okta / terraform-provider-okta

A Terraform provider to manage Okta resources, enabling infrastructure-as-code provisioning and management of users, groups, applications, and other Okta objects.
https://registry.terraform.io/providers/okta/okta
Mozilla Public License 2.0

Not able to enable PKCE within okta_idp_oidc module #1731

Closed d02540315 closed 7 months ago

d02540315 commented 1 year ago

Terraform Version

terraform v1.4.6, okta provider v4.4.2

Affected Resource(s)

Terraform Configuration Files

How to enable PKCE in okta_idp_oidc module?


I can't find a corresponding attribute in the Terraform module (okta_idp_oidc): https://registry.terraform.io/providers/okta/okta/latest/docs/resources/idp_oidc

monde commented 1 year ago

Thanks @d02540315. I can see the boolean in the POST body of /api/v1/idps at protocol.credentials.client.pkce_required, so this is a public attribute; see the JSON body below. However, looking at our internal openapi spec I can see it's not listed on IdentityProviderCredentialsClient, therefore it won't be available in our golang SDK or API docs: https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider

I'll open an internal work item on this.

{
  "type": "OIDC",
  "status": "ACTIVE",
  "features": [],
  "name": "Test",
  "protocol": {
    "endpoints": {
      "authorization": {
        "binding": "HTTP-REDIRECT",
        "url": "https://example.com/auth"
      },
      "token": {
        "binding": "HTTP-POST",
        "url": "https://example.com/token"
      },
      "userInfo": null,
      "jwks": {
        "binding": "HTTP-REDIRECT",
        "url": "https://example.com/jwks"
      }
    },
    "scopes": [
      "email",
      "openid",
      "profile"
    ],
    "settings": {
      "nameFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    },
    "type": "SAML2",
    "algorithms": null,
    "credentials": {
      "client": {
        "pkce_required": true,
        "client_id": "abc123",
        "client_secret": "xyx123"
      }
    },
    "issuer": {
      "url": "test"
    }
  },
  "policy": {
    "accountLink": {
      "action": "DISABLED",
      "filter": null
    },
    "provisioning": {
      "action": "AUTO",
      "conditions": {
        "userOffboarding": {
          "action": "NONE"
        },
        "deprovisioned": {
          "action": "NONE"
        },
        "suspended": {
          "action": "NONE"
        }
      },
      "groups": {
        "action": "NONE"
      }
    },
    "maxClockSkew": 120000,
    "subject": {
      "userNameTemplate": {
        "template": "idpuser.email"
      },
      "matchType": "USERNAME",
      "matchAttribute": "",
      "filter": ""
    }
  },
  "_links": {
    "acs": {
      "hints": {
        "allow": []
      }
    },
    "metadata": {
      "hints": {
        "allow": []
      }
    },
    "users": {
      "hints": {
        "allow": []
      }
    },
    "authorize": {
      "hints": {
        "allow": []
      }
    },
    "clientRedirectUri": {
      "hints": {
        "allow": []
      }
    }
  }
}
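Since the provider cannot set `pkce_required` at the time of this thread, the practical follow-up is to verify it out of band. The script below is an added example written for this page, not code from the terraform-provider-okta project or from either commenter. It walks a list of identity-provider objects in the shape of the body quoted above (the same shape the Okta management API returns from `GET /api/v1/idps`) and reports every OIDC IdP whose `protocol.credentials.client.pkce_required` is not `true`. The sample response, the IdP ids and the `fetch_idps` helper (which assumes an SSWS API token and the `requests` library, and does not handle pagination) are assumptions of the example, not data or code from the page.

```python
"""Audit Okta identity providers for protocol.credentials.client.pkce_required.

Added example for this issue thread; not part of terraform-provider-okta.
Runs offline against a constructed sample; fetch_idps() is only for real use.
"""
import json
from typing import Any, Dict, List, Optional

# Constructed sample response (not real tenant data): three OIDC IdPs in the
# three states an auditor cares about (true, false, field absent) plus one
# SAML2 IdP, which PKCE does not apply to.
SAMPLE_IDPS: List[Dict[str, Any]] = json.loads("""
[
  {"id": "0oa-example-1", "type": "OIDC", "name": "Test",
   "protocol": {"type": "OIDC",
     "credentials": {"client": {"pkce_required": true, "client_id": "abc123"}}}},
  {"id": "0oa-example-2", "type": "OIDC", "name": "Legacy",
   "protocol": {"type": "OIDC",
     "credentials": {"client": {"client_id": "def456"}}}},
  {"id": "0oa-example-3", "type": "OIDC", "name": "Partner",
   "protocol": {"type": "OIDC",
     "credentials": {"client": {"pkce_required": false, "client_id": "ghi789"}}}},
  {"id": "0oa-example-4", "type": "SAML2", "name": "Corp SAML",
   "protocol": {"type": "SAML2", "credentials": {}}}
]
""")


def pkce_required(idp: Dict[str, Any]) -> Optional[bool]:
    """Return the pkce_required flag of one IdP, or None when the field is absent.

    Each level is looked up with a default so a partially populated object
    (e.g. a SAML IdP with no client block) does not raise KeyError.
    """
    client = (idp.get("protocol") or {}).get("credentials", {}).get("client", {})
    value = client.get("pkce_required")
    return value if isinstance(value, bool) else None


def find_idps_without_pkce(idps: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return the OIDC IdPs where PKCE is not enforced.

    Both an explicit false and a missing field count as findings: the audit
    does not rely on whatever default the API applies when the field is unset.
    """
    findings = []
    for idp in idps:
        if idp.get("type") != "OIDC":
            continue  # PKCE is an OIDC/OAuth concept; skip SAML and others
        flag = pkce_required(idp)
        if flag is not True:
            findings.append({"id": idp.get("id"), "name": idp.get("name"),
                             "pkce_required": flag})
    return findings


def fetch_idps(org_url: str, api_token: str) -> List[Dict[str, Any]]:
    """Fetch IdPs from a tenant (assumed usage; not called by the offline example).

    Assumes an SSWS API token with permission to read identity providers and
    the `requests` package. The first page only; follow the Link header for more.
    """
    import requests  # imported lazily so the offline example has no dependency
    resp = requests.get(f"{org_url}/api/v1/idps",
                        headers={"Authorization": f"SSWS {api_token}",
                                 "Accept": "application/json"},
                        timeout=30)
    resp.raise_for_status()
    return resp.json()


if __name__ == "__main__":
    for finding in find_idps_without_pkce(SAMPLE_IDPS):
        print(f"{finding['id']} ({finding['name']}): "
              f"pkce_required={finding['pkce_required']}")
```

Run as-is it reports `0oa-example-2` (field absent) and `0oa-example-3` (explicit false) and stays silent on the IdP that already enforces PKCE; to audit a real tenant, replace `SAMPLE_IDPS` with the result of `fetch_idps(...)`.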

monde commented 1 year ago

Okta internal reference: https://oktainc.atlassian.net/browse/OKTA-649252