Runtime OIDC access token refresh for workspace agents #23472
eugeneotto started this conversation in Feature Request
Replies: 0 comments
Problem
When a workspace is built, the OIDC access token (data.coder_workspace_owner.me.oidc_access_token) is obtained once during the provisioner job and baked into the Terraform environment. If the workspace agent later restarts (pod eviction, node rotation, OOM, etc.), startup scripts re-run with the original token, which may have expired hours ago. There is no mechanism for a running workspace to fetch a fresh OIDC token.

This is especially problematic on Kubernetes (EKS/GKE/AKS) where pod restarts are routine, and for organizations using short-lived OIDC tokens (e.g. 1-hour Okta tokens).
Current behavior
• OIDC token is fetched at build time via ObtainOIDCAccessToken in provisionerdserver
• Token is passed to Terraform as CODER_WORKSPACE_OWNER_OIDC_ACCESS_TOKEN
• On agent restart, startup scripts re-run with the stale token from the original build
• Any internal services relying on the OIDC token for authentication fail
Proposed solution
Provide a mechanism analogous to coder external-auth access-token for OIDC tokens. This could be:
• coder oidc access-token, which can be called from within a workspace to fetch a fresh, server-refreshed OIDC token on demand
• An agent API endpoint (like the workspaceAgentsExternalAuth endpoint) that the agent can call to obtain a current OIDC token, with the server handling the OAuth2 refresh flow transparently

This would allow startup scripts and running processes to always obtain a valid token regardless of when the workspace was originally built or how many times the agent has restarted.
Impact
Any organization using OIDC tokens in workspace startup scripts on infrastructure where agent restarts are possible (Kubernetes, spot instances, etc.) is affected.
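Until a refresh mechanism exists, a startup script can at least detect the failure mode the request describes instead of handing a dead token to an internal service. The following POSIX sh guard is an added example, not code from the feature request or from the Coder project: it decodes the exp claim of the JWT in CODER_WORKSPACE_OWNER_OIDC_ACCESS_TOKEN (the variable name is from the request; the assumption that the token is a JWT with an exp claim is mine) and reports whether it is still usable. The sample token is constructed and unsigned; GNU coreutils base64 is assumed.

```shell
#!/bin/sh
# Added example (not from the feature request or the Coder code base).
# Assumptions: the OIDC access token is a JWT carrying a numeric "exp" claim,
# GNU coreutils base64 is available, and the script runs under POSIX sh.

# Print the base64url-decoded payload (second segment) of JWT $1.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  # base64url omits padding; restore it so base64 -d accepts the input.
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d 2>/dev/null
}

# Print the numeric exp claim of JWT $1, or nothing if it cannot be read.
jwt_exp() {
  jwt_payload "$1" | sed -n 's/.*"exp"[[:space:]]*:[[:space:]]*\([0-9]\{1,\}\).*/\1/p'
}

# Return 0 if JWT $1 is still valid at epoch-seconds $2 (default: now),
# keeping a 60 s safety margin; return 1 if expired or if exp is unreadable.
# An unreadable token is treated as expired: fail closed, not open.
oidc_token_valid() {
  now=${2:-$(date +%s)}
  exp=$(jwt_exp "$1")
  [ -n "$exp" ] || return 1
  [ "$exp" -gt $(( now + 60 )) ]
}

# Startup-script entry point: check the token Coder baked in at build time.
# Exits non-zero with a clear message rather than letting a later step fail
# inside whatever internal service consumes the stale token.
check_startup_token() {
  tok=${CODER_WORKSPACE_OWNER_OIDC_ACCESS_TOKEN:-}
  if oidc_token_valid "$tok"; then
    echo "OIDC access token valid until $(jwt_exp "$tok"); continuing"
  else
    echo "OIDC access token baked in at build time is expired or unreadable;" \
         "the agent restarted after the token lifetime" >&2
    return 1
  fi
}

# Constructed sample for demonstration: header {"alg":"none"},
# payload {"sub":"eugeneotto","exp":1700000000}, empty signature.
SAMPLE_TOKEN='eyJhbGciOiJub25lIn0.eyJzdWIiOiJldWdlbmVvdHRvIiwiZXhwIjoxNzAwMDAwMDAwfQ.'
```

Call check_startup_token at the top of the startup script; on a fresh build it passes, and on an agent restart hours later it fails fast with a message that points at the real cause instead of an opaque 401 from the downstream service.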