From b75669ebf20828dbd3261d1d54da0ad903392301 Mon Sep 17 00:00:00 2001
From: Garrett Delfosse <delfossegarrett@gmail.com>
Date: Fri, 12 Sep 2025 18:48:35 +0000
Subject: [PATCH 01/12] chore: fix dev server config

---
 app-config.yaml     |  3 +--
 package.json        |  7 ++---
 scripts/dev-init.sh |  7 +++--
 yarn.lock           | 63 ++++++++++++++++++++++++++-------------------
 4 files changed, 44 insertions(+), 36 deletions(-)
 mode change 100644 => 100755 scripts/dev-init.sh

diff --git a/app-config.yaml b/app-config.yaml
index 3dc58953..286b634f 100644
--- a/app-config.yaml
+++ b/app-config.yaml
@@ -15,8 +15,7 @@ backend:
   baseUrl: http://localhost:7007
   listen:
     port: 7007
-    # Uncomment the following host directive to bind to specific interfaces
-    # host: 127.0.0.1
+    host: localhost
   csp:
     connect-src: ["'self'", 'http:', 'https:']
     # Content-Security-Policy directives follow the Helmet format: https://helmetjs.github.io/#reference
diff --git a/package.json b/package.json
index 74a5bfa8..cef9c62a 100644
--- a/package.json
+++ b/package.json
@@ -6,8 +6,8 @@
     "node": "18 || 20"
   },
   "scripts": {
-    "dev": "concurrently \"yarn dev-init\" \"yarn start\" \"yarn start-backend\"",
-    "dev-init": "/bin/bash ./scripts/dev-init.sh",
+    "dev": "yarn dev-init && concurrently --names \"react,backend\" -c \"green,blue\" \"yarn start\" \"yarn start-backend\"",
+    "dev-init": "./scripts/dev-init.sh",
     "start": "yarn workspace app start",
     "start-backend": "yarn workspace backend start",
     "build:backend": "yarn workspace backend build",
@@ -55,5 +55,6 @@
     "*.{json,md}": [
       "prettier --write"
     ]
-  }
+  },
+  "packageManager": "yarn@1.22.22+sha512.a6b2f7906b721bba3d67d4aff083df04dad64c399707841b7acf00f6b133b7ac24255f2652fa22ae3534329dc6180534e98d17432037ff6fd140556e2bb3137e"
 }
diff --git a/scripts/dev-init.sh b/scripts/dev-init.sh
old mode 100644
new mode 100755
index c505e619..774291b2
--- a/scripts/dev-init.sh
+++ b/scripts/dev-init.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Run a basic postgreSQL container on localhost:5555 with basic username and password
+# Run a basic postgreSQL container on localhost:5432 with basic username and password
 CONTAINER_NAME="backstage_db"
 
 # Check if the container is already running
@@ -11,10 +11,9 @@ else
     docker run --name $CONTAINER_NAME \
         -e POSTGRES_PASSWORD=postgres \
         -e POSTGRES_USER=postgres \
-        -p 5555:5432 \
-        -v backstage_data:/var/lib/postgresql/data \
+        -p 5432:5432 \
         -d postgres
     echo "Container $CONTAINER_NAME started."
 fi
 
-echo "Running backend on http://localhost:7007"
+echo "Running postgres db on localhost:5432"
diff --git a/yarn.lock b/yarn.lock
index c287f84a..abbe5a5c 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -8718,12 +8718,10 @@
   resolved "https://registry.yarnpkg.com/@types/range-parser/-/range-parser-1.2.7.tgz#50ae4353eaaddc04044279812f52c8c65857dbcb"
   integrity sha512-hKormJbkJqzQGhziax5PItDUTMAM9uE2XXQmM37dyd4hVM+5aVl7oVxMVUiVQn2oCQFN/LKCZdvSM0pFRqbSmQ==
 
-"@types/react-dom@*", "@types/react-dom@^18.0.0":
-  version "18.3.0"
-  resolved "https://registry.yarnpkg.com/@types/react-dom/-/react-dom-18.3.0.tgz#0cbc818755d87066ab6ca74fbedb2547d74a82b0"
-  integrity sha512-EhwApuTmMBmXuFOikhQLIBUn6uFg81SwLMOAUgodJF14SOBOCMdU04gDoYi0WOJJHD144TL32z4yDqCW3dnkQg==
-  dependencies:
-    "@types/react" "*"
+"@types/react-dom@*", "@types/react-dom@^18", "@types/react-dom@^18.0.0":
+  version "18.3.7"
+  resolved "https://registry.yarnpkg.com/@types/react-dom/-/react-dom-18.3.7.tgz#b89ddf2cd83b4feafcc4e2ea41afdfb95a0d194f"
+  integrity sha512-MEe3UeoENYVFXzoXEWsvcpg6ZvlrFNlOQ7EOsvhI3CfAXwzPfO8Qwuxd40nepsYKqyyVQnTdEfv68q91yLcKrQ==
 
 "@types/react-redux@^7.1.20":
   version "7.1.33"
@@ -8756,21 +8754,12 @@
   dependencies:
     "@types/react" "*"
 
-"@types/react@*", "@types/react@^16.13.1 || ^17.0.0 || ^18.0.0":
-  version "18.3.2"
-  resolved "https://registry.yarnpkg.com/@types/react/-/react-18.3.2.tgz#462ae4904973bc212fa910424d901e3d137dbfcd"
-  integrity sha512-Btgg89dAnqD4vV7R3hlwOxgqobUQKgx3MmrQRi0yYbs/P0ym8XozIAlkqVilPqHQwXs4e9Tf63rrCgl58BcO4w==
-  dependencies:
-    "@types/prop-types" "*"
-    csstype "^3.0.2"
-
-"@types/react@^16.13.1 || ^17.0.0":
-  version "17.0.80"
-  resolved "https://registry.yarnpkg.com/@types/react/-/react-17.0.80.tgz#a5dfc351d6a41257eb592d73d3a85d3b7dbcbb41"
-  integrity sha512-LrgHIu2lEtIo8M7d1FcI3BdwXWoRQwMoXOZ7+dPTW0lYREjmlHl3P0U1VD0i/9tppOuv8/sam7sOjx34TxSFbA==
+"@types/react@*", "@types/react@^16.13.1 || ^17.0.0", "@types/react@^16.13.1 || ^17.0.0 || ^18.0.0", "@types/react@^18":
+  version "18.3.24"
+  resolved "https://registry.yarnpkg.com/@types/react/-/react-18.3.24.tgz#f6a5a4c613242dfe3af0dcee2b4ec47b92d9b6bd"
+  integrity sha512-0dLEBsA1kI3OezMBF8nSsb7Nk19ZnsyE1LLhB8r27KbgU5H4pvuqZLdtE+aUkJVoXgTVuA+iLIwmZ0TuK4tx6A==
   dependencies:
     "@types/prop-types" "*"
-    "@types/scheduler" "^0.16"
     csstype "^3.0.2"
 
 "@types/request@^2.47.1", "@types/request@^2.48.8":
@@ -8800,11 +8789,6 @@
   resolved "https://registry.yarnpkg.com/@types/retry/-/retry-0.12.0.tgz#2b35eccfcee7d38cd72ad99232fbd58bffb3c84d"
   integrity sha512-wWKOClTTiizcZhXnPY4wikVAwmdYHp8q6DmC+EJUzAMsycb7HB32Kh9RN4+0gExjmPmZSAQjgURXIGATPegAvA==
 
-"@types/scheduler@^0.16":
-  version "0.16.8"
-  resolved "https://registry.yarnpkg.com/@types/scheduler/-/scheduler-0.16.8.tgz#ce5ace04cfeabe7ef87c0091e50752e36707deff"
-  integrity sha512-WZLiwShhwLRmeV6zH+GkbOFT6Z6VklCItrDioxUnv+u4Ll+8vKeFySoFyK/0ctcRpOmwAicELfmys1sDc/Rw+A==
-
 "@types/semver@^7.3.12", "@types/semver@^7.5.0":
   version "7.5.7"
   resolved "https://registry.yarnpkg.com/@types/semver/-/semver-7.5.7.tgz#326f5fdda70d13580777bcaa1bc6fa772a5aef0e"
@@ -21927,7 +21911,16 @@ string-length@^4.0.1:
     char-regex "^1.0.2"
     strip-ansi "^6.0.0"
 
-"string-width-cjs@npm:string-width@^4.2.0", "string-width@^1.0.2 || 2 || 3 || 4", string-width@^4.1.0, string-width@^4.2.0, string-width@^4.2.3:
+"string-width-cjs@npm:string-width@^4.2.0":
+  version "4.2.3"
+  resolved "https://registry.yarnpkg.com/string-width/-/string-width-4.2.3.tgz#269c7117d27b05ad2e536830a8ec895ef9c6d010"
+  integrity sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==
+  dependencies:
+    emoji-regex "^8.0.0"
+    is-fullwidth-code-point "^3.0.0"
+    strip-ansi "^6.0.1"
+
+"string-width@^1.0.2 || 2 || 3 || 4", string-width@^4.1.0, string-width@^4.2.0, string-width@^4.2.3:
   version "4.2.3"
   resolved "https://registry.yarnpkg.com/string-width/-/string-width-4.2.3.tgz#269c7117d27b05ad2e536830a8ec895ef9c6d010"
   integrity sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==
@@ -22001,7 +21994,7 @@ string_decoder@~1.1.1:
   dependencies:
     safe-buffer "~5.1.0"
 
-"strip-ansi-cjs@npm:strip-ansi@^6.0.1", strip-ansi@^6.0.0, strip-ansi@^6.0.1:
+"strip-ansi-cjs@npm:strip-ansi@^6.0.1":
   version "6.0.1"
   resolved "https://registry.yarnpkg.com/strip-ansi/-/strip-ansi-6.0.1.tgz#9e26c63d30f53443e9489495b2105d37b67a85d9"
   integrity sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==
@@ -22015,6 +22008,13 @@ strip-ansi@5.2.0:
   dependencies:
     ansi-regex "^4.1.0"
 
