exitcode0
commented
7 months ago I Don't think there is a "supported" API endpoint for getting groups claim information, When using a SWSS API Token the Terraform provider calls a undocumented / unsupported API Endpoint
Calling undocumented / private API endpoints is something the Okta team (and me as well) would like to move the provider away from as these APIs can change at any time without warning, thus making the Okta Terraform provider brittle
I think it is likely that you'll be redirected to ideas.okta.com to vote on or crate a feature request for the missing API endpoint There likely isn't much the Terraform Provider team can do here until a supported API endpoint is implemented
I hope the broader Okta team(s) can prioritize these API gaps, so the provider team can move the provider over to using better supported API endpoints
wrprice
ypereirareis
Community Note
Description
In an organization with a ton of groups (>> 100) OIDC applications need to be able to filter the groups returned in their
groupsclaim. When using TF for configuration-as-code, we need to be able to configure the filtering conditions or expressions without resorting to clickops in the UI.The provider documentation for the
groups_claimattribute notes a caveat that it is ignored when using OAuth 2.0 credentials.We use OAuth 2.0 credentials so that the TF runner that applies application configuration is limited in what OAuth 2.0 scopes it has, rather than granting carte blanche access as a super-user like a SSWS API token might do. Forcing us to choose between Principle of Least Privilege and robust CaC (without clickops) is not a good place to be.
New or Affected Resource(s)
References
1713