terraform-provider-okta
Provider support for Demonstrating Proof of Possession (DPoP)
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Description
Okta added support for Demonstrating Proof of Possession (DPoP) in 2023. Would it be possible for the Okta Terraform provider to support this additional protection when using OAuth with a public/private keypair?
If the feature is enabled in the Okta OAuth app being used by the provider to fetch access tokens, the provider errors like:
│ Error: failed to get group: the API returned an error: The DPoP proof JWT header is missing.
New or Affected Resource(s)
- provider "okta"
Potential Terraform Configuration
Not sure if a new provider attribute is required or not
References
- https://www.okta.com/blog/2023/06/a-leap-forward-in-token-security-okta-adds-support-for-dpop/
- https://developer.okta.com/docs/guides/dpop/main/
This is likely an upstream issue for the GoLang SDK. I have a similar feature request in https://github.com/okta/terraform-provider-okta/issues/1873
Closed due to duplication with #1873. For now, please disable DPoP to use Terraform.
Hi @duytiennguyen-okta, While there may be overlap here, I'm not sure that this issue and #1873 are overlapping 100%
#1873 could be considered a sub-set of the functionality requested in this issue
These might be seeking to support different use-cases, as DPoP will require that the provider has continued access to the private key for every request made, whereas my issue #1873 is trying to intentionally obfuscate the private key from the provider by storing it in an external service. For my use-case, DPoP would be more difficult as it would require calling that external service on every request the provider makes.
> These might be seeking to support different use-cases, as DPoP will require that the provider has continued access to the private key for every request made
@exitcode0 @duytiennguyen-okta Agree. My intent in opening this issue was to request support for DPoP in the provider in the case where we do continually make the private key available to the provider.
OKTA internal reference https://oktainc.atlassian.net/browse/OKTA-700768
@parente the team is working on adding DPoP support for all our SDKs. To use DPoP right now, you would have to add the DPoP header in your requests, which is created by using the client's private key to sign a JWT containing the client's public key, HTTP request URL and method. The team is currently working on implementing this support in the SDKs.
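The comment above describes the DPoP proof mechanism from RFC 9449: a per-request JWT whose header carries the client's public key (`typ: dpop+jwt`, `jwk`) and whose claims bind it to the HTTP method (`htm`) and URL (`htu`). The following is an added illustration, not code from the Okta SDK or the Terraform provider. It builds such a proof with only the Go standard library (ES256 over P-256) and shows the checks a resource server performs: signature under the embedded key, method/URL binding, and a freshness window on `iat`. Key generation, the `NewProof`/`VerifyProof` names, the `maxAge` window, and the example URL are all assumptions of this example; Okta's flow additionally issues a server nonce that must be echoed in a `nonce` claim, and proofs sent to a resource server also carry an `ath` hash of the access token, both of which are omitted here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// jwk is the EC public key as embedded in the DPoP proof header (RFC 7518 section 6.2).
type jwk struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

type dpopHeader struct {
	Typ string `json:"typ"`
	Alg string `json:"alg"`
	Jwk jwk    `json:"jwk"`
}

// dpopClaims binds the proof to one request: unique id, method, URL, issue time.
type dpopClaims struct {
	Jti string `json:"jti"`
	Htm string `json:"htm"`
	Htu string `json:"htu"`
	Iat int64  `json:"iat"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// NewClientKey generates the P-256 keypair the client keeps for the life of its session
// (hypothetical helper; in the provider this would be the configured private key).
func NewClientKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// NewProof signs a DPoP proof JWT for one HTTP request with the client's private key.
func NewProof(priv *ecdsa.PrivateKey, method, url string, now time.Time) (string, error) {
	pub := priv.PublicKey
	// P-256 coordinates are fixed-width 32-byte big-endian values.
	hdr, err := json.Marshal(dpopHeader{Typ: "dpop+jwt", Alg: "ES256", Jwk: jwk{
		Kty: "EC", Crv: "P-256",
		X: b64(pub.X.FillBytes(make([]byte, 32))), Y: b64(pub.Y.FillBytes(make([]byte, 32))),
	}})
	if err != nil {
		return "", err
	}
	nonce := make([]byte, 16) // jti: random, unique per proof so replays can be detected
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	body, err := json.Marshal(dpopClaims{Jti: b64(nonce), Htm: method, Htu: url, Iat: now.Unix()})
	if err != nil {
		return "", err
	}
	signingInput := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	// JWS ES256 signatures are the raw R||S concatenation, not ASN.1 DER.
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return signingInput + "." + b64(sig), nil
}

// VerifyProof performs the server-side checks: JWS shape, typ/alg, signature under the
// embedded key, htm/htu matching the request actually received, and iat freshness.
func VerifyProof(proof, method, url string, now time.Time, maxAge time.Duration) error {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 {
		return errors.New("proof is not a three-part JWS")
	}
	rawHdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return err
	}
	var hdr dpopHeader
	if err := json.Unmarshal(rawHdr, &hdr); err != nil {
		return err
	}
	if hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" || hdr.Jwk.Kty != "EC" || hdr.Jwk.Crv != "P-256" {
		return errors.New("unexpected typ, alg or key type")
	}
	x, errX := base64.RawURLEncoding.DecodeString(hdr.Jwk.X)
	y, errY := base64.RawURLEncoding.DecodeString(hdr.Jwk.Y)
	if errX != nil || errY != nil {
		return errors.New("malformed jwk coordinates")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	if !pub.Curve.IsOnCurve(pub.X, pub.Y) {
		return errors.New("embedded key is not a valid P-256 point")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return errors.New("malformed ES256 signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("signature does not verify under the embedded key")
	}
	rawClaims, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return err
	}
	var claims dpopClaims
	if err := json.Unmarshal(rawClaims, &claims); err != nil {
		return err
	}
	if claims.Jti == "" {
		return errors.New("missing jti")
	}
	if claims.Htm != method || claims.Htu != url {
		return fmt.Errorf("proof bound to %s %s, request is %s %s", claims.Htm, claims.Htu, method, url)
	}
	if age := now.Sub(time.Unix(claims.Iat, 0)); age < -maxAge || age > maxAge {
		return errors.New("proof iat outside acceptance window")
	}
	return nil
}

func main() {
	priv, _ := NewClientKey()
	url := "https://example.okta.com/api/v1/groups" // constructed sample URL
	proof, _ := NewProof(priv, "GET", url, time.Now())
	fmt.Println("DPoP:", proof)
	fmt.Println("same request:", VerifyProof(proof, "GET", url, time.Now(), time.Minute))
	fmt.Println("other method:", VerifyProof(proof, "POST", url, time.Now(), time.Minute))
}
```

The point the verifier side makes for the provider use-case: because the proof is signed per request and bound to method and URL, a leaked access token alone is not enough to call the API, which is why the client (here, the Terraform provider) must have the private key available for every call it makes.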
Thanks for the update @ivanezeigbo-okta. Looking forward to the feature when you land it. ❤️
We are implementing DPoP for Terraform at the moment. We will update this issue once it is released.
This feature is now released in version 4.9.0