Skip to content

Commit

Permalink
DXCDT-147: Add new auth0_client_credentials resource with support for…
Browse files Browse the repository at this point in the history
… JWT CA (#588)
  • Loading branch information
sergiught authored May 22, 2023
1 parent 87bc19f commit 7f2eecc
Show file tree
Hide file tree
Showing 15 changed files with 5,280 additions and 9 deletions.
60 changes: 58 additions & 2 deletions MIGRATION_GUIDE.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,61 @@
# Migration Guide

## Upgrading from v0.47.0 → v0.48.0

There are deprecations in this update. Please ensure you read this guide thoroughly and prepare your potential
automated workflows before upgrading.

### Deprecations

- [Client Authentication Method](#client-authentication-method)


#### Client Authentication Method


The `token_endpoint_auth_method` field on the `auth0_client` resource will continue to be available for managing the
client's authentication method. However, to ensure a smooth transition when we eventually remove the capability to
manage the authentication method through this field, we recommend proactively migrating to the newly introduced
`auth0_client_credentials` resource as this will also give you the possibility of managing the client secret.
This will help you stay prepared for future changes.

<table>
<tr>
<th>Before (v0.47.0)</th>
<th>After (v0.48.0)</th>
</tr>
<tr>
<td>

```terraform
# Example:
resource "auth0_client" "my_client" {
name = "My Client"
token_endpoint_auth_method = "client_secret_post"
}
```

</td>
<td>

```terraform
# Example:
resource "auth0_client" "my_client" {
name = "My Client"
}
resource "auth0_client_credentials" "test" {
client_id = auth0_client.my_client.id
authentication_method = "client_secret_post"
}
```

</td>
</tr>
</table>

## Upgrading from v0.46.0 → v0.47.0

There are deprecations in this update. Please ensure you read this guide thoroughly and prepare your potential
Expand All @@ -10,7 +66,7 @@ automated workflows before upgrading.
- [User Roles](#user-roles)
- [Role Permissions](#role-permissions)

### User Roles
#### User Roles

The `roles` field on the `auth0_user` resource will continue to be available for managing user roles. However, to ensure
a smooth transition when we eventually remove the capability to manage roles through this field, we recommend
Expand Down Expand Up @@ -96,7 +152,7 @@ resource auth0_user_role user_owner {
</tr>
</table>

### Role Permissions
#### Role Permissions

The `permissions` field on the `auth0_role` resource will continue to be available for managing role permissions. However, to ensure
a smooth transition when we eventually remove the capability to manage permissions through this field, we recommend
Expand Down
2 changes: 1 addition & 1 deletion docs/resources/client.md
Original file line number Diff line number Diff line change
Expand Up @@ -125,7 +125,7 @@ resource "auth0_client" "my_client" {
- `refresh_token` (Block List, Max: 1) Configuration settings for the refresh tokens issued for this client. (see [below for nested schema](#nestedblock--refresh_token))
- `sso` (Boolean) Applies only to SSO clients and determines whether Auth0 will handle Single Sign-On (true) or whether the identity provider will (false).
- `sso_disabled` (Boolean) Indicates whether or not SSO is disabled.
- `token_endpoint_auth_method` (String) Defines the requested authentication method for the token endpoint. Options include `none` (public client without a client secret), `client_secret_post` (client uses HTTP POST parameters), `client_secret_basic` (client uses HTTP Basic).
- `token_endpoint_auth_method` (String, Deprecated) Defines the requested authentication method for the token endpoint. Options include `none` (public client without a client secret), `client_secret_post` (client uses HTTP POST parameters), `client_secret_basic` (client uses HTTP Basic).
- `web_origins` (List of String) URLs that represent valid web origins for use with web message response mode.

### Read-Only
Expand Down
129 changes: 129 additions & 0 deletions docs/resources/client_credentials.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,129 @@
---
page_title: "Resource: auth0_client_credentials"
description: |-
With this resource, you can configure the method to use when making requests to any endpoint that requires this client to authenticate.
---

# Resource: auth0_client_credentials

With this resource, you can configure the method to use when making requests to any endpoint that requires this client to authenticate.