+strip-ansi@^6.0.0, strip-ansi@^6.0.1:
+  version "6.0.1"
+  resolved "https://registry.yarnpkg.com/strip-ansi/-/strip-ansi-6.0.1.tgz#9e26c63d30f53443e9489495b2105d37b67a85d9"
+  integrity sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==
+  dependencies:
+    ansi-regex "^5.0.1"
+
 strip-ansi@^7.0.1:
   version "7.1.0"
   resolved "https://registry.yarnpkg.com/strip-ansi/-/strip-ansi-7.1.0.tgz#d5b6568ca689d8561370b0707685d22434faff45"
@@ -23828,7 +23828,7 @@ wordwrap@^1.0.0:
   resolved "https://registry.yarnpkg.com/wordwrap/-/wordwrap-1.0.0.tgz#27584810891456a4171c8d0226441ade90cbcaeb"
   integrity sha512-gvVzJFlPycKc5dZN4yPkP8w7Dc37BtP1yczEneOb4uq34pXZcvrtRTmWV8W+Ume+XCxKgbjM+nevkyFPMybd4Q==
 
-"wrap-ansi-cjs@npm:wrap-ansi@^7.0.0", wrap-ansi@^7.0.0:
+"wrap-ansi-cjs@npm:wrap-ansi@^7.0.0":
   version "7.0.0"
   resolved "https://registry.yarnpkg.com/wrap-ansi/-/wrap-ansi-7.0.0.tgz#67e145cff510a6a6984bdf1152911d69d2eb9e43"
   integrity sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==
@@ -23846,6 +23846,15 @@ wrap-ansi@^6.0.1:
     string-width "^4.1.0"
     strip-ansi "^6.0.0"
 
+wrap-ansi@^7.0.0:
+  version "7.0.0"
+  resolved "https://registry.yarnpkg.com/wrap-ansi/-/wrap-ansi-7.0.0.tgz#67e145cff510a6a6984bdf1152911d69d2eb9e43"
+  integrity sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==
+  dependencies:
+    ansi-styles "^4.0.0"
+    string-width "^4.1.0"
+    strip-ansi "^6.0.0"
+
 wrap-ansi@^8.1.0:
   version "8.1.0"
   resolved "https://registry.yarnpkg.com/wrap-ansi/-/wrap-ansi-8.1.0.tgz#56dc22368ee570face1b49819975d9b9a5ead214"

From 04d9ab2aaff4ce26a93994411d1968f2eda44578 Mon Sep 17 00:00:00 2001
From: Garrett Delfosse <19379394+f0ssel@users.noreply.github.com>
Date: Mon, 13 Oct 2025 13:52:35 +0000
Subject: [PATCH 02/12] feat: Add OAuth2 authentication flow for Coder

Added OAuth2 sign-in capability to the Coder Backstage plugin, allowing
users to authenticate via Coder's OAuth2 provider instead of manually
entering tokens.

Frontend changes:
- Added 'Sign in with Coder' OAuth2 button to CoderAuthInputForm
- OAuth button opens popup window for better UX
- PostMessage-based token exchange between popup and parent window
- Configurable via appConfig.oauth.clientId and appConfig.oauth.backendUrl
- Falls back to manual token entry if needed

Backend changes:
- Created new backend plugin (@coder/backstage-plugin-coder-backend)
- Handles OAuth2 callback at /api/auth/coder/oauth/callback
- Exchanges authorization codes for access tokens
- Returns tokens to frontend via postMessage
- Configurable OAuth credentials via app-config (coder.oauth.*)

Key features:
- Clean separation between frontend and backend concerns
- Secure token exchange with configurable backend URL validation
- Maintains existing manual token entry as fallback option
---
 .prettierignore                               |   2 +
 app-config.yaml                               |   7 +
 .../app/src/components/catalog/EntityPage.tsx |   5 +
 packages/backend/package.json                 |   1 +
 packages/backend/src/index.ts                 |   9 ++
 .../.eslintrc.js                              |   1 +
 .../package.json                              |  49 +++++++
 .../src/index.ts                              |   7 +
 .../src/service/router.ts                     | 121 +++++++++++++++++
 plugins/backstage-plugin-coder/README.md      |   6 +
 .../backstage-plugin-coder/dev/DevPage.tsx    |   5 +
 .../CoderAuthForm/CoderAuthInputForm.tsx      | 122 ++++++++++++++++--
 .../CoderProvider/CoderAppConfigProvider.tsx  |   5 +
 plugins/backstage-plugin-coder/src/plugin.ts  |   7 +-
 14 files changed, 332 insertions(+), 15 deletions(-)
 create mode 100644 plugins/backstage-plugin-coder-backend/.eslintrc.js
 create mode 100644 plugins/backstage-plugin-coder-backend/package.json
 create mode 100644 plugins/backstage-plugin-coder-backend/src/index.ts
 create mode 100644 plugins/backstage-plugin-coder-backend/src/service/router.ts

diff --git a/.prettierignore b/.prettierignore
index dfb0f1cd..3b5fc9c8 100644
--- a/.prettierignore
+++ b/.prettierignore
@@ -2,3 +2,5 @@ dist
 dist-types
 coverage
 .vscode
+.coder.yaml
+app-config.local.yaml
\ No newline at end of file
diff --git a/app-config.yaml b/app-config.yaml
index 286b634f..6d11a74e 100644
--- a/app-config.yaml
+++ b/app-config.yaml
@@ -5,6 +5,13 @@ app:
 organization:
   name: Coder
 
+coder:
+  deployment:
+    accessUrl: https://dev.coder.com
+  oauth:
+    clientId: ${CODER_OAUTH_CLIENT_ID:-backstage}
+    clientSecret: ${CODER_OAUTH_CLIENT_SECRET:-change-me}
+
 backend:
   # Used for enabling authentication, secret is shared by all backend plugins
   # See https://backstage.io/docs/auth/service-to-service-auth for
diff --git a/packages/app/src/components/catalog/EntityPage.tsx b/packages/app/src/components/catalog/EntityPage.tsx
index 6c4f9df1..8cf92ca5 100644
--- a/packages/app/src/components/catalog/EntityPage.tsx
+++ b/packages/app/src/components/catalog/EntityPage.tsx
@@ -136,6 +136,11 @@ const coderAppConfig: CoderAppConfig = {
     accessUrl: 'https://dev.coder.com',
   },
 
+  oauth: {
+    clientId: '09cd00cf-9517-401c-9601-3712f187b53c',
+    backendUrl: 'http://localhost:7007',
+  },
+
   workspaces: {
     defaultTemplateName: 'devcontainers',
     defaultMode: 'manual',
diff --git a/packages/backend/package.json b/packages/backend/package.json
index c021564d..e0d8f3aa 100644
--- a/packages/backend/package.json
+++ b/packages/backend/package.json
@@ -37,6 +37,7 @@
     "@backstage/plugin-search-backend-module-techdocs": "^0.1.13",
     "@backstage/plugin-search-backend-node": "^1.2.13",
     "@backstage/plugin-techdocs-backend": "^1.9.2",
+    "@coder/backstage-plugin-coder-backend": "0.0.0",
     "@coder/backstage-plugin-devcontainers-backend": "0.0.0",
     "app": "link:../app",
     "better-sqlite3": "^9.0.0",
diff --git a/packages/backend/src/index.ts b/packages/backend/src/index.ts
index 04c4ff93..57e39d2d 100644
--- a/packages/backend/src/index.ts
+++ b/packages/backend/src/index.ts
@@ -31,6 +31,7 @@ import search from './plugins/search';
 import { PluginEnvironment } from './types';
 import { ServerPermissionClient } from '@backstage/plugin-permission-node';
 import { DefaultIdentityClient } from '@backstage/plugin-auth-node';
+import { createRouter as createCoderRouter } from '@coder/backstage-plugin-coder-backend';
 
 function makeCreateEnv(config: Config) {
   const root = getRootLogger();
@@ -85,10 +86,18 @@ async function main() {
   const techdocsEnv = useHotMemoize(module, () => createEnv('techdocs'));
   const searchEnv = useHotMemoize(module, () => createEnv('search'));
   const appEnv = useHotMemoize(module, () => createEnv('app'));
+  const coderEnv = useHotMemoize(module, () => createEnv('coder'));
 
