mulesoft-anypoint / terraform-provider-anypoint

The Anypoint Platform Terraform Provider
https://registry.terraform.io/providers/mulesoft-anypoint/anypoint/latest
MIT License

Bug: Cannot create an anypoint_idp_oidc with Identity Client Registration type manual registration #53

Open Tarzac opened 2 months ago

Tarzac commented 2 months ago

There is a bug when creating an IDP with an "Identity Client Registration" of type "Manual Registration".

Source:

resource "anypoint_idp_oidc" "example2" {
  org_id = var.root_org_id
  name = "openid connect provider 2"
  oidc_provider {
    authorize_url = "http://idp.example.com/auth/realms/master/protocol/openid-connect/auth"
    token_url     = "http://idp.example.com/auth/realms/master/protocol/openid-connect/token"
    userinfo_url  = "http://idp.example.com/auth/realms/master/protocol/openid-connect/userinfo"

    issuer = "http://idp.example.com/auth/realms/master"

    client_credentials_id     = "xxxxx-xxxx-xxxx"
    client_credentials_secret = "xxxx-xxxx-xxx-xxx-xxxxxxxxx"

    allow_untrusted_certificates = true
  }
}

Result:

anypoint_idp_oidc.example2: Creating...
╷
│ Error: Unable to create OIDC provider for org xxxxxxx
│
│   with anypoint_idp_oidc.example2,
│   on idp.tf line 1, in resource "anypoint_idp_oidc" "example2":
│    1: resource "anypoint_idp_oidc" "example2" {
│
│ Invalid OIDC provider client registration URL provided
╵
soufi commented 1 month ago

Is your IDP accessible publicly?

This issue is purely functional from what I can see and is not a bug with the provider. The error you have is from the platform's API.

Tarzac commented 2 weeks ago

However, the same request works via the API:

Request:

POST https://anypoint.mulesoft.com/accounts/api/organizations/xxx/identityProviders

{
    "type": {
        "description": "OpenID Connect",
        "name": "openid"
    },
    "oidc_provider": {
        "client": {
            "credentials": {
                "id": "xxxxx-xxxx-xxxx",
                "secret": "xxxx-xxxx-xxx-xxx-xxxxxxxxx"
            }
        },
        "urls": {
            "authorize": "http://idp.example.com/auth/realms/master/protocol/openid-connect/auth",
            "token": "http://idp.example.com/auth/realms/master/protocol/openid-connect/token",
            "userinfo": "http://idp.example.com/auth/realms/master/protocol/openid-connect/userinfo"
        }
    },
    "allow_untrusted_certificates": true,
    "login_disabled": false,
    "name": "openid connect provider 2"
}

Response:

{
  "provider_id": "xxxx",
  "org_id": "xx",
  "name": "openid connect provider 2",
  "type": {
    "description": "OpenID Connect",
    "name": "openid"
  },
  "oidc_provider": {
    "urls": {
      "token": "http://idp.example.com/auth/realms/master/protocol/openid-connect/token",
      "redirect": "https://anypoint.mulesoft.com/accounts/login/xxxx/providers/xxxx",
      "userinfo": "http://idp.example.com/auth/realms/master/protocol/openid-connect/userinfo",
      "authorize": "http://idp.example.com/auth/realms/master/protocol/openid-connect/auth"
    },
    "client": {
      "credentials": {
        "id": "xxxxx-xxxx-xxxx"
      }
    }
  },
  "service_provider": {
    "urls": {
      "sign_on": "http://idp.example.com/auth/realms/master/protocol/openid-connect/auth?response_type=code&scope=openid%20profile%20email&client_id=xxxxx-xxxx-xxxx&redirect_uri=https%3A%2F%2Fanypoint.mulesoft.com%2Faccounts%2Flogin%2Fxxxxx%2Fproviders%xxxxx%2Fredirect"
    }
  },
  "allow_untrusted_certificates": true,
  "arc_namespace": null
}
soufi commented 2 weeks ago

Thank you @Tarzac. It seems that the request definition is not correct from our side. This could explain why the request is not working. Could you please verify this and tell me what else is wrong? Thank you for your help.
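The working API body above sends only "client.credentials" for manual registration, while the platform error complains about a client registration URL. One way a request definition can produce that mismatch is a struct that always serialises every registration field, so an unused mode goes out as an empty string. The Go snippet below is an added illustration of that failure mode and is not the provider's code; the "urls.register" field for dynamic registration is an assumption, since the page only shows the manual-registration shape.

```go
package main

import "encoding/json"

// Mirrors the "oidc_provider.client" object of the working request in this
// issue. The "urls.register" field (dynamic client registration) is an
// assumption; the page only shows manual registration with "credentials".
type Credentials struct {
	ID     string `json:"id"`
	Secret string `json:"secret"`
}
type RegistrationURLs struct {
	Register string `json:"register"`
}

// Loose shape: every field is serialised, so a manual-registration client
// still emits "urls":{"register":""}.
type ClientLoose struct {
	Credentials Credentials      `json:"credentials"`
	URLs        RegistrationURLs `json:"urls"`
}

// Strict shape: pointers plus omitempty, so the unused registration mode is
// left out of the body, matching what the API accepted in this issue.
type ClientStrict struct {
	Credentials *Credentials      `json:"credentials,omitempty"`
	URLs        *RegistrationURLs `json:"urls,omitempty"`
}

func LooseManualClientJSON(id, secret string) string {
	b, _ := json.Marshal(ClientLoose{Credentials: Credentials{ID: id, Secret: secret}})
	return string(b)
}

func StrictManualClientJSON(id, secret string) string {
	b, _ := json.Marshal(ClientStrict{Credentials: &Credentials{ID: id, Secret: secret}})
	return string(b)
}

// HasEmptyRegisterURL reports whether a serialised client body carries a blank
// registration URL, the kind of value a strict API validator would reject.
func HasEmptyRegisterURL(body string) bool {
	var c struct {
		URLs *struct {
			Register *string `json:"register"`
		} `json:"urls"`
	}
	if err := json.Unmarshal([]byte(body), &c); err != nil {
		return false
	}
	return c.URLs != nil && c.URLs.Register != nil && *c.URLs.Register == ""
}
```

Comparing the two serialised bodies against the request Tarzac posted is a quick way to confirm whether the provider is sending fields the manual-registration mode should not carry.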