Creation of new OAuth 2.0 client results in Tainting the resource

[sansub]

We use PingDirectory (LDAP) to store our OAUTH client metadata (not file). We have started seeing this behaviour since we upgraded from PingFederate 9.4 to 11.1. Any new creation of OAUTH 2 Client through terraform results in the below error during the apply stage.

pingfederate_oauth_client.connected_car_client["e2e"]: Modifications complete after 0s [id=oidc_08_e2e_001] ╷ │ Error: Provider produced inconsistent result after apply │ │ When applying changes to │ pingfederate_oauth_client.ev_mob_app_client["e2e"], provider │ "provider[\"registry.terraform.io/iwarapter/pingfederate\"]" produced an │ unexpected new value: .persistent_grant_expiration_time: was │ cty.NumberIntVal(0), but now null. │ │ This is a bug in the provider, which should be reported in the provider's │ own issue tracker.

The respective plan fro the above resource is

pingfederate_oauth_client.ev_mob_app_client["e2e"] will be created

• resource "pingfederate_oauth_client" "ev_mob_app_client" {
  • allow_authentication_api_init = false
  • bypass_approval_page = true
  • client_auth = {
    • encrypted_secret = (known after apply)
    • secret = (sensitive value)
    • type = "SECRET" }
  • client_id = "oidc_09_e2e_001"
  • client_secret_changed_time = (known after apply)
  • client_secret_retention_period_type = "SERVER_DEFAULT"
  • default_access_token_manager_ref = (known after apply)
  • device_flow_setting_type = "SERVER_DEFAULT"
  • enabled = true
  • exclusive_scopes = []
  • grant_types = [
    • "AUTHORIZATION_CODE", ]
  • id = (known after apply)
  • name = "EVMOB OIDC E2E Client"
  • oidc_policy = {
    • grant_access_session_revocation_api = false
    • grant_access_session_session_management_api = false
    • id_token_signing_algorithm = "RS256"
    • pairwise_identifier_user_type = false
    • ping_access_logout_capable = false
    • policy_group = (known after apply) }
  • persistent_grant_expiration_time = 0
  • persistent_grant_expiration_time_unit = "DAYS"
  • persistent_grant_expiration_type = "SERVER_DEFAULT"
  • persistent_grant_idle_timeout = 0
  • persistent_grant_idle_timeout_time_unit = "DAYS"
  • persistent_grant_idle_timeout_type = "SERVER_DEFAULT"
  • persistent_grant_reuse_type = "SERVER_DEFAULT"
  • redirect_uris = [
    • "https://myapp.testsite.co.uk/callback", ]
  • refresh_rolling = "SERVER_DEFAULT"
  • refresh_token_rolling_grace_period_type = "SERVER_DEFAULT"
  • refresh_token_rolling_interval_type = "SERVER_DEFAULT"
  • require_jwt_secured_authorization_response_mode = false
  • require_proof_key_for_code_exchange = false
  • require_pushed_authorization_requests = false
  • require_signed_requests = false
  • restrict_scopes = true
  • restrict_to_default_access_token_manager = false
  • restricted_response_types = [
    • "code", ]
  • restricted_scopes = [
    • "ev_mob_app", ]
  • validate_using_all_eligible_atms = false }

[iwarapter]

hi @sansub, is this a possible duplicate of https://github.com/iwarapter/terraform-provider-pingfederate/issues/263, can you just confirm what your client backing store is?

[sansub]

Thanks for the swift response. My client backing store is PingDirectory (LDAP). I can also confirm that this issue does not occur if the client backing store is XML file

[iwarapter]

This should be fixed in v0.2.0