   const apiRouter = Router();
   apiRouter.use('/catalog', await catalog(catalogEnv));
   apiRouter.use('/scaffolder', await scaffolder(scaffolderEnv));
+  apiRouter.use(
+    '/auth/coder',
+    await createCoderRouter({
+      logger: coderEnv.logger,
+      config: coderEnv.config,
+    }),
+  );
   apiRouter.use('/auth', await auth(authEnv));
   apiRouter.use('/techdocs', await techdocs(techdocsEnv));
   apiRouter.use('/proxy', await proxy(proxyEnv));
diff --git a/plugins/backstage-plugin-coder-backend/.eslintrc.js b/plugins/backstage-plugin-coder-backend/.eslintrc.js
new file mode 100644
index 00000000..e2a53a6a
--- /dev/null
+++ b/plugins/backstage-plugin-coder-backend/.eslintrc.js
@@ -0,0 +1 @@
+module.exports = require('@backstage/cli/config/eslint-factory')(__dirname);
diff --git a/plugins/backstage-plugin-coder-backend/package.json b/plugins/backstage-plugin-coder-backend/package.json
new file mode 100644
index 00000000..361d4468
--- /dev/null
+++ b/plugins/backstage-plugin-coder-backend/package.json
@@ -0,0 +1,49 @@
+{
+  "name": "@coder/backstage-plugin-coder-backend",
+  "description": "Backend plugin for Coder OAuth2 authentication flow",
+  "version": "0.0.0",
+  "main": "src/index.ts",
+  "types": "src/index.ts",
+  "license": "Apache-2.0",
+  "publishConfig": {
+    "access": "public",
+    "main": "dist/index.cjs.js",
+    "types": "dist/index.d.ts"
+  },
+  "backstage": {
+    "role": "backend-plugin"
+  },
+  "scripts": {
+    "start": "backstage-cli package start",
+    "build": "backstage-cli package build",
+    "lint": "backstage-cli package lint",
+    "test": "backstage-cli package test",
+    "clean": "backstage-cli package clean",
+    "prepack": "backstage-cli package prepack",
+    "postpack": "backstage-cli package postpack"
+  },
+  "dependencies": {
+    "@backstage/backend-common": "^0.20.1",
+    "@backstage/config": "^1.1.1",
+    "@backstage/errors": "^1.2.3",
+    "@types/express": "*",
+    "express": "^4.17.1",
+    "express-promise-router": "^4.1.0",
+    "winston": "^3.2.1",
+    "axios": "^1.6.8"
+  },
+  "devDependencies": {
+    "@backstage/cli": "^0.25.1",
+    "@types/supertest": "^2.0.12",
+    "supertest": "^6.2.4"
+  },
+  "files": [
+    "dist"
+  ],
+  "keywords": [
+    "backstage",
+    "coder",
+    "oauth2",
+    "authentication"
+  ]
+}
diff --git a/plugins/backstage-plugin-coder-backend/src/index.ts b/plugins/backstage-plugin-coder-backend/src/index.ts
new file mode 100644
index 00000000..9f158c79
--- /dev/null
+++ b/plugins/backstage-plugin-coder-backend/src/index.ts
@@ -0,0 +1,7 @@
+/**
+ * Backend plugin for Coder OAuth2 authentication
+ *
+ * @packageDocumentation
+ */
+
+export { createRouter } from './service/router';
diff --git a/plugins/backstage-plugin-coder-backend/src/service/router.ts b/plugins/backstage-plugin-coder-backend/src/service/router.ts
new file mode 100644
index 00000000..1dceec87
--- /dev/null
+++ b/plugins/backstage-plugin-coder-backend/src/service/router.ts
@@ -0,0 +1,121 @@
+import { errorHandler } from '@backstage/backend-common';
+import { Config } from '@backstage/config';
+import express from 'express';
+import Router from 'express-promise-router';
+import { Logger } from 'winston';
+import axios from 'axios';
+
+export interface RouterOptions {
+  logger: Logger;
+  config: Config;
+}
+
+export async function createRouter(
+  options: RouterOptions,
+): Promise<express.Router> {
+  const { logger, config } = options;
+
+  const router = Router();
+  router.use(express.json());
+
+  // OAuth callback endpoint
+  router.get('/oauth/callback', async (req, res) => {
+    const { code, state } = req.query;
+
+    if (!code || typeof code !== 'string') {
+      logger.error('OAuth callback missing authorization code');
+      res.status(400).send('Missing authorization code');
+      return;
+    }
+
+    try {
+      // Get Coder configuration from coder.oauth
+      const coderConfig = config.getOptionalConfig('coder');
+
+      const accessUrl = coderConfig?.getString('deployment.accessUrl') || '';
+      const clientId = coderConfig?.getString('oauth.clientId') || 'backstage';
+      const clientSecret = coderConfig?.getString('oauth.clientSecret') || '';
+      const redirectUri = `${req.protocol}://${req.get(
+        'host',
+      )}/api/auth/coder/oauth/callback`;
+
+      // Exchange authorization code for access token
+      const tokenResponse = await axios.post(
+        `${accessUrl}/oauth2/tokens`,
+        new URLSearchParams({
+          grant_type: 'authorization_code',
+          code,
+          redirect_uri: redirectUri,
+          client_id: clientId,
+          client_secret: clientSecret,
+        }),
+        {
+          headers: {
+            'Content-Type': 'application/x-www-form-urlencoded',
+          },
+        },
+      );
+
+      const { access_token } = tokenResponse.data;
+
+      // Return HTML that sends the token to the opener window via postMessage
+      res.setHeader('Content-Security-Policy', "script-src 'unsafe-inline'");
+      res.send(`
+        <!DOCTYPE html>
+        <html>
+          <head>
+            <title>Authentication Successful</title>
+          </head>
+          <body>
+            <p>Authentication successful! This window will close automatically...</p>
+            <script>
+              (function() {
+                // Send token to opener window via postMessage
+                if (window.opener) {
+                  var targetOrigin;
+                  try {
+                    // Try to get the opener's origin
+                    targetOrigin = window.opener.location.origin;
+                  } catch (e) {
+                    // If we can't access it due to cross-origin, use wildcard
+                    // This is safe since we're only sending to our own opener
+                    targetOrigin = '*';
+                  }
+                  
+                  window.opener.postMessage(
+                    { type: 'coder-oauth-success', token: '${access_token}' },
+                    targetOrigin
+                  );
+                  setTimeout(function() { window.close(); }, 500);
+                } else {
+                  document.body.innerHTML = '<p>Authentication successful! You can close this window.</p>';
+                }
+              })();
+            </script>
+          </body>
+        </html>
+      `);
+
+      logger.info('OAuth authentication successful');
+      return;
+    } catch (error) {
+      logger.error('OAuth token exchange failed', error);
+      res
+        .status(500)
+        .send(
+          `<html><body><h1>Authentication failed</h1><p>${
+            error instanceof Error ? error.message : 'Unknown error'
+          }</p></body></html>`,
+        );
+      return;
+    }
+  });
+
+  router.get('/health', (_, response) => {
+    logger.info('Health check');
+    response.json({ status: 'ok' });
+  });
+
+  router.use(errorHandler());
+  return router;
+}
diff --git a/plugins/backstage-plugin-coder/README.md b/plugins/backstage-plugin-coder/README.md
index 5ccc64a5..84382507 100644
--- a/plugins/backstage-plugin-coder/README.md
+++ b/plugins/backstage-plugin-coder/README.md
@@ -59,6 +59,12 @@ the Dev Container.
        accessUrl: 'https://coder.example.com',
      },
 
+     // Optional: OAuth configuration for "Sign in with Coder" button
+     // Get the clientId from your Coder OAuth2 apps settings
+     oauth: {
+       clientId: 'your-oauth-client-id',
+     },
+
      // Set the default template (and parameters) for
      // catalog items. Individual properties can be overridden
      // by a repo's catalog-info.yaml file
diff --git a/plugins/backstage-plugin-coder/dev/DevPage.tsx b/plugins/backstage-plugin-coder/dev/DevPage.tsx
index abc24008..7a8843f9 100644
--- a/plugins/backstage-plugin-coder/dev/DevPage.tsx
+++ b/plugins/backstage-plugin-coder/dev/DevPage.tsx
@@ -23,6 +23,11 @@ const appConfig: CoderAppConfig = {
     accessUrl: 'https://dev.coder.com',
   },
 
+  oauth: {
+    clientId: '09cd00cf-9517-401c-9601-3712f187b53c',
+    backendUrl: 'http://localhost:7007',
+  },
+
   workspaces: {
     defaultTemplateName: 'devcontainers',
     defaultMode: 'manual',
diff --git a/plugins/backstage-plugin-coder/src/components/CoderAuthForm/CoderAuthInputForm.tsx b/plugins/backstage-plugin-coder/src/components/CoderAuthForm/CoderAuthInputForm.tsx
index ae527e28..afdeca40 100644
--- a/plugins/backstage-plugin-coder/src/components/CoderAuthForm/CoderAuthInputForm.tsx
+++ b/plugins/backstage-plugin-coder/src/components/CoderAuthForm/CoderAuthInputForm.tsx
@@ -1,4 +1,4 @@
-import React, { type FormEvent, useState } from 'react';
+import React, { type FormEvent, useState, useEffect } from 'react';
 import { useId } from '../../hooks/hookPolyfills';
 import {
   type CoderAuthStatus,
@@ -43,6 +43,37 @@ const useStyles = makeStyles(theme => ({
     marginLeft: 'auto',
     marginRight: 'auto',
   },
+
+  oauthSection: {
+    marginTop: theme.spacing(3),
+    marginBottom: theme.spacing(2),
+  },
+
+  oauthButton: {
+    display: 'block',
+    width: '100%',
+    maxWidth: '100%',
+  },
+
+  divider: {
+    display: 'flex',
+    alignItems: 'center',
+    textAlign: 'center',
+    marginTop: theme.spacing(2),
+    marginBottom: theme.spacing(2),
+
+    '&::before, &::after': {
+      content: '""',
+      flex: 1,
+      borderBottom: `1px solid ${theme.palette.divider}`,
+    },
+  },
+
+  dividerText: {
+    padding: `0 ${theme.spacing(1)}px`,
+    color: theme.palette.text.secondary,
+    fontSize: '0.875rem',
+  },
 }));
 
 export const CoderAuthInputForm = () => {
@@ -51,6 +82,28 @@ export const CoderAuthInputForm = () => {
   const appConfig = useCoderAppConfig();
   const { status, registerNewToken } = useInternalCoderAuth();
 
+  useEffect(() => {
+    const handleOAuthMessage = (event: MessageEvent) => {
+      // Verify the message is from our OAuth callback backend
+      const backendUrl = appConfig.oauth?.backendUrl;
+
+      // If backendUrl is configured, verify the origin matches
+      if (backendUrl) {
+        const backendOrigin = new URL(backendUrl).origin;
+        if (event.origin !== backendOrigin) {
+          return;
+        }
+      }
+
+      if (event.data?.type === 'coder-oauth-success' && event.data?.token) {
+        registerNewToken(event.data.token);
+      }
+    };
+
+    window.addEventListener('message', handleOAuthMessage);
+    return () => window.removeEventListener('message', handleOAuthMessage);
+  }, [registerNewToken, appConfig.oauth?.backendUrl]);
+
   const onSubmit = (event: FormEvent<HTMLFormElement>) => {
     event.preventDefault();
     const formData = Object.fromEntries(new FormData(event.currentTarget));
@@ -60,6 +113,32 @@ export const CoderAuthInputForm = () => {
     registerNewToken(newToken);
   };
 
+  const handleOAuthLogin = () => {
+    const authUrl = `${appConfig.deployment.accessUrl}/oauth2/authorize`;
+    const clientId = appConfig.oauth?.clientId || 'backstage';
+    const backendUrl =
+      appConfig.oauth?.backendUrl ||
+      `${window.location.protocol}//${window.location.hostname}:7007`;
+    const redirectUri = `${backendUrl}/api/auth/coder/oauth/callback`;
+    const state = btoa(JSON.stringify({ returnTo: window.location.pathname }));
+
+    const oauthUrl = `${authUrl}?client_id=${clientId}&redirect_uri=${encodeURIComponent(
+      redirectUri,
+    )}&response_type=code&state=${state}`;
+
+    // Open OAuth flow in popup window
+    const width = 600;
+    const height = 700;
+    const left = window.screen.width / 2 - width / 2;
+    const top = window.screen.height / 2 - height / 2;
+
+    window.open(
+      oauthUrl,
+      'Coder OAuth',
+      `width=${width},height=${height},left=${left},top=${top},popup=yes`,
+    );
+  };
+
   const formHeaderId = `${hookId}-form-header`;
   const legendId = `${hookId}-legend`;
   const authTokenInputId = `${hookId}-auth-token`;
@@ -77,20 +156,37 @@ export const CoderAuthInputForm = () => {
 
