From 3c81344edbed514499e108e59d05c295488d40e8 Mon Sep 17 00:00:00 2001
From: Thomas Kosiewski
Date: Fri, 7 Feb 2025 12:50:23 +0100
Subject: [PATCH] feat(cli/server.go): allow the use of public OIDC clients

Change-Id: Iadd85d40c2faa595a0498e25d3407a1f94b5c8a8
Signed-off-by: Thomas Kosiewski
---
 cli/server.go | 7 ++++++-
 scripts/dev-oidc.sh | 14 ++++++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/cli/server.go b/cli/server.go
index 41a957815fcd7..548f350bae9bc 100644
--- a/cli/server.go
+++ b/cli/server.go
@@ -694,7 +694,12 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 }
 }
 
- if vals.OIDC.ClientKeyFile != "" || vals.OIDC.ClientSecret != "" {
+ // As OIDC clients can be confidential or public,
+ // we should only check for a client id being set.
+ // The underlying library handles the case of no
+ // client secrets correctly. For more details on
+ // client types: https://oauth.net/2/client-types/
+ if vals.OIDC.ClientID != "" {
 if vals.OIDC.IgnoreEmailVerified {
 logger.Warn(ctx, "coder will not check email_verified for OIDC logins")
 }
diff --git a/scripts/dev-oidc.sh b/scripts/dev-oidc.sh
index 6a6d6e08ac705..cf5a7e3c6964c 100755
--- a/scripts/dev-oidc.sh
+++ b/scripts/dev-oidc.sh
@@ -49,6 +49,17 @@ cat </tmp/example-realm.json
 "baseUrl": "/coder",
 "redirectUris": ["*"],
 "secret": "coder"
+ },
+ {
+ "clientId": "coder-public",
+ "publicClient": true,
+ "directAccessGrantsEnabled": true,
+ "enabled": true,
+ "fullScopeAllowed": true,
+ "baseUrl": "/coder",
+ "redirectUris": [
+ "*"
+ ]
 }
 ]
 }
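Review bot: With only ClientID checked, a deployment that sets CODER_OIDC_CLIENT_ID but forgets the secret or key file now silently starts OIDC as a public client instead of leaving OIDC unconfigured as before, and nothing in the hunk tells the operator which mode was selected. The added comment asserts that the underlying library copes with an empty secret, but that library is not visible here, so I cannot confirm it. I'd make the mode explicit at startup, e.g. `if vals.OIDC.ClientSecret == "" && vals.OIDC.ClientKeyFile == "" { logger.Info(ctx, "no OIDC client secret or key file set; configuring OIDC as a public client") }`, so a missing secret shows up in the server log rather than being discovered at login time. Whether the public-client flow binds the authorization code with PKCE is also not visible in this hunk and is worth confirming, since a public client has no other way to authenticate at the token endpoint. The `if` body and the Server method continue outside the hunk.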
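Review bot: `"directAccessGrantsEnabled": true` on the new `coder-public` client turns on Keycloak's resource-owner password grant, which the redirect-based login this fixture presumably exercises (it sets `redirectUris`) does not need; on a public client that grant lets any caller who knows the client id exchange a username and password at the token endpoint. Unless the dev script relies on it, `"directAccessGrantsEnabled": false,` keeps the fixture to the flow under test. The existing confidential `coder` client entry starts above the hunk, so I cannot tell whether it sets the same flag.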
@@ -79,6 +90,9 @@ hostname=$(hostname -f)
 export CODER_OIDC_ISSUER_URL="http://${hostname}:9080/realms/coder"
 export CODER_OIDC_CLIENT_ID=coder
 export CODER_OIDC_CLIENT_SECRET=coder
+# Comment out the two lines above, and comment in the line below,
+# to configure OIDC auth using a public client.
+# export CODER_OIDC_CLIENT_ID=coder-public
 export CODER_DEV_ACCESS_URL="http://${hostname}:8080"
 
 exec "${SCRIPT_DIR}/develop.sh" "$@"
pFad - Phonifier reborn
