From f8474a8ba8023aaa18b5652c71a037d0a418f02d Mon Sep 17 00:00:00 2001
From: Rowan Smith
Date: Tue, 25 Nov 2025 15:14:00 +1100
Subject: [PATCH] feat: add oidc_id_token to workspace_owner data source

Adds support for the new CODER_WORKSPACE_OWNER_OIDC_ID_TOKEN environment variable, exposing the OIDC ID token through the coder_workspace_owner data source as oidc_id_token. This complements the existing oidc_access_token field.
---
 docs/data-sources/workspace_owner.md | 2 ++
 provider/workspace_owner.go | 9 +++++++++
 provider/workspace_owner_test.go | 4 ++++
 3 files changed, 15 insertions(+)

diff --git a/docs/data-sources/workspace_owner.md b/docs/data-sources/workspace_owner.md
index f16480ef..4058e194 100644
--- a/docs/data-sources/workspace_owner.md
+++ b/docs/data-sources/workspace_owner.md
@@ -23,6 +23,7 @@ resource "coder_agent" "dev" {
 dir = "/workspace"
 env = {
 OIDC_TOKEN : data.coder_workspace_owner.me.oidc_access_token,
+ OIDC_ID_TOKEN : data.coder_workspace_owner.me.oidc_id_token,
 }
 }
@@ -53,6 +54,7 @@ resource "coder_env" "git_author_email" {
 - `login_type` (String) The type of login the user has.
 - `name` (String) The username of the user.
 - `oidc_access_token` (String, Sensitive) A valid OpenID Connect access token of the workspace owner. This is only available if the workspace owner authenticated with OpenID Connect. If a valid token cannot be obtained, this value will be an empty string.
+- `oidc_id_token` (String, Sensitive) A valid OpenID Connect ID token of the workspace owner. This is only available if the workspace owner authenticated with OpenID Connect. If a valid token cannot be obtained, this value will be an empty string.
 - `rbac_roles` (List of Object) The RBAC roles of which the user is assigned. (see [below for nested schema](#nestedatt--rbac_roles))
 - `session_token` (String, Sensitive) Session token for authenticating with a Coder deployment. It is regenerated every time a workspace is started.
 - `ssh_private_key` (String, Sensitive) The user's generated SSH private key.
diff --git a/provider/workspace_owner.go b/provider/workspace_owner.go
index 109b0b93..ea9ef405 100644
--- a/provider/workspace_owner.go
+++ b/provider/workspace_owner.go
@@ -54,6 +54,7 @@ func workspaceOwnerDataSource() *schema.Resource {
 _ = rd.Set("session_token", os.Getenv("CODER_WORKSPACE_OWNER_SESSION_TOKEN"))
 _ = rd.Set("oidc_access_token", os.Getenv("CODER_WORKSPACE_OWNER_OIDC_ACCESS_TOKEN"))
+ _ = rd.Set("oidc_id_token", os.Getenv("CODER_WORKSPACE_OWNER_OIDC_ID_TOKEN"))
 if loginType := os.Getenv("CODER_WORKSPACE_OWNER_LOGIN_TYPE"); loginType != "" {
 _ = rd.Set("login_type", loginType)
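Review bot: The new `_ = rd.Set("oidc_id_token", os.Getenv("CODER_WORKSPACE_OWNER_OIDC_ID_TOKEN"))` line copies the environment value into the data source without inspecting it, so the schema's "valid OpenID Connect ID token" wording describes what the caller is expected to place in the variable, not anything this provider verifies; a one-line comment above it would make that boundary explicit, e.g. `// Passed through verbatim: whether the value is a well-formed, unexpired ID token is not checked here.` Discarding the Set error with `_ =` matches the neighbouring session_token and oidc_access_token lines, so the new line is consistent with the block it joins. workspaceOwnerDataSource continues on both sides of the hunk.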
@@ -123,6 +124,14 @@ func workspaceOwnerDataSource() *schema.Resource {
 "If a valid token cannot be obtained, this value will be an empty string.",
 Sensitive: true,
 },
+ "oidc_id_token": {
+ Type: schema.TypeString,
+ Computed: true,
+ Description: "A valid OpenID Connect ID token of the workspace owner. " +
+ "This is only available if the workspace owner authenticated with OpenID Connect. " +
+ "If a valid token cannot be obtained, this value will be an empty string.",
+ Sensitive: true,
+ },
 "login_type": {
 Type: schema.TypeString,
 Computed: true,
diff --git a/provider/workspace_owner_test.go b/provider/workspace_owner_test.go
index de23b3e7..31292cb6 100644
--- a/provider/workspace_owner_test.go
+++ b/provider/workspace_owner_test.go
@@ -33,6 +33,7 @@ func TestWorkspaceOwnerDatasource(t *testing.T) {
 t.Setenv("CODER_WORKSPACE_OWNER_GROUPS", `["group1", "group2"]`)
 t.Setenv("CODER_WORKSPACE_OWNER_SESSION_TOKEN", `supersecret`)
 t.Setenv("CODER_WORKSPACE_OWNER_OIDC_ACCESS_TOKEN", `alsosupersecret`)
+ t.Setenv("CODER_WORKSPACE_OWNER_OIDC_ID_TOKEN", `yetanothersecret`)
 t.Setenv("CODER_WORKSPACE_OWNER_LOGIN_TYPE", `github`)
 t.Setenv("CODER_WORKSPACE_OWNER_RBAC_ROLES", `[{"name":"member","org_id":"00000000-0000-0000-0000-000000000000"}]`)
@@ -61,6 +62,7 @@ func TestWorkspaceOwnerDatasource(t *testing.T) {
 assert.Equal(t, `group2`, attrs["groups.1"])
 assert.Equal(t, `supersecret`, attrs["session_token"])
 assert.Equal(t, `alsosupersecret`, attrs["oidc_access_token"])
+ assert.Equal(t, `yetanothersecret`, attrs["oidc_id_token"])
 assert.Equal(t, `github`, attrs["login_type"])
 assert.Equal(t, `member`, attrs["rbac_roles.0.name"])
 assert.Equal(t, `00000000-0000-0000-0000-000000000000`, attrs["rbac_roles.0.org_id"])
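Review bot: `Sensitive: true` on the new `"oidc_id_token"` schema entry only redacts the value from plan and apply output; it does not change what is persisted, so like `oidc_access_token` the ID token ends up in Terraform state, and the Description would be more honest if its concatenation ended with `"The value is persisted in Terraform state, which must be protected accordingly."`. The new entry also repeats the second and third sentences of the `oidc_access_token` Description word for word; a package-level const holding that shared suffix would keep the two from drifting apart. The schema map of workspaceOwnerDataSource starts and ends outside the hunk.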
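Review bot: The new `assert.Equal` on `attrs["oidc_id_token"]` confirms the value round-trips from the environment, but nothing in the test checks that the attribute is flagged Sensitive, which is the property that keeps the ID token out of plan output; a schema-level assertion such as `assert.True(t, workspaceOwnerDataSource().Schema["oidc_id_token"].Sensitive)` would catch a regression there. The same gap may exist for oidc_access_token, which cannot be judged from this hunk. TestWorkspaceOwnerDatasource continues outside the hunk.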
@@ -79,6 +81,7 @@ func TestWorkspaceOwnerDatasource(t *testing.T) {
 "CODER_WORKSPACE_OWNER_SESSION_TOKEN",
 "CODER_WORKSPACE_OWNER_GROUPS",
 "CODER_WORKSPACE_OWNER_OIDC_ACCESS_TOKEN",
+ "CODER_WORKSPACE_OWNER_OIDC_ID_TOKEN",
 "CODER_WORKSPACE_OWNER_SSH_PUBLIC_KEY",
 "CODER_WORKSPACE_OWNER_SSH_PRIVATE_KEY",
 "CODER_WORKSPACE_OWNER_LOGIN_TYPE",
@@ -112,6 +115,7 @@ func TestWorkspaceOwnerDatasource(t *testing.T) {
 assert.Empty(t, attrs["groups.0"])
 assert.Empty(t, attrs["session_token"])
 assert.Empty(t, attrs["oidc_access_token"])
+ assert.Empty(t, attrs["oidc_id_token"])
 assert.Empty(t, attrs["login_type"])
 assert.Empty(t, attrs["rbac_roles.0"])
 return nil