coder
diff --git a/‎coderd/coderdtest/oidctest/helper.go‎
Lines changed: 1 addition & 0 deletions b/‎coderd/coderdtest/oidctest/helper.go‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎coderd/database/dbgen/dbgen.go‎
Lines changed: 1 addition & 0 deletions b/‎coderd/database/dbgen/dbgen.go‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎coderd/database/dump.sql‎
Lines changed: 2 additions & 1 deletion b/‎coderd/database/dump.sql‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎coderd/database/migrations/000402_add_oidc_id_token.down.sql‎
Lines changed: 2 additions & 0 deletions b/‎coderd/database/migrations/000402_add_oidc_id_token.down.sql‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎coderd/database/migrations/000402_add_oidc_id_token.up.sql‎
Lines changed: 2 additions & 0 deletions b/‎coderd/database/migrations/000402_add_oidc_id_token.up.sql‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎coderd/database/models.go‎
Lines changed: 2 additions & 1 deletion b/‎coderd/database/models.go‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎coderd/database/queries.sql.go‎
Lines changed: 19 additions & 7 deletions b/‎coderd/database/queries.sql.go‎
Lines changed: 19 additions & 7 deletions
diff --git a/‎coderd/database/queries/user_links.sql‎
Lines changed: 5 additions & 3 deletions b/‎coderd/database/queries/user_links.sql‎
Lines changed: 5 additions & 3 deletions
diff --git a/‎coderd/httpmw/apikey.go‎
Lines changed: 1 addition & 0 deletions b/‎coderd/httpmw/apikey.go‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎coderd/provisionerdserver/provisionerdserver.go‎
Lines changed: 65 additions & 0 deletions b/‎coderd/provisionerdserver/provisionerdserver.go‎
Lines changed: 65 additions & 0 deletions
@@ -88,6 +88,7 @@ func (*LoginHelper) ExpireOauthToken(t *testing.T, db database.Store, user *code
 		OAuthExpiry:            time.Now().Add(time.Hour * -1),
 		UserID:                 link.UserID,
 		LoginType:              link.LoginType,
+		OAuthIDToken:           link.OAuthIDToken,
 		Claims:                 database.UserLinkClaims{},
 	})
 	require.NoError(t, err, "expire user link")
 
@@ -1037,6 +1037,7 @@ func UserLink(t testing.TB, db database.Store, orig database.UserLink) database.
 		OAuthAccessTokenKeyID:  takeFirst(orig.OAuthAccessTokenKeyID, sql.NullString{}),
 		OAuthRefreshToken:      takeFirst(orig.OAuthRefreshToken, uuid.NewString()),
 		OAuthRefreshTokenKeyID: takeFirst(orig.OAuthRefreshTokenKeyID, sql.NullString{}),
+		OAuthIDToken:           takeFirst(orig.OAuthIDToken),
 		OAuthExpiry:            takeFirst(orig.OAuthExpiry, dbtime.Now().Add(time.Hour*24)),
 		Claims:                 orig.Claims,
 	})
 
@@ -0,0 +1,2 @@
+-- Remove oauth_id_token column from user_links table
+ALTER TABLE user_links DROP COLUMN oauth_id_token;
@@ -0,0 +1,2 @@
+-- Add oauth_id_token column to user_links table to support ID token storage for OIDC providers like Azure
+ALTER TABLE user_links ADD COLUMN oauth_id_token text DEFAULT ''::text NOT NULL;
@@ -32,10 +32,11 @@ INSERT INTO
 		oauth_refresh_token,
 		oauth_refresh_token_key_id,
 		oauth_expiry,
+		oauth_id_token,
 		claims
 	)
 VALUES
-	( $1, $2, $3, $4, $5, $6, $7, $8, $9 ) RETURNING *;
+	( $1, $2, $3, $4, $5, $6, $7, $8, $9, $10 ) RETURNING *;
 
 -- name: UpdateUserLinkedID :one
 UPDATE
@@ -54,9 +55,10 @@ SET
 	oauth_refresh_token = $3,
 	oauth_refresh_token_key_id = $4,
 	oauth_expiry = $5,
-	claims = $6
+	oauth_id_token = $6,
+	claims = $7
 WHERE
-	user_id = $7 AND login_type = $8 RETURNING *;
+	user_id = $8 AND login_type = $9 RETURNING *;
 
 -- name: OIDCClaimFields :many
 -- OIDCClaimFields returns a list of distinct keys in the the merged_claims fields.
 
@@ -354,6 +354,7 @@ func ExtractAPIKey(rw http.ResponseWriter, r *http.Request, cfg ExtractAPIKeyCon
 				OAuthAccessTokenKeyID:  sql.NullString{}, // dbcrypt will update as required
 				OAuthRefreshToken:      link.OAuthRefreshToken,
 				OAuthRefreshTokenKeyID: sql.NullString{}, // dbcrypt will update as required
+				OAuthIDToken:           link.OAuthIDToken,
 				OAuthExpiry:            link.OAuthExpiry,
 				// Refresh should keep the same debug context because we use
 				// the original claims for the group/role sync.
 
