettings(rw http.ResponseWriter, r *http
AssignDefault: settings.AssignDefault,
})
}
+
+// @Summary Get the available organization idp sync claim fields
+// @ID get-the-available-organization-idp-sync-claim-fields
+// @Security CoderSessionToken
+// @Produce json
+// @Tags Enterprise
+// @Param organization path string true "Organization ID" format(uuid)
+// @Success 200 {array} string
+// @Router /organizations/{organization}/settings/idpsync/available-fields [get]
+func (api *API) organizationIDPSyncClaimFields(rw http.ResponseWriter, r *http.Request) {
+ org := httpmw.OrganizationParam(r)
+ api.idpSyncClaimFields(org.ID, rw, r)
+}
+
+// @Summary Get the available idp sync claim fields
+// @ID get-the-available-idp-sync-claim-fields
+// @Security CoderSessionToken
+// @Produce json
+// @Tags Enterprise
+// @Param organization path string true "Organization ID" format(uuid)
+// @Success 200 {array} string
+// @Router /settings/idpsync/available-fields [get]
+func (api *API) deploymentIDPSyncClaimFields(rw http.ResponseWriter, r *http.Request) {
+ // nil uuid implies all organizations
+ api.idpSyncClaimFields(uuid.Nil, rw, r)
+}
+
+func (api *API) idpSyncClaimFields(orgID uuid.UUID, rw http.ResponseWriter, r *http.Request) {
+ ctx := r.Context()
+
+ fields, err := api.Database.OIDCClaimFields(ctx, orgID)
+ if httpapi.IsUnauthorizedError(err) {
+ // Give a helpful error. The user could read the org, so this does not
+ // leak anything.
+ httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
+ Message: "You do not have permission to view the available IDP fields",
+ Detail: fmt.Sprintf("%s.read permission is required", rbac.ResourceIdpsyncSettings.Type),
+ })
+ return
+ }
+ if err != nil {
+ httpapi.InternalServerError(rw, err)
+ return
+ }
+
+ httpapi.Write(ctx, rw, http.StatusOK, fields)
+}
diff --git a/enterprise/coderd/userauth_test.go b/enterprise/coderd/userauth_test.go
index 47ed424055ece..28257078ebb36 100644
--- a/enterprise/coderd/userauth_test.go
+++ b/enterprise/coderd/userauth_test.go
@@ -165,6 +165,19 @@ func TestUserOIDC(t *testing.T) {
user, err := userClient.User(ctx, codersdk.Me)
require.NoError(t, err)
+ // Then: the available sync fields should be "email" and "organization"
+ fields, err := runner.AdminClient.GetAvailableIDPSyncFields(ctx)
+ require.NoError(t, err)
+ require.ElementsMatch(t, []string{
+ "aud", "exp", "iss", // Always included from jwt
+ "email", "organization",
+ }, fields)
+
+ // This should be the same as above
+ orgFields, err := runner.AdminClient.GetOrganizationAvailableIDPSyncFields(ctx, orgOne.ID.String())
+ require.NoError(t, err)
+ require.ElementsMatch(t, fields, orgFields)
+
// When: they are manually added to the fourth organization, a new sync
// should remove them.
_, err = runner.AdminClient.PostOrganizationMember(ctx, orgThree.ID, "alice")
pFad - Phonifier reborn
Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.
Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.
Alternative Proxies:
Alternative Proxy
pFad Proxy
pFad v3 Proxy
pFad v4 Proxy