docs: update IdP group and role sync documentation for UI configuration #16315
Conversation
| authenticates using OIDC, the application requests offline access to the user's | ||
| resources, including the ability to refresh access tokens without requiring the | ||
| user to reauthenticate. | ||
| The `access_type` parameter has two possible values: `online` and `offline`. |
There was a problem hiding this comment.
I tried looking for more information about this and found https://registry.terraform.io/providers/mrparkers/keycloak/latest/docs/resources/openid_client
Based on that, there are other options and neither online nor offline are listed. Is this wording still accurate?
There was a problem hiding this comment.
Probably best revisiting this after merge too.
There was a problem hiding this comment.
Those are the wrong docs, it will not be a terraform resource.
I cannot find the correct docs though. This is the best I found
https://wjw465150.gitbooks.io/keycloak-documentation/content/server_admin/topics/sessions/offline.html
There was a problem hiding this comment.
nice find @Emyrk !
I found the source of that page, then traced it back to the keycloak docs - seems like it's the same info
glancing at their docs, the parameter is scope=offline_access and maybe not access_type, so it seems like it's still worth exploring our Keycloak section later
Clients can request an offline token by adding the parameter
scope=offline_accesswhen sending their authorization request to Keycloak.
that doc also links to https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
There was a problem hiding this comment.
It is worth explorig. The scope is different than the query param in the auth url.
The url param is defined in the OIDC spec https://developers.google.com/identity/openid-connect/openid-connect. Unsure if it is an oauth thing, or an oidc thing.
The oauth library we use has it defined:
https://github.com/golang/oauth2/blob/master/oauth2.go#L109-L121
As for what the scope does, I am unsure. It might be related to the query param, idk 🤷♂️.
| - `preferred_username`: You can use e.g. "Display Name" as required. | ||
| - `email`: You can use e.g. the LDAP attribute "E-Mail-Addresses" as | ||
| required. |
There was a problem hiding this comment.
are these "Display Name" and "E-Mail-Addresses" values from somewhere? I'm trying to reword these points
There was a problem hiding this comment.
Probably worth cleaning up this section as a separate PR. Unsure who wrote it, we can use git blame
docs/admin/users/idp-sync.md
Outdated
| For deployments with multiple [organizations](./organizations.md), configure | ||
| group sync at the organization level. |
There was a problem hiding this comment.
Even single org deployments have to configure it at the org level. They just configure it in the default org.
There was a problem hiding this comment.
@jaaydenh Do single org deployments on the Standard license see this UI?
There was a problem hiding this comment.
yeah:
we're trying to remind people that if you have more than one, configure it in the appropriate org. Let me see if I can rework this a little
There was a problem hiding this comment.
just in case, here's a screenshot of people see if they don't have a premium license
| authenticates using OIDC, the application requests offline access to the user's | ||
| resources, including the ability to refresh access tokens without requiring the | ||
| user to reauthenticate. | ||
| The `access_type` parameter has two possible values: `online` and `offline`. |
There was a problem hiding this comment.
Those are the wrong docs, it will not be a terraform resource.
I cannot find the correct docs though. This is the best I found
https://wjw465150.gitbooks.io/keycloak-documentation/content/server_admin/topics/sessions/offline.html
closes coder/internal#277
to do:
- [ ] re-org docpartially complete, but this will need revisitingpreview