zitadel / terraform-provider-zitadel

Official Terraform provider for ZITADEL
https://zitadel.com
Apache License 2.0

unable to obtain client_id/ client_secret from zitadel_org_oidc_idp #151

Closed pva2007 closed 2 days ago

pva2007 commented 8 months ago

Preflight Checklist

Version

1.7.0

ZITADEL Version

v2.43.3

Describe the problem caused by this bug

I'm creating an application in a project, which works as expected with OIDC_GRANT_TYPE_AUTHORIZATION_CODE, but I'm unable to obtain the client_id/client_secret from the created application for further usage. Neither the data source zitadel_org_oidc_idp nor zitadel_application_oidc provides them.

Documentation states these are available read-only: https://registry.terraform.io/providers/zitadel/zitadel/latest/docs/data-sources/org_oidc_idp#client_id

To reproduce

Creation of a zitadel_application_oidc resource:

resource "zitadel_application_oidc" "proxy_app" {
  org_id        = var.zitadel_org_id
  project_id    = var.zitadel_project_id
  name          = var.zitadel_application_name
  redirect_uris = length(var.zitadel_redirect_uris) != 0 ? var.zitadel_redirect_uris : ["http://${local.container_name}:4180/oauth2/callback"]

  # currently I'm using only OIDC_GRANT_TYPE_AUTHORIZATION_CODE
  response_types              = [var.zitadel_response_types]
  grant_types                 = [var.zitadel_grant_types]
  post_logout_redirect_uris   = var.zitadel_post_logout_redirect_uris
  app_type                    = var.zitadel_app_type
  auth_method_type            = var.zitadel_auth_method_type
  clock_skew                  = var.zitadel_clock_skew
  access_token_type           = var.zitadel_access_token_type
  access_token_role_assertion = var.zitadel_access_token_role_assertion
  id_token_role_assertion     = var.zitadel_id_token_role_assertion
  id_token_userinfo_assertion = var.zitadel_id_token_userinfo_assertion
}

creating data resources:

data "zitadel_application_oidc" "proxy_app" {
  org_id     = var.zitadel_org_id
  project_id = var.zitadel_project_id
  app_id     = zitadel_application_oidc.proxy_app.id
}

data "zitadel_org_oidc_idp" "proxy_app" {
  org_id = var.zitadel_org_id
  id     = data.zitadel_application_oidc.proxy_app.id
}

All below options don't provide values and throw errors:

env = {
  "OAUTH2_PROXY_CLIENT_ID=${data.zitadel_application_oidc.proxy_app.client_id}",
  "OAUTH2_PROXY_CLIENT_ID=${data.zitadel_org_oidc_idp.proxy_app.client_id}",
}

Screenshots

No response

Expected behavior

Either the data resource zitadel_org_oidc_idp or zitadel_application_oidc should be able to provide the sensitive values.

Relevant Configuration

No response

Additional Context

No response

stebenz commented 2 weeks ago

The problem here as a datasource is that the client_secret is only provided at creation or if the secret is newly generated, do we maybe have to change this logic? @hifabienne

hifabienne commented 2 weeks ago

> The problem here as a datasource is that the client_secret is only provided at creation or if the secret is newly generated, do we maybe have to change this logic? @hifabienne

In my opinion from an api perspective in ZITADEL this makes sense as it is. But not sure how it should be in the terraform provider. I also don't really get why this is the problem. In the issue description it talks about creating a client, why does it not get the secret in that case?

stebenz commented 2 days ago

@pva2007 The ZITADEL API only returns the client secret when it is created. After that, there is no way to read the secret from the ZITADEL API anymore.

If you want to have the client secret in your Terraform state so you can reference it, either create a new app using Terraform or import the resource by providing the secret.

Please create an issue related to the regeneration of the secret if necessary, but for the datasource I still see no way besides the import.
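As an added illustration of the workaround described above (not part of the thread or the provider's own docs): when Terraform creates the application itself, the secret is captured in state and can be referenced from the managed resource instead of a data source. It assumes the zitadel_application_oidc resource exposes client_id and client_secret as computed attributes and reuses the variables and local.container_name from the issue.

```hcl
# Added example: reference client_id/client_secret from the managed resource.
# Assumes the zitadel_application_oidc resource exposes both as computed
# attributes; client_secret is only populated when Terraform creates the app,
# since the ZITADEL API never returns it on a later read.
resource "zitadel_application_oidc" "proxy_app" {
  org_id           = var.zitadel_org_id
  project_id       = var.zitadel_project_id
  name             = var.zitadel_application_name
  redirect_uris    = ["http://${local.container_name}:4180/oauth2/callback"]
  response_types   = ["OIDC_RESPONSE_TYPE_CODE"]
  grant_types      = ["OIDC_GRANT_TYPE_AUTHORIZATION_CODE"]
  app_type         = "OIDC_APP_TYPE_WEB"
  auth_method_type = "OIDC_AUTH_METHOD_TYPE_BASIC"
}

# Constructed environment for the oauth2-proxy container: both values come
# from the resource's state, so no zitadel_application_oidc or
# zitadel_org_oidc_idp data source is needed.
locals {
  oauth2_proxy_env = [
    "OAUTH2_PROXY_CLIENT_ID=${zitadel_application_oidc.proxy_app.client_id}",
    "OAUTH2_PROXY_CLIENT_SECRET=${zitadel_application_oidc.proxy_app.client_secret}",
  ]
}

# Mark the output sensitive so the secret is redacted from plan/apply logs.
# It still lives in the state file, so the state backend must be protected.
output "proxy_app_client_secret" {
  value     = zitadel_application_oidc.proxy_app.client_secret
  sensitive = true
}
```

If the application already exists and was not created by this configuration, the secret must be supplied at import time, as the maintainer notes; a data source alone cannot recover it.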