auth0 / terraform-provider-auth0

The Auth0 Terraform Provider is the official plugin for managing Auth0 tenant configuration through the Terraform tool.
https://registry.terraform.io/providers/auth0/auth0/latest/docs
Mozilla Public License 2.0

Support OIDC for Provider connection #522

Open fproulx-boostsecurity opened 1 year ago

fproulx-boostsecurity commented 1 year ago

Checklist

Describe the problem you'd like to have solved

Similar to how AWS, GCP, Azure terraform providers support OIDC to authenticate from GitHub Actions for instance (https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services) it would be really nice for Auth0 provider to do that too.

That would allow removing any long-term secrets used to connect to the Auth0 provider and make IaC more secure.

Describe the ideal solution

The provider should not only support an OAuth client secret, but also a mechanism to get ephemeral access based on OIDC claims, trusting GitHub Actions.

Alternatives and current workarounds

No response

Additional context

No response
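As an added example (not code from this issue or from the auth0/terraform-provider-auth0 project), the following shows what "ephemeral access based on OIDC claims trusting GitHub Actions" amounts to on the relying-party side: the token presented by the workflow is signature-checked, then its issuer, audience, validity window and subject are evaluated against a trust policy, and only then is a short-lived access record produced instead of a stored client secret. The issuer URL is GitHub's real one; the audience, repository, subjects, key and timestamps are constructed. Signature verification uses HS256 with a constructed shared key purely so the example runs offline; a real verifier validates the RS256 signature against the issuer's published JWKS.

```python
"""Added example: trust-policy evaluation of a GitHub Actions OIDC token
before issuing ephemeral access. Not part of the Auth0 Terraform provider.
HS256 with a constructed key stands in for RS256/JWKS verification."""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional

# Real issuer of GitHub Actions OIDC tokens. The audience is whatever the
# relying party registers; the value used below is constructed.
GITHUB_ACTIONS_ISSUER = "https://token.actions.githubusercontent.com"


@dataclass(frozen=True)
class TrustPolicy:
    audience: str                  # expected "aud" claim
    allowed_subjects: frozenset    # exact "sub" values permitted to deploy
    max_ttl_seconds: int = 900     # cap on the ephemeral credential lifetime


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT (stand-in for the issuer's RS256 signing)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_signature(token: str, key: bytes) -> dict:
    """Reject anything but the expected alg, check the MAC, return claims."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def exchange_for_ephemeral_access(token: str, key: bytes, policy: TrustPolicy,
                                  now: Optional[int] = None, leeway: int = 60) -> dict:
    """Validate iss, aud, exp/nbf and sub against the trust policy and return
    a short-lived access record; any failure raises and nothing is issued."""
    now = int(time.time()) if now is None else now
    claims = verify_signature(token, key)
    if claims.get("iss") != GITHUB_ACTIONS_ISSUER:
        raise PermissionError("untrusted issuer")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if policy.audience not in aud_list:
        raise PermissionError("token not intended for this audience")
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise PermissionError("token expired")
    if "nbf" in claims and now + leeway < claims["nbf"]:
        raise PermissionError("token not yet valid")
    sub = claims.get("sub", "")
    if sub not in policy.allowed_subjects:   # exact match, no wildcards
        raise PermissionError(f"subject {sub!r} not allowed by trust policy")
    # The credential never outlives the token that justified it.
    expires_at = min(claims["exp"], now + policy.max_ttl_seconds)
    return {"subject": sub, "repository": claims.get("repository"),
            "expires_at": expires_at}


# Constructed sample data: a push to main in the allowed repository, and a
# pull_request token from the same repository that the policy must refuse.
DEMO_KEY = b"constructed-demo-key"
DEMO_NOW = 1_700_000_000
DEMO_POLICY = TrustPolicy(
    audience="https://auth0-terraform.example",  # constructed audience
    allowed_subjects=frozenset({"repo:example-org/infra:ref:refs/heads/main"}),
)


def demo_claims(sub: str, ref: str) -> dict:
    return {"iss": GITHUB_ACTIONS_ISSUER, "aud": DEMO_POLICY.audience,
            "sub": sub, "repository": "example-org/infra", "ref": ref,
            "iat": DEMO_NOW - 10, "nbf": DEMO_NOW - 10, "exp": DEMO_NOW + 300}


GOOD_TOKEN = mint_token(
    demo_claims("repo:example-org/infra:ref:refs/heads/main", "refs/heads/main"), DEMO_KEY)
PR_TOKEN = mint_token(
    demo_claims("repo:example-org/infra:pull_request", "refs/pull/7/merge"), DEMO_KEY)

if __name__ == "__main__":
    print(exchange_for_ephemeral_access(GOOD_TOKEN, DEMO_KEY, DEMO_POLICY, now=DEMO_NOW))
```

The subject strings follow GitHub's documented `sub` layout (`repo:<owner>/<repo>:ref:refs/heads/<branch>` for pushes, `repo:<owner>/<repo>:pull_request` for pull requests), which is why pinning the trust policy to an exact subject rather than the repository alone is the point of the check: a workflow running on a pull-request ref in the same repository gets no credential.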

sergiught commented 1 year ago

Hey @fproulx-boostsecurity 👋🏻

Thanks for raising this with us, it's a great suggestion! 🥳 Additionally we could expand further and include even more ways of authenticating, even leveraging the Auth0 CLI.

To set some realistic expectations, at the moment our biggest focus is to get this provider to a stable v1. So tackling something like additional authentication options will most likely come afterwards.

We'll keep you updated and leave the issue open until then.

monde commented 1 year ago

Just throwing this out there from the Okta workforce identity side of the house. We are currently working with Hashicorp to implement Dynamic Provider Credentials https://developer.hashicorp.com/terraform/cloud-docs/workspaces/dynamic-provider-credentials for the Okta Terraform Provider in Terraform Cloud using their Workload Identity Token https://developer.hashicorp.com/terraform/cloud-docs/workspaces/dynamic-provider-credentials/workload-identity-tokens. The workload id token is OIDC based. We'll keep @sergiught in the loop on this work should any of this art be transferable to the customer identity side of the house.

jdelforno commented 9 months ago

Just throwing this out there from the Okta workforce identity side of the house. We are currently working with Hashicorp to implement Dynamic Provider Credentials https://developer.hashicorp.com/terraform/cloud-docs/workspaces/dynamic-provider-credentials for the Okta Terraform Provider in Terraform Cloud using their Workload Identity Token https://developer.hashicorp.com/terraform/cloud-docs/workspaces/dynamic-provider-credentials/workload-identity-tokens. The workload id token is OIDC based. We'll keep @sergiught in the loop on this work should any of this art be transferable to the customer identity side of the house.

I appreciate the effort you're going to in order to accomplish that; however, I'd imagine the vast majority of us don't want to sign up with HashiCorp's Terraform Cloud, especially in line with existing CI/CD tools that we're all invested in, and in lieu of corporate requirements/procurement getting in the way.

Is there any chance of having an OIDC connection without the bells and whistles as a first step?