       <div>
         <CoderLogo className={styles.coderLogo} />
-        <p>
-          Link your Coder account to create remote workspaces. Please enter a
-          new token from your{' '}
-          <Link
-            to={`${appConfig.deployment.accessUrl}/cli-auth`}
-            target="_blank"
-          >
-            Coder deployment's token page
-            <VisuallyHidden> (link opens in new tab)</VisuallyHidden>
-          </Link>
-          .
-        </p>
+        <p>Link your Coder account to create remote workspaces.</p>
       </div>
 
+      <div className={styles.oauthSection}>
+        <LinkButton
+          disableRipple
+          to=""
+          component="button"
+          type="button"
+          color="primary"
+          variant="contained"
+          className={styles.oauthButton}
+          onClick={handleOAuthLogin}
+        >
+          Sign in with Coder
+        </LinkButton>
+      </div>
+
+      <div className={styles.divider}>
+        <span className={styles.dividerText}>OR</span>
+      </div>
+
+      <p>
+        Alternatively, enter a token from your{' '}
+        <Link to={`${appConfig.deployment.accessUrl}/cli-auth`} target="_blank">
+          Coder deployment's token page
+          <VisuallyHidden> (link opens in new tab)</VisuallyHidden>
+        </Link>
+        .
+      </p>
+
       <fieldset className={styles.authInputFieldset} aria-labelledby={legendId}>
         <legend hidden id={legendId}>
           Auth input
diff --git a/plugins/backstage-plugin-coder/src/components/CoderProvider/CoderAppConfigProvider.tsx b/plugins/backstage-plugin-coder/src/components/CoderProvider/CoderAppConfigProvider.tsx
index e3422292..535312fa 100644
--- a/plugins/backstage-plugin-coder/src/components/CoderProvider/CoderAppConfigProvider.tsx
+++ b/plugins/backstage-plugin-coder/src/components/CoderProvider/CoderAppConfigProvider.tsx
@@ -10,6 +10,11 @@ export type CoderAppConfig = Readonly<{
     accessUrl: string;
   }>;
 
+  oauth?: Readonly<{
+    clientId?: string;
+    backendUrl?: string;
+  }>;
+
   // Type is meant to be used with YamlConfig from useCoderWorkspacesConfig;
   // not using a mapped type because there's just enough differences that
   // maintaining a relationship that way would be a nightmare of ternaries
diff --git a/plugins/backstage-plugin-coder/src/plugin.ts b/plugins/backstage-plugin-coder/src/plugin.ts
index d165c36f..2face723 100644
--- a/plugins/backstage-plugin-coder/src/plugin.ts
+++ b/plugins/backstage-plugin-coder/src/plugin.ts
@@ -1,5 +1,6 @@
 import {
   createPlugin,
+  createRoutableExtension,
   createComponentExtension,
   createApiFactory,
   discoveryApiRef,
@@ -15,7 +16,9 @@ import {
 
 export const coderPlugin = createPlugin({
   id: 'coder',
-  routes: { root: rootRouteRef },
+  routes: {
+    root: rootRouteRef,
+  },
   apis: [
     createApiFactory({
       api: urlSyncApiRef,
@@ -198,7 +201,7 @@ export { useCoderQuery } from './hooks/reactQueryWrappers';
 
 // Deliberately renamed so that end users don't have to be aware that there are
 // two different versions of the auth hook
-export { useEndUserCoderAuth as useCoderAuth } from './components/CoderProvider/CoderAuthProvider';
+export { useEndUserCoderAuth as useCoderAuth } from './components/CoderProvider';
 
 /**
  * General constants

From 9e09c3e0faec14f0fb9d4cca875ca32fc4168529 Mon Sep 17 00:00:00 2001
From: Garrett Delfosse <delfossegarrett@gmail.com>
Date: Mon, 13 Oct 2025 14:22:48 +0000
Subject: [PATCH 03/12] tsc

---
 plugins/backstage-plugin-coder-backend/src/service/router.ts | 2 +-
 plugins/backstage-plugin-coder/src/plugin.ts                 | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/plugins/backstage-plugin-coder-backend/src/service/router.ts b/plugins/backstage-plugin-coder-backend/src/service/router.ts
index 1dceec87..8008670c 100644
--- a/plugins/backstage-plugin-coder-backend/src/service/router.ts
+++ b/plugins/backstage-plugin-coder-backend/src/service/router.ts
@@ -20,7 +20,7 @@ export async function createRouter(
 
   // OAuth callback endpoint
   router.get('/oauth/callback', async (req, res) => {
-    const { code, state } = req.query;
+    const { code } = req.query;
 
     if (!code || typeof code !== 'string') {
       logger.error('OAuth callback missing authorization code');
diff --git a/plugins/backstage-plugin-coder/src/plugin.ts b/plugins/backstage-plugin-coder/src/plugin.ts
index 2face723..3f9fc49c 100644
--- a/plugins/backstage-plugin-coder/src/plugin.ts
+++ b/plugins/backstage-plugin-coder/src/plugin.ts
@@ -1,6 +1,5 @@
 import {
   createPlugin,
-  createRoutableExtension,
   createComponentExtension,
   createApiFactory,
   discoveryApiRef,

From f7c5cecf1940d0cfc1cd47f4b1f3fb03710feded Mon Sep 17 00:00:00 2001
From: Parkreiner <throwawayclover@gmail.com>
Date: Mon, 13 Oct 2025 23:21:15 -0400
Subject: [PATCH 04/12] fix: make clientId available via app-config file

---
 plugins/backstage-plugin-coder/config.d.ts  | 28 +++++++++++++++++++++
 plugins/backstage-plugin-coder/package.json |  8 +++---
 2 files changed, 33 insertions(+), 3 deletions(-)
 create mode 100644 plugins/backstage-plugin-coder/config.d.ts

diff --git a/plugins/backstage-plugin-coder/config.d.ts b/plugins/backstage-plugin-coder/config.d.ts
new file mode 100644
index 00000000..90a396eb
--- /dev/null
+++ b/plugins/backstage-plugin-coder/config.d.ts
@@ -0,0 +1,28 @@
+export interface Config {
+  /**
+   * @visibility frontend
+   */
+  coder: {
+    /**
+     * @deepVisibility frontend
+     */
+    deployment: {
+      accessUrl: string;
+    };
+
+    /**
+     * @visibility frontend
+     */
+    oauth: {
+      /**
+       * @visibility frontend
+       */
+      clientId: string;
+
+      /**
+       * @visibility secret
+       */
+      clientSecret: string;
+    };
+  };
+}
diff --git a/plugins/backstage-plugin-coder/package.json b/plugins/backstage-plugin-coder/package.json
index 1d21b960..f92af0d7 100644
--- a/plugins/backstage-plugin-coder/package.json
+++ b/plugins/backstage-plugin-coder/package.json
@@ -63,7 +63,8 @@
     "msw": "^1.0.0"
   },
   "files": [
-    "dist"
+    "dist",
+    "config.d.ts"
   ],
   "keywords": [
     "backstage",
@@ -73,5 +74,6 @@
     "ide",
     "vscode",
     "jetbrains"
-  ]
-}
+  ],
+  "configSchema": "config.d.ts"
+}
\ No newline at end of file

From 6e50b247232fcc4790262563bb0c970d0f99a57f Mon Sep 17 00:00:00 2001
From: Parkreiner <throwawayclover@gmail.com>
Date: Mon, 13 Oct 2025 23:30:52 -0400
Subject: [PATCH 05/12] fix: format package.json file

---
 plugins/backstage-plugin-coder/package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/plugins/backstage-plugin-coder/package.json b/plugins/backstage-plugin-coder/package.json
index f92af0d7..9dc60dec 100644
--- a/plugins/backstage-plugin-coder/package.json
+++ b/plugins/backstage-plugin-coder/package.json
@@ -76,4 +76,4 @@
     "jetbrains"
   ],
   "configSchema": "config.d.ts"
-}
\ No newline at end of file
+}

From 90695aee63a3faaec7548120f41946ffebe0ed33 Mon Sep 17 00:00:00 2001
From: Parkreiner <throwawayclover@gmail.com>
Date: Tue, 14 Oct 2025 00:48:51 -0400
Subject: [PATCH 06/12] fix: clean up CoderAuthInputForm

---
 .../app/src/components/catalog/EntityPage.tsx |   5 -
 .../backstage-plugin-coder/dev/DevPage.tsx    |   5 -
 .../CoderAuthForm/CoderAuthInputForm.tsx      | 236 +++++++++++-------
 .../CoderProvider/CoderAppConfigProvider.tsx  |   5 -
 4 files changed, 146 insertions(+), 105 deletions(-)

diff --git a/packages/app/src/components/catalog/EntityPage.tsx b/packages/app/src/components/catalog/EntityPage.tsx
index 8cf92ca5..6c4f9df1 100644
--- a/packages/app/src/components/catalog/EntityPage.tsx
+++ b/packages/app/src/components/catalog/EntityPage.tsx
@@ -136,11 +136,6 @@ const coderAppConfig: CoderAppConfig = {
     accessUrl: 'https://dev.coder.com',
   },
 
-  oauth: {
-    clientId: '09cd00cf-9517-401c-9601-3712f187b53c',
-    backendUrl: 'http://localhost:7007',
-  },
-
   workspaces: {
     defaultTemplateName: 'devcontainers',
     defaultMode: 'manual',
diff --git a/plugins/backstage-plugin-coder/dev/DevPage.tsx b/plugins/backstage-plugin-coder/dev/DevPage.tsx
index 7a8843f9..abc24008 100644
--- a/plugins/backstage-plugin-coder/dev/DevPage.tsx
+++ b/plugins/backstage-plugin-coder/dev/DevPage.tsx
@@ -23,11 +23,6 @@ const appConfig: CoderAppConfig = {
     accessUrl: 'https://dev.coder.com',
   },
 
