pulumi / pulumi-okta

An Okta Pulumi resource package, providing multi-language access to Okta
Apache License 2.0

Cannot remove Refresh Token Grant #224

Open NArnott opened 2 years ago

NArnott commented 2 years ago

What happened?

I created an Okta Application (Pulumi OAuth resource) with a "refresh_token" grant type, specifying both the RefreshTokenRotation and RefreshTokenLeeway. Now, I want to update the resource to no longer include refresh_token. However, I get the following error:

failed to update OAuth application: the API returned an error: Api validation failed: App Instance. Causes: errorSummary: ''refresh_token'' grant type is required to configure ''refresh_token'' settings.

I have tried both setting the args for RefreshTokenRotation and RefreshTokenLeeway to null, as well as just not specifying them at all, but I get the error both ways. It seems that I cannot remove this grant using Pulumi no matter what I try.

Steps to reproduce

  1. Create an OAuth resource with two grants: authorization_code and refresh_token.
  2. Apply
  3. Remove the refresh_token grant.
  4. Apply again, get error.

Expected Behavior

I expect the refresh_token grant to be removed, as if I unchecked the checkbox in Okta.

Actual Behavior

The refresh_token grant is not removed, and I get the following error instead:

failed to update OAuth application: the API returned an error: Api validation failed: App Instance. Causes: errorSummary: ''refresh_token'' grant type is required to configure ''refresh_token'' settings.

Output of pulumi about

CLI
Version      3.37.2
Go Version   go1.17.12
Go Compiler  gc

Plugins
NAME          VERSION
aws           5.13.0
dotnet        unknown
kubernetes    3.21.0
mongodbatlas  3.5.0
okta          3.15.0

Host
OS       Microsoft Windows 10 Enterprise
Version  10.0.19044 Build 19044
Arch     x86_64

This project is written in dotnet: executable='C:\Program Files\dotnet\dotnet.exe' version='6.0.400'

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

NArnott commented 2 years ago

I thought that a workaround would be to manually remove the Refresh Token in the Okta Console, and then run a Pulumi Refresh so it would think it was never applied.

However, even after doing that, the next Pulumi up will still fail with the same error.

I exported the stack, and noticed that the Output for the resource still has:

  "refreshTokenLeeway": 30,
  "refreshTokenRotation": "ROTATE",

Manually deleting those, and then re-importing the stack seems to finally fix the issue, though it still requires all the previous steps to get it working again.
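
The state edit described in the comment above, as an added example that is not part of the thread or the provider's code: it removes the two stale settings from a file written by `pulumi stack export --file state.json`, but only for applications whose recorded grant types no longer include `refresh_token`. The resource type token `okta:app/oAuth:OAuth`, the `grantTypes` output name, the script name and the sample URNs are assumptions; check them against your own export before importing the result.

```python
import json
import sys

# Assumed names (not from the thread): the type token and "grantTypes".
# The two stale keys are the ones quoted in the comment above.
OAUTH_TYPE = "okta:app/oAuth:OAuth"
STALE_KEYS = ("refreshTokenLeeway", "refreshTokenRotation")


def strip_stale_refresh_settings(stack, resource_type=OAUTH_TYPE):
    """Drop stale refresh-token settings from exported stack state.

    Touches only resources of `resource_type` whose recorded grant types
    no longer include refresh_token. Returns the URNs that were changed.
    """
    changed = []
    for res in stack.get("deployment", {}).get("resources", []):
        outputs = res.get("outputs")
        if res.get("type") != resource_type or not isinstance(outputs, dict):
            continue
        if "refresh_token" in (outputs.get("grantTypes") or []):
            continue  # grant still enabled: its settings are legitimate
        removed = [k for k in STALE_KEYS if outputs.pop(k, None) is not None]
        if removed:
            changed.append(res["urn"])
    return changed


# Constructed sample in the shape of a `pulumi stack export` file.
SAMPLE = {"version": 3, "deployment": {"resources": [
    {"urn": "urn:pulumi:dev::demo::okta:app/oAuth:OAuth::spa", "type": OAUTH_TYPE,
     "outputs": {"grantTypes": ["authorization_code"],
                 "refreshTokenLeeway": 30, "refreshTokenRotation": "ROTATE"}},
    {"urn": "urn:pulumi:dev::demo::okta:app/oAuth:OAuth::api", "type": OAUTH_TYPE,
     "outputs": {"grantTypes": ["authorization_code", "refresh_token"],
                 "refreshTokenLeeway": 0, "refreshTokenRotation": "STATIC"}},
]}}

if __name__ == "__main__":
    # Usage: python strip_refresh.py state.json fixed.json
    # With no arguments, runs against the constructed sample instead.
    from_file = len(sys.argv) == 3
    stack = json.load(open(sys.argv[1])) if from_file else SAMPLE
    for urn in strip_stale_refresh_settings(stack):
        print("cleaned:", urn, file=sys.stderr)
    if from_file:
        with open(sys.argv[2], "w") as out:
            json.dump(stack, out, indent=4)
```

The cleaned file goes back in with `pulumi stack import --file fixed.json`; keep the original export as a backup.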