grepdemos
diff --git a/‎cli/externalauth.go
+31-6 b/‎cli/externalauth.go
+31-6
diff --git a/‎coderd/apidoc/docs.go
+3 b/‎coderd/apidoc/docs.go
+3
diff --git a/‎coderd/apidoc/swagger.json
+3 b/‎coderd/apidoc/swagger.json
+3
diff --git a/‎coderd/workspaceagents.go
+10-10 b/‎coderd/workspaceagents.go
+10-10
diff --git a/‎codersdk/agentsdk/agentsdk.go
+7-6 b/‎codersdk/agentsdk/agentsdk.go
+7-6
diff --git a/‎docs/api/agents.md
+2 b/‎docs/api/agents.md
+2
diff --git a/‎docs/api/schemas.md
+10-8 b/‎docs/api/schemas.md
+10-8
@@ -28,6 +28,7 @@ func (r *RootCmd) externalAuth() *serpent.Command {
 
 func (r *RootCmd) externalAuthAccessToken() *serpent.Command {
 	var extra string
+	var full bool
 	return &serpent.Command{
 		Use:   "access-token <provider>",
 		Short: "Print auth for an external provider",
@@ -55,12 +56,22 @@ fi
 		Middleware: serpent.Chain(
 			serpent.RequireNArgs(1),
 		),
-		Options: serpent.OptionSet{{
-			Name:        "Extra",
-			Flag:        "extra",
-			Description: "Extract a field from the \"extra\" properties of the OAuth token.",
-			Value:       serpent.StringOf(&extra),
-		}},
+		Options: serpent.OptionSet{
+			{
+				Name:        "Extra",
+				Flag:        "extra",
+				Description: "Extract a field from the \"extra\" properties of the OAuth token.",
+				Value:       serpent.StringOf(&extra),
+			}, {
+				Name:          "Full",
+				Description:   "Print the full response from the external auth provider as json.",
+				Required:      false,
+				Flag:          "full",
+				FlagShorthand: "",
+				Default:       "false",
+				Value:         serpent.BoolOf(&full),
+			},
+		},
 
 		Handler: func(inv *serpent.Invocation) error {
 			ctx := inv.Context()
@@ -86,6 +97,20 @@ fi
 				}
 				return cliui.Canceled
 			}
+
+			if extra != "" && full {
+				return xerrors.Errorf("cannot specify both --extra and --full")
+			}
+
+			if full {
+				data, err := json.Marshal(extAuth)
+				if err != nil {
+					return xerrors.Errorf("marshal auth: %w", err)
+				}
+				_, _ = inv.Stdout.Write(data)
+				return nil
+			}
+
 			if extra != "" {
 				if extAuth.TokenExtra == nil {
 					return xerrors.Errorf("no extra properties found for token")
 
@@ -15,7 +15,6 @@ import (
 	"time"
 
 	"github.com/google/uuid"
-	"github.com/sqlc-dev/pqtype"
 	"golang.org/x/exp/maps"
 	"golang.org/x/exp/slices"
 	"golang.org/x/mod/semver"
@@ -1991,7 +1990,7 @@ func (api *API) workspaceAgentsExternalAuth(rw http.ResponseWriter, r *http.Requ
 		})
 		return
 	}
-	resp, err := createExternalAuthResponse(externalAuthConfig.Type, externalAuthLink.OAuthAccessToken, externalAuthLink.OAuthExtra)
+	resp, err := createExternalAuthResponse(externalAuthConfig.Type, externalAuthLink)
 	if err != nil {
 		handleRetrying(http.StatusInternalServerError, codersdk.Response{
 			Message: "Failed to create external auth response.",
@@ -2064,7 +2063,7 @@ func (api *API) workspaceAgentsExternalAuthListen(ctx context.Context, rw http.R
 		if !valid {
 			continue
 		}
-		resp, err := createExternalAuthResponse(externalAuthConfig.Type, externalAuthLink.OAuthAccessToken, externalAuthLink.OAuthExtra)
+		resp, err := createExternalAuthResponse(externalAuthConfig.Type, externalAuthLink)
 		if err != nil {
 			httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
 				Message: "Failed to create external auth response.",
@@ -2080,33 +2079,34 @@ func (api *API) workspaceAgentsExternalAuthListen(ctx context.Context, rw http.R
 // createExternalAuthResponse creates an ExternalAuthResponse based on the
 // provider type. This is to support legacy `/workspaceagents/me/gitauth`
 // which uses `Username` and `Password`.
-func createExternalAuthResponse(typ, token string, extra pqtype.NullRawMessage) (agentsdk.ExternalAuthResponse, error) {
+func createExternalAuthResponse(typ string, link database.ExternalAuthLink) (agentsdk.ExternalAuthResponse, error) {
 	var resp agentsdk.ExternalAuthResponse
 	switch typ {
 	case string(codersdk.EnhancedExternalAuthProviderGitLab):
 		// https://stackoverflow.com/questions/25409700/using-gitlab-token-to-clone-without-authentication
 		resp = agentsdk.ExternalAuthResponse{
 			Username: "oauth2",
-			Password: token,
+			Password: link.OAuthAccessToken,
 		}
 	case string(codersdk.EnhancedExternalAuthProviderBitBucketCloud), string(codersdk.EnhancedExternalAuthProviderBitBucketServer):
 		// The string "bitbucket" was a legacy parameter that needs to still be supported.
 		// https://support.atlassian.com/bitbucket-cloud/docs/use-oauth-on-bitbucket-cloud/#Cloning-a-repository-with-an-access-token
 		resp = agentsdk.ExternalAuthResponse{
 			Username: "x-token-auth",
-			Password: token,
+			Password: link.OAuthAccessToken,
 		}
 	default:
 		resp = agentsdk.ExternalAuthResponse{
-			Username: token,
+			Username: link.OAuthAccessToken,
 		}
 	}
-	resp.AccessToken = token
+	resp.RefreshToken = link.OAuthRefreshToken
+	resp.AccessToken = link.OAuthAccessToken
 	resp.Type = typ
 
 	var err error
-	if extra.Valid {
-		err = json.Unmarshal(extra.RawMessage, &resp.TokenExtra)
+	if link.OAuthExtra.Valid {
+		err = json.Unmarshal(link.OAuthExtra.RawMessage, &resp.TokenExtra)
 	}
 	return resp, err
 }
 
@@ -561,15 +561,16 @@ func (c *Client) PostLogSource(ctx context.Context, req PostLogSource) (codersdk
 }
 
 type ExternalAuthResponse struct {
-	AccessToken string                 `json:"access_token"`
-	TokenExtra  map[string]interface{} `json:"token_extra"`
-	URL         string                 `json:"url"`
-	Type        string                 `json:"type"`
+	AccessToken  string                 `json:"access_token" table:"access_token"`
+	RefreshToken string                 `json:"refresh_token" table:"refresh_token"`
+	TokenExtra   map[string]interface{} `json:"token_extra" table:"-"`
+	URL          string                 `json:"url" table:"url"`
+	Type         string                 `json:"type" table:"type,default_sort"`
 
 	// Deprecated: Only supported on `/workspaceagents/me/gitauth`
 	// for backwards compatibility.
-	Username string `json:"username"`
-	Password string `json:"password"`
+	Username string `json:"username" table:"-"`
+	Password string `json:"password" table:"-"`
 }
 
 // ExternalAuthRequest is used to request an access token for a provider.