OctopusDeployLabs / terraform-provider-octopusdeploy

Terraform Provider for Octopus Deploy
https://registry.terraform.io/providers/OctopusDeployLabs/octopusdeploy
Mozilla Public License 2.0

Add support for authenticating with OpenID Connect #579

Open geofflamrock opened 10 months ago

geofflamrock commented 10 months ago

Is your feature request related to a problem? Please describe.

Octopus now has support for authenticating to the API using OpenID Connect (OIDC), replacing the need to provision and manage API keys for automations from external systems.

This involves configuring an OIDC identity on a service account with details on which tokens can be trusted from an OIDC provider (for example GitHub Actions), exchanging an ID token from this provider for a short-lived Octopus access token which can then be used to authenticate to the Octopus API.

Describe the solution you'd like

Add support for configuring the Octopus Terraform provider to use OIDC. We expect this could look something like:

Richard-de-Vries commented 10 months ago

This would be something I would be interested in. Our case would be to get the authentication token in a GitHub Actions pipeline and pass this to the Octopus Terraform provider.

x-cubed commented 1 month ago

I'd be keen to see this implemented, as we want to move away from using long-term API keys.

We were hoping that we'd at least be able to perform the OIDC token exchange ourselves, and just pass in the bearer token, but unfortunately the Octopus Terraform provider (by way of the Octopus Go client) currently validates that the API key starts with API-, so it rejects the bearer token without trying to use it.

It would be nice if we could at least get bearer tokens working, even if OIDC is a little way off.
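
The exchange described in the issue, and the "perform the token exchange ourselves" step from the last comment, sketched as an added example; this is not code from the issue, the provider or the Octopus Go client. It assumes the exchange uses the OAuth 2.0 token-exchange form of RFC 8693; the endpoint (a local mock), the audience and both token values are constructed, and `exchangeIDToken` and `demo` are hypothetical names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// exchangeIDToken posts an RFC 8693 token-exchange form (assumed wire format)
// and returns the short-lived access token from the JSON response.
func exchangeIDToken(tokenURL, audience, idToken string) (string, error) {
	resp, err := http.PostForm(tokenURL, url.Values{
		"grant_type":         {"urn:ietf:params:oauth:grant-type:token-exchange"},
		"audience":           {audience},
		"subject_token":      {idToken},
		"subject_token_type": {"urn:ietf:params:oauth:token-type:jwt"},
	})
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("token exchange rejected: %s", resp.Status)
	}
	var out struct {
		AccessToken string `json:"access_token"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil || out.AccessToken == "" {
		return "", fmt.Errorf("token response carried no access_token")
	}
	return out.AccessToken, nil
}

// demo runs the exchange against a local mock endpoint that trusts exactly one
// constructed ID token; a real server would verify signature and claims.
func demo(idToken string) (string, error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.FormValue("subject_token") != "constructed.id.token" {
			http.Error(w, `{"error":"invalid_grant"}`, http.StatusBadRequest)
			return
		}
		fmt.Fprint(w, `{"access_token":"constructed-access-token","expires_in":3600}`)
	}))
	defer srv.Close()
	return exchangeIDToken(srv.URL, "constructed-audience", idToken)
}

func main() { fmt.Println(demo("constructed.id.token")) }
```

The returned value is what a client would then send as a bearer token; an ID token the endpoint does not trust produces an error rather than an empty credential.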