feat: support OAuth in the Jetbrains extension #195

@jcjiang

Description

With Coder becoming an OAuth provider, there is an opportunity to replace the existing copy-paste token authentication with a smoother experience.

Issues with Token Auth

  • Longer default token lifetimes due to lack of refresh, which means more risk of abuse - a stolen token remains valid for a longer period of time, while real-time revocation becomes far more difficult (requires a server-side blacklist that must be maintained)
  • If tokens are leaked, potential for widespread damage is higher - because tokens are stateless and self-contained, the validating server does not check with a database for verification
  • Requires more user input and changes of context (redirection to a browser page, copying the token to the clipboard, pasting it into the original context), which results in a heavier UX

Suggested Flow

  1. Once the user chooses to Login, they get directed to the following page.
     [image]
  2. Upon entering the URL, a browser page will open and prompt the user to log in to their Coder account.
     1. Offer an optional link with text to the effect of, “Can’t authenticate? Generate a token” that will reload the page with a generated token if clicked.
     2. If this link is clicked, the remainder of the flow will return to the token authentication experience (i.e. the IDE will prompt for the token to be pasted).
  3. In the next prompt, the Coder IDE extension requests access to act on their behalf. The user clicks Grant app access.
  4. When authentication is successfully completed, a confirmation message appears. The user closes the browser window and returns to the IDE.
     1. The IDE reads and saves authentication on the user’s local machine.

The scope of permissions given to the API key for IDE clients will shrink for security reasons. They are:

  • read workspaces
  • read templates, templateversions, buildinfo
  • read/write workspace agents + apps
  • read your own user details
  • authentication
  • read access to SSH keys
  • connect to workspace agents and show their resources (proxy through Coder CLI, depends on CLI's requested scopes)
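From the extension's side, the browser-based login proposed above would look roughly like the following. This is an added Python sketch, not code from the coder-jetbrains plugin or Coder's OAuth implementation: the `/oauth2/authorize` path, `client_id` and scope strings are placeholders, and the PKCE verifier and `state` parameter are standard native-app protections that the issue does not spell out.

```python
"""IDE-side view of the proposed OAuth login (added illustration, not plugin code).
Endpoint path, client_id and scope strings are PLACEHOLDERS; PKCE and state are
standard protections for a public native client and are assumed here."""
import base64
import hashlib
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder identifiers mirroring the reduced permission set listed in the issue.
IDE_SCOPES = ["workspace:read", "template:read", "workspace_agent:read_write",
              "user:read_self", "ssh_key:read"]


def pkce_pair():
    """Return (code_verifier, S256 code_challenge); the verifier never leaves the IDE."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_authorize_url(deployment_url, client_id, redirect_uri, scopes, state, challenge):
    """URL the IDE opens in the browser; path is a placeholder, not Coder's real route."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": " ".join(scopes), "state": state,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return f"{deployment_url}/oauth2/authorize?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Validate the loopback redirect: reject mismatched state before trusting the code."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this login attempt")
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error'][0]}")
    return q["code"][0]


@dataclass
class TokenSet:
    """Short-lived access token plus refresh token, the property token auth lacked."""
    access_token: str
    refresh_token: str
    expires_at: float

    @classmethod
    def from_token_response(cls, body, now=None):
        now = time.time() if now is None else now
        return cls(body["access_token"], body["refresh_token"], now + float(body["expires_in"]))

    def needs_refresh(self, now=None, skew=60):
        return (time.time() if now is None else now) >= self.expires_at - skew
```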
