Skip to content

Commit

Permalink
DXCDT-449: Add support for PAR on client and tenant resources (#756)
Browse files Browse the repository at this point in the history
  • Loading branch information
sergiught authored Sep 14, 2023
1 parent 16676a3 commit 4e81f09
Show file tree
Hide file tree
Showing 14 changed files with 156 additions and 131 deletions.
1 change: 1 addition & 0 deletions docs/data-sources/client.md
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,7 @@ data "auth0_client" "some-client-by-id" {
- `organization_require_behavior` (String) Defines how to proceed during an authentication transaction when `organization_usage = "require"`. Can be `no_prompt` (default), `pre_login_prompt` or `post_login_prompt`.
- `organization_usage` (String) Defines how to proceed during an authentication transaction with regards to an organization. Can be `deny` (default), `allow` or `require`.
- `refresh_token` (List of Object) Configuration settings for the refresh tokens issued for this client. (see [below for nested schema](#nestedatt--refresh_token))
- `require_pushed_authorization_requests` (Boolean) Makes the use of Pushed Authorization Requests mandatory for this client.
- `signing_keys` (List of Map of String) List containing a map of the public cert of the signing key and the public cert of the signing key in PKCS7.
- `sso` (Boolean) Applies only to SSO clients and determines whether Auth0 will handle Single Sign-On (true) or whether the identity provider will (false).
- `sso_disabled` (Boolean) Indicates whether or not SSO is disabled.
Expand Down
1 change: 1 addition & 0 deletions docs/data-sources/tenant.md
Original file line number Diff line number Diff line change
Expand Up @@ -63,6 +63,7 @@ Read-Only:
- `enable_public_signup_user_exists_error` (Boolean)
- `mfa_show_factor_list_on_enrollment` (Boolean)
- `no_disclose_enterprise_connections` (Boolean)
- `require_pushed_authorization_requests` (Boolean)
- `revoke_refresh_token_grant` (Boolean)
- `use_scope_descriptions_for_consent` (Boolean)

Expand Down
1 change: 1 addition & 0 deletions docs/resources/client.md
Original file line number Diff line number Diff line change
Expand Up @@ -116,6 +116,7 @@ resource "auth0_client" "my_client" {
- `organization_require_behavior` (String) Defines how to proceed during an authentication transaction when `organization_usage = "require"`. Can be `no_prompt` (default), `pre_login_prompt` or `post_login_prompt`.
- `organization_usage` (String) Defines how to proceed during an authentication transaction with regards to an organization. Can be `deny` (default), `allow` or `require`.
- `refresh_token` (Block List, Max: 1) Configuration settings for the refresh tokens issued for this client. (see [below for nested schema](#nestedblock--refresh_token))
- `require_pushed_authorization_requests` (Boolean) Makes the use of Pushed Authorization Requests mandatory for this client.
- `sso` (Boolean) Applies only to SSO clients and determines whether Auth0 will handle Single Sign-On (true) or whether the identity provider will (false).
- `sso_disabled` (Boolean) Indicates whether or not SSO is disabled.
- `web_origins` (List of String) URLs that represent valid web origins for use with web message response mode.
Expand Down
1 change: 1 addition & 0 deletions docs/resources/tenant.md
Original file line number Diff line number Diff line change
Expand Up @@ -94,6 +94,7 @@ Optional:
- `enable_public_signup_user_exists_error` (Boolean) Indicates whether the public sign up process shows a `user_exists` error if the user already exists.
- `mfa_show_factor_list_on_enrollment` (Boolean) Used to allow users to pick which factor to enroll with from the list of available MFA factors.
- `no_disclose_enterprise_connections` (Boolean) Do not Publish Enterprise Connections Information with IdP domains on the lock configuration file.
- `require_pushed_authorization_requests` (Boolean) Makes the use of Pushed Authorization Requests mandatory for all clients across the tenant.
- `revoke_refresh_token_grant` (Boolean) Delete underlying grant when a refresh token is revoked via the Authentication API.
- `use_scope_descriptions_for_consent` (Boolean) Indicates whether to use scope descriptions for consent.

Expand Down
65 changes: 33 additions & 32 deletions internal/auth0/client/expand.go
Original file line number Diff line number Diff line change
Expand Up @@ -13,38 +13,39 @@ func expandClient(data *schema.ResourceData) *management.Client {
config := data.GetRawConfig()