-  oauth: {
-    clientId: '09cd00cf-9517-401c-9601-3712f187b53c',
-    backendUrl: 'http://localhost:7007',
-  },
-
   workspaces: {
     defaultTemplateName: 'devcontainers',
     defaultMode: 'manual',
diff --git a/plugins/backstage-plugin-coder/src/components/CoderAuthForm/CoderAuthInputForm.tsx b/plugins/backstage-plugin-coder/src/components/CoderAuthForm/CoderAuthInputForm.tsx
index afdeca40..7f5758f8 100644
--- a/plugins/backstage-plugin-coder/src/components/CoderAuthForm/CoderAuthInputForm.tsx
+++ b/plugins/backstage-plugin-coder/src/components/CoderAuthForm/CoderAuthInputForm.tsx
@@ -1,11 +1,10 @@
-import React, { type FormEvent, useState, useEffect } from 'react';
+import React, { useState, useEffect } from 'react';
 import { useId } from '../../hooks/hookPolyfills';
 import {
   type CoderAuthStatus,
   useCoderAppConfig,
   useInternalCoderAuth,
 } from '../CoderProvider';
-
 import { CoderLogo } from '../CoderLogo';
 import { Link, LinkButton } from '@backstage/core-components';
 import { VisuallyHidden } from '../VisuallyHidden';
@@ -13,6 +12,8 @@ import { makeStyles } from '@material-ui/core';
 import TextField from '@material-ui/core/TextField';
 import ErrorIcon from '@material-ui/icons/ErrorOutline';
 import SyncIcon from '@material-ui/icons/Sync';
+import { configApiRef, errorApiRef, useApi } from '@backstage/core-plugin-api';
+import { useUrlSync } from '../../hooks/useUrlSync';
 
 const useStyles = makeStyles(theme => ({
   formContainer: {
@@ -45,34 +46,47 @@ const useStyles = makeStyles(theme => ({
   },
 
   oauthSection: {
-    marginTop: theme.spacing(3),
-    marginBottom: theme.spacing(2),
+    paddingTop: theme.spacing(0.5),
+    paddingBottom: theme.spacing(0.5),
   },
 
   oauthButton: {
     display: 'block',
+    // Deliberately making this button bigger than the token button, because we
+    // want to start pushing users to use oauth as the default. The old token
+    // approach may end up getting deprecated
     width: '100%',
-    maxWidth: '100%',
   },
 
   divider: {
     display: 'flex',
     alignItems: 'center',
     textAlign: 'center',
-    marginTop: theme.spacing(2),
-    marginBottom: theme.spacing(2),
+    paddingTop: theme.spacing(2),
+    paddingBottom: theme.spacing(0.5),
 
     '&::before, &::after': {
       content: '""',
-      flex: 1,
+      flexGrow: 1,
       borderBottom: `1px solid ${theme.palette.divider}`,
     },
   },
 
   dividerText: {
+    textTransform: 'uppercase',
     padding: `0 ${theme.spacing(1)}px`,
     color: theme.palette.text.secondary,
-    fontSize: '0.875rem',
+    fontSize: '0.75rem',
+    fontWeight: 500,
+  },
+
+  tokenSection: {
+    paddingTop: `${theme.spacing(1.5)}px`,
+  },
+
+  tokenInstructions: {
+    margin: 0,
+    marginBottom: `-${theme.spacing(0.5)}px`,
   },
 }));
 
@@ -80,53 +94,80 @@ export const CoderAuthInputForm = () => {
   const hookId = useId();
   const styles = useStyles();
   const appConfig = useCoderAppConfig();
+  const urlSync = useUrlSync();
+  const configApi = useApi(configApiRef);
+  const errorApi = useApi(errorApiRef);
   const { status, registerNewToken } = useInternalCoderAuth();
 
+  const backendUrl = urlSync.state.baseUrl;
   useEffect(() => {
-    const handleOAuthMessage = (event: MessageEvent) => {
-      // Verify the message is from our OAuth callback backend
-      const backendUrl = appConfig.oauth?.backendUrl;
-
-      // If backendUrl is configured, verify the origin matches
-      if (backendUrl) {
-        const backendOrigin = new URL(backendUrl).origin;
-        if (event.origin !== backendOrigin) {
-          return;
-        }
+    if (!backendUrl) {
+      return undefined;
+    }
+
+    const onOauthMessage = (event: MessageEvent<unknown>): void => {
+      // Even though we're going to add the event listener to the window object
+      // directly, we still want to make sure that the event originated on the
+      // window, and wasn't received from a DOM node via event bubbling
+      if (event.target !== window) {
+        return;
       }
 
-      if (event.data?.type === 'coder-oauth-success' && event.data?.token) {
-        registerNewToken(event.data.token);
+      const backendOrigin = new URL(backendUrl).origin;
+      const originMismatch = event.origin !== backendOrigin;
+      if (originMismatch) {
+        return;
       }
-    };
 
-    window.addEventListener('message', handleOAuthMessage);
-    return () => window.removeEventListener('message', handleOAuthMessage);
-  }, [registerNewToken, appConfig.oauth?.backendUrl]);
-
-  const onSubmit = (event: FormEvent<HTMLFormElement>) => {
-    event.preventDefault();
-    const formData = Object.fromEntries(new FormData(event.currentTarget));
-    const newToken =
-      typeof formData.authToken === 'string' ? formData.authToken : '';
+      const { data } = event;
+      const messageIsOauthPayload =
+        typeof data === 'object' && data !== null && 'token' in data;
+      if (!messageIsOauthPayload) {
+        return;
+      }
+      // For some reason, TypeScript won't narrow properly if you move this
+      // check to the messageIsOauthPayload boolean
+      if (typeof data.token === 'string') {
+        registerNewToken(data.token);
+      }
+    };
 
-    registerNewToken(newToken);
-  };
+    window.addEventListener('message', onOauthMessage);
+    return () => window.removeEventListener('message', onOauthMessage);
+  }, [registerNewToken, backendUrl]);
 
   const handleOAuthLogin = () => {
-    const authUrl = `${appConfig.deployment.accessUrl}/oauth2/authorize`;
-    const clientId = appConfig.oauth?.clientId || 'backstage';
-    const backendUrl =
-      appConfig.oauth?.backendUrl ||
-      `${window.location.protocol}//${window.location.hostname}:7007`;
-    const redirectUri = `${backendUrl}/api/auth/coder/oauth/callback`;
-    const state = btoa(JSON.stringify({ returnTo: window.location.pathname }));
-
-    const oauthUrl = `${authUrl}?client_id=${clientId}&redirect_uri=${encodeURIComponent(
-      redirectUri,
-    )}&response_type=code&state=${state}`;
-
-    // Open OAuth flow in popup window
+    const clientId = configApi.getOptionalString('coder.oauth.clientId');
+    if (!clientId) {
+      errorApi.post(
+        {
+          name: 'Coder oauth clientId is missing',
+          message:
+            'Please see plugin documentation for how to add clientId to your Backstage deployment',
+        },
+        { hidden: false },
+      );
+      return;
+    }
+
+    const params = new URLSearchParams({
+      /**
+       * @todo See what we can do to move the state calculations to the backend.
+       * The state should actually be cryptographically generated and should
+       * have a high number of bits of entropy, too.
+       */
+      state: btoa(JSON.stringify({ returnTo: window.location.pathname })),
+      response_type: 'code',
+      client_id: clientId,
+      redirect_uri: encodeURIComponent(
+        `${backendUrl}/api/auth/coder/oauth/callback`,
+      ),
+    });
+
+    const oauthUrl = `${
+      appConfig.deployment.accessUrl
+    }/oauth2/authorize?${params.toString()}`;
+
     const width = 600;
     const height = 700;
     const left = window.screen.width / 2 - width / 2;
@@ -148,7 +189,14 @@ export const CoderAuthInputForm = () => {
     <form
       aria-labelledby={formHeaderId}
       className={styles.formContainer}
-      onSubmit={onSubmit}
+      onSubmit={event => {
+        event.preventDefault();
+        const formData = Object.fromEntries(new FormData(event.currentTarget));
+        const newToken =
+          typeof formData.authToken === 'string' ? formData.authToken : '';
+
+        registerNewToken(newToken);
+      }}
     >
       <h3 hidden id={formHeaderId}>
         Authenticate with Coder
@@ -170,56 +218,64 @@ export const CoderAuthInputForm = () => {
           className={styles.oauthButton}
           onClick={handleOAuthLogin}
         >
-          Sign in with Coder
+          Sign in with Coder OAuth
         </LinkButton>
       </div>
 
       <div className={styles.divider}>
-        <span className={styles.dividerText}>OR</span>
+        <span className={styles.dividerText}>or</span>
       </div>
 
-      <p>
-        Alternatively, enter a token from your{' '}
-        <Link to={`${appConfig.deployment.accessUrl}/cli-auth`} target="_blank">
-          Coder deployment's token page
-          <VisuallyHidden> (link opens in new tab)</VisuallyHidden>
-        </Link>
-        .
-      </p>
-
-      <fieldset className={styles.authInputFieldset} aria-labelledby={legendId}>
-        <legend hidden id={legendId}>
-          Auth input
-        </legend>
-
-        <TextField
-          // Adding the label prop directly to the TextField will place a label
-          // in the HTML, so sighted users are fine. But for some reason, it
-          // won't connect the label and input together, which breaks
-          // accessibility for screen readers. Need to wire up extra IDs, sadly.
-          label="Auth token"
-          InputLabelProps={{ htmlFor: authTokenInputId }}
-          InputProps={{ id: authTokenInputId }}
-          required
-          name="authToken"
-          type="password"
-          defaultValue=""
-          aria-errormessage={warningBannerId}
-          style={{ width: '100%' }}
-        />
-
-        <LinkButton
-          disableRipple
-          to=""
-          component="button"
-          type="submit"
-          color="primary"
-          variant="contained"
-          className={styles.authButton}
+      <div className={styles.tokenSection}>
+        <p className={styles.tokenInstructions}>
+          Enter a token from your{' '}
+          <Link
+            to={`${appConfig.deployment.accessUrl}/cli-auth`}
+            target="_blank"
+          >
+            Coder deployment's token page
+            <VisuallyHidden> (link opens in new tab)</VisuallyHidden>
+          </Link>
+          .
+        </p>
+
+        <fieldset
+          className={styles.authInputFieldset}
+          aria-labelledby={legendId}
         >
-          Authenticate
-        </LinkButton>
-      </fieldset>
+          <legend hidden id={legendId}>
+            Auth input
+          </legend>
+
+          <TextField
+            // Adding the label prop directly to the TextField will place a label
+            // in the HTML, so sighted users are fine. But for some reason, it
+            // won't connect the label and input together, which breaks
+            // accessibility for screen readers. Need to wire up extra IDs, sadly.
+            label="Auth token"
+            InputLabelProps={{ htmlFor: authTokenInputId }}
+            InputProps={{ id: authTokenInputId }}
+            required
+            name="authToken"
+            type="password"
+            defaultValue=""
+            aria-errormessage={warningBannerId}
+            style={{ width: '100%' }}
+          />
+
+          <LinkButton
+            disableRipple
+            to=""
+            component="button"
+            type="submit"
+            color="primary"
+            variant="contained"
+            className={styles.authButton}
+          >
+            Use token
+          </LinkButton>
+        </fieldset>
+      </div>
 