## Example Usage

```terraform
resource "auth0_client" "my_client" {
name = "Application - Acceptance Test"
app_type = "non_interactive"
jwt_configuration {
alg = "RS256"
}
}
# Configuring client_secret_post as an authentication method.
resource "auth0_client_credentials" "test" {
client_id = auth0_client.my_client.id
authentication_method = "client_secret_post"
}
# Configuring client_secret_basic as an authentication method.
resource "auth0_client_credentials" "test" {
client_id = auth0_client.my_client.id
authentication_method = "client_secret_basic"
}
# Configuring none as an authentication method.
resource "auth0_client_credentials" "test" {
client_id = auth0_client.my_client.id
authentication_method = "none"
}
# Configuring private_key_jwt as an authentication method.
resource "auth0_client_credentials" "test" {
client_id = auth0_client.my_client.id
authentication_method = "private_key_jwt"
private_key_jwt {
credentials {
name = "Testing Credentials 1"
credential_type = "public_key"
algorithm = "RS256"
parse_expiry_from_cert = true
pem = <<EOF
-----BEGIN CERTIFICATE-----
MIIFWDCCA0ACCQDXqpBo3R...G9w0BAQsFADBuMQswCQYDVQQGEwJl
-----END CERTIFICATE-----
EOF
}
}
}
# Configuring the client_secret.
resource "auth0_client_credentials" "test" {
client_id = auth0_client.my_client.id
authentication_method = "client_secret_basic"
client_secret = "LUFqPx+sRLjbL7peYRPFmFu-bbvE7u7og4YUNe_C345=683341"
}
```

<!-- schema generated by tfplugindocs -->
## Schema

### Required

- `authentication_method` (String) Configure the method to use when making requests to any endpoint that requires this client to authenticate. Options include `none` (public client without a client secret), `client_secret_post` (confidential client using HTTP POST parameters), `client_secret_basic` (confidential client using HTTP Basic), `private_key_jwt` (confidential client using a Private Key JWT).
- `client_id` (String) The ID of the client for which to configure the authentication method.

### Optional

- `client_secret` (String, Sensitive) Secret for the client when using `client_secret_post` or `client_secret_basic` authentication method. Keep this private. To access this attribute you need to add the `read:client_keys` scope to the Terraform client. Otherwise, the attribute will contain an empty string. The attribute will also be an empty string in case `private_key_jwt` is selected as an authentication method.
- `private_key_jwt` (Block List, Max: 1) Defines `private_key_jwt` client authentication method. (see [below for nested schema](#nestedblock--private_key_jwt))

### Read-Only

- `id` (String) The ID of this resource.

<a id="nestedblock--private_key_jwt"></a>
### Nested Schema for `private_key_jwt`

Required:

- `credentials` (Block List, Min: 1, Max: 2) Client credentials available for use when Private Key JWT is in use as the client authentication method. A maximum of 2 client credentials can be set. (see [below for nested schema](#nestedblock--private_key_jwt--credentials))

<a id="nestedblock--private_key_jwt--credentials"></a>
### Nested Schema for `private_key_jwt.credentials`

Required:

- `credential_type` (String) Credential type. Supported types: `public_key`.
- `pem` (String) PEM-formatted public key (SPKI and PKCS1) or X509 certificate. Must be JSON escaped.

Optional:

- `algorithm` (String) Algorithm which will be used with the credential. Can be one of `RS256`, `RS384`, `PS256`. If not specified, `RS256` will be used.
- `expires_at` (String) The ISO 8601 formatted date representing the expiration of the credential. It is not possible to set this tonever expire after it has been set. Recreate the certificate if needed.
- `name` (String) Friendly name for a credential.
- `parse_expiry_from_cert` (Boolean) Parse expiry from x509 certificate. If true, attempts to parse the expiry date from the provided PEM. If also the `expires_at` is set the credential expiry will be set to the explicit `expires_at` value.

Read-Only:

- `created_at` (String) The ISO 8601 formatted date the credential was created.
- `id` (String) The ID of the client credential.
- `key_id` (String) The key identifier of the credential, generated on creation.
- `updated_at` (String) The ISO 8601 formatted date the credential was updated.

## Import

Import is supported using the following syntax:

```shell
# A client credentials resource can be imported using the client's ID.
#
# Example:
terraform import auth0_client_credentials.my_creds AaiyAPdpYdesoKnqjj8HJqRn4T5titww
```
2 changes: 1 addition & 1 deletion docs/resources/global_client.md
Original file line number Diff line number Diff line change
Expand Up @@ -66,7 +66,7 @@ PAGE
- `signing_keys` (List of Map of String, Sensitive) List containing a map of the public cert of the signing key and the public cert of the signing key in PKCS7.
- `sso` (Boolean) Applies only to SSO clients and determines whether Auth0 will handle Single Sign-On (true) or whether the identity provider will (false).
- `sso_disabled` (Boolean) Indicates whether or not SSO is disabled.
- `token_endpoint_auth_method` (String) Defines the requested authentication method for the token endpoint. Options include `none` (public client without a client secret), `client_secret_post` (client uses HTTP POST parameters), `client_secret_basic` (client uses HTTP Basic).
- `token_endpoint_auth_method` (String, Deprecated) Defines the requested authentication method for the token endpoint. Options include `none` (public client without a client secret), `client_secret_post` (client uses HTTP POST parameters), `client_secret_basic` (client uses HTTP Basic).
- `web_origins` (List of String) URLs that represent valid web origins for use with web message response mode.

