Skip to content

fix: add proper OIDC user role validation #247

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 4 commits into from
Closed

fix: add proper OIDC user role validation #247

wants to merge 4 commits into from

Conversation

angrycub
Copy link

When creating OIDC users, the provider was calling UpdateUserRoles even with empty roles due to the default schema value, causing the server error "User Role Field is set in the OIDC configuration".

OIDC users should get their roles exclusively from the OIDC provider's role mapping, not from explicit API calls. This fix:

  • Errors if explicit roles are provided for OIDC users
  • Skips role assignment entirely for OIDC users
  • Provides clear error messaging about OIDC role behavior

🤖 Generated with Claude Code

@angrycub @claude
fix: add proper OIDC user role validation
d8d4d6f 
When creating OIDC users, the provider was calling UpdateUserRoles
even with empty roles due to the default schema value, causing the
server error "User Role Field is set in the OIDC configuration".

OIDC users should get their roles exclusively from the OIDC provider's
role mapping, not from explicit API calls. This fix:

- Errors if explicit roles are provided for OIDC users
- Skips role assignment entirely for OIDC users
- Provides clear error messaging about OIDC role behavior

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
@angrycub angrycub self-assigned this Aug 15, 2025
@angrycub angrycub added the go Pull requests that update Go code label Aug 15, 2025
ethanndickson
ethanndickson reviewed Aug 15, 2025
View reviewed changes
internal/provider/user_resource.go
Copy link
Member

@ethanndickson ethanndickson Aug 15, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we need to update Read as well here, right? I don't have a Coder deployment w/ an IDP handy*, but I assume if you gave the user managed by Terraform roles via OIDC, Terraform would complain about config drift on every subsequent apply.

*For the same reason, we probably won't be able to have a test for this :( All our provider tests use a containerized coder, and adding a fake IDP for those tests sounds painful.

blink-so bot and others added 3 commits August 15, 2025 15:20
@blink-so @angrycub
fix: prevent config drift for OIDC users in Read function
e7df6a1 
Update the Read function to not populate roles from server response for OIDC users.
This prevents Terraform from detecting config drift when OIDC users have roles
assigned by the OIDC provider but an empty roles list in the Terraform config.

Addresses review comment about config drift in PR #247.

Co-authored-by: angrycub <464492+angrycub@users.noreply.github.com>
@blink-so @angrycub
refactor: improve code style with consistent negative conditions
9ecc2e1 
Update OIDC user role handling to use cleaner Go style:
- Use negative conditions (loginType != codersdk.LoginTypeOIDC) for better readability
- Simplify comments to be more concise and inline
- Maintain all existing validation logic and functionality

Co-authored-by: angrycub <464492+angrycub@users.noreply.github.com>
@blink-so @angrycub
style: run go fmt to fix formatting
2e40dab 
Fix formatting issues found by go fmt, specifically the closing brace
placement in the ImportState function.

Co-authored-by: angrycub <464492+angrycub@users.noreply.github.com>
@angrycub angrycub marked this pull request as ready for review August 15, 2025 21:07
@angrycub angrycub requested a review from ethanndickson August 15, 2025 21:07
@ethanndickson
Copy link
Member

Unfortunately, this won't work, as the API rejects user role updates based off:

if user.LoginType == database.LoginTypeOIDC && api.IDPSync.SiteRoleSyncEnabled()

Since it's possible to have an OIDC user who's roles are managed via the API, we'll instead go with a slightly different approach (in #250). That approach is similar to what we offer for members on the group resource.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ethanndickson ethanndickson Awaiting requested review from ethanndickson

Assignees

@angrycub angrycub

Labels
go Pull requests that update Go code
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@angrycub @ethanndickson
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy