okta / terraform-provider-okta

A Terraform provider to manage Okta resources, enabling infrastructure-as-code provisioning and management of users, groups, applications, and other Okta objects.
https://registry.terraform.io/providers/okta/okta
Mozilla Public License 2.0

Unable To Use Certain OAuth Grants #1684

Open tgoodsell-tempus opened 1 year ago

tgoodsell-tempus commented 1 year ago

Terraform Version

1.5.5

Terraform Configuration Files

resource "okta_app_oauth_api_scope" "okta_iac_management" {
  app_id = okta_app_oauth.okta_iac.id
  issuer = module.auth_servers.info.AUTH_SERVER_URL
  scopes = [
    "okta.appGrants.manage",
    "okta.apps.manage",
    "okta.authorizationServers.manage",
    "okta.brands.manage",
    "okta.eventHooks.manage",
    "okta.groups.manage",
    "okta.inlineHooks.manage",
    "okta.orgs.read",
    "okta.policies.manage",
    "okta.roles.manage",
    "okta.trustedOrigins.manage",
    "okta.users.manage",
  ]
}

Debug Output

│ Error: expected value to be one of 'okta.agentPools.manage', 'okta.agentPools.read', 'okta.apiTokens.manage', 'okta.apiTokens.read', 'okta.apps.manage', 'okta.apps.read', 'okta.authorizationServers.manage', 'okta.authorizationServers.read', 'okta.authenticators.manage', 'okta.authenticators.read', 'okta.behaviors.manage', 'okta.behaviors.read', 'okta.brands.manage', 'okta.brands.read', 'okta.captchas.manage', 'okta.captchas.read', 'okta.clients.manage', 'okta.clients.read', 'okta.clients.register', 'okta.deviceAssurance.manage', 'okta.deviceAssurance.read', 'okta.devices.manage', 'okta.devices.read', 'okta.domains.manage', 'okta.domains.read', 'okta.emailDomains.manage', 'okta.emailDomains.read', 'okta.emailServers.manage', 'okta.emailServers.read', 'okta.eventHooks.manage', 'okta.eventHooks.read', 'okta.events.read', 'okta.features.read', 'okta.factors.manage', 'okta.factors.read', 'okta.features.manage', 'okta.features.read', 'okta.groups.manage', 'okta.groups.read', 'okta.identitySources.manage', 'okta.identitySources.read', 'okta.idps.manage', 'okta.idps.read', 'okta.inlineHooks.manage', 'okta.inlineHooks.read', 'okta.linkedObjects.manage', 'okta.linkedObjects.read', 'okta.logStreams.manage', 'okta.logStreams.read', 'okta.logs.read', 'okta.networkZones.manage', 'okta.networkZones.read', 'okta.oauthIntegrations.manage', 'okta.oauthIntegrations.read', 'okta.orgs.manage', 'okta.orgs.read', 'okta.policies.manage', 'okta.policies.read', 'okta.principalRateLimits.manage', 'okta.principalRateLimits.read', 'okta.profileMappings.manage', 'okta.profileMappings.read', 'okta.pushProviders.manage', 'okta.pushProviders.read', 'okta.rateLimits.manage', 'okta.rateLimits.read', 'okta.realms.manage', 'okta.realms.read', 'okta.riskEvents.manage', 'okta.riskProviders.manage', 'okta.riskProviders.read', 'okta.roles.manage', 'okta.roles.read', 'okta.schemas.manage', 'okta.schemas.read', 'okta.sessions.manage', 'okta.sessions.read', 'okta.templates.manage', 'okta.templates.read', 
'okta.threatInsights.manage', 'okta.threatInsights.read', 'okta.trustedOrigins.manage', 'okta.trustedOrigins.read', 'okta.users.manage', 'okta.users.read', 'okta.users.manage.self', 'okta.users.read.self', 'okta.userTypes.manage', 'okta.userTypes.read', got 'okta.appGrants.manage'
│ 
│   with okta_app_oauth_api_scope.okta_iac_management,
│   on iac.tf line 110, in resource "okta_app_oauth_api_scope" "okta_iac_management":
│  110:   scopes = [
│  111:     "okta.appGrants.manage",
│  112:     "okta.apps.manage",
│  113:     "okta.authorizationServers.manage",
│  114:     "okta.brands.manage",
│  115:     "okta.eventHooks.manage",
│  116:     "okta.groups.manage",
│  117:     "okta.inlineHooks.manage",
│  118:     "okta.orgs.read",
│  119:     "okta.policies.manage",
│  120:     "okta.roles.manage",
│  121:     "okta.trustedOrigins.manage",
│  122:     "okta.users.manage",
│  123:   ]

Expected Behavior

Okta OAuth 2.0 Grant Scopes should be available for use: https://developer.okta.com/docs/release-notes/2023/#oauth-2-0-grant-scopes-added

Can this be done in the Admin UI?

I don't know

Can this be done in the actual API call?

I don't know

Actual Behavior

Error during terraform plan stating grant is not valid.

Steps to Reproduce

Use configuration above

tgoodsell-tempus commented 1 year ago

FYI: I did look and I can confirm we're on a "Classic" tenant (Version 2023.08.2 C); however, this error is being observed on our "preview" tenant, which is on OIE (Version 2023.08.2 E).

tgoodsell-tempus commented 1 year ago

I can confirm we got the same error on both our Classic and OIE tenants.

duytiennguyen-okta commented 1 year ago

@tgoodsell-tempus This error came straight out of the API and is not the result of Terraform. The error message is descriptive of the problem. Can you change your config to match what is described in the error?

duytiennguyen-okta commented 1 year ago

Upon further investigation, it seems that the API has removed okta.appGrants.manage and okta.appGrants.read from the acceptable scopes.

tgoodsell-tempus commented 1 year ago

https://developer.okta.com/docs/release-notes/2023/#oauth-2-0-grant-scopes-added

Yes I'm rather confused by that, as the API reference alludes to that being the required grant for performing operations on the grants endpoint of a given app.

See: https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationGrants/

tgoodsell-tempus commented 1 year ago

The following screenshot shows it's possible to set this using the Admin UI. So is this rather a bug with the management API instead?

[Screenshot (2023-09-07 1:32:57 PM): Admin UI]
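As an added example, not code from the issue author or from the okta/terraform-provider-okta project: a small Python script that answers the "can this be done in the actual API call?" question directly against the Application Grants endpoint cited above (GET/POST /api/v1/apps/{appId}/grants), and that also finds every scope the provider's validator rejects from a single "expected value to be one of ..." error rather than the first one only. It assumes the org URL, an SSWS API token and the app ID are supplied through the environment variables OKTA_ORG_URL, OKTA_API_TOKEN and OKTA_APP_ID (hypothetical names), uses the org URL as the grant issuer, and embeds a constructed grants payload and error text for the offline checks.

```python
"""Check which Okta API scopes an OAuth app has been granted, try to grant the
missing ones through the Application Grants API, and list every scope a
Terraform provider validation error rejects.

Added example for this thread, not project code.  Network calls only happen
under __main__ with OKTA_ORG_URL / OKTA_API_TOKEN / OKTA_APP_ID set (assumed,
hypothetical variable names); everything else runs offline on constructed data.
"""
import json
import os
import re
import urllib.error
import urllib.request

# Scopes requested by the configuration in this issue.
DESIRED_SCOPES = [
    "okta.appGrants.manage",
    "okta.apps.manage",
    "okta.authorizationServers.manage",
    "okta.brands.manage",
    "okta.eventHooks.manage",
    "okta.groups.manage",
    "okta.inlineHooks.manage",
    "okta.orgs.read",
    "okta.policies.manage",
    "okta.roles.manage",
    "okta.trustedOrigins.manage",
    "okta.users.manage",
]

# Constructed sample in the shape of a GET /api/v1/apps/{appId}/grants response.
SAMPLE_GRANTS = [
    {"id": "oag1", "status": "ACTIVE", "scopeId": "okta.apps.manage",
     "issuer": "https://example.okta.com", "clientId": "0oa1example"},
    {"id": "oag2", "status": "ACTIVE", "scopeId": "okta.groups.manage",
     "issuer": "https://example.okta.com", "clientId": "0oa1example"},
]

# Constructed, shortened copy of the provider error format seen in this issue.
SAMPLE_ERROR = (
    "│ Error: expected value to be one of 'okta.apps.manage', 'okta.apps.read',\n"
    "'okta.users.manage', got 'okta.appGrants.manage'"
)


def scopes_from_grants(grants):
    """Set of scopeIds currently granted (entries without a status count as active)."""
    return {g["scopeId"] for g in grants if g.get("status", "ACTIVE") == "ACTIVE"}


def missing_scopes(desired, granted):
    """Desired scopes that are not granted yet, in the desired order."""
    return [s for s in desired if s not in granted]


def rejected_by_validator(desired, error_text):
    """Parse the allowed list out of an 'expected value to be one of' error and
    return every desired scope outside it; Terraform itself stops at the first."""
    m = re.search(r"expected value to be one of (.*?), got '", error_text, re.S)
    if not m:
        return []
    allowed = set(re.findall(r"'([^']+)'", m.group(1)))
    return [s for s in desired if s not in allowed]


def _request(method, url, token, body=None):
    """Minimal SSWS-authenticated JSON request; returns (status, decoded body)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"SSWS {token}",
        "Accept": "application/json",
        "Content-Type": "application/json",
    })
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw, status = resp.read(), resp.status
    except urllib.error.HTTPError as e:  # 4xx/5xx: report, do not raise
        raw, status = e.read(), e.code
    try:
        return status, json.loads(raw) if raw else None
    except ValueError:
        return status, raw.decode(errors="replace")


def list_grants(org_url, token, app_id):
    status, body = _request("GET", f"{org_url}/api/v1/apps/{app_id}/grants", token)
    if status != 200:
        raise RuntimeError(f"GET grants failed: {status} {body}")
    return body


def grant_scope(org_url, token, app_id, scope_id):
    """POST one grant; Okta API scopes are issued by the org authorization server,
    so the issuer is the org URL.  Returns (status, body) so a scope the API
    refuses shows up as an error body instead of an exception."""
    return _request("POST", f"{org_url}/api/v1/apps/{app_id}/grants", token,
                    {"issuer": org_url, "scopeId": scope_id})


if __name__ == "__main__":
    org = os.environ["OKTA_ORG_URL"].rstrip("/")
    token = os.environ["OKTA_API_TOKEN"]
    app_id = os.environ["OKTA_APP_ID"]
    granted = scopes_from_grants(list_grants(org, token, app_id))
    for scope in missing_scopes(DESIRED_SCOPES, granted):
        status, body = grant_scope(org, token, app_id, scope)
        print(scope, status, "granted" if status < 400 else body)
```

If the POST for okta.appGrants.manage comes back with an error body while the Admin UI accepts the same scope, that isolates the discrepancy to the management API rather than the provider. Note also that okta_app_oauth_api_scope expects the org URL as its issuer for these Okta API scopes, which is why the script grants against the org URL rather than a custom authorization server.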

duytiennguyen-okta commented 1 year ago

OKTA internal reference https://oktainc.atlassian.net/browse/OKTA-651882