client := &management.Client{
Name: value.String(config.GetAttr("name")),
Description: value.String(config.GetAttr("description")),
AppType: value.String(config.GetAttr("app_type")),
LogoURI: value.String(config.GetAttr("logo_uri")),
IsFirstParty: value.Bool(config.GetAttr("is_first_party")),
OIDCConformant: value.Bool(config.GetAttr("oidc_conformant")),
ClientAliases: value.Strings(config.GetAttr("client_aliases")),
Callbacks: value.Strings(config.GetAttr("callbacks")),
AllowedLogoutURLs: value.Strings(config.GetAttr("allowed_logout_urls")),
AllowedOrigins: value.Strings(config.GetAttr("allowed_origins")),
AllowedClients: value.Strings(config.GetAttr("allowed_clients")),
GrantTypes: value.Strings(config.GetAttr("grant_types")),
OrganizationUsage: value.String(config.GetAttr("organization_usage")),
OrganizationRequireBehavior: value.String(config.GetAttr("organization_require_behavior")),
WebOrigins: value.Strings(config.GetAttr("web_origins")),
SSO: value.Bool(config.GetAttr("sso")),
SSODisabled: value.Bool(config.GetAttr("sso_disabled")),
CrossOriginAuth: value.Bool(config.GetAttr("cross_origin_auth")),
CrossOriginLocation: value.String(config.GetAttr("cross_origin_loc")),
CustomLoginPageOn: value.Bool(config.GetAttr("custom_login_page_on")),
CustomLoginPage: value.String(config.GetAttr("custom_login_page")),
FormTemplate: value.String(config.GetAttr("form_template")),
InitiateLoginURI: value.String(config.GetAttr("initiate_login_uri")),
EncryptionKey: value.MapOfStrings(config.GetAttr("encryption_key")),
IsTokenEndpointIPHeaderTrusted: value.Bool(config.GetAttr("is_token_endpoint_ip_header_trusted")),
OIDCBackchannelLogout: expandOIDCBackchannelLogout(data),
ClientMetadata: expandClientMetadata(data),
RefreshToken: expandClientRefreshToken(data),
JWTConfiguration: expandClientJWTConfiguration(data),
Addons: expandClientAddons(data),
NativeSocialLogin: expandClientNativeSocialLogin(data),
Mobile: expandClientMobile(data),
Name: value.String(config.GetAttr("name")),
Description: value.String(config.GetAttr("description")),
AppType: value.String(config.GetAttr("app_type")),
LogoURI: value.String(config.GetAttr("logo_uri")),
IsFirstParty: value.Bool(config.GetAttr("is_first_party")),
OIDCConformant: value.Bool(config.GetAttr("oidc_conformant")),
ClientAliases: value.Strings(config.GetAttr("client_aliases")),
Callbacks: value.Strings(config.GetAttr("callbacks")),
AllowedLogoutURLs: value.Strings(config.GetAttr("allowed_logout_urls")),
AllowedOrigins: value.Strings(config.GetAttr("allowed_origins")),
AllowedClients: value.Strings(config.GetAttr("allowed_clients")),
GrantTypes: value.Strings(config.GetAttr("grant_types")),
OrganizationUsage: value.String(config.GetAttr("organization_usage")),
OrganizationRequireBehavior: value.String(config.GetAttr("organization_require_behavior")),
WebOrigins: value.Strings(config.GetAttr("web_origins")),
RequirePushedAuthorizationRequests: value.Bool(config.GetAttr("require_pushed_authorization_requests")),
SSO: value.Bool(config.GetAttr("sso")),
SSODisabled: value.Bool(config.GetAttr("sso_disabled")),
CrossOriginAuth: value.Bool(config.GetAttr("cross_origin_auth")),
CrossOriginLocation: value.String(config.GetAttr("cross_origin_loc")),
CustomLoginPageOn: value.Bool(config.GetAttr("custom_login_page_on")),
CustomLoginPage: value.String(config.GetAttr("custom_login_page")),
FormTemplate: value.String(config.GetAttr("form_template")),
InitiateLoginURI: value.String(config.GetAttr("initiate_login_uri")),
EncryptionKey: value.MapOfStrings(config.GetAttr("encryption_key")),
IsTokenEndpointIPHeaderTrusted: value.Bool(config.GetAttr("is_token_endpoint_ip_header_trusted")),
OIDCBackchannelLogout: expandOIDCBackchannelLogout(data),
ClientMetadata: expandClientMetadata(data),
RefreshToken: expandClientRefreshToken(data),
JWTConfiguration: expandClientJWTConfiguration(data),
Addons: expandClientAddons(data),
NativeSocialLogin: expandClientNativeSocialLogin(data),
Mobile: expandClientMobile(data),
}

