By default, your Coder instance uses Codespace SSO — users sign in through Codespace and are automatically authenticated with Coder. You can override this with a custom OAuth/OIDC provider.
Default: Codespace SSO
With the default setup:
- Users sign in to Codespace with email/password
- Codespace issues tokens that Coder accepts automatically
- No additional configuration needed
This is recommended for most teams.
Custom OAuth provider
If your organization uses an identity provider like Okta, Auth0, Azure AD, or another OIDC-compatible service, you can configure it as the login provider for your Coder instance.
- Go to your instance Settings
- Scroll to Advanced Settings → Login Provider Override
- Select Custom OAuth
- Enter:
- Issuer URL — your OIDC provider’s issuer URL (e.g.,
https://your-org.okta.com)
- Client ID — the OAuth client ID from your provider
- Client Secret — the OAuth client secret from your provider
- Click Save
- Click Reconcile Configuration to apply the changes
After saving, you must click Reconcile Configuration in Advanced Settings for the change to take effect. This re-provisions your instance with the new login settings.
Switching back to Codespace SSO
- Go to Advanced Settings → Login Provider Override
- Select Codespace SSO (default)
- Click Save
- Click Reconcile Configuration
Important notes
- The reconcile process takes 1–2 minutes while your instance is re-provisioned
- Existing Coder sessions may be invalidated when switching providers
- Make sure your OIDC provider is configured to allow redirects to your instance domain
