feat: Add OAuth2 authentication flow for Coder#151
Merged
buenos-nachos merged 13 commits intomainfrom Oct 15, 2025
Merged
Conversation
f0ssel
commented
Oct 12, 2025
plugins/backstage-plugin-coder/src/components/CoderAuthForm/CoderAuthInputForm.tsx
Outdated
Show resolved
Hide resolved
plugins/backstage-plugin-coder/src/components/CoderProvider/CoderAppConfigProvider.tsx
Outdated
Show resolved
Hide resolved
plugins/backstage-plugin-coder/src/components/CoderProvider/CoderAuthProvider.tsx
Outdated
Show resolved
Hide resolved
blink-so
bot
force-pushed
the
f0ssel/oauth2
branch
from
c46c81d to
cc948e0
Compare
f0ssel
commented
Oct 13, 2025
Comment on lines
136
to
142
| accessUrl: 'https://dev.coder.com', | ||
| }, | ||
|
|
||
| oauth: { | ||
| clientId: '09cd00cf-9517-401c-9601-3712f187b53c', | ||
| backendUrl: 'http://localhost:7007', | ||
| }, |
Contributor
Author
There was a problem hiding this comment.
I've been having trouble piping config from appConfig data into the frontend apps, so this is still hard coded to get things working for now.
f0ssel
commented
Oct 13, 2025
Comment on lines
26
to
29
| oauth: { | ||
| clientId: '09cd00cf-9517-401c-9601-3712f187b53c', | ||
| backendUrl: 'http://localhost:7007', | ||
| }, |
Contributor
Author
There was a problem hiding this comment.
Same appConfig issue here
f0ssel
commented
Oct 13, 2025
Comment on lines
+8
to
+13
| coder: | ||
| deployment: | ||
| accessUrl: https://dev.coder.com | ||
| oauth: | ||
| clientId: ${CODER_OAUTH_CLIENT_ID:-backstage} | ||
| clientSecret: ${CODER_OAUTH_CLIENT_SECRET:-change-me} |
Contributor
Author
There was a problem hiding this comment.
Not sure if this should be here or somewhere else, but is useful for development.
blink-so
bot
force-pushed
the
f0ssel/oauth2
branch
from
aa81e22 to
1c4b44d
Compare
Added OAuth2 sign-in capability to the Coder Backstage plugin, allowing users to authenticate via Coder's OAuth2 provider instead of manually entering tokens. Frontend changes: - Added 'Sign in with Coder' OAuth2 button to CoderAuthInputForm - OAuth button opens popup window for better UX - PostMessage-based token exchange between popup and parent window - Configurable via appConfig.oauth.clientId and appConfig.oauth.backendUrl - Falls back to manual token entry if needed Backend changes: - Created new backend plugin (@coder/backstage-plugin-coder-backend) - Handles OAuth2 callback at /api/auth/coder/oauth/callback - Exchanges authorization codes for access tokens - Returns tokens to frontend via postMessage - Configurable OAuth credentials via app-config (coder.oauth.*) Key features: - Clean separation between frontend and backend concerns - Secure token exchange with configurable backend URL validation - Maintains existing manual token entry as fallback option
f0ssel
commented
Oct 13, 2025
|
|
||
| coder: | ||
| deployment: | ||
| accessUrl: https://dev.coder.com |
f0ssel
commented
Oct 14, 2025
Comment on lines
+1
to
+28
| export interface Config { | ||
| /** | ||
| * @visibility frontend | ||
| */ | ||
| coder: { | ||
| /** | ||
| * @deepVisibility frontend | ||
| */ | ||
| deployment: { | ||
| accessUrl: string; | ||
| }; | ||
|
|
||
| /** | ||
| * @visibility frontend | ||
| */ | ||
| oauth: { | ||
| /** | ||
| * @visibility frontend | ||
| */ | ||
| clientId: string; | ||
|
|
||
| /** | ||
| * @visibility secret | ||
| */ | ||
| clientSecret: string; | ||
| }; | ||
| }; | ||
| } |
Contributor
Author
There was a problem hiding this comment.
Very cool I had no clue how to do this lol
buenos-nachos
approved these changes
Oct 15, 2025
Contributor
buenos-nachos
left a comment
buenos-nachos
left a comment
There was a problem hiding this comment.
Approving so this can get merged in. We tested out a few different flows, and while the backend doesn't have any tests yet, we do still feel reasonably sure that things work
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Added OAuth2 sign-in button to CoderAuthInputForm allowing users to
authenticate via Coder's OAuth2 provider instead of manually entering tokens.
Created new backend plugin (@coder/backstage-plugin-coder-backend) to handle
OAuth2 callback flow, exchange authorization codes for access tokens, and
securely communicate tokens back to the frontend via postMessage.
Screen.Recording.2025-10-12.at.5.17.55.PM.mov