-
Notifications
You must be signed in to change notification settings - Fork 89
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add OIDC backchannel initiators #1045
Add OIDC backchannel initiators #1045
Conversation
internal/auth0/client/resource.go
Outdated
"oidc_backchannel_logout_initiators_mode": { | ||
Type: schema.TypeString, | ||
Optional: true, | ||
ValidateFunc: validation.StringInSlice([]string{ | ||
"all", "custom", | ||
}, false), | ||
Description: "Which initiators should receive a logout token. Possible values are `all` indicating all " + | ||
"initiators or `custom` meaning only those selected via oidc_backchannel_logout_initiators", | ||
}, | ||
"oidc_backchannel_logout_initiators": { | ||
Type: schema.TypeSet, | ||
Elem: &schema.Schema{ | ||
Type: schema.TypeString, | ||
ValidateFunc: validation.StringInSlice([]string{ | ||
"rp-logout", "idp-logout", "password-changed", "session-expired", "session-revoked", | ||
"account-deleted", "email-identifier-changed", "mfa-phone-unenrolled", "account-deactivated", | ||
}, false), | ||
}, | ||
Optional: true, | ||
Description: "Which specific initiators should receive a logout token. Possible values are " + | ||
"rp-logout, idp-logout, password-changed, session-expired, session-revoked, account-deleted, email-identifier-changed, mfa-phone-unenrolled, account-deactivated", | ||
}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Perhaps it would be better to create a nested OIDCLogout
structure instead of the current approach, as oidc_backchannel_logout_urls
already contains other values. We can deprecate oidc_backchannel_logout_urls
and introduce OIDCLogout
, with nested properties such as oidc_backchannel_logout_urls
and BackChannelLogoutInitiators
, similar to the implementation in the SDK.
@developerkunal I just updated with your suggestion of using a oidc_logout block with nested attributes. There are still some failing tests when I run E2E in my test tenant not related to features we don't have enabled. The problem appears to be that the API returns the logout urls both in the OIDCBackchannelLogout object and the OIDCLogout object. I've tried a couple different approaches but rolled them back because they all had unintended side effects. The problem is we don't necessarily know which approach in the flatten to take, ignore the old setting or ignore the new one. The paths I've gone down have all caused another test to fail. I'm going to step away and then come back at it fresh. If you have any suggestions for handling it I'd appreciate them. |
@bryanroute If I understand you correctly, I think, it's better to ignore old setting |
@Seha16 I'm not sure I understand your suggestion. If I don't set the old oidc_backchannel_logout_urls then won't that generate a unexpected plan diff for someone using the old property and not implementing the new block? I'm not sure if I'm understanding your suggestion. |
@bryanroute I just wanted to reply on your message
And I want to say that I like you current implementation and agree with you to ignore func flattenOIDCBackchannelURLs(backchannelLogout *management.OIDCBackchannelLogout, logout *management.OIDCLogout) []string {
if logout != nil {
return nil
} else {
return backchannelLogout.GetBackChannelLogoutURLs()
}
}
...
data.Set("oidc_backchannel_logout_urls", flattenOIDCBackchannelURLs(client.GetOIDCBackchannelLogout(), client.GetOIDCLogout())),
data.Set("oidc_logout", flattenOIDCLogout(client.GetOIDCLogout())), There was silence in this PR and no replies on your comments for a while. So I thought voting for your solution may bring some attention of the project contributors. |
Ah @Seha16 I thought you were from Auth0. I got a message on my support ticket tracking the missing functionality. They are supposed to be reviewing my PR soon and figured that you were the one doing so. Appreciate drawing attention to it. I'm hoping I hear back from the team soon so we can get this functionality. |
Hi @bryanroute , |
Updated the test to avoid noisy plan
fix: update error messages in Forms using terraform. Co-authored-by: Rajat Bajaj <rajat.bajaj@okta.com>
87ab4bf
to
60ddb2c
Compare
* Added support to set the oidc backchannel initiators mode and selected initiators * Regenerated docs to add new properties * Changed to use oidc_logout block * Fixed And Added Test Cases * Updated Docs * Updated TestAccDataClients to avoid noisy plan (#1087) Updated the test to avoid noisy plan * fix: update messages in Forms using terraform. (#1088) fix: update error messages in Forms using terraform. Co-authored-by: Rajat Bajaj <rajat.bajaj@okta.com> --------- Co-authored-by: Kunal Dawar <kunal.dawar@okta.com> Co-authored-by: Rajat Bajaj <rajat.bajaj@okta.com> Co-authored-by: Kushal <43465488+kushalshit27@users.noreply.github.com> Co-authored-by: KunalOfficial <35455566+developerkunal@users.noreply.github.com> Signed-off-by: Rajat Bajaj <rajat.bajaj@okta.com>
🔧 Changes
This PR adds support for configuring the
oidc_logout
block in theauth0_client
resource. This enhancement enables more detailed configuration of OIDC backchannel logout, which was previously limited to setting thebackchannel_logout_urls
.The
oidc_logout
block includes the following:backchannel_logout_urls
: (Required) A set of URLs that Auth0 will call back for OIDC backchannel logout. Currently, only one URL is allowed.backchannel_logout_initiators
: (Optional) Configures the OIDC logout initiators for the client. Includes:mode
: (Required) Determines how initiators are configured:"all"
: Enables all current and future initiators."custom"
: Limits initiators to those explicitly listed inselected_initiators
.selected_initiators
: (Optional) A list of specific initiators enabled for the client whenmode
is set to"custom"
.These additions allow comprehensive OIDC backchannel logout functionality to be fully managed via Terraform.
📚 References
Addresses this open issue with the proposed design
#1030
Also addresses this support ticket: https://support.auth0.com/tickets/02368461
🔬 Testing
Test checks were added to the existing tests however http recordings need to be regenerated for the tests to pass and it appears from what I could figure that has to be done by someone that has access to the test tenant
terraform-provider-auth0-dev.eu.auth0.com
I did run the e2e tests against my own test tenant and everything passed except for some tests related to features not enabled in my test tenant.
This was manually tested and verified by creating a client with none of the back channel properties set, one with the mode all and one with the mode custom. Everything appears to function as I expected.
I do have an open question whether the approach to handling the default mode/initiators is the correct one however I'm not sure of a better approach and the behavior seems to mirror similar behavior I've observed with other terraform providers I've worked with.
📝 Checklist