       {(status === 'invalid' || status === 'authenticating') && (
         <InvalidStatusNotifier authStatus={status} bannerId={warningBannerId} />
diff --git a/plugins/backstage-plugin-coder/src/components/CoderProvider/CoderAppConfigProvider.tsx b/plugins/backstage-plugin-coder/src/components/CoderProvider/CoderAppConfigProvider.tsx
index 535312fa..e3422292 100644
--- a/plugins/backstage-plugin-coder/src/components/CoderProvider/CoderAppConfigProvider.tsx
+++ b/plugins/backstage-plugin-coder/src/components/CoderProvider/CoderAppConfigProvider.tsx
@@ -10,11 +10,6 @@ export type CoderAppConfig = Readonly<{
     accessUrl: string;
   }>;
 
-  oauth?: Readonly<{
-    clientId?: string;
-    backendUrl?: string;
-  }>;
-
   // Type is meant to be used with YamlConfig from useCoderWorkspacesConfig;
   // not using a mapped type because there's just enough differences that
   // maintaining a relationship that way would be a nightmare of ternaries

From 76bec6a5786110e4ea28a6c03b47f34339f5e9d6 Mon Sep 17 00:00:00 2001
From: Parkreiner <throwawayclover@gmail.com>
Date: Tue, 14 Oct 2025 00:59:17 -0400
Subject: [PATCH 07/12] fix: update URL serialization

---
 .../src/components/CoderAuthForm/CoderAuthInputForm.tsx   | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/plugins/backstage-plugin-coder/src/components/CoderAuthForm/CoderAuthInputForm.tsx b/plugins/backstage-plugin-coder/src/components/CoderAuthForm/CoderAuthInputForm.tsx
index 7f5758f8..32722eb3 100644
--- a/plugins/backstage-plugin-coder/src/components/CoderAuthForm/CoderAuthInputForm.tsx
+++ b/plugins/backstage-plugin-coder/src/components/CoderAuthForm/CoderAuthInputForm.tsx
@@ -159,17 +159,15 @@ export const CoderAuthInputForm = () => {
       state: btoa(JSON.stringify({ returnTo: window.location.pathname })),
       response_type: 'code',
       client_id: clientId,
-      redirect_uri: encodeURIComponent(
-        `${backendUrl}/api/auth/coder/oauth/callback`,
-      ),
+      redirect_uri: `${backendUrl}/api/auth/coder/oauth/callback`,
     });
 
     const oauthUrl = `${
       appConfig.deployment.accessUrl
     }/oauth2/authorize?${params.toString()}`;
 
-    const width = 600;
-    const height = 700;
+    const width = 800;
+    const height = 800;
     const left = window.screen.width / 2 - width / 2;
     const top = window.screen.height / 2 - height / 2;
 

From c77b45ff479515ed3fef8eae458e21a99061d7d6 Mon Sep 17 00:00:00 2001
From: Parkreiner <throwawayclover@gmail.com>
Date: Tue, 14 Oct 2025 01:25:21 -0400
Subject: [PATCH 08/12] refactor: clean up router

---
 .../src/service/router.ts                     | 73 +++++++++++--------
 1 file changed, 44 insertions(+), 29 deletions(-)

diff --git a/plugins/backstage-plugin-coder-backend/src/service/router.ts b/plugins/backstage-plugin-coder-backend/src/service/router.ts
index 8008670c..afdbdde8 100644
--- a/plugins/backstage-plugin-coder-backend/src/service/router.ts
+++ b/plugins/backstage-plugin-coder-backend/src/service/router.ts
@@ -3,7 +3,7 @@ import { Config } from '@backstage/config';
 import express from 'express';
 import Router from 'express-promise-router';
 import { Logger } from 'winston';
-import axios from 'axios';
+import axios, { type AxiosResponse } from 'axios';
 
 export interface RouterOptions {
   logger: Logger;
@@ -28,19 +28,18 @@ export async function createRouter(
       return;
     }
 
-    try {
-      // Get Coder configuration from coder.oauth
-      const coderConfig = config.getOptionalConfig('coder');
-
-      const accessUrl = coderConfig?.getString('deployment.accessUrl') || '';
-      const clientId = coderConfig?.getString('oauth.clientId') || 'backstage';
-      const clientSecret = coderConfig?.getString('oauth.clientSecret') || '';
-      const redirectUri = `${req.protocol}://${req.get(
-        'host',
-      )}/api/auth/coder/oauth/callback`;
+    const coderConfig = config.getOptionalConfig('coder');
+    const accessUrl = coderConfig?.getString('deployment.accessUrl') || '';
+    const clientId = coderConfig?.getString('oauth.clientId') || '';
+    const clientSecret = coderConfig?.getString('oauth.clientSecret') || '';
+    const redirectUri = `${req.protocol}://${req.get(
+      'host',
+    )}/api/auth/coder/oauth/callback`;
 
+    let tokenResponse: AxiosResponse<{ access_token?: string }, unknown>;
+    try {
       // Exchange authorization code for access token
-      const tokenResponse = await axios.post(
+      tokenResponse = await axios.post(
         `${accessUrl}/oauth2/tokens`,
         new URLSearchParams({
           grant_type: 'authorization_code',
@@ -55,12 +54,40 @@ export async function createRouter(
           },
         },
       );
+    } catch (error) {
+      logger.error('OAuth token exchange failed', error);
+      res
+        .status(500)
+        .send(
+          `<html><body><h1>Authentication failed</h1><p>${
+            error instanceof Error ? error.message : 'Unknown error'
+          }</p></body></html>`,
+        );
+      return;
+    }
 
-      const { access_token } = tokenResponse.data;
+    const { access_token } = tokenResponse.data;
+    if (!access_token) {
+      const message = 'Coder deployment did not respond with access token';
+      logger.error(message);
+      res.status(502).send(
+        `<!DOCTYPE html>
+          <html>
+           <head>
+            <title>Authentication Failed</title>
+          </head>
+          <body>
+            <h1>Authentication failed</h1>
+            <p>${message}</p>
+          </body>
+          </html>`,
+      );
+      return;
+    }
 
-      // Return HTML that sends the token to the opener window via postMessage
-      res.setHeader('Content-Security-Policy', "script-src 'unsafe-inline'");
-      res.send(`
+    // Return HTML that sends the token to the opener window via postMessage
+    res.setHeader('Content-Security-Policy', "script-src 'unsafe-inline'");
+    res.send(`
         <!DOCTYPE html>
         <html>
           <head>
@@ -96,19 +123,7 @@ export async function createRouter(
         </html>
       `);
 
-      logger.info('OAuth authentication successful');
-      return;
-    } catch (error) {
-      logger.error('OAuth token exchange failed', error);
-      res
-        .status(500)
-        .send(
-          `<html><body><h1>Authentication failed</h1><p>${
-            error instanceof Error ? error.message : 'Unknown error'
-          }</p></body></html>`,
-        );
-      return;
-    }
+    logger.info('OAuth authentication successful');
   });
 
   router.get('/health', (_, response) => {

From 5d451280b83fec60762c78c07c60a46f1522af6c Mon Sep 17 00:00:00 2001
From: Parkreiner <throwawayclover@gmail.com>
Date: Tue, 14 Oct 2025 12:08:13 -0400
Subject: [PATCH 09/12] fix: get all tests passing

---
 .../CoderAuthForm/CoderAuthForm.test.tsx      | 17 +++----
 .../CoderAuthFormCardWrapper.test.tsx         | 31 ++++--------
 .../src/testHelpers/setup.tsx                 | 47 +++++++++++--------
 3 files changed, 45 insertions(+), 50 deletions(-)

diff --git a/plugins/backstage-plugin-coder/src/components/CoderAuthForm/CoderAuthForm.test.tsx b/plugins/backstage-plugin-coder/src/components/CoderAuthForm/CoderAuthForm.test.tsx
index 79b263ca..bac58181 100644
--- a/plugins/backstage-plugin-coder/src/components/CoderAuthForm/CoderAuthForm.test.tsx
+++ b/plugins/backstage-plugin-coder/src/components/CoderAuthForm/CoderAuthForm.test.tsx
@@ -1,15 +1,13 @@
 import React from 'react';
 import { screen, waitFor } from '@testing-library/react';
 import userEvent from '@testing-library/user-event';
-import { CoderProviderWithMockAuth } from '../../testHelpers/setup';
+import { renderInCoderEnvironment } from '../../testHelpers/setup';
 import type { CoderAuth, CoderAuthStatus } from '../CoderProvider';
 import {
-  mockAppConfig,
   mockAuthStates,
   mockCoderAuthToken,
 } from '../../testHelpers/mockBackstageData';
 import { CoderAuthForm } from './CoderAuthForm';
-import { renderInTestApp } from '@backstage/test-utils';
 
 type RenderInputs = Readonly<{
   authStatus: CoderAuthStatus;
@@ -34,11 +32,10 @@ async function renderAuthWrapper({ authStatus }: RenderInputs) {
    * migration to React 18. Need to figure out where this issue is coming from,
    * and open an issue upstream if necessary
    */
-  const renderOutput = await renderInTestApp(
-    <CoderProviderWithMockAuth appConfig={mockAppConfig} auth={auth}>
-      <CoderAuthForm />
-    </CoderProviderWithMockAuth>,
-  );
+  const renderOutput = await renderInCoderEnvironment({
+    children: <CoderAuthForm />,
+    auth: auth,
+  });
 
   return { ...renderOutput, unlinkToken, registerNewToken };
 }
@@ -103,7 +100,7 @@ describe(`${CoderAuthForm.name}`, () => {
       }
     });
 
