Closed andar1an closed 8 months ago
Using data also doesn't work:
```hcl
data "zitadel_application_oidc" "default" {
  org_id     = zitadel_org.default.id
  project_id = zitadel_project.default.id
  app_id     = zitadel_application_oidc.default.id
}

output "application_oidc" {
  value = nonsensitive(zitadel_application_oidc.default.client_secret)
}
```
I am wondering if whatever call is happening for GetClientSecret() is not structured properly in the terraform? I am trying to tease it apart, but it seems like it aligns with grpc or api zitadel endpoints.
In zitadel-go/pkg/client/zitadel/management.pb.go
I have noticed:
```go
func (x *AddOIDCAppResponse) GetClientSecret() string {
	if x != nil {
		return x.ClientSecret
	}
	return ""
}

type AddOIDCAppResponse struct {
	...
	ClientSecret string `protobuf:"bytes,4,opt,name=client_secret,json=clientSecret,proto3" json:"client_secret,omitempty"`
	...
}
```
Which is leading me to believe that x is evaluating to nil. Tracing from here
Will be diving into here later: https://github.com/zitadel/zitadel/tree/main/pkg/grpc
update to not forget: https://github.com/zitadel/zitadel/blob/main/internal/api/grpc/management/project_application.go#L96 -> https://github.com/zitadel/zitadel/blob/main/internal/command/project_application_oidc.go (Potentially relevant lines: 170, 175, 211)
I need to compare calls from web client and calls from go client, but currently think that the Terraform and Web Client application uses the same code from Zitadel Repo. I have never written a Terraform Provider before, so I will try to determine what Terraform uses to interact with Zitadel host. I had trouble finding relevant code in Terraform module before, so I will look to imports. I thought it was using Go Client based on. Hoping this is just user error on my end, but don't know yet.
Now on TF Provider 1.0.4 and Zitadel 2.40.2
I have verified that secret is empty in state as well:
I have also tried manually defining resource "zitadel_org_idp_oidc" with an explicit client id and secret, and the app secret is still empty.
Could the Go crypto module be having issues?
Was crypto module recently upgraded? https://github.com/golang/go/issues/63987
Crypto update 3 weeks ago to 0.14: on Oct 17, 2023 https://github.com/zitadel/zitadel/commit/3bbcc3434ab58d11bb24a07949f54eedcf3cea5b
Regression tested with 2.38.1. Likely not crypto module. Will test with 2.37.3 just in case. 2.40.4 also didn't fix.
update: also tested with 2.37.3 - same issue.
Saw no issues @ /debug/metrics
Closing this, and slightly angry at documentation or error messages. Please indicate that Zitadel PKCE does not return a client secret. Everywhere else I have used this auth method, I have had a client secret as well. Zitadel is the first place I have not used Client Secret with PKCE, and it is nice that I don't have to, but I definitely wasted days of time.
Preflight Checklist
Version
1.0.3
ZITADEL Version
v2.39.1
Describe the problem caused by this bug
Terraform Application OIDC output for client secret is empty.
I have read: https://github.com/zitadel/terraform-provider-zitadel/issues/110, and believe this is a bug as this value should be captured on creation of the resource for output.
To reproduce
To reproduce:
Screenshots
Expected behavior
The secret is not empty on creation.
Relevant Configuration
No response
Additional Context
Currently, I have no way to get the client secret of the application. Digging into code now.
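
Added example, not part of the original thread or of zitadel-go: the nil-safe getter quoted in the thread returns `""` both for a nil response and for a populated response that carries no secret, which is the case the closing comment describes for PKCE. The struct is a local stand-in for the generated type; the `AppId` field, the `SecretState` helper and all sample values are assumptions made for illustration.

```go
package main

import "fmt"

// AddOIDCAppResponse is a local stand-in, not the generated zitadel-go type.
// Only ClientSecret is taken from the thread; AppId is an assumed field.
type AddOIDCAppResponse struct {
	AppId        string
	ClientSecret string
}

// GetClientSecret mirrors the nil-safe getter quoted in the thread.
func (x *AddOIDCAppResponse) GetClientSecret() string {
	if x != nil {
		return x.ClientSecret
	}
	return ""
}

// SecretState (hypothetical helper) separates the cases that the getter
// alone collapses into the same empty string.
func SecretState(resp *AddOIDCAppResponse) string {
	switch {
	case resp == nil:
		return "no response"
	case resp.ClientSecret == "":
		return "response without secret"
	default:
		return "secret issued"
	}
}

func main() {
	// Constructed sample responses, not captured from a real server.
	cases := []*AddOIDCAppResponse{
		nil,
		{AppId: "constructed-app"},
		{AppId: "constructed-app", ClientSecret: "constructed-secret"},
	}
	for _, c := range cases {
		fmt.Printf("getter=%q state=%s\n", c.GetClientSecret(), SecretState(c))
	}
}
```

An empty Terraform output therefore does not by itself show that the response was nil; checking the response pointer separately from the field tells the two apart.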