Scenario
I'm in an organization that needs to be able to provide access to multiple GitHub organizations, for example a public GitHub organization and my company's GitHub Enterprise instance, to my Coder workspace users. After adding an additional external authentication provider for GitHub with credentials for the second organization, my users started reporting that when they run git pull they are being prompted to authenticate with the second external auth even though the workspace template doesn't use it. Shouldn't it only prompt for external authentication providers in use in the template? Reverting the configuration to remove the additional authentication provider restores the original functionality.
How to fix
When using multiple external providers, you must specify a regular expression on each one so that repositories are matched to the corresponding external authentication configuration. It is specified as CODER_EXTERNAL_AUTH_#_REGEX, where # is the same index used by the rest of that provider's external authentication configuration.
Note: These regular expressions are case sensitive by default. If you need a case-insensitive match, specify the (?i) flag to tell the regex engine to ignore case.
Example
Consider the following configuration. This example configures two external providers. The first one connects to repositories for the orgname organization on github.com. The second provider configuration would suit a GitHub Enterprise installation accessible at the github.example.com domain.
To support regex matching for paths (e.g. github.com/org), you'll need to add this to the Coder agent startup script:
git config --global credential.useHttpPath true
# Provider 1) github.com
CODER_EXTERNAL_AUTH_0_ID=primary-github
CODER_EXTERNAL_AUTH_0_TYPE=github
CODER_EXTERNAL_AUTH_0_CLIENT_ID=xxxxxx
CODER_EXTERNAL_AUTH_0_CLIENT_SECRET=xxxxxxx
CODER_EXTERNAL_AUTH_0_REGEX=github\.com/orgname
# Provider 2) github.example.com
CODER_EXTERNAL_AUTH_1_ID=secondary-github
CODER_EXTERNAL_AUTH_1_TYPE=github
CODER_EXTERNAL_AUTH_1_CLIENT_ID=xxxxxx
CODER_EXTERNAL_AUTH_1_CLIENT_SECRET=xxxxxxx
CODER_EXTERNAL_AUTH_1_REGEX=github\.example\.com
CODER_EXTERNAL_AUTH_1_AUTH_URL="https://github.example.com/login/oauth/authorize"
CODER_EXTERNAL_AUTH_1_TOKEN_URL="https://github.example.com/login/oauth/access_token"
CODER_EXTERNAL_AUTH_1_VALIDATE_URL="https://github.example.com/api/v3/user"
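
To check which provider a repository URL maps to before rolling out a configuration like this, the two regexes above can be run against sample URLs. This is an added example, not Coder's own code: it assumes the first matching regex wins and that the regex is tested against the URL git presents, and the target URLs are constructed.

```go
package main

import (
	"fmt"
	"regexp"
)

// provider mirrors one CODER_EXTERNAL_AUTH_#_ID / _REGEX pair.
type provider struct {
	ID    string
	Regex *regexp.Regexp
}

// providers builds the two regexes from the configuration above; flags
// ("" or "(?i)") is prepended to each pattern.
func providers(flags string) []provider {
	return []provider{
		{"primary-github", regexp.MustCompile(flags + `github\.com/orgname`)},
		{"secondary-github", regexp.MustCompile(flags + `github\.example\.com`)},
	}
}

// matchProvider returns the ID of the first provider whose regex matches
// target, or "" when none does (first-match-wins is an assumption).
func matchProvider(ps []provider, target string) string {
	for _, p := range ps {
		if p.Regex.MatchString(target) {
			return p.ID
		}
	}
	return ""
}

func main() {
	// Constructed sample targets. Without credential.useHttpPath git hands
	// the credential helper only protocol and host, so the second entry
	// stands for any github.com repository in that mode.
	targets := []string{
		"https://github.com/orgname/app.git",
		"https://github.com",
		"https://github.com/OrgName/app.git",
		"https://github.example.com/team/app.git",
		"https://github.com/other-org/app.git",
	}
	for _, t := range targets {
		fmt.Printf("%-42s default=%q (?i)=%q\n", t,
			matchProvider(providers(""), t), matchProvider(providers("(?i)"), t))
	}
}
```

An empty result means no provider regex matched the target, which is the case for the host-only and mixed-case URLs under the default, case-sensitive patterns.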