add pkce_required for okta_idp_oidc
duytiennguyen-okta committed Jan 24, 2024
1 parent 0c04e25 commit c558d58
Showing 3 changed files with 114 additions and 9 deletions.
33 changes: 24 additions & 9 deletions okta/resource_okta_idp_oidc.go
Expand Up @@ -44,13 +44,20 @@ func resourceIdpOidc() *schema.Resource {
Optional: true,
},
"client_id": {
Type: schema.TypeString,
Required: true,
Type: schema.TypeString,
Required: true,
Description: "Unique identifier (opens new window)issued by the AS for the Okta IdP instance",
},
"client_secret": {
Type: schema.TypeString,
Required: true,
Sensitive: true,
Type: schema.TypeString,
Required: true,
Sensitive: true,
Description: "Client secret issued (opens new window)by the AS for the Okta IdP instance",
},
"pkce_required": {
Type: schema.TypeBool,
Optional: true,
Description: "Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/idps/#oauth-2-0-and-openid-connect-client-object",
},
"issuer_url": {
Type: schema.TypeString,
Expand Down Expand Up @@ -116,6 +123,9 @@ func resourceIdpRead(ctx context.Context, d *schema.ResourceData, m interface{})
_ = d.Set("issuer_url", idp.Protocol.Issuer.Url)
_ = d.Set("client_secret", idp.Protocol.Credentials.Client.ClientSecret)
_ = d.Set("client_id", idp.Protocol.Credentials.Client.ClientId)
if idp.Protocol.Credentials.Client.PKCERequired != nil {
_ = d.Set("pkce_required", idp.Protocol.Credentials.Client.PKCERequired)
}
syncEndpoint("authorization", idp.Protocol.Endpoints.Authorization, d)
syncEndpoint("token", idp.Protocol.Endpoints.Token, d)
syncEndpoint("user_info", idp.Protocol.Endpoints.UserInfo, d)
Expand Down Expand Up @@ -172,6 +182,14 @@ func buildIdPOidc(d *schema.ResourceData) (sdk.IdentityProvider, error) {
len(d.Get("subject_match_attribute").(string)) > 0 {
return sdk.IdentityProvider{}, errors.New("you can only provide 'subject_match_attribute' with 'subject_match_type' set to 'CUSTOM_ATTRIBUTE'")
}
client := &sdk.IdentityProviderCredentialsClient{
ClientId: d.Get("client_id").(string),
ClientSecret: d.Get("client_secret").(string),
}
pkceVal := d.GetRawConfig().GetAttr("pkce_required")
if !pkceVal.IsNull() {
client.PKCERequired = boolPtr(d.Get("pkce_required").(bool))
}
idp := sdk.IdentityProvider{
Name: d.Get("name").(string),
Type: "OIDC",
Expand All @@ -194,10 +212,7 @@ func buildIdPOidc(d *schema.ResourceData) (sdk.IdentityProvider, error) {
Scopes: convertInterfaceToStringSet(d.Get("scopes")),
Type: d.Get("protocol_type").(string),
Credentials: &sdk.IdentityProviderCredentials{
Client: &sdk.IdentityProviderCredentialsClient{
ClientId: d.Get("client_id").(string),
ClientSecret: d.Get("client_secret").(string),
},
Client: client,
},
Issuer: &sdk.ProtocolEndpoint{
Url: d.Get("issuer_url").(string),
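Review bot: `d.GetRawConfig().GetAttr("pkce_required")` in buildIdPOidc is evaluated without first checking that the raw config is non-null; as far as I recall, the plugin SDK returns a null object from GetRawConfig in some phases and cty's GetAttr panics on a null object rather than returning a null attribute, so any path that reaches buildIdPOidc without a raw config would crash the provider. Guarding it as `if raw := d.GetRawConfig(); !raw.IsNull() && !raw.GetAttr("pkce_required").IsNull() {` keeps the intended "only send what was explicitly configured" semantics while avoiding the panic; buildIdPOidc starts and ends outside this hunk, so I cannot see which create/update callers reach it. Separately, the new schema description "Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode" reads like a leftover from another field — suggest `Description: "Require Proof Key for Code Exchange (PKCE) for additional verification. See: https://developer.okta.com/docs/reference/api/idps/#oauth-2-0-and-openid-connect-client-object"`.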
89 changes: 89 additions & 0 deletions okta/resource_okta_idp_oidc_test.go
Expand Up @@ -124,3 +124,92 @@ resource "okta_idp_oidc" "test" {
},
})
}

func TestAccResourceOktaIdpOidc_pkce_required(t *testing.T) {
config1 := `
resource "okta_idp_oidc" "test" {
name = "testAcc_replace_with_uuid"
authorization_url = "https://idp.example.com/authorize"
authorization_binding = "HTTP-REDIRECT"
token_url = "https://idp.example.com/token"
token_binding = "HTTP-POST"
user_info_url = "https://idp.example.com/userinfo"
user_info_binding = "HTTP-REDIRECT"
jwks_url = "https://idp.example.com/keys"
jwks_binding = "HTTP-REDIRECT"
scopes = ["openid"]
client_id = "efg456"
client_secret = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
issuer_url = "https://id.example.com"
username_template = "idpuser.email"
}`
config2 := `
resource "okta_idp_oidc" "test" {
name = "testAcc_replace_with_uuid"
authorization_url = "https://idp.example.com/authorize"
authorization_binding = "HTTP-REDIRECT"
token_url = "https://idp.example.com/token"
token_binding = "HTTP-POST"
user_info_url = "https://idp.example.com/userinfo"
user_info_binding = "HTTP-REDIRECT"
jwks_url = "https://idp.example.com/keys"
jwks_binding = "HTTP-REDIRECT"
scopes = ["openid"]
client_id = "abc123"
client_secret = "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
issuer_url = "https://id.example.com"
username_template = "idpuser.email"
pkce_required = false
}`

mgr := newFixtureManager("resources", idpOidc, t.Name())
resourceName := fmt.Sprintf("%s.test", idpOidc)

oktaResourceTest(t, resource.TestCase{
PreCheck: testAccPreCheck(t),
ErrorCheck: testAccErrorChecks(t),
ProviderFactories: testAccProvidersFactories,
CheckDestroy: checkResourceDestroy(idpOidc, createDoesIdpExist),
Steps: []resource.TestStep{
{
Config: mgr.ConfigReplace(config1),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr(resourceName, "name", buildResourceName(mgr.Seed)),
resource.TestCheckResourceAttr(resourceName, "authorization_url", "https://idp.example.com/authorize"),
resource.TestCheckResourceAttr(resourceName, "authorization_binding", "HTTP-REDIRECT"),
resource.TestCheckResourceAttr(resourceName, "token_url", "https://idp.example.com/token"),
resource.TestCheckResourceAttr(resourceName, "token_binding", "HTTP-POST"),
resource.TestCheckResourceAttr(resourceName, "user_info_url", "https://idp.example.com/userinfo"),
resource.TestCheckResourceAttr(resourceName, "user_info_binding", "HTTP-REDIRECT"),
resource.TestCheckResourceAttr(resourceName, "jwks_url", "https://idp.example.com/keys"),
resource.TestCheckResourceAttr(resourceName, "jwks_binding", "HTTP-REDIRECT"),
resource.TestCheckResourceAttr(resourceName, "client_id", "efg456"),
resource.TestCheckResourceAttr(resourceName, "client_secret", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"),
resource.TestCheckResourceAttr(resourceName, "issuer_url", "https://id.example.com"),
resource.TestCheckResourceAttr(resourceName, "username_template", "idpuser.email"),
resource.TestCheckNoResourceAttr(resourceName, "pkce_required"),
),
},
{
Config: mgr.ConfigReplace(config2),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr(resourceName, "name", buildResourceName(mgr.Seed)),
resource.TestCheckResourceAttr(resourceName, "authorization_url", "https://idp.example.com/authorize"),
resource.TestCheckResourceAttr(resourceName, "authorization_binding", "HTTP-REDIRECT"),
resource.TestCheckResourceAttr(resourceName, "token_url", "https://idp.example.com/token"),
resource.TestCheckResourceAttr(resourceName, "token_binding", "HTTP-POST"),
resource.TestCheckResourceAttr(resourceName, "user_info_url", "https://idp.example.com/userinfo"),
resource.TestCheckResourceAttr(resourceName, "user_info_binding", "HTTP-REDIRECT"),
resource.TestCheckResourceAttr(resourceName, "jwks_url", "https://idp.example.com/keys"),
resource.TestCheckResourceAttr(resourceName, "jwks_binding", "HTTP-REDIRECT"),
resource.TestCheckResourceAttr(resourceName, "client_id", "abc123"),
resource.TestCheckResourceAttr(resourceName, "client_secret", "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"),
resource.TestCheckResourceAttr(resourceName, "issuer_url", "https://id.example.com"),
resource.TestCheckResourceAttr(resourceName, "username_template", "idpuser.email"),
resource.TestCheckResourceAttr(resourceName, "pkce_required", "false"),
),
},
},
})

}
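Review bot: The new test exercises only the unset and `pkce_required = false` cases, so the setting's protective direction — the value operators actually turn on — is never verified to round-trip through buildIdPOidc and resourceIdpRead. A third step whose config sets `pkce_required = true` and checks `resource.TestCheckResourceAttr(resourceName, "pkce_required", "true")` would cover it and reuses config2 with one line changed. Note also that config2 changes client_id and client_secret in the same step as pkce_required, so a failure there would not isolate the new attribute; keeping the credentials identical between steps makes the test more diagnostic.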
1 change: 1 addition & 0 deletions sdk/v2_identityProviderCredentialsClient.go
Expand Up @@ -4,4 +4,5 @@ package sdk
type IdentityProviderCredentialsClient struct {
ClientId string `json:"client_id,omitempty"`
ClientSecret string `json:"client_secret,omitempty"`
PKCERequired *bool `json:"pkce_required"`
}
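Review bot: The new PKCERequired field carries no `omitempty`, unlike the two fields above it, so a nil pointer is marshaled as `"pkce_required": null` on every request where the attribute was not configured. If that is intended (for example to clear a server-side value), a short comment on the field saying so would help; otherwise `PKCERequired *bool `json:"pkce_required,omitempty"`` omits only the nil case while still sending an explicit false, which matches buildIdPOidc setting the pointer only when the attribute is present in config. Whether the Okta API accepts or rejects null here is not visible from this diff.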
