diff --git a/cli/server.go b/cli/server.go index 41a957815fcd7..548f350bae9bc 100644 --- a/cli/server.go +++ b/cli/server.go @@ -694,7 +694,12 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd. } } - if vals.OIDC.ClientKeyFile != "" || vals.OIDC.ClientSecret != "" { + // As OIDC clients can be confidential or public, + // we should only check for a client id being set. + // The underlying library handles the case of no + // client secrets correctly. For more details on + // client types: https://oauth.net/2/client-types/ + if vals.OIDC.ClientID != "" { if vals.OIDC.IgnoreEmailVerified { logger.Warn(ctx, "coder will not check email_verified for OIDC logins") } diff --git a/scripts/dev-oidc.sh b/scripts/dev-oidc.sh index 6a6d6e08ac705..cf5a7e3c6964c 100755 --- a/scripts/dev-oidc.sh +++ b/scripts/dev-oidc.sh @@ -49,6 +49,17 @@ cat </tmp/example-realm.json "baseUrl": "/coder", "redirectUris": ["*"], "secret": "coder" + }, + { + "clientId": "coder-public", + "publicClient": true, + "directAccessGrantsEnabled": true, + "enabled": true, + "fullScopeAllowed": true, + "baseUrl": "/coder", + "redirectUris": [ + "*" + ] } ] } @@ -79,6 +90,9 @@ hostname=$(hostname -f) export CODER_OIDC_ISSUER_URL="http://${hostname}:9080/realms/coder" export CODER_OIDC_CLIENT_ID=coder export CODER_OIDC_CLIENT_SECRET=coder +# Comment out the two lines above, and comment in the line below, +# to configure OIDC auth using a public client. +# export CODER_OIDC_CLIENT_ID=coder-public export CODER_DEV_ACCESS_URL="http://${hostname}:8080" exec "${SCRIPT_DIR}/develop.sh" "$@" pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.

Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy