13 changes: 11 additions & 2 deletions .vitepress/data/dependencies.yaml
Expand Up @@ -460,7 +460,7 @@ dependencies:
home: https://nodejs.org
license: MIT
package: nodejs
version: 24.15.0
version: 24.16.0

npm:
cmd: npm --version
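Review bot: the Node.js bump on the `version:` line (24.15.0 -> 24.16.0) is unrelated to the oauth2-proxy / OIDC work in the rest of this PR; consider landing the routine nodejs and npm bumps as a separate commit so the `dependencies.yaml` history stays readable and a later bisect of the authentication change is not entangled with runtime upgrades.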
Expand All @@ -469,7 +469,16 @@ dependencies:
home: https://github.com/npm/cli
license: Artistic 2
package: npm/cli
version: 11.12.0
version: 11.13.0

oauth2-proxy:
cmd: oauth2-proxy --version
datasource: github-releases
group: Networking Tools
home: https://github.com/oauth2-proxy/oauth2-proxy
license: MIT
package: oauth2-proxy/oauth2-proxy
version: 7.15.2

oh-my-zsh:
datasource: github-releases
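Review bot: the new `oauth2-proxy` entry pins `version: 7.15.2` with `datasource: github-releases`, so automated bumps will track upstream, but nothing records which oauth2-proxy flags this workspace depends on. The env reference added in this same PR relies on `--allowed-group` and `--code-challenge-method=S256`; a short comment beside the entry naming those flags (or a minimum supported version) would keep a future automated bump from silently breaking `oidc` mode. Since this component is the authentication gateway in front of the editor, it is also worth confirming that `cmd: oauth2-proxy --version` matches how the binary is actually invoked in the image, so the version probe cannot pass on a stale build.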
170 changes: 170 additions & 0 deletions .vitepress/data/env.reference.yaml
Expand Up @@ -168,6 +168,158 @@ envs:
`/run/secrets/workspace/auth/github_token`.
4. Schema default *(unset)*.

mode:
type: string
default: password
since: 0.3.1
example: oidc
description: Web authentication mode, either `password` or `oidc`.
reference: /editor/authentication
longDescription: |
- `password` *(default)*: the editor's built-in password login via
`WS_AUTH_PASSWORD` / `WS_AUTH_PASSWORD_HASHED`. Unchanged behaviour.
- `oidc`: an in-workspace oauth2-proxy listens on
`WS_SERVER_AUTH_PROXY_PORT` and authenticates every request against
`WS_AUTH_OIDC_ISSUER` before forwarding to the editor, which binds
loopback-only on `WS_SERVER_PORT`. Requires `WS_AUTH_OIDC_ISSUER`,
`WS_AUTH_OIDC_CLIENT_ID` and `WS_AUTH_OIDC_CLIENT_SECRET`. Publish
the proxy port.

Any other value is treated as `password`.

oidc_allowed_emails:
type: string
default: null
delimiter: " "
since: 0.3.1
example: alice@corp.com bob@corp.com
description: Restrict OIDC login to an explicit email allowlist.
reference: /editor/authentication
longDescription: |
A **space-delimited** list. When unset, any email the IdP
authenticates is allowed. `oidc` assumes a single-user workspace
whose authorization is enforced upstream. Only used when
`WS_AUTH_MODE=oidc`.

oidc_allowed_groups:
type: string
default: null
delimiter: " "
since: 0.3.1
example: engineering platform
description: Restrict OIDC login to members of these IdP groups.
reference: /editor/authentication
longDescription: |
A **space-delimited** list mapped to oauth2-proxy `--allowed-group`.
Only used when `WS_AUTH_MODE=oidc`.

oidc_client_id:
type: string
default: null
since: 0.3.1
example: workspace
description: OIDC client ID. Required when `WS_AUTH_MODE=oidc`.
reference: /editor/authentication

oidc_client_secret:
type: string
default: null
secret: true
since: 0.3.1
description: OIDC client secret. Required when `WS_AUTH_MODE=oidc`.
reference: /editor/authentication
longDescription: |
Required for oidc mode. oauth2-proxy authenticates to the IdP as a
confidential client and refuses to start without it. PKCE
(`--code-challenge-method=S256`) is layered on top as defence in
depth. Register the workspace as a confidential client and supply its
secret here. Never baked or shared, provide it per deployment via the
resolution chain below.

**Resolution chain:**

1. Env literal: `WS_AUTH_OIDC_CLIENT_SECRET=...`.
2. `file:` env value: `WS_AUTH_OIDC_CLIENT_SECRET=file:/path/to/secret`.
3. Convention default: file mounted at
`/run/secrets/workspace/auth/oidc_client_secret`.
4. Schema default *(unset)*.

oidc_cookie_secret:
type: string
default: null
secret: true
since: 0.3.1
description: Secret that signs and encrypts the oauth2-proxy session cookie.
reference: /editor/authentication
longDescription: |
A 16, 24, or 32-byte secret (raw or base64). When unset it is
generated once and persisted under the workspace home so sessions
survive restarts and redeploys that reattach the volume. For
multi-replica or volume-less deployments, set this to a shared value
so every instance signs cookies identically. Only used when
`WS_AUTH_MODE=oidc`.

**Resolution chain:**

1. Env literal: `WS_AUTH_OIDC_COOKIE_SECRET=...`.
2. `file:` env value: `WS_AUTH_OIDC_COOKIE_SECRET=file:/path/to/secret`.
3. Convention default: file mounted at
`/run/secrets/workspace/auth/oidc_cookie_secret`.
4. Generated and persisted *(unset)*.

oidc_forbidden_message:
type: string
default: Contact your administrator to request access; retrying will not help.
since: 0.3.1
example: Contact the platform team to request access.
description: Custom guidance shown on the OIDC not-authorized (403) page.
reference: /editor/authentication
longDescription: |
Replaces the default guidance on the 403 error page shown when an
authenticated user is denied (failed group/email allowlist). When
unset, a default "contact your administrator" message is shown. Only
used when `WS_AUTH_MODE=oidc`.

oidc_issuer:
type: string
default: null
since: 0.3.1
example: https://idp.example.com
description: OIDC issuer URL. Required when `WS_AUTH_MODE=oidc`.
reference: /editor/authentication
longDescription: |
The OpenID Connect issuer (discovery base URL). For Active Directory,
point at an OIDC-fronting issuer (Entra ID, Keycloak, dex) rather than
raw LDAP.

oidc_redirect_url:
type: string
default: null
since: 0.3.1
example: https://ws.example.com/oauth2/callback
description: Explicit OAuth redirect URL override.
reference: /editor/authentication
longDescription: |
When unset, oauth2-proxy derives the callback from the incoming
request host as `https://<host>/oauth2/callback`. Set this when the
externally-visible host differs from what oauth2-proxy can infer
(e.g. behind a terminator that rewrites the Host header). The in-IDE
logout action also uses this value to build the sign-out URL. Only
used when `WS_AUTH_MODE=oidc`.

oidc_scopes:
type: string
default: openid email profile
delimiter: " "
since: 0.3.1
example: openid email profile groups
description: OAuth scopes requested at login.
reference: /editor/authentication
longDescription: |
A **space-delimited** scope list requested from the IdP. Add `groups`
when you use `WS_AUTH_OIDC_ALLOWED_GROUPS` and your IdP exposes a
`groups` scope. Only used when `WS_AUTH_MODE=oidc`.

password:
type: string
default: null
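Review bot: "Any other value is treated as `password`" under `mode:` means a typo in `WS_AUTH_MODE` (for example `odic`) silently downgrades the editor from OIDC to the built-in password login instead of failing startup; for an authentication switch the safer contract is to fail closed on unrecognised values (refuse to start, or at minimum log at error level) and to document that here. Two wording points in the same hunk: `oidc_allowed_emails` says that when unset "any email the IdP authenticates is allowed", which is an authorization-open default and should be called out as such, with a pointer to `WS_AUTH_OIDC_ALLOWED_GROUPS` as the alternative, for operators who read only this key; and `oidc_redirect_url` says the callback is "derived from the incoming request host" but does not name which header is read, which matters because the entry itself notes that terminators rewrite `Host`, so naming the header tells operators exactly when the override is needed.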
Expand Down Expand Up @@ -492,6 +644,12 @@ envs:

logging:
properties:
auth_proxy_file:
type: string
default: auth-proxy.log
description: Log file for the OIDC authentication proxy.
since: 0.3.1

dir:
type: path
default: /var/log/workspace
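Review bot: `auth_proxy_file` under `logging:` is missing the `reference: /editor/authentication` and `example:` fields that every other key added for OIDC mode carries, and `default: auth-proxy.log` is a bare filename next to `dir:` whose default is `/var/log/workspace`; state explicitly whether the value is resolved relative to `dir` or must be an absolute path. Because this file is where the authentication proxy writes its log, a one-line note that it is the place to look for denied logins (the 403 outcomes from the email and group allowlists) would make the entry directly useful during incident triage.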
Expand Down Expand Up @@ -612,6 +770,18 @@ envs:

server:
properties:
auth_proxy_port:
type: integer
default: 38080
since: 0.3.1
description: Port the OIDC auth proxy listens on when WS_AUTH_MODE is oidc.
reference: /editor/authentication
longDescription: |
When WS_AUTH_MODE=oidc the auth proxy listens on this port and
forwards authenticated traffic to the editor on WS_SERVER_PORT.
Publish this port instead of WS_SERVER_PORT so every request is
authenticated before it reaches the editor.

port:
type: integer
default: 8080
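Review bot: the mentions of WS_AUTH_MODE and WS_SERVER_PORT in this entry's `description:` and `longDescription:` are unformatted, while every other entry in this PR writes them as `WS_AUTH_MODE=oidc` and `WS_SERVER_PORT` in backticks; make them consistent so the rendered reference styles them the same way. More substantively, "Publish this port instead of WS_SERVER_PORT" should be reconciled with the `mode:` entry, which states that in oidc mode the editor binds loopback-only on `WS_SERVER_PORT`: if that binding is enforced, publishing `WS_SERVER_PORT` is ineffective rather than merely discouraged and this text can say the proxy is the only reachable listener; if it is not enforced, this entry is the right place to warn that exposing `WS_SERVER_PORT` bypasses authentication entirely.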