-    it('Lets the user submit a new token', async () => {
+    it('Lets the user submit a new access token', async () => {
       const { registerNewToken } = await renderAuthWrapper({
         authStatus: 'tokenMissing',
       });
@@ -117,7 +114,7 @@ describe(`${CoderAuthForm.name}`, () => {
        *    have to use a regex selector
        */
       const inputField = screen.getByLabelText(/Auth token/);
-      const submitButton = screen.getByRole('button', { name: 'Authenticate' });
+      const submitButton = screen.getByRole('button', { name: 'Use token' });
 
       const user = userEvent.setup();
       await user.click(inputField);
diff --git a/plugins/backstage-plugin-coder/src/components/CoderAuthFormCardWrapper/CoderAuthFormCardWrapper.test.tsx b/plugins/backstage-plugin-coder/src/components/CoderAuthFormCardWrapper/CoderAuthFormCardWrapper.test.tsx
index 2a0c7cb1..18c21039 100644
--- a/plugins/backstage-plugin-coder/src/components/CoderAuthFormCardWrapper/CoderAuthFormCardWrapper.test.tsx
+++ b/plugins/backstage-plugin-coder/src/components/CoderAuthFormCardWrapper/CoderAuthFormCardWrapper.test.tsx
@@ -1,13 +1,9 @@
 import React from 'react';
 import { screen } from '@testing-library/react';
-import { CoderProviderWithMockAuth } from '../../testHelpers/setup';
+import { renderInCoderEnvironment } from '../../testHelpers/setup';
 import type { CoderAuthStatus } from '../CoderProvider';
-import {
-  mockAppConfig,
-  mockAuthStates,
-} from '../../testHelpers/mockBackstageData';
+import { mockAuthStates } from '../../testHelpers/mockBackstageData';
 import { CoderAuthFormCardWrapper } from './CoderAuthFormCardWrapper';
-import { renderInTestApp } from '@backstage/test-utils';
 
 type RenderInputs = Readonly<{
   authStatus: CoderAuthStatus;
@@ -18,16 +14,14 @@ async function renderAuthWrapper({
   authStatus,
   childButtonText,
 }: RenderInputs) {
-  return renderInTestApp(
-    <CoderProviderWithMockAuth
-      appConfig={mockAppConfig}
-      auth={mockAuthStates[authStatus]}
-    >
+  return renderInCoderEnvironment({
+    children: (
       <CoderAuthFormCardWrapper>
         <button>{childButtonText}</button>
       </CoderAuthFormCardWrapper>
-    </CoderProviderWithMockAuth>,
-  );
+    ),
+    auth: mockAuthStates[authStatus],
+  });
 }
 
 describe(`${CoderAuthFormCardWrapper.name}`, () => {
@@ -91,14 +85,9 @@ describe(`${CoderAuthFormCardWrapper.name}`, () => {
     const button = await screen.findByRole('button', { name: buttonText });
 
     rerender(
-      <CoderProviderWithMockAuth
-        appConfig={mockAppConfig}
-        authStatus="distrusted"
-      >
-        <CoderAuthFormCardWrapper>
-          <button>{buttonText}</button>
-        </CoderAuthFormCardWrapper>
-      </CoderProviderWithMockAuth>,
+      <CoderAuthFormCardWrapper>
+        <button>{buttonText}</button>
+      </CoderAuthFormCardWrapper>,
     );
 
     // Assert that the button is gone after the re-render flushes
diff --git a/plugins/backstage-plugin-coder/src/testHelpers/setup.tsx b/plugins/backstage-plugin-coder/src/testHelpers/setup.tsx
index b7d3191a..56800acd 100644
--- a/plugins/backstage-plugin-coder/src/testHelpers/setup.tsx
+++ b/plugins/backstage-plugin-coder/src/testHelpers/setup.tsx
@@ -6,10 +6,11 @@ import {
   renderHook,
   waitFor,
   render,
+  RenderResult,
 } from '@testing-library/react';
 /* eslint-enable @backstage/no-undeclared-imports */
 
-import React from 'react';
+import React, { ReactElement, ReactNode } from 'react';
 import {
   type QueryClientConfig,
   QueryClient,
@@ -204,29 +205,37 @@ export async function renderInCoderEnvironment({
   entity = mockEntity,
   queryClient = getMockQueryClient(),
   appConfig = mockAppConfig,
-}: RenderInCoderEnvironmentInputs) {
-  const mainMarkup = (
-    <TestApiProvider apis={getMockApiList()}>
-      <EntityProvider entity={entity}>
-        <CoderProviderWithMockAuth
-          appConfig={appConfig}
-          auth={auth}
-          queryClient={queryClient}
-        >
-          {children}
-        </CoderProviderWithMockAuth>
-      </EntityProvider>
-    </TestApiProvider>
-  );
+}: RenderInCoderEnvironmentInputs): Promise<RenderResult> {
+  const apiList = getMockApiList();
+  const addDependencies = (node: ReactNode): ReactElement => {
+    return wrapInTestApp(
+      <TestApiProvider apis={apiList}>
+        <EntityProvider entity={entity}>
+          <CoderProviderWithMockAuth
+            appConfig={appConfig}
+            auth={auth}
+            queryClient={queryClient}
+          >
+            {node}
+          </CoderProviderWithMockAuth>
+        </EntityProvider>
+      </TestApiProvider>,
+    );
+  };
 
-  const wrapped = wrapInTestApp(mainMarkup) as unknown as typeof mainMarkup;
-  const renderOutput = render(wrapped);
-  const loadingIndicator = renderOutput.container.querySelector(
+  const { rerender, ...renderHelpers } = render(addDependencies(children));
+  const loadingIndicator = renderHelpers.container.querySelector(
     'div[data-testid="progress"]',
   );
 
   await waitFor(() => expect(loadingIndicator).not.toBeInTheDocument());
-  return renderOutput;
+
+  return {
+    ...renderHelpers,
+    rerender: newNode => {
+      rerender(addDependencies(newNode));
+    },
+  };
 }
 
 type InvertedPromiseResult<TData = unknown, TError = Error> = Readonly<{

From e6a2bd9540f78100f028229dbc4fe445fcfd0bf2 Mon Sep 17 00:00:00 2001
From: Parkreiner <throwawayclover@gmail.com>
Date: Tue, 14 Oct 2025 12:17:21 -0400
Subject: [PATCH 10/12] fix: update types for setup file

---
 plugins/backstage-plugin-coder/src/testHelpers/setup.tsx | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/plugins/backstage-plugin-coder/src/testHelpers/setup.tsx b/plugins/backstage-plugin-coder/src/testHelpers/setup.tsx
index 56800acd..f20afb97 100644
--- a/plugins/backstage-plugin-coder/src/testHelpers/setup.tsx
+++ b/plugins/backstage-plugin-coder/src/testHelpers/setup.tsx
@@ -10,7 +10,7 @@ import {
 } from '@testing-library/react';
 /* eslint-enable @backstage/no-undeclared-imports */
 
-import React, { ReactElement, ReactNode } from 'react';
+import React, { type ReactElement, type ReactNode } from 'react';
 import {
   type QueryClientConfig,
   QueryClient,
@@ -31,7 +31,7 @@ import {
   mockAppConfig,
   mockEntity,
   mockAuthStates,
-  BackstageEntity,
+  type BackstageEntity,
   getMockApiList,
 } from './mockBackstageData';
 import { CoderErrorBoundary } from '../plugin';
@@ -232,8 +232,8 @@ export async function renderInCoderEnvironment({
 
   return {
     ...renderHelpers,
-    rerender: newNode => {
-      rerender(addDependencies(newNode));
+    rerender: newChildren => {
+      rerender(addDependencies(newChildren));
     },
   };
 }

From 216b4e5a8a6970428d297a66eefe9b9a0b5c0f80 Mon Sep 17 00:00:00 2001
From: Parkreiner <throwawayclover@gmail.com>
Date: Tue, 14 Oct 2025 13:32:11 -0400
Subject: [PATCH 11/12] fix: update coder logo