if data.IsNewResource() && client.IsTokenEndpointIPHeaderTrusted != nil {
Expand Down
1 change: 1 addition & 0 deletions internal/auth0/client/flatten.go
Original file line number Diff line number Diff line change
Expand Up @@ -542,6 +542,7 @@ func flattenClient(data *schema.ResourceData, client *management.Client) error {
data.Set("signing_keys", client.SigningKeys),
data.Set("client_metadata", client.GetClientMetadata()),
data.Set("oidc_backchannel_logout_urls", client.GetOIDCBackchannelLogout().GetBackChannelLogoutURLs()),
data.Set("require_pushed_authorization_requests", client.GetRequirePushedAuthorizationRequests()),
)
return result.ErrorOrNil()
}
Expand Down
5 changes: 5 additions & 0 deletions internal/auth0/client/resource.go
Original file line number Diff line number Diff line change
Expand Up @@ -250,6 +250,11 @@ func NewResource() *schema.Resource {
"alphanumeric and may only include the following special characters: " +
"`:,-+=_*?\"/\\()<>@ [Tab] [Space]`.",
},
"require_pushed_authorization_requests": {
Type: schema.TypeBool,
Optional: true,
Description: "Makes the use of Pushed Authorization Requests mandatory for this client.",
},
"mobile": {
Type: schema.TypeList,
Optional: true,
Expand Down
4 changes: 4 additions & 0 deletions internal/auth0/client/resource_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -461,6 +461,7 @@ resource "auth0_client" "my_client" {
logo_uri = "https://example.com/logoUri"
organization_require_behavior = "no_prompt"
organization_usage = "deny"
require_pushed_authorization_requests = false
sso = false
sso_disabled = false
custom_login_page_on = true
Expand Down Expand Up @@ -492,6 +493,7 @@ resource "auth0_client" "my_client" {
logo_uri = "https://another-example.com/logoUri"
organization_require_behavior = "no_prompt"
organization_usage = "deny"
require_pushed_authorization_requests = true
sso = true
sso_disabled = true
custom_login_page_on = true
Expand Down Expand Up @@ -582,6 +584,7 @@ func TestAccClient(t *testing.T) {
resource.TestCheckResourceAttr("auth0_client.my_client", "organization_require_behavior", "no_prompt"),
resource.TestCheckResourceAttr("auth0_client.my_client", "organization_usage", "deny"),
resource.TestCheckResourceAttr("auth0_client.my_client", "sso", "false"),
resource.TestCheckResourceAttr("auth0_client.my_client", "require_pushed_authorization_requests", "false"),
resource.TestCheckResourceAttr("auth0_client.my_client", "sso_disabled", "false"),
resource.TestCheckResourceAttr("auth0_client.my_client", "custom_login_page_on", "true"),
resource.TestCheckResourceAttr("auth0_client.my_client", "is_first_party", "true"),
Expand Down Expand Up @@ -644,6 +647,7 @@ func TestAccClient(t *testing.T) {
resource.TestCheckResourceAttr("auth0_client.my_client", "logo_uri", "https://another-example.com/logoUri"),
resource.TestCheckResourceAttr("auth0_client.my_client", "organization_require_behavior", "no_prompt"),
resource.TestCheckResourceAttr("auth0_client.my_client", "organization_usage", "deny"),
resource.TestCheckResourceAttr("auth0_client.my_client", "require_pushed_authorization_requests", "true"),
resource.TestCheckResourceAttr("auth0_client.my_client", "sso", "true"),
resource.TestCheckResourceAttr("auth0_client.my_client", "sso_disabled", "true"),
resource.TestCheckResourceAttr("auth0_client.my_client", "custom_login_page_on", "true"),
Expand Down
1 change: 1 addition & 0 deletions internal/auth0/tenant/expand.go
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,7 @@ func expandTenantFlags(config cty.Value) *management.TenantFlags {
DashboardInsightsView: value.Bool(flags.GetAttr("dashboard_insights_view")),
DisableFieldsMapFix: value.Bool(flags.GetAttr("disable_fields_map_fix")),
MFAShowFactorListOnEnrollment: value.Bool(flags.GetAttr("mfa_show_factor_list_on_enrollment")),
RequirePushedAuthorizationRequests: value.Bool(flags.GetAttr("require_pushed_authorization_requests")),
}

return stop
Expand Down
1 change: 1 addition & 0 deletions internal/auth0/tenant/flatten.go
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,7 @@ func flattenTenantFlags(flags *management.TenantFlags) []interface{} {
m["dashboard_insights_view"] = flags.DashboardInsightsView
m["disable_fields_map_fix"] = flags.DisableFieldsMapFix
m["mfa_show_factor_list_on_enrollment"] = flags.MFAShowFactorListOnEnrollment
m["require_pushed_authorization_requests"] = flags.RequirePushedAuthorizationRequests

return []interface{}{m}
}
Expand Down
6 changes: 6 additions & 0 deletions internal/auth0/tenant/resource.go
Original file line number Diff line number Diff line change
Expand Up @@ -242,6 +242,12 @@ func NewResource() *schema.Resource {
Computed: true,
Description: "Used to allow users to pick which factor to enroll with from the list of available MFA factors.",
},
"require_pushed_authorization_requests": {
Type: schema.TypeBool,
Optional: true,
Computed: true,
Description: "Makes the use of Pushed Authorization Requests mandatory for all clients across the tenant.",
},
},
},
},
Expand Down
2 changes: 2 additions & 0 deletions internal/auth0/tenant/resource_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -102,6 +102,7 @@ resource "auth0_tenant" "my_tenant" {
disable_management_api_sms_obfuscation = false
disable_fields_map_fix = false
mfa_show_factor_list_on_enrollment = false
require_pushed_authorization_requests = false
}
session_cookie {
Expand Down Expand Up @@ -136,6 +137,7 @@ resource "auth0_tenant" "my_tenant" {
disable_management_api_sms_obfuscation = true
disable_fields_map_fix = true
mfa_show_factor_list_on_enrollment = true
require_pushed_authorization_requests = true
}
session_cookie {
Expand Down
Loading

0 comments on commit 4e81f09

Please sign in to comment.