okta / terraform-provider-okta

A Terraform provider to manage Okta resources, enabling infrastructure-as-code provisioning and management of users, groups, applications, and other Okta objects.
https://registry.terraform.io/providers/okta/okta
Mozilla Public License 2.0

Provider input variable - Signed JWT #1873

Open exitcode0 opened 8 months ago

exitcode0 commented 8 months ago

Community Note

Preamble

This request might belong upstream against okta-sdk-golang. Please let me know if this is the case and I'd be happy to raise this again over there

Feature Request

I'd like the Okta Terraform provider to accept a signed JWT as an input variable. The provider can then exchange this signed JWT for an access token using the "token" endpoint. Once the provider has exchanged the JWT for an access token, things can proceed as normal.

I believe this has the potential to be more secure than existing options. API Tokens and Private Keys need not be involved at all. The Okta Terraform provider can also choose to not expose the Access Token to the Terraform configuration. With this approach the only sensitive attribute exposed to Terraform is a one time use token (as far as I know signed JWTs are one time use). This token can only be exchanged for an access token with predetermined scopes that the attacker has no control over.

New or Affected Resource(s)

Potential Terraform Configuration

provider "okta" {
  # Existing Attributes
  org_name = var.okta_org_name
  base_url = var.okta_base_url
  client_id = var.okta_client_id
  scopes = var.okta_scopes
  private_key_id = var.okta_private_key_id

  # Proposed New attributes (names subject to change)
  signed_jwt = var.okta_signed_jwt
  private_key_algorithm = var.okta_private_key_algorithm # e.g HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512
  access_token_expiry = var.okta_access_token_expiry  # (Int 300-3600) Seconds
}

References
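The exchange the request describes is the standard private_key_jwt client-credentials flow (RFC 7523): a short-lived RS256 assertion, signed outside Terraform by whoever holds the private key, is posted to the org's token endpoint as `client_assertion` and traded for an access token. The Go program below is an added illustration written for this page; it is not code from terraform-provider-okta or okta-sdk-golang. It shows the three pieces involved: minting the assertion (the caller's side), the claim and signature checks the token endpoint will apply (which a provider could run locally to fail fast on a stale or mis-addressed assertion before sending it), and the form body the provider would POST. The client id, org hostname and `jti` values are constructed placeholders; no network call is made.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// AssertionClaims are the claims a private_key_jwt client assertion carries
// (RFC 7523): iss and sub are the client_id, aud is the token endpoint, and
// jti is unique per assertion so the server can refuse a replayed one.
type AssertionClaims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
	Jti string `json:"jti"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignAssertion is the step that stays outside Terraform: the key holder mints
// a short-lived RS256 assertion and hands over only the resulting string.
func SignAssertion(key *rsa.PrivateKey, clientID, tokenEndpoint, jti string, now time.Time, ttl time.Duration) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, err := json.Marshal(AssertionClaims{
		Iss: clientID, Sub: clientID, Aud: tokenEndpoint,
		Iat: now.Unix(), Exp: now.Add(ttl).Unix(), Jti: jti,
	})
	if err != nil {
		return "", err
	}
	signingInput := b64(header) + "." + b64(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// ParseAndVerify applies the checks the token endpoint will apply: signature
// under the registered public key, iss/sub equal to the client_id, aud equal
// to the token endpoint, a jti present, and not yet expired. The algorithm is
// pinned to RS256 instead of being trusted from the header.
func ParseAndVerify(jwt string, pub *rsa.PublicKey, clientID, tokenEndpoint string, now time.Time) (*AssertionClaims, error) {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT: expected three segments")
	}
	raw := make([][]byte, 3)
	var err error
	for i, p := range parts {
		if raw[i], err = base64.RawURLEncoding.DecodeString(p); err != nil {
			return nil, fmt.Errorf("segment %d: %w", i, err)
		}
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unsupported or missing alg; only RS256 is accepted")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	var c AssertionClaims
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != clientID || c.Sub != clientID:
		return nil, errors.New("iss/sub do not match client_id")
	case c.Aud != tokenEndpoint:
		return nil, errors.New("aud is not the token endpoint")
	case c.Jti == "":
		return nil, errors.New("missing jti")
	case now.Unix() >= c.Exp:
		return nil, errors.New("assertion has expired")
	}
	return &c, nil
}

// TokenRequestForm is the body the provider would POST to the org's
// /oauth2/v1/token endpoint: client_credentials with a jwt-bearer assertion.
// The scopes are fixed by the caller, which is why a leaked assertion cannot
// be used to widen them.
func TokenRequestForm(assertion string, scopes []string) url.Values {
	return url.Values{
		"grant_type":            {"client_credentials"},
		"scope":                 {strings.Join(scopes, " ")},
		"client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"},
		"client_assertion":      {assertion},
	}
}

func main() {
	// Constructed sample values: placeholder client_id and org hostname.
	const clientID, endpoint = "0oa-example-client", "https://example.okta.com/oauth2/v1/token"
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	jwt, _ := SignAssertion(key, clientID, endpoint, "jti-0001", time.Now(), 5*time.Minute)
	if _, err := ParseAndVerify(jwt, &key.PublicKey, clientID, endpoint, time.Now()); err != nil {
		panic(err)
	}
	form := TokenRequestForm(jwt, []string{"okta.users.read", "okta.groups.read"})
	fmt.Println("POST body keys:", "grant_type, scope, client_assertion_type, client_assertion")
	fmt.Println("assertion (truncated):", jwt[:24]+"...", "scope:", form.Get("scope"))
}
```

The `ParseAndVerify` step is where the defensive value lies: pinning `alg`, binding `aud` to the exact token endpoint, and requiring a fresh `exp` and a `jti` are what keep a captured assertion from being usable elsewhere or later. In a real provider the access token returned by the endpoint would be held in memory only and never written into state or outputs, matching the request's point about not exposing it to the configuration.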

exitcode0 commented 7 months ago

@duytiennguyen-okta @monde - Any thoughts on this one?

duytiennguyen-okta commented 5 months ago

OKTA internal reference https://oktainc.atlassian.net/browse/OKTA-718180