
Add "implicit_grant" block option under "single_page_application" block section

Open RaviP-Insight opened this issue 3 years ago • 5 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Currently the azuread_application resource has implicit_grant (which has access_token & id_token options) as part of the web block. We have a scenario where we are using id_token with single application. Currently implicit_grant is not an option under the single_page_application block. https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application

New or Affected Resource(s)

  • azuread_application

Potential Terraform Configuration

data "azuread_client_config" "current" {}

resource "azuread_application" "example" {
  display_name     = "example"
  identifier_uris  = ["api://example-app"]
  logo_image       = filebase64("/path/to/logo.png")
  owners           = [data.azuread_client_config.current.object_id]
  sign_in_audience = "AzureADMultipleOrgs"

  single_page_application {
    redirect_uris = ["https://app.example.net/account"]

    implicit_grant {
      access_token_issuance_enabled = true
      id_token_issuance_enabled     = true
    }
  }
}

References

  • #0000

RaviP-Insight avatar Aug 25 '22 14:08 RaviP-Insight

Hi @RaviP-Insight, thanks for requesting this. On further investigation, it looks like this isn't actually a valid property. To clarify, I looked in the portal and inspected the API traffic and found that whilst these settings are exposed as checkboxes when you add settings for a single-page-application, they are actually set on the web block. See the following capture:

[Screenshot: Screen Shot 2022-08-31 at 11 48 03]

Since we already support this property as part of the web block, I'm going to close this one out. Thanks for the request - if you have any other feature requests please feel free to open issues for them.

manicminer avatar Aug 31 '22 10:08 manicminer

Thank you for looking into this. I tried them in reverse order (web block first and then spa) before creating the ticket which replaced the implicit setting options too. I tried them in the option provided in the screenshot and that kept spa and implicit options. Thank you.

RaviP-Insight avatar Sep 11 '22 14:09 RaviP-Insight

I think I spoke too soon. When I re-ran the DevOps process, platform is changing from spa to web. On the next run, it is changing from web to spa. Good thing is it is keeping the implicit permissions, but platform change is causing an issue for the application to work. It didn't matter which order I use spa and web blocks. For each execution it is changing the platform to the first choice block.

Goal is: spa with implicit grant enabled for every execution. Is there any work around?

RaviP-Insight avatar Sep 12 '22 17:09 RaviP-Insight

@RaviP-Insight That sounds like a possible API bug, can you please paste the config you are using and the resulting diffs for each execution? If you can enable debug logging (TF_LOG=DEBUG) and paste the entire output from the plan/apply, including the diff, that would be super helpful in tracking down the cause. I will reopen this issue in the meantime. Thanks!

manicminer avatar Sep 12 '22 19:09 manicminer

Thank you for the quick response, Tom.

Initially I used below code in the Azure AD app section:

single_page_application {
  redirect_uris = var.redirect_uris
}

web {
  redirect_uris = var.redirect_uris

  implicit_grant {
    access_token_issuance_enabled = true
    id_token_issuance_enabled     = true
  }
}

After adding the comments, I tried removing “redirect_uris” option in web block and tried this:

single_page_application {
  redirect_uris = var.redirect_uris
}

web {
  implicit_grant {
    access_token_issuance_enabled = true
    id_token_issuance_enabled     = true
  }
}

I thought I tried this before and got error saying “redirect_uris” is mandatory. I guess not.

It is working as expected now. So far, I am getting the same output “spa with implicit grants” for every execution of the code. I am working with my dev team to test in different environment. If this code works for every scenario, I will go ahead and update it in the comment section.


RaviP-Insight avatar Sep 12 '22 19:09 RaviP-Insight
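The configuration that stopped the platform flipping between spa and web, assembled here as an added example rather than the reporter's own module: it assumes the variable names `display_name` and `redirect_uris` and reuses the `azuread_client_config` data source from the issue's proposed configuration. It also switches `access_token_issuance_enabled` off, since the reporter's scenario only needs id_token.

```hcl
# Added example, not the reporter's file. Variable names are assumptions.
variable "display_name" {
  type    = string
  default = "example"
}

variable "redirect_uris" {
  type    = list(string)
  default = ["https://app.example.net/account"] # constructed sample value
}

data "azuread_client_config" "current" {}

resource "azuread_application" "spa" {
  display_name = var.display_name
  owners       = [data.azuread_client_config.current.object_id]

  # Redirect URIs are registered on the SPA platform only. Listing the same
  # URIs under the web block as well is what caused the registered platform
  # to alternate between spa and web on successive runs in this thread.
  single_page_application {
    redirect_uris = var.redirect_uris
  }

  # The implicit grant flags live on the web block in the Graph API even
  # though the portal shows them under the SPA platform. No redirect_uris are
  # set here, so no web-platform URIs get registered.
  web {
    implicit_grant {
      # Only id_token is needed for the sign-in scenario described above;
      # leave access_token issuance off unless the SPA actually consumes one.
      access_token_issuance_enabled = false
      id_token_issuance_enabled     = true
    }
  }
}
```

A second `terraform plan` after apply should show no changes; if the plan still proposes moving redirect URIs between platforms, the web block has picked up redirect_uris from somewhere.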