---
 .../src/components/CoderLogo/CoderLogo.tsx    | 20 +++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/plugins/backstage-plugin-coder/src/components/CoderLogo/CoderLogo.tsx b/plugins/backstage-plugin-coder/src/components/CoderLogo/CoderLogo.tsx
index 7649a48f..2e6749f6 100644
--- a/plugins/backstage-plugin-coder/src/components/CoderLogo/CoderLogo.tsx
+++ b/plugins/backstage-plugin-coder/src/components/CoderLogo/CoderLogo.tsx
@@ -20,17 +20,21 @@ export const CoderLogo = ({
   return (
     <svg
       aria-hidden
-      className={`${styles.root} ${className}`}
-      viewBox="0 0 68 49"
       width="40"
+      height="20"
+      className={`${styles.root} ${className}`}
+      viewBox="0 0 426 200"
+      fill="none"
+      xmlns="http://www.w3.org/2000/svg"
       {...delegatedProps}
     >
-      <path d="M66.3575 21.3584C65.0024 21.3584 64.099 20.5638 64.099 18.9328V9.5647C64.099 3.58419 61.6353 0.280273 55.2705 0.280273H52.314V6.59536H53.2174C55.7222 6.59536 56.913 7.97547 56.913 10.443V18.7237C56.913 22.3203 57.9807 23.7841 60.3212 24.5369C57.9807 25.2479 56.913 26.7534 56.913 30.3501C56.913 32.3994 56.913 34.4486 56.913 36.4979C56.913 38.2126 56.913 39.8855 56.4613 41.6002C56.0097 43.1894 55.2705 44.695 54.244 45.9914C53.6691 46.7442 53.0121 47.3716 52.2729 47.9571V48.7935H55.2295C61.5942 48.7935 64.058 45.4896 64.058 39.5091V30.141C64.058 28.4681 64.9203 27.7153 66.3164 27.7153H68V21.4003H66.3575V21.3584Z" />
-      <path d="M46.2367 9.81532H37.1208C36.9155 9.81532 36.7512 9.64804 36.7512 9.43893V8.72796C36.7512 8.51885 36.9155 8.35156 37.1208 8.35156H46.2778C46.4831 8.35156 46.6473 8.51885 46.6473 8.72796V9.43893C46.6473 9.64804 46.442 9.81532 46.2367 9.81532Z" />
-      <path d="M47.7971 18.8485H41.145C40.9396 18.8485 40.7754 18.6812 40.7754 18.4721V17.7612C40.7754 17.5521 40.9396 17.3848 41.145 17.3848H47.7971C48.0024 17.3848 48.1667 17.5521 48.1667 17.7612V18.4721C48.1667 18.6394 48.0024 18.8485 47.7971 18.8485Z" />
-      <path d="M50.4251 14.3319H37.1208C36.9155 14.3319 36.7512 14.1646 36.7512 13.9555V13.2446C36.7512 13.0355 36.9155 12.8682 37.1208 12.8682H50.384C50.5894 12.8682 50.7536 13.0355 50.7536 13.2446V13.9555C50.7536 14.1228 50.6304 14.3319 50.4251 14.3319Z" />
-      <path d="M26.5677 11.8649C27.4711 11.8649 28.3744 11.9485 29.2368 12.1577V10.443C29.2368 8.0173 30.4686 6.59536 32.9324 6.59536H33.8358V0.280273H30.8793C24.5145 0.280273 22.0508 3.58419 22.0508 9.5647V12.6595C23.488 12.1577 25.0073 11.8649 26.5677 11.8649Z" />
-      <path d="M53.2174 34.6165C52.5603 29.3051 48.5362 24.872 43.3623 23.8683C41.9251 23.5755 40.4879 23.5337 39.0918 23.7847C39.0507 23.7847 39.0507 23.7428 39.0096 23.7428C36.7512 18.9333 31.9058 15.7549 26.6497 15.7549C21.3937 15.7549 16.5894 18.8497 14.2898 23.6592C14.2488 23.6592 14.2488 23.701 14.2077 23.701C12.7295 23.5337 11.2512 23.6174 9.77294 23.9938C4.68116 25.2484 0.821255 29.5979 0.123188 34.8674C0.0410628 35.4111 0 35.9548 0 36.4566C0 38.0459 1.06763 39.5096 2.62802 39.7187C4.55797 40.0115 6.24154 38.5059 6.20048 36.5821C6.20048 36.2894 6.20048 35.9548 6.24154 35.662C6.57004 32.9854 8.58212 30.7271 11.2101 30.0997C12.0314 29.8906 12.8526 29.8488 13.6328 29.9743C16.1377 30.3088 18.6014 29.0124 19.6691 26.754C20.4493 25.0811 21.6811 23.6174 23.3237 22.8228C25.1304 21.9445 27.1836 21.819 29.0724 22.4882C31.0435 23.1992 32.5217 24.7047 33.4251 26.5867C34.3695 28.4269 34.8212 29.7233 36.8333 29.9743C37.6546 30.0997 39.9541 30.0579 40.8164 30.0161C42.5 30.0161 44.1835 30.6016 45.3744 31.8144C46.1546 32.6509 46.7294 33.6964 46.9758 34.8674C47.3454 36.7494 46.8937 38.6314 45.785 40.0533C45.0048 41.057 43.9372 41.8098 42.7463 42.1444C42.1715 42.3117 41.5966 42.3535 41.0217 42.3535C40.6932 42.3535 40.2415 42.3535 39.7077 42.3535C38.0652 42.3535 34.5749 42.3535 31.9468 42.3535C30.1401 42.3535 28.7029 40.8897 28.7029 39.0496V32.86V26.7958C28.7029 26.294 28.2922 25.8757 27.7995 25.8757H26.5265C24.0217 25.9176 22.0096 28.7614 22.0096 31.7726C22.0096 34.7838 22.0096 42.7717 22.0096 42.7717C22.0096 46.0338 24.5966 48.6686 27.7995 48.6686C27.7995 48.6686 42.0483 48.6268 42.2536 48.6268C45.5386 48.2922 48.5773 46.5775 50.6304 43.9427C52.6835 41.3916 53.628 38.0459 53.2174 34.6165Z" />
+      <g clipPath="url(#clip0_1_3)">
+        <path d="M425.93 5.41H263.75V194.65H425.93V5.41Z" fill="currentColor" />
+        <path
+          d="M0 100C0 38.92 51.89 0 123.25 0C194.61 0 234.6 33.78 235.95 83.51L174.33 85.4C172.71 57.83 148.3 39.72 123.25 40.26C88.93 41 63.52 63.77 63.52 99.99C63.52 136.21 88.93 158.64 123.25 158.64C148.3 158.64 172.16 141.34 174.87 113.78L236.49 115.13C234.87 165.67 192.44 200 123.25 200C54.06 200 0 160.81 0 100Z"
+          fill="currentColor"
+        />
+      </g>
     </svg>
   );
 };

From 993fb2b7f0bdfb8744951136673b78b13ba0f35d Mon Sep 17 00:00:00 2001
From: Michael Smith <michaelsmith@coder.com>
Date: Wed, 15 Oct 2025 02:37:04 +0000
Subject: [PATCH 12/12] docs: add new instructions

---
 .../backstage-plugin-coder-backend/README.md  | 49 +++++++++++++++++++
 plugins/backstage-plugin-coder/README.md      | 32 +++++++++---
 2 files changed, 74 insertions(+), 7 deletions(-)
 create mode 100644 plugins/backstage-plugin-coder-backend/README.md

diff --git a/plugins/backstage-plugin-coder-backend/README.md b/plugins/backstage-plugin-coder-backend/README.md
new file mode 100644
index 00000000..0c6efe34
--- /dev/null
+++ b/plugins/backstage-plugin-coder-backend/README.md
@@ -0,0 +1,49 @@
+# `backstage-plugin-coder-backend`
+
+> [!NOTE]
+> This plugin is designed to be the backend counterpart of `backstage-plugin-coder`. In the future, this plugin may become more standalone, but for now, all functionality requires that you also have `backstage-plugin-coder` installed. [See that plugin's setup instructions](../backstage-plugin-coder/README.md#setup) for more information.
+
+## Features
+
+- Management of OAuth2 state for requests sent from the Backstage backend.
+
+## Installing the plugin to support oauth2
+
+1. Run the following command from your Backstage app to install the plugin:
+   ```bash
+   yarn --cwd packages/app add @coder/backstage-plugin-coder
+   ```
+2. Import the `createRouter` function from the `@coder/backstage-plugin-coder` package:
+   ```ts
+   // Imports can be renamed if there would be a name conflict
+   import { createRouter as createCoderRouter } from '@coder/backstage-plugin-coder-backend';
+   ```
+3. Add support for Coder hot module reloading to `main` function in your deployment's `backend/src/index.ts` file:
+   ```ts
+   const coderEnv = useHotMemoize(module, () => createEnv('coder'));
+   ```
+4. Register the plugin's oauth route with Backstage from inside the same `main` function:
+   ```ts
+   apiRouter.use(
+     '/auth/coder',
+     await createCoderRouter({
+       logger: coderEnv.logger,
+       config: coderEnv.config,
+     }),
+   );
+   ```
+5. [If you haven't already, be sure to register Backstage as an oauth app through Coder](https://coder.com/docs/admin/integrations/oauth2-provider).
+6. Add the following values to one of your `app-config.yaml` files:
+   ```yaml
+   coder:
+     deployment:
+       # Change the value to match your Coder deployment
+       accessUrl: https://dev.coder.com
+     oauth:
+       clientId: oauth2-client-id-goes-here
+       # The client secret isn't used by the frontend plugin, but the backend
+       # plugin needs it for oauth functionality to work
+       clientSecret: oauth2-secret-goes-here
+   ```
+
+Note that the `clientSecret` value is given `secret`-level visibility, and will never be logged anywhere by Backstage.
diff --git a/plugins/backstage-plugin-coder/README.md b/plugins/backstage-plugin-coder/README.md
index 84382507..96523ec3 100644
--- a/plugins/backstage-plugin-coder/README.md
+++ b/plugins/backstage-plugin-coder/README.md
@@ -38,7 +38,8 @@ the Dev Container.
          target: 'https://coder.example.com/'
 
          changeOrigin: true
-         allowedMethods: ['GET'] # Additional methods will be supported soon!
+         # Add methods based on what API calls you need
+         allowedMethods: ['GET', 'POST']
          allowedHeaders: ['Authorization', 'Coder-Session-Token']
          headers:
            X-Custom-Source: backstage
@@ -59,12 +60,6 @@ the Dev Container.
        accessUrl: 'https://coder.example.com',
      },
 
-     // Optional: OAuth configuration for "Sign in with Coder" button
-     // Get the clientId from your Coder OAuth2 apps settings
-     oauth: {
-       clientId: 'your-oauth-client-id',
-     },
-
      // Set the default template (and parameters) for
      // catalog items. Individual properties can be overridden
      // by a repo's catalog-info.yaml file
@@ -123,6 +118,29 @@ the Dev Container.
    );
    ```
 
+### Adding support for OAuth2
+
+> [!IMPORTANT]
+> Support for OAuth2 requires that you also install the `backstage-plugin-coder-backend` package through NPM. [You can find its README here](../backstage-plugin-coder-backend/README.md). These instrutions assume that you will be installing this plugin before that one.
+
+1. Register Backstage as an OAuth application. [See the instructions in Coder's documentation for more information](https://coder.com/docs/admin/integrations/oauth2-provider).
+2. Add the following values to one of your `app-config.yaml` files:
+   ```yaml
+   coder:
+     deployment:
+       # Change the value to match your Coder deployment
+       accessUrl: https://dev.coder.com
+     oauth:
+       clientId: oauth2-client-id-goes-here
+       # The client secret isn't used by the frontend plugin, but the backend
+       # plugin needs it for oauth functionality to work
+       clientSecret: oauth2-secret-goes-here
+   ```
+
+(Once the values have been added, you may need to restart the Backstage server for the new values to be recognized.)
+
+Only the Client ID is exposed in the frontend application (and is used to generate OAuth2 consent links). The client secret stays exclusively on the server.
+
 ### `catalog-info.yaml` files
 
 In addition to the above, you can define additional properties on your specific repo's `catalog-info.yaml` file.