Support OIDC for Provider connection

fproulx-boostsecurity opened this issue 1 year ago • 3 comments

Describe the problem you'd like to have solved

Similar to how AWS, GCP, Azure terraform providers support OIDC to authenticate from GitHub Actions for instance (https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services) it would be really nice for Auth0 provider to do that too.

That would allow removing any long-term secrets used to connect to the Auth0 provider and make IaC more secure.

Describe the ideal solution

The provider would not only support an OAuth client secret, but also a mechanism to get ephemeral access based on OIDC claims, trusting GitHub Actions.

Alternatives and current workarounds

No response

Additional context

No response

fproulx-boostsecurity · Mar 10 '23 20:03

Hey @fproulx-boostsecurity 👋🏻

Thanks for raising this with us, it's a great suggestion! 🥳 Additionally we could expand further and include even more ways of authenticating, even leveraging the Auth0 CLI.

To set some realistic expectations, at the moment our biggest focus is to get this provider to a stable v1. So tackling something like additional authentication options will most likely come afterwards.

We'll keep you updated and leave the issue open until then.

sergiught · Mar 14 '23 12:03

Just throwing this out there from the Okta workforce identity side of the house. We are currently working with HashiCorp to implement Dynamic Provider Credentials https://developer.hashicorp.com/terraform/cloud-docs/workspaces/dynamic-provider-credentials for the Okta Terraform Provider in Terraform Cloud using their Workload Identity Token https://developer.hashicorp.com/terraform/cloud-docs/workspaces/dynamic-provider-credentials/workload-identity-tokens. The workload ID token is OIDC based. We'll keep @sergiught in the loop on this work should any of this art be transferable to the customer identity side of the house.

monde · Mar 15 '23 17:03

> Just throwing this out there from the Okta workforce identity side of the house. We are currently working with HashiCorp to implement Dynamic Provider Credentials https://developer.hashicorp.com/terraform/cloud-docs/workspaces/dynamic-provider-credentials for the Okta Terraform Provider in Terraform Cloud using their Workload Identity Token https://developer.hashicorp.com/terraform/cloud-docs/workspaces/dynamic-provider-credentials/workload-identity-tokens. The workload ID token is OIDC based. We'll keep @sergiught in the loop on this work should any of this art be transferable to the customer identity side of the house.

I appreciate the effort you're going to in order to accomplish that; however, I'd imagine the vast majority of us don't want to sign up with HashiCorp's Terraform Cloud, especially in line with existing CI/CD tools that we're all invested in, and in lieu of corporate requirements/procurement getting in the way.

Is there any chance of having an OIDC connection without the bells and whistles as a first step?

jdelforno · Dec 12 '23 06:12