A Terraform provider to manage Okta resources, enabling infrastructure-as-code provisioning and management of users, groups, applications, and other Okta objects.
Community Note
Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment
Preamble
This request might belong upstream against okta-sdk-golang.
Please let me know if this is the case and I'd be happy to raise this again over there.
Feature Request
I'd like the Okta Terraform provider to accept a signed JWT as an input variable.
The provider can then exchange this signed JWT for an access token using the "token" endpoint.
Once the provider has exchanged the JWT for an access token, things can proceed as normal.
I believe this has the potential to be more secure than existing options.
API Tokens and Private Keys need not be involved at all.
The Okta Terraform provider can also choose to not expose the Access Token to the Terraform configuration.
With this approach the only sensitive attribute exposed to Terraform is a one-time-use token (as far as I know signed JWTs are one-time use).
This token can only be exchanged for an access token with predetermined scopes that the attacker has no control over.
New or Affected Resource(s)
Potential Terraform Configuration
References
1751
1714
1715
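As an added example in Go (not code from this issue, from terraform-provider-okta or from okta-sdk-golang), here is the exchange the feature request describes: the provider takes a pre-signed assertion, checks locally that it is a three-segment JWS whose `aud` is the org's token endpoint and whose `exp` is still in the future, POSTs it to `/oauth2/v1/token` as a `client_credentials` grant with `client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer` and a scope list the provider fixes itself, and wraps the returned access token in a type that only ever writes it into an `Authorization` header, so it cannot be printed or end up in state. The function names, the `0oa-constructed` client id and the placeholder-signed `unsignedFixture` JWT are my own constructions; whether a given assertion may be presented more than once is decided by Okta, so the local checks here are input validation, not replay protection.

```go
// Added example (not terraform-provider-okta or okta-sdk-golang code): exchange a
// pre-signed JWT client assertion for an Okta access token via the OAuth 2.0
// client_credentials grant (private_key_jwt, RFC 7523) without exposing the token.
package main

import (
	"context"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// Client-assertion type registered by RFC 7523; Okta's token endpoint expects it.
const jwtBearerAssertionType = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

// AccessToken hides the secret from %v/%s; Authorize is the only way to use it.
type AccessToken struct{ secret string }

func (AccessToken) String() string              { return "[redacted access token]" }
func (t AccessToken) Authorize(r *http.Request) { r.Header.Set("Authorization", "Bearer "+t.secret) }

// inspectAssertion decodes a compact JWS payload without verifying it (Okta does that) and rejects obviously unusable input.
func inspectAssertion(assertion, tokenURL string, now time.Time) error {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return errors.New("assertion is not a compact JWS (expected 3 segments)")
	}
	var c struct {
		Aud string `json:"aud"`
		Exp int64  `json:"exp"`
		Jti string `json:"jti"`
	}
	if payload, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(payload, &c) != nil {
		return errors.New("assertion payload is not readable JSON claims")
	}
	if c.Aud != tokenURL {
		return fmt.Errorf("aud %q does not match token endpoint %q", c.Aud, tokenURL)
	}
	if !time.Unix(c.Exp, 0).After(now) || c.Jti == "" {
		return errors.New("assertion is expired or has no jti")
	}
	return nil
}

// buildTokenForm is the token-endpoint body; the scope list is fixed by the
// provider, not by whoever supplied the assertion.
func buildTokenForm(assertion string, scopes []string) url.Values {
	return url.Values{
		"grant_type":            {"client_credentials"},
		"scope":                 {strings.Join(scopes, " ")},
		"client_assertion_type": {jwtBearerAssertionType},
		"client_assertion":      {assertion},
	}
}

// exchangeAssertion POSTs the assertion and returns the wrapped token; errors never echo the response body.
func exchangeAssertion(ctx context.Context, hc *http.Client, tokenURL, assertion string, scopes []string) (AccessToken, error) {
	if err := inspectAssertion(assertion, tokenURL, time.Now()); err != nil {
		return AccessToken{}, err
	}
	body := strings.NewReader(buildTokenForm(assertion, scopes).Encode())
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, tokenURL, body)
	if err != nil {
		return AccessToken{}, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := hc.Do(req)
	if err != nil {
		return AccessToken{}, err
	}
	defer resp.Body.Close()
	var tr struct {
		AccessToken string `json:"access_token"`
		TokenType   string `json:"token_type"`
	}
	if resp.StatusCode != http.StatusOK || json.NewDecoder(resp.Body).Decode(&tr) != nil ||
		tr.AccessToken == "" || !strings.EqualFold(tr.TokenType, "Bearer") {
		return AccessToken{}, fmt.Errorf("token endpoint returned HTTP %d or an unusable body", resp.StatusCode)
	}
	return AccessToken{secret: tr.AccessToken}, nil
}

// unsignedFixture is a constructed, JWS-shaped assertion with a placeholder signature; a real org needs a key-signed one.
func unsignedFixture(tokenURL, jti string, exp time.Time) string {
	enc := func(v any) string { b, _ := json.Marshal(v); return base64.RawURLEncoding.EncodeToString(b) }
	claims := map[string]any{"iss": "0oa-constructed", "sub": "0oa-constructed", "aud": tokenURL, "jti": jti, "exp": exp.Unix()}
	return enc(map[string]string{"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".cGxhY2Vob2xkZXI"
}

func main() {
	tokenURL := "https://example.okta.com/oauth2/v1/token" // placeholder org; main sends nothing
	a := unsignedFixture(tokenURL, "jti-1", time.Now().Add(5*time.Minute))
	fmt.Println("local checks:", inspectAssertion(a, tokenURL, time.Now()), "| scope:", buildTokenForm(a, []string{"okta.users.read"}).Get("scope"))
}
```

In a provider the `AccessToken` value would live only in the configured API client; because it has no exported field and `String()` redacts it, a stray `%v` in a log line or a diagnostic cannot leak it, and the scopes requested are whatever the provider hard-codes, not whatever the assertion's supplier asked for.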