feat: add oidc_id_token to workspace_owner data source

rowansmithau · rowansmithau · commit f8474a8ba802 · 2025-11-25T15:14:00.000+11:00
Adds support for the new CODER_WORKSPACE_OWNER_OIDC_ID_TOKEN environment
variable, exposing the OIDC ID token through the coder_workspace_owner
data source as oidc_id_token.

This complements the existing oidc_access_token field.
diff --git a/docs/data-sources/workspace_owner.md b/docs/data-sources/workspace_owner.md
@@ -23,6 +23,7 @@ resource "coder_agent" "dev" {
   dir  = "/workspace"
   env = {
     OIDC_TOKEN : data.coder_workspace_owner.me.oidc_access_token,
+    OIDC_ID_TOKEN : data.coder_workspace_owner.me.oidc_id_token,
   }
 }
 
@@ -53,6 +54,7 @@ resource "coder_env" "git_author_email" {
 - `login_type` (String) The type of login the user has.
 - `name` (String) The username of the user.
 - `oidc_access_token` (String, Sensitive) A valid OpenID Connect access token of the workspace owner. This is only available if the workspace owner authenticated with OpenID Connect. If a valid token cannot be obtained, this value will be an empty string.
+- `oidc_id_token` (String, Sensitive) A valid OpenID Connect ID token of the workspace owner. This is only available if the workspace owner authenticated with OpenID Connect. If a valid token cannot be obtained, this value will be an empty string.
 - `rbac_roles` (List of Object) The RBAC roles of which the user is assigned. (see [below for nested schema](#nestedatt--rbac_roles))
 - `session_token` (String, Sensitive) Session token for authenticating with a Coder deployment. It is regenerated every time a workspace is started.
 - `ssh_private_key` (String, Sensitive) The user's generated SSH private key.
diff --git a/provider/workspace_owner.go b/provider/workspace_owner.go
@@ -54,6 +54,7 @@ func workspaceOwnerDataSource() *schema.Resource {
 
 			_ = rd.Set("session_token", os.Getenv("CODER_WORKSPACE_OWNER_SESSION_TOKEN"))
 			_ = rd.Set("oidc_access_token", os.Getenv("CODER_WORKSPACE_OWNER_OIDC_ACCESS_TOKEN"))
+			_ = rd.Set("oidc_id_token", os.Getenv("CODER_WORKSPACE_OWNER_OIDC_ID_TOKEN"))
 
 			if loginType := os.Getenv("CODER_WORKSPACE_OWNER_LOGIN_TYPE"); loginType != "" {
 				_ = rd.Set("login_type", loginType)
@@ -123,6 +124,14 @@ func workspaceOwnerDataSource() *schema.Resource {
 					"If a valid token cannot be obtained, this value will be an empty string.",
 				Sensitive: true,
 			},
+			"oidc_id_token": {
+				Type:     schema.TypeString,
+				Computed: true,
+				Description: "A valid OpenID Connect ID token of the workspace owner. " +
+					"This is only available if the workspace owner authenticated with OpenID Connect. " +
+					"If a valid token cannot be obtained, this value will be an empty string.",
+				Sensitive: true,
+			},
 			"login_type": {
 				Type:        schema.TypeString,
 				Computed:    true,
diff --git a/provider/workspace_owner_test.go b/provider/workspace_owner_test.go
@@ -33,6 +33,7 @@ func TestWorkspaceOwnerDatasource(t *testing.T) {
 		t.Setenv("CODER_WORKSPACE_OWNER_GROUPS", `["group1", "group2"]`)
 		t.Setenv("CODER_WORKSPACE_OWNER_SESSION_TOKEN", `supersecret`)
 		t.Setenv("CODER_WORKSPACE_OWNER_OIDC_ACCESS_TOKEN", `alsosupersecret`)
+		t.Setenv("CODER_WORKSPACE_OWNER_OIDC_ID_TOKEN", `yetanothersecret`)
 		t.Setenv("CODER_WORKSPACE_OWNER_LOGIN_TYPE", `github`)
 		t.Setenv("CODER_WORKSPACE_OWNER_RBAC_ROLES", `[{"name":"member","org_id":"00000000-0000-0000-0000-000000000000"}]`)
 
@@ -61,6 +62,7 @@ func TestWorkspaceOwnerDatasource(t *testing.T) {
 					assert.Equal(t, `group2`, attrs["groups.1"])
 					assert.Equal(t, `supersecret`, attrs["session_token"])
 					assert.Equal(t, `alsosupersecret`, attrs["oidc_access_token"])
+					assert.Equal(t, `yetanothersecret`, attrs["oidc_id_token"])
 					assert.Equal(t, `github`, attrs["login_type"])
 					assert.Equal(t, `member`, attrs["rbac_roles.0.name"])
 					assert.Equal(t, `00000000-0000-0000-0000-000000000000`, attrs["rbac_roles.0.org_id"])
@@ -79,6 +81,7 @@ func TestWorkspaceOwnerDatasource(t *testing.T) {
 			"CODER_WORKSPACE_OWNER_SESSION_TOKEN",
 			"CODER_WORKSPACE_OWNER_GROUPS",
 			"CODER_WORKSPACE_OWNER_OIDC_ACCESS_TOKEN",
+			"CODER_WORKSPACE_OWNER_OIDC_ID_TOKEN",
 			"CODER_WORKSPACE_OWNER_SSH_PUBLIC_KEY",
 			"CODER_WORKSPACE_OWNER_SSH_PRIVATE_KEY",
 			"CODER_WORKSPACE_OWNER_LOGIN_TYPE",
@@ -112,6 +115,7 @@ func TestWorkspaceOwnerDatasource(t *testing.T) {
 					assert.Empty(t, attrs["groups.0"])
 					assert.Empty(t, attrs["session_token"])
 					assert.Empty(t, attrs["oidc_access_token"])
+					assert.Empty(t, attrs["oidc_id_token"])
 					assert.Empty(t, attrs["login_type"])
 					assert.Empty(t, attrs["rbac_roles.0"])
 					return nil

Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,7 @@ resource "coder_agent" "dev" {`
`23`	`23`	`dir = "/workspace"`
`24`	`24`	`env = {`
`25`	`25`	`OIDC_TOKEN : data.coder_workspace_owner.me.oidc_access_token,`
	`26`	`+ OIDC_ID_TOKEN : data.coder_workspace_owner.me.oidc_id_token,`
`26`	`27`	`}`
`27`	`28`	`}`
`28`	`29`
`@@ -53,6 +54,7 @@ resource "coder_env" "git_author_email" {`
`53`	`54`	- `login_type` (String) The type of login the user has.
`54`	`55`	- `name` (String) The username of the user.
`55`	`56`	- `oidc_access_token` (String, Sensitive) A valid OpenID Connect access token of the workspace owner. This is only available if the workspace owner authenticated with OpenID Connect. If a valid token cannot be obtained, this value will be an empty string.
	`57`	+- `oidc_id_token` (String, Sensitive) A valid OpenID Connect ID token of the workspace owner. This is only available if the workspace owner authenticated with OpenID Connect. If a valid token cannot be obtained, this value will be an empty string.
`56`	`58`	- `rbac_roles` (List of Object) The RBAC roles of which the user is assigned. (see [below for nested schema](#nestedatt--rbac_roles))
`57`	`59`	- `session_token` (String, Sensitive) Session token for authenticating with a Coder deployment. It is regenerated every time a workspace is started.
`58`	`60`	- `ssh_private_key` (String, Sensitive) The user's generated SSH private key.