terraform-provider-okta
Support groups_claim configuration in okta_app_oauth when using OAuth 2.0 credentials
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Description
In an organization with a ton of groups (>> 100), OIDC applications need to be able to filter the groups returned in their groups claim. When using TF for configuration-as-code, we need to be able to configure the filtering conditions or expressions without resorting to clickops in the UI.
The provider documentation for the groups_claim attribute notes a caveat that it is ignored when using OAuth 2.0 credentials.
We use OAuth 2.0 credentials so that the TF runner that applies application configuration is limited in what OAuth 2.0 scopes it has, rather than granting carte blanche access as a super-user like an SSWS API token might do. Forcing us to choose between the Principle of Least Privilege and robust CaC (without clickops) is not a good place to be.
New or Affected Resource(s)
- okta_app_oauth
References
- #1713
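To make the gap concrete, here is the configuration shape the issue is asking for: a provider block using OAuth 2.0 service-app credentials scoped to application management, and an okta_app_oauth resource with a groups_claim filter. This is an added illustration, not configuration from the issue or from the provider project; the org name, client ID, key path, app name and the "eng-" group prefix are placeholder values. As the provider documentation cited above notes, the groups_claim block is currently ignored when the provider authenticates this way, which is exactly what this request wants changed.

```hcl
# Added example (placeholder values). Least-privilege provider auth:
# an OAuth 2.0 service app limited to the okta.apps.manage scope
# instead of a super-user SSWS API token.
provider "okta" {
  org_name    = "example-org"            # placeholder
  base_url    = "okta.com"
  client_id   = "0oaPLACEHOLDERclientid" # placeholder service-app client ID
  scopes      = ["okta.apps.manage"]     # only what the app runner needs
  private_key = file("${path.module}/okta-service-app.pem") # placeholder path
}

resource "okta_app_oauth" "example" {
  label         = "example-oidc-app"     # placeholder
  type          = "web"
  grant_types   = ["authorization_code"]
  redirect_uris = ["https://example.invalid/callback"] # placeholder
  response_types = ["code"]

  # The block this issue is about. With an SSWS token the provider applies
  # it; with the OAuth 2.0 credentials above it is ignored per the docs,
  # so the filter would have to be set by hand in the admin UI.
  groups_claim {
    type        = "FILTER"
    filter_type = "STARTS_WITH"
    name        = "groups"
    value       = "eng-"                 # placeholder group-name prefix
  }
}
```

The point of the scoped provider block is that a compromised or misused runner can only touch applications, whereas an SSWS token issued to a super-admin could change users, groups and policies as well.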
I don't think there is a "supported" API endpoint for getting groups claim information. When using an SSWS API token the Terraform provider calls an undocumented / unsupported API endpoint.
Calling undocumented / private API endpoints is something the Okta team (and me as well) would like to move the provider away from, as these APIs can change at any time without warning, thus making the Okta Terraform provider brittle.
I think it is likely that you'll be redirected to ideas.okta.com to vote on or create a feature request for the missing API endpoint. There likely isn't much the Terraform Provider team can do here until a supported API endpoint is implemented.
I hope the broader Okta team(s) can prioritize these API gaps, so the provider team can move the provider over to using better supported API endpoints.
+1. I have opened requests in Ideas, but it's like yelling into an empty hole. These sorts of API gaps should be table stakes; anyway, opened this ticket here to at least document there's a customer need for this particular endpoint. Maybe the Okta TF team can add pressure internally.
Hello and thanks for the Terraform Okta provider! Really useful!
I have the exact same problem... I do not want to use a "full access" API key to set groups_claim on my OAuth app.
Thanks