From d8f29b6b1e05cbb6b0e4a0f9f3a56c69a448b970 Mon Sep 17 00:00:00 2001
From: kloud-bot
Date: Wed, 3 Jun 2026 13:24:37 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=84=20Sync=20shared=20files=20from=20`?= =?UTF-8?q?ws-meta`?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .vitepress/data/dependencies.yaml | 13 ++-
 .vitepress/data/env.reference.yaml | 170 +++++++++++++++++++++++++++++
 2 files changed, 181 insertions(+), 2 deletions(-)
diff --git a/.vitepress/data/dependencies.yaml b/.vitepress/data/dependencies.yaml
index b0a4184..19ae930 100644
--- a/.vitepress/data/dependencies.yaml
+++ b/.vitepress/data/dependencies.yaml
@@ -460,7 +460,7 @@ dependencies:
 home: https://nodejs.org
 license: MIT
 package: nodejs
- version: 24.15.0
+ version: 24.16.0
 npm:
 cmd: npm --version
@@ -469,7 +469,16 @@ dependencies:
 home: https://github.com/npm/cli
 license: Artistic 2
 package: npm/cli
- version: 11.12.0
+ version: 11.13.0
+
+ oauth2-proxy:
+ cmd: oauth2-proxy --version
+ datasource: github-releases
+ group: Networking Tools
+ home: https://github.com/oauth2-proxy/oauth2-proxy
+ license: MIT
+ package: oauth2-proxy/oauth2-proxy
+ version: 7.15.2
 oh-my-zsh:
 datasource: github-releases
diff --git a/.vitepress/data/env.reference.yaml b/.vitepress/data/env.reference.yaml
index 9f23608..24b79af 100644
--- a/.vitepress/data/env.reference.yaml
+++ b/.vitepress/data/env.reference.yaml
@@ -168,6 +168,158 @@ envs:
 `/run/secrets/workspace/auth/github_token`.
 4. Schema default *(unset)*.
+ mode:
+ type: string
+ default: password
+ since: 0.3.1
+ example: oidc
+ description: Web authentication mode, either `password` or `oidc`.
+ reference: /editor/authentication
+ longDescription: |
+ - `password` *(default)*: the editor's built-in password login via
+ `WS_AUTH_PASSWORD` / `WS_AUTH_PASSWORD_HASHED`. Unchanged behaviour.
+ - `oidc`: an in-workspace oauth2-proxy listens on
+ `WS_SERVER_AUTH_PROXY_PORT` and authenticates every request against
+ `WS_AUTH_OIDC_ISSUER` before forwarding to the editor, which binds
+ loopback-only on `WS_SERVER_PORT`. Requires `WS_AUTH_OIDC_ISSUER`,
+ `WS_AUTH_OIDC_CLIENT_ID` and `WS_AUTH_OIDC_CLIENT_SECRET`. Publish
+ the proxy port.
+
+ Any other value is treated as `password`.
+
+ oidc_allowed_emails:
+ type: string
+ default: null
+ delimiter: " "
+ since: 0.3.1
+ example: alice@corp.com bob@corp.com
+ description: Restrict OIDC login to an explicit email allowlist.
+ reference: /editor/authentication
+ longDescription: |
+ A **space-delimited** list. When unset, any email the IdP
+ authenticates is allowed. `oidc` assumes a single-user workspace
+ whose authorization is enforced upstream. Only used when
+ `WS_AUTH_MODE=oidc`.
+
+ oidc_allowed_groups:
+ type: string
+ default: null
+ delimiter: " "
+ since: 0.3.1
+ example: engineering platform
+ description: Restrict OIDC login to members of these IdP groups.
+ reference: /editor/authentication
+ longDescription: |
+ A **space-delimited** list mapped to oauth2-proxy `--allowed-group`.
+ Only used when `WS_AUTH_MODE=oidc`.
+
+ oidc_client_id:
+ type: string
+ default: null
+ since: 0.3.1
+ example: workspace
+ description: OIDC client ID. Required when `WS_AUTH_MODE=oidc`.
+ reference: /editor/authentication
+
+ oidc_client_secret:
+ type: string
+ default: null
+ secret: true
+ since: 0.3.1
+ description: OIDC client secret. Required when `WS_AUTH_MODE=oidc`.
+ reference: /editor/authentication
+ longDescription: |
+ Required for oidc mode. oauth2-proxy authenticates to the IdP as a
+ confidential client and refuses to start without it. PKCE
+ (`--code-challenge-method=S256`) is layered on top as defence in
+ depth. Register the workspace as a confidential client and supply its
+ secret here. Never baked or shared, provide it per deployment via the
+ resolution chain below.
+
+ **Resolution chain:**
+
+ 1. Env literal: `WS_AUTH_OIDC_CLIENT_SECRET=...`.
+ 2. `file:` env value: `WS_AUTH_OIDC_CLIENT_SECRET=file:/path/to/secret`.
+ 3. Convention default: file mounted at
+ `/run/secrets/workspace/auth/oidc_client_secret`.
+ 4. Schema default *(unset)*.
+
+ oidc_cookie_secret:
+ type: string
+ default: null
+ secret: true
+ since: 0.3.1
+ description: Secret that signs and encrypts the oauth2-proxy session cookie.
+ reference: /editor/authentication
+ longDescription: |
+ A 16, 24, or 32-byte secret (raw or base64). When unset it is
+ generated once and persisted under the workspace home so sessions
+ survive restarts and redeploys that reattach the volume. For
+ multi-replica or volume-less deployments, set this to a shared value
+ so every instance signs cookies identically. Only used when
+ `WS_AUTH_MODE=oidc`.
+
+ **Resolution chain:**
+
+ 1. Env literal: `WS_AUTH_OIDC_COOKIE_SECRET=...`.
+ 2. `file:` env value: `WS_AUTH_OIDC_COOKIE_SECRET=file:/path/to/secret`.
+ 3. Convention default: file mounted at
+ `/run/secrets/workspace/auth/oidc_cookie_secret`.
+ 4. Generated and persisted *(unset)*.
+
+ oidc_forbidden_message:
+ type: string
+ default: Contact your administrator to request access; retrying will not help.
+ since: 0.3.1
+ example: Contact the platform team to request access.
+ description: Custom guidance shown on the OIDC not-authorized (403) page.
+ reference: /editor/authentication
+ longDescription: |
+ Replaces the default guidance on the 403 error page shown when an
+ authenticated user is denied (failed group/email allowlist). When
+ unset, a default "contact your administrator" message is shown. Only
+ used when `WS_AUTH_MODE=oidc`.
+
+ oidc_issuer:
+ type: string
+ default: null
+ since: 0.3.1
+ example: https://idp.example.com
+ description: OIDC issuer URL. Required when `WS_AUTH_MODE=oidc`.
+ reference: /editor/authentication
+ longDescription: |
+ The OpenID Connect issuer (discovery base URL). For Active Directory,
+ point at an OIDC-fronting issuer (Entra ID, Keycloak, dex) rather than
+ raw LDAP.
+
+ oidc_redirect_url:
+ type: string
+ default: null
+ since: 0.3.1
+ example: https://ws.example.com/oauth2/callback
+ description: Explicit OAuth redirect URL override.
+ reference: /editor/authentication
+ longDescription: |
+ When unset, oauth2-proxy derives the callback from the incoming
+ request host as `https:///oauth2/callback`. Set this when the
+ externally-visible host differs from what oauth2-proxy can infer
+ (e.g. behind a terminator that rewrites the Host header). The in-IDE
+ logout action also uses this value to build the sign-out URL. Only
+ used when `WS_AUTH_MODE=oidc`.
+
+ oidc_scopes:
+ type: string
+ default: openid email profile
+ delimiter: " "
+ since: 0.3.1
+ example: openid email profile groups
+ description: OAuth scopes requested at login.
+ reference: /editor/authentication
+ longDescription: |
+ A **space-delimited** scope list requested from the IdP. Add `groups`
+ when you use `WS_AUTH_OIDC_ALLOWED_GROUPS` and your IdP exposes a
+ `groups` scope. Only used when `WS_AUTH_MODE=oidc`.
+
 password:
 type: string
 default: null
@@ -492,6 +644,12 @@ envs:
 logging:
 properties:
+ auth_proxy_file:
+ type: string
+ default: auth-proxy.log
+ description: Log file for the OIDC authentication proxy.
+ since: 0.3.1
+
 dir:
 type: path
 default: /var/log/workspace
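Review bot: In `oidc_allowed_emails` the longDescription says that with no allowlist "any email the IdP authenticates is allowed", which for a shared or public issuer means every account holder at that IdP can open the editor; the entry should spell that consequence out and steer operators to set this or `WS_AUTH_OIDC_ALLOWED_GROUPS` unless the IdP client itself restricts who may sign in, e.g. `Without an allowlist, every account the issuer authenticates can reach the editor; set this or WS_AUTH_OIDC_ALLOWED_GROUPS unless the IdP restricts assignment to this client.` The `mode` entry's sentence `Any other value is treated as \`password\`` needs a similar caveat: a misspelled `WS_AUTH_MODE` silently falls back to the built-in password login instead of failing, so the text should tell operators to verify the effective mode at startup (whether the implementation rejects unknown values is not visible in this diff). In `oidc_redirect_url` the derived callback is printed as `https:///oauth2/callback`, which reads as if a host placeholder was lost either in the source or in rendering; confirm the file says `https://<host>/oauth2/callback` and, if the renderer strips the angle brackets, use a form such as `https://{host}/oauth2/callback`.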
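Review bot: `auth_proxy_file` defaults to the bare filename `auth-proxy.log`, but its description does not say where that file is written; since the key sits directly beside `dir` (default `/var/log/workspace`), state whether the value is resolved relative to `dir` or used as-is when absolute, e.g. `description: Log file for the OIDC authentication proxy, resolved relative to the logging dir unless absolute.` (confirm against the implementation, which is not in this diff). It is also the only new OIDC-related entry in this commit without `reference: /editor/authentication`, so the generated reference page will not link this key back to the authentication docs.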
@@ -612,6 +770,18 @@ envs:
 server:
 properties:
+ auth_proxy_port:
+ type: integer
+ default: 38080
+ since: 0.3.1
+ description: Port the OIDC auth proxy listens on when WS_AUTH_MODE is oidc.
+ reference: /editor/authentication
+ longDescription: |
+ When WS_AUTH_MODE=oidc the auth proxy listens on this port and
+ forwards authenticated traffic to the editor on WS_SERVER_PORT.
+ Publish this port instead of WS_SERVER_PORT so every request is
+ authenticated before it reaches the editor.
+
 port:
 type: integer
 default: 8080
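Review bot: The `description` and `longDescription` of `auth_proxy_port` write `WS_AUTH_MODE` and `WS_SERVER_PORT` as bare words, while every other entry added in this commit wraps variable names in backticks (`WS_AUTH_MODE=oidc`); match that style so the rendered reference formats them consistently, e.g. `description: Port the OIDC auth proxy listens on when \`WS_AUTH_MODE=oidc\`.` The longDescription also tells operators which port to publish but not which address the proxy binds; the `mode` entry earlier in this diff says only that the editor stays loopback-only on `WS_SERVER_PORT`, so a sentence stating the proxy's bind address would complete the picture for anyone deciding what to expose (the actual bind behaviour is not visible here).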