### Read-Only
Expand Down
4 changes: 4 additions & 0 deletions examples/resources/auth0_client_credentials/import.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
# A client credentials resource can be imported using the client's ID.
#
# Example:
terraform import auth0_client_credentials.my_creds AaiyAPdpYdesoKnqjj8HJqRn4T5titww
58 changes: 58 additions & 0 deletions examples/resources/auth0_client_credentials/resource.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
resource "auth0_client" "my_client" {
name = "Application - Acceptance Test"
app_type = "non_interactive"

jwt_configuration {
alg = "RS256"
}
}

# Configuring client_secret_post as an authentication method.
resource "auth0_client_credentials" "test" {
client_id = auth0_client.my_client.id

authentication_method = "client_secret_post"
}

# Configuring client_secret_basic as an authentication method.
resource "auth0_client_credentials" "test" {
client_id = auth0_client.my_client.id

authentication_method = "client_secret_basic"
}

# Configuring none as an authentication method.
resource "auth0_client_credentials" "test" {
client_id = auth0_client.my_client.id

authentication_method = "none"
}

# Configuring private_key_jwt as an authentication method.
resource "auth0_client_credentials" "test" {
client_id = auth0_client.my_client.id

authentication_method = "private_key_jwt"

private_key_jwt {
credentials {
name = "Testing Credentials 1"
credential_type = "public_key"
algorithm = "RS256"
parse_expiry_from_cert = true
pem = <<EOF
-----BEGIN CERTIFICATE-----
MIIFWDCCA0ACCQDXqpBo3R...G9w0BAQsFADBuMQswCQYDVQQGEwJl
-----END CERTIFICATE-----
EOF
}
}
}

# Configuring the client_secret.
resource "auth0_client_credentials" "test" {
client_id = auth0_client.my_client.id

authentication_method = "client_secret_basic"
client_secret = "LUFqPx+sRLjbL7peYRPFmFu-bbvE7u7og4YUNe_C345=683341"
}
22 changes: 17 additions & 5 deletions internal/acctest/http_recorder.go
Original file line number Diff line number Diff line change
Expand Up @@ -105,10 +105,19 @@ func redactDomain(i *cassette.Interaction, domain string) {
}

func redactSensitiveDataInClient(t *testing.T, i *cassette.Interaction, domain string) {
create := i.Request.URL == "https://"+domain+"/api/v2/clients" && i.Request.Method == http.MethodPost
read := strings.Contains(i.Request.URL, "https://"+domain+"/api/v2/clients/") && i.Request.Method == http.MethodGet
update := strings.Contains(i.Request.URL, "https://"+domain+"/api/v2/clients/") && i.Request.Method == http.MethodPatch
rotateSecret := strings.Contains(i.Request.URL, "clients") && strings.Contains(i.Request.URL, "/rotate-secret")
create := i.Request.URL == "https://"+domain+"/api/v2/clients" &&
i.Request.Method == http.MethodPost

read := strings.Contains(i.Request.URL, "https://"+domain+"/api/v2/clients/") &&
!strings.Contains(i.Request.URL, "credentials") &&
i.Request.Method == http.MethodGet

update := strings.Contains(i.Request.URL, "https://"+domain+"/api/v2/clients/") &&
!strings.Contains(i.Request.URL, "credentials") &&
i.Request.Method == http.MethodPatch

rotateSecret := strings.Contains(i.Request.URL, "clients") &&
strings.Contains(i.Request.URL, "/rotate-secret")

if create || read || update || rotateSecret {
var client management.Client
Expand All @@ -119,7 +128,10 @@ func redactSensitiveDataInClient(t *testing.T, i *cassette.Interaction, domain s
client.SigningKeys = []map[string]string{
{"cert": redacted},
}
client.ClientSecret = &redacted

if client.GetClientSecret() != "" {
client.ClientSecret = &redacted
}

clientBody, err := json.Marshal(client)
require.NoError(t, err)
Expand Down
5 changes: 5 additions & 0 deletions internal/auth0/client/resource.go
Original file line number Diff line number Diff line change
Expand Up @@ -542,6 +542,11 @@ func NewResource() *schema.Resource {
"Options include `none` (public client without a client secret), " +
"`client_secret_post` (client uses HTTP POST parameters), " +
"`client_secret_basic` (client uses HTTP Basic).",
Deprecated: "Managing the authentication method through this attribute is deprecated and it will be " +
"changed to read-only in a future version. Migrate to the `auth0_client_credentials` resource to " +
"manage a client's authentication method instead. Check the " +
"[MIGRATION GUIDE](https://github.com/auth0/terraform-provider-auth0/blob/main/MIGRATION_GUIDE.md) " +
"on how to do that.",
},
"client_metadata": {
Type: schema.TypeMap,
Expand Down
Loading

0 comments on commit 7f2eecc

Please sign in to comment.