hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Unable to set Authorization Grant Type to Authorization Code with PKCE #24680

Open ruankrTs opened 9 months ago

ruankrTs commented 9 months ago

Terraform Version

1.6.0

AzureRM Provider Version

3.89.0

Affected Resource(s)/Data Source(s)

azurerm_api_management_authorization_server

Terraform Configuration Files

provider "azurerm" {
  features {}
}

data "azurerm_api_management" "example" {
  name                = "search-api"
  resource_group_name = "search-service"
}

resource "azurerm_api_management_authorization_server" "example" {
  name                         = "test-server"
  api_management_name          = data.azurerm_api_management.example.name
  resource_group_name          = data.azurerm_api_management.example.resource_group_name
  display_name                 = "Test Server"
  authorization_endpoint       = "https://example.mydomain.com/client/authorize"
  client_id                    = "42424242-4242-4242-4242-424242424242"
  client_registration_endpoint = "https://example.mydomain.com/client/register"

  grant_types = [
    "authorizationCode",
    "authorizationCodeWithPkce"
  ]
  authorization_methods = [
    "GET",
  ]
}

Debug Output/Panic Output

│ Error: expected grant_types to be one of ["authorizationCode" "clientCredentials" "implicit" "resourceOwnerPassword"], got authorizationCodeWithPkce
│
│   with resource.azurerm_api_management_authorization_server.example,
│   on ./main.tf line 19, in resource "azurerm_api_management_authorization_server" "example":
│  19:   grant_types                  = ["authorizationCode","authorizationCodeWithPkce"]

Operation failed: failed running terraform plan (exit 1)

Expected Behaviour

Should have the ability to specify "authorizationCodeWithPkce". When added in the portal it works:

{
  "type": "Microsoft.ApiManagement/service/authorizationServers",
  "apiVersion": "2023-03-01-preview",
  "name": "test-server",
  "dependsOn": [
    "[resourceId('Microsoft.ApiManagement/service', parameters('search-api'))]"
  ],
  "properties": {
    "displayName": "Test Server",
    "clientRegistrationEndpoint": "https://example.mydomain.com/client/register",
    "authorizationEndpoint": "https://example.mydomain.com/client/authorize",
    "authorizationMethods": [ "GET" ],
    "clientAuthenticationMethod": [ "Basic" ],
    "tokenBodyParameters": [],
    "tokenEndpoint": "",
    "useInTestConsole": true,
    "useInApiDocumentation": false,
    "supportState": true,
    "defaultScope": "openid offline_access",
    "grantTypes": [ "authorizationCodeWithPkce", "clientCredentials" ],
    "bearerTokenSendingMethods": [ "authorizationHeader" ],
    "clientId": "42424242-4242-4242-4242-424242424242"
  }
}

Actual Behaviour

Fails with unexpected value

Steps to Reproduce

No response

Important Factoids

No response

References

No response

sinbai commented 9 months ago

Hi @ruankr, thanks for opening this issue. It is worth mentioning that Terraform uses the Azure REST API to manage Azure resources. Currently Terraform is already using the latest version of the Azure REST API; there is no authorizationCodeWithPkce in the enum, so, sorry to say, there is nothing Terraform can do about it.

In addition, the 2023-03-01 preview API does not include authorizationCodeWithPkce; it is recommended to open an issue in this repo to confirm.

ruankrTs commented 9 months ago

@sinbai I was able to successfully create an authorization server configured with authorizationCodeWithPkce using:

Terraform (AzAPI provider) resource definition

My code looks like this:

resource "azapi_resource" "oath_server" {
  # Preview API version reached directly through azapi; azurerm's schema rejects the PKCE grant type.
  type      = "Microsoft.ApiManagement/service/authorizationServers@2023-05-01-preview"
  name      = "test-oath-server"
  parent_id = azurerm_api_management.example.id
  body = jsonencode({
    # Property names are the ARM API's camelCase names, as in the portal export above.
    properties = {
      displayName                = "Test Server"
      clientRegistrationEndpoint = "https://example.mydomain.com/client/register"
      authorizationEndpoint      = "https://example.mydomain.com/client/authorize"
      tokenEndpoint              = "https://example.mydomain.com/client/token"
      defaultScope               = "openid offline_access"
      clientId                   = "42424242-4242-4242-4242-424242424242"
      clientSecret               = "abc123"
      clientAuthenticationMethod = ["Basic"]
      bearerTokenSendingMethods  = ["authorizationHeader"]
      description                = "Test PKCE Oauth Server"
      supportState               = false
      useInApiDocumentation      = false
      useInTestConsole           = true
      grantTypes = [
        "authorizationCode",
        "authorizationCodeWithPkce"
      ]
      authorizationMethods = [
        "GET",
      ]
    }
  })
}

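
As an added example (not from the issue, the azurerm provider or the azapi provider), the following Python helper takes an ARM export like the portal one quoted above, reports which grantTypes the azurerm schema would reject at plan time, and derives the equivalent azapi_resource type and body, refusing to copy credential properties into a hard-coded body. The sample export is constructed from the one quoted in the issue, trimmed to the relevant properties.

```python
import json

# grant_types values the azurerm provider validates against (quoted from the
# plan error earlier in this issue); the portal accepts more than this.
AZURERM_GRANT_TYPES = {
    "authorizationCode", "clientCredentials", "implicit", "resourceOwnerPassword",
}

# Constructed sample modelled on the portal export quoted in this issue (trimmed).
PORTAL_EXPORT = json.loads("""
{
  "type": "Microsoft.ApiManagement/service/authorizationServers",
  "apiVersion": "2023-03-01-preview",
  "name": "test-server",
  "dependsOn": ["[resourceId('Microsoft.ApiManagement/service', parameters('search-api'))]"],
  "properties": {
    "displayName": "Test Server",
    "authorizationEndpoint": "https://example.mydomain.com/client/authorize",
    "clientRegistrationEndpoint": "https://example.mydomain.com/client/register",
    "authorizationMethods": ["GET"],
    "grantTypes": ["authorizationCodeWithPkce", "clientCredentials"],
    "clientId": "42424242-4242-4242-4242-424242424242"
  }
}
""")

# Properties of this resource type that carry credentials; keep them out of literals.
SECRET_KEYS = {"clientSecret", "resourceOwnerPassword"}

def unsupported_grant_types(arm_resource):
    """Grant types the azurerm schema rejects at plan time."""
    wanted = set(arm_resource["properties"].get("grantTypes", []))
    return sorted(wanted - AZURERM_GRANT_TYPES)

def azapi_type(arm_resource):
    """azapi_resource 'type' is the ARM type joined to its apiVersion with '@'."""
    return f"{arm_resource['type']}@{arm_resource['apiVersion']}"

def to_azapi_body(arm_resource):
    """Body for azapi_resource: only 'properties', keys kept in the API's camelCase.
    Credential properties are refused so they come from a sensitive variable instead."""
    props = dict(arm_resource["properties"])
    leaked = SECRET_KEYS & set(props)
    if leaked:
        raise ValueError(f"supply {sorted(leaked)} via a sensitive variable, not the body")
    return {"properties": props}
```
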
sinbai commented 9 months ago

@ruankr thanks for the update. Does authorizationCodeWithPkce still work in the stable API version? If yes, it is recommended to first request the API team in the above-mentioned repo to append it to the stable API. If it is only supported in the preview API, then Terraform may not support it currently, regardless of its presence in the preview API. This is because Terraform by default does not onboard preview features, given Terraform is not a breaking-change-tolerant tool.

tombuildsstuff commented 9 months ago

@sinbai FWIW this API version is now available in hashicorp/go-azure-sdk: https://github.com/hashicorp/go-azure-sdk/tree/main/resource-manager/apimanagement/2023-05-01-preview

sinbai commented 9 months ago

@tombuildsstuff thanks for the information. However, even the 2023-05-01-preview API does not include the value authorizationCodeWithPkce for grantTypes. The grantTypes listed in 2023-05-01-preview are as follows, without authorizationCodeWithPkce. [image]

mir-cmavrichi commented 8 months ago

Can confirm what @ruankr proposed works, even though it's not mentioned in the official documentation.

FComisso commented 6 months ago

Is there any workaround available?