magodo / terraform-provider-restful

Terraform provider to manage RESTful resources
https://registry.terraform.io/providers/magodo/restful
Mozilla Public License 2.0

Support OIDC authentication #111

Open mawasile opened 3 months ago

mawasile commented 3 months ago

The provider should support OIDC authentication so that we can call endpoints from the provider inside GitHub pipelines (ideally it should work in a generic way, so that any OIDC provider works).

Example code:

provider "restful" {
  base_url = "http://localhost:3000"
  security = {
    oidc = true

    # for Github Actions
    oidc_request_token = var.oidc_request_token
    oidc_request_url   = var.oidc_request_url

    # for other generic OIDC providers, providing token directly
    oidc_token = var.oidc_token
    # for other generic OIDC providers, reading token from a file
    oidc_token_file_path = var.oidc_token_file_path
  }
  alias = "oidc_github"
}

magodo commented 3 months ago

With a bit of digging in, it turns out there isn't a one-for-all existing Go module to support workload identity federation OIDC auth for now. The most comprehensive one I found is https://pkg.go.dev/golang.org/x/oauth2@v0.22.0/google/externalaccount, but it doesn't support Azure, e.g., as it hardcoded the grant type to be urn:ietf:params:oauth:grant-type:token-exchange, while Azure AD only supports client_credential.

On the other hand, as the STS is a short-lived token, it might be possible to just use the restful_operation resource to get that token in CI like GitHub?

magodo commented 3 months ago

I've successfully constructed a config to showcase how to retrieve and use the Azure access token from a GitHub Action:

https://github.com/magodo/terraform-provider-restful/blob/4bb69446ba167a543fc4e25ac91d09fa8ed856ed/examples/usecases/azure/oidc/main.tf
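The two-step exchange that the linked config performs (GitHub's OIDC endpoint first, then Azure AD's client_credentials grant with the ID token as a client assertion, since Azure does not accept the token-exchange grant type) written out as an added Python example; this is not code from the provider or from the linked main.tf, and the request builders, the unsigned sample token and the example issuer/subject/audience values are constructed here for illustration.

```python
import base64
import json
from urllib.parse import urlencode

# Azure AD accepts a JWT client assertion on the client_credentials grant for workload
# identity federation; it does not accept the RFC 8693 token-exchange grant type.
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def github_oidc_token_request(request_url, request_token, audience):
    """Step 1: GET that asks the GitHub Actions OIDC endpoint for an ID token.
    request_url/request_token come from ACTIONS_ID_TOKEN_REQUEST_URL and
    ACTIONS_ID_TOKEN_REQUEST_TOKEN (present only with `permissions: id-token: write`).
    Returns (method, url, headers); the response JSON carries the token under "value"."""
    sep = "&" if "?" in request_url else "?"
    return "GET", f"{request_url}{sep}audience={audience}", {"Authorization": f"bearer {request_token}"}

def azure_federated_token_request(tenant_id, client_id, id_token, scope):
    """Step 2: POST that trades the GitHub ID token for an Azure AD access token.
    No client secret is involved: the ID token itself is the client assertion.
    Returns (method, url, form-encoded body)."""
    body = {"grant_type": "client_credentials", "client_id": client_id, "scope": scope,
            "client_assertion_type": CLIENT_ASSERTION_TYPE, "client_assertion": id_token}
    return "POST", f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token", urlencode(body)

def jwt_claims(token):
    """Decode a compact JWT's payload without verifying it (Azure verifies the signature)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def assertion_matches_federated_credential(token, issuer, subject, audience):
    """Pre-flight check: the federated credential on the Azure app matches on issuer, subject
    (repo, ref or environment) and audience, so a mismatch here means the exchange will fail."""
    c = jwt_claims(token)
    return c.get("iss") == issuer and c.get("sub") == subject and c.get("aud") == audience

def _unsigned_jwt(claims):
    """Constructed, unsigned sample token for offline illustration only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f'{enc({"alg": "none", "typ": "JWT"})}.{enc(claims)}.'

# Constructed claims shaped like a GitHub Actions ID token for the main branch of a repo.
SAMPLE_TOKEN = _unsigned_jwt({"iss": "https://token.actions.githubusercontent.com",
                              "sub": "repo:example-org/example-repo:ref:refs/heads/main",
                              "aud": "api://AzureADTokenExchange"})
```

The same two requests are what a pair of restful_operation resources would issue in CI; the pre-flight claim check is the thing to look at first when the Azure exchange returns an invalid-assertion error.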

mawasile commented 3 months ago

Thanks, let me try that out in our use case, but if that works I would take that as an ok workaround.