@@ -544,13 +544,18 @@ func (s *server) acquireProtoJob(ctx context.Context, job database.ProvisionerJo
 		}
 
 		var workspaceOwnerOIDCAccessToken string
+		var workspaceOwnerOIDCIdToken string
 		// The check `s.OIDCConfig != nil` is not as strict, since it can be an interface
 		// pointing to a typed nil.
 		if !reflect.ValueOf(s.OIDCConfig).IsNil() {
 			workspaceOwnerOIDCAccessToken, err = obtainOIDCAccessToken(ctx, s.Database, s.OIDCConfig, owner.ID)
 			if err != nil {
 				return nil, failJob(fmt.Sprintf("obtain OIDC access token: %s", err))
 			}
+			workspaceOwnerOIDCIdToken, err = obtainOIDCIdToken(ctx, s.Database, s.OIDCConfig, owner.ID)
+			if err != nil {
+				return nil, failJob(fmt.Sprintf("obtain OIDC ID token: %s", err))
+			}
 		}
 
 		var sessionToken string
@@ -724,6 +729,7 @@ func (s *server) acquireProtoJob(ctx context.Context, job database.ProvisionerJo
 					WorkspaceOwnerName:            owner.Name,
 					WorkspaceOwnerGroups:          ownerGroupNames,
 					WorkspaceOwnerOidcAccessToken: workspaceOwnerOIDCAccessToken,
+					WorkspaceOwnerOidcIdToken:     workspaceOwnerOIDCIdToken,
 					WorkspaceId:                   workspace.ID.String(),
 					WorkspaceOwnerId:              owner.ID.String(),
 					TemplateId:                    template.ID.String(),
@@ -3145,6 +3151,9 @@ func obtainOIDCAccessToken(ctx context.Context, db database.Store, oidcConfig pr
 		link.OAuthRefreshToken = token.RefreshToken
 		link.OAuthExpiry = token.Expiry
 
+		// Extract the ID token from the refreshed token if available
+		idToken, _ := token.Extra("id_token").(string)
+
 		link, err = db.UpdateUserLink(ctx, database.UpdateUserLinkParams{
 			UserID:                 userID,
 			LoginType:              database.LoginTypeOIDC,
@@ -3153,6 +3162,7 @@ func obtainOIDCAccessToken(ctx context.Context, db database.Store, oidcConfig pr
 			OAuthRefreshToken:      link.OAuthRefreshToken,
 			OAuthRefreshTokenKeyID: sql.NullString{}, // set by dbcrypt if required
 			OAuthExpiry:            link.OAuthExpiry,
+			OAuthIDToken:           idToken,
 			Claims:                 link.Claims,
 		})
 		if err != nil {
@@ -3163,6 +3173,61 @@ func obtainOIDCAccessToken(ctx context.Context, db database.Store, oidcConfig pr
 	return link.OAuthAccessToken, nil
 }
 
+// obtainOIDCIdToken returns a valid OpenID Connect ID token
+// for the user if it's able to obtain one, otherwise it returns an empty string.
+// The ID token is used by some providers like Azure for authentication.
+func obtainOIDCIdToken(ctx context.Context, db database.Store, oidcConfig promoauth.OAuth2Config, userID uuid.UUID) (string, error) {
+	link, err := db.GetUserLinkByUserIDLoginType(ctx, database.GetUserLinkByUserIDLoginTypeParams{
+		UserID:    userID,
+		LoginType: database.LoginTypeOIDC,
+	})
+	if errors.Is(err, sql.ErrNoRows) {
+		return "", nil
+	}
+	if err != nil {
+		return "", xerrors.Errorf("get owner oidc link: %w", err)
+	}
+
+	// If the token is expired and we have a refresh token, refresh it
+	if link.OAuthExpiry.Before(dbtime.Now()) && !link.OAuthExpiry.IsZero() && link.OAuthRefreshToken != "" {
+		token, err := oidcConfig.TokenSource(ctx, &oauth2.Token{
+			AccessToken:  link.OAuthAccessToken,
+			RefreshToken: link.OAuthRefreshToken,
+			Expiry:       link.OAuthExpiry,
+		}).Token()
+		if err != nil {
+			// If OIDC fails to refresh, we return an empty string and don't fail.
+			// There isn't a way to hard-opt in to OIDC from a template, so we don't
+			// want to fail builds if users haven't authenticated for a while or something.
+			return "", nil
+		}
+
+		// Extract the ID token from the refreshed token
+		idToken, _ := token.Extra("id_token").(string)
+		link.OAuthAccessToken = token.AccessToken
+		link.OAuthRefreshToken = token.RefreshToken
+		link.OAuthExpiry = token.Expiry
+		link.OAuthIDToken = idToken
+
+		link, err = db.UpdateUserLink(ctx, database.UpdateUserLinkParams{
+			UserID:                 userID,
+			LoginType:              database.LoginTypeOIDC,
+			OAuthAccessToken:       link.OAuthAccessToken,
+			OAuthAccessTokenKeyID:  sql.NullString{}, // set by dbcrypt if required
+			OAuthRefreshToken:      link.OAuthRefreshToken,
+			OAuthRefreshTokenKeyID: sql.NullString{}, // set by dbcrypt if required
+			OAuthExpiry:            link.OAuthExpiry,
+			OAuthIDToken:           link.OAuthIDToken,
+			Claims:                 link.Claims,
+		})
+		if err != nil {
+			return "", xerrors.Errorf("update user link: %w", err)
+		}
+	}
+
+	return link.OAuthIDToken, nil
+}
+
 func convertLogLevel(logLevel sdkproto.LogLevel) (database.LogLevel, error) {
 	switch logLevel {
 	case sdkproto.LogLevel_TRACE:
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+-- Remove oauth_id_token column from user_links table`
	`2`	`+ALTER TABLE user_links DROP COLUMN oauth_id_token;`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+-- Add oauth_id_token column to user_links table to support ID token storage for OIDC providers like Azure`
	`2`	`+ALTER TABLE user_links ADD COLUMN oauth_id_token text DEFAULT ''::text NOT NULL;`