Add support for PAR on client and tenant resources

docs/data-sources/client.md

@@ -62,6 +62,7 @@ data "auth0_client" "some-client-by-id" {
 - `organization_require_behavior` (String) Defines how to proceed during an authentication transaction when `organization_usage = "require"`. Can be `no_prompt` (default), `pre_login_prompt` or  `post_login_prompt`.
 - `organization_usage` (String) Defines how to proceed during an authentication transaction with regards to an organization. Can be `deny` (default), `allow` or `require`.
 - `refresh_token` (List of Object) Configuration settings for the refresh tokens issued for this client. (see [below for nested schema](#nestedatt--refresh_token))
+- `require_pushed_authorization_requests` (Boolean) Makes the use of Pushed Authorization Requests mandatory for this client.
 - `signing_keys` (List of Map of String) List containing a map of the public cert of the signing key and the public cert of the signing key in PKCS7.
 - `sso` (Boolean) Applies only to SSO clients and determines whether Auth0 will handle Single Sign-On (true) or whether the identity provider will (false).
 - `sso_disabled` (Boolean) Indicates whether or not SSO is disabled.

docs/data-sources/tenant.md

@@ -63,6 +63,7 @@ Read-Only:
 - `enable_public_signup_user_exists_error` (Boolean)
 - `mfa_show_factor_list_on_enrollment` (Boolean)
 - `no_disclose_enterprise_connections` (Boolean)
+- `require_pushed_authorization_requests` (Boolean)
 - `revoke_refresh_token_grant` (Boolean)
 - `use_scope_descriptions_for_consent` (Boolean)
 

docs/resources/client.md

@@ -116,6 +116,7 @@ resource "auth0_client" "my_client" {
 - `organization_require_behavior` (String) Defines how to proceed during an authentication transaction when `organization_usage = "require"`. Can be `no_prompt` (default), `pre_login_prompt` or  `post_login_prompt`.
 - `organization_usage` (String) Defines how to proceed during an authentication transaction with regards to an organization. Can be `deny` (default), `allow` or `require`.
 - `refresh_token` (Block List, Max: 1) Configuration settings for the refresh tokens issued for this client. (see [below for nested schema](#nestedblock--refresh_token))
+- `require_pushed_authorization_requests` (Boolean) Makes the use of Pushed Authorization Requests mandatory for this client.
 - `sso` (Boolean) Applies only to SSO clients and determines whether Auth0 will handle Single Sign-On (true) or whether the identity provider will (false).
 - `sso_disabled` (Boolean) Indicates whether or not SSO is disabled.
 - `web_origins` (List of String) URLs that represent valid web origins for use with web message response mode.

docs/resources/tenant.md

@@ -94,6 +94,7 @@ Optional:
 - `enable_public_signup_user_exists_error` (Boolean) Indicates whether the public sign up process shows a `user_exists` error if the user already exists.
 - `mfa_show_factor_list_on_enrollment` (Boolean) Used to allow users to pick which factor to enroll with from the list of available MFA factors.
 - `no_disclose_enterprise_connections` (Boolean) Do not Publish Enterprise Connections Information with IdP domains on the lock configuration file.
+- `require_pushed_authorization_requests` (Boolean) Makes the use of Pushed Authorization Requests mandatory for all clients across the tenant.
 - `revoke_refresh_token_grant` (Boolean) Delete underlying grant when a refresh token is revoked via the Authentication API.
 - `use_scope_descriptions_for_consent` (Boolean) Indicates whether to use scope descriptions for consent.
 

internal/auth0/client/expand.go

@@ -13,38 +13,39 @@ func expandClient(data *schema.ResourceData) *management.Client {
 	config := data.GetRawConfig()
 
 	client := &management.Client{
-		Name:                           value.String(config.GetAttr("name")),
-		Description:                    value.String(config.GetAttr("description")),
-		AppType:                        value.String(config.GetAttr("app_type")),
-		LogoURI:                        value.String(config.GetAttr("logo_uri")),
-		IsFirstParty:                   value.Bool(config.GetAttr("is_first_party")),
-		OIDCConformant:                 value.Bool(config.GetAttr("oidc_conformant")),
-		ClientAliases:                  value.Strings(config.GetAttr("client_aliases")),
-		Callbacks:                      value.Strings(config.GetAttr("callbacks")),
-		AllowedLogoutURLs:              value.Strings(config.GetAttr("allowed_logout_urls")),
-		AllowedOrigins:                 value.Strings(config.GetAttr("allowed_origins")),
-		AllowedClients:                 value.Strings(config.GetAttr("allowed_clients")),
-		GrantTypes:                     value.Strings(config.GetAttr("grant_types")),
-		OrganizationUsage:              value.String(config.GetAttr("organization_usage")),
-		OrganizationRequireBehavior:    value.String(config.GetAttr("organization_require_behavior")),
-		WebOrigins:                     value.Strings(config.GetAttr("web_origins")),
-		SSO:                            value.Bool(config.GetAttr("sso")),
-		SSODisabled:                    value.Bool(config.GetAttr("sso_disabled")),
-		CrossOriginAuth:                value.Bool(config.GetAttr("cross_origin_auth")),
-		CrossOriginLocation:            value.String(config.GetAttr("cross_origin_loc")),
-		CustomLoginPageOn:              value.Bool(config.GetAttr("custom_login_page_on")),
-		CustomLoginPage:                value.String(config.GetAttr("custom_login_page")),
-		FormTemplate:                   value.String(config.GetAttr("form_template")),
-		InitiateLoginURI:               value.String(config.GetAttr("initiate_login_uri")),
-		EncryptionKey:                  value.MapOfStrings(config.GetAttr("encryption_key")),
-		IsTokenEndpointIPHeaderTrusted: value.Bool(config.GetAttr("is_token_endpoint_ip_header_trusted")),
-		OIDCBackchannelLogout:          expandOIDCBackchannelLogout(data),
-		ClientMetadata:                 expandClientMetadata(data),
-		RefreshToken:                   expandClientRefreshToken(data),
-		JWTConfiguration:               expandClientJWTConfiguration(data),
-		Addons:                         expandClientAddons(data),
-		NativeSocialLogin:              expandClientNativeSocialLogin(data),
-		Mobile:                         expandClientMobile(data),
+		Name:                               value.String(config.GetAttr("name")),
+		Description:                        value.String(config.GetAttr("description")),
+		AppType:                            value.String(config.GetAttr("app_type")),
+		LogoURI:                            value.String(config.GetAttr("logo_uri")),
+		IsFirstParty:                       value.Bool(config.GetAttr("is_first_party")),
+		OIDCConformant:                     value.Bool(config.GetAttr("oidc_conformant")),
+		ClientAliases:                      value.Strings(config.GetAttr("client_aliases")),
+		Callbacks:                          value.Strings(config.GetAttr("callbacks")),
+		AllowedLogoutURLs:                  value.Strings(config.GetAttr("allowed_logout_urls")),
+		AllowedOrigins:                     value.Strings(config.GetAttr("allowed_origins")),
+		AllowedClients:                     value.Strings(config.GetAttr("allowed_clients")),
+		GrantTypes:                         value.Strings(config.GetAttr("grant_types")),
+		OrganizationUsage:                  value.String(config.GetAttr("organization_usage")),
+		OrganizationRequireBehavior:        value.String(config.GetAttr("organization_require_behavior")),
+		WebOrigins:                         value.Strings(config.GetAttr("web_origins")),
+		RequirePushedAuthorizationRequests: value.Bool(config.GetAttr("require_pushed_authorization_requests")),
+		SSO:                                value.Bool(config.GetAttr("sso")),
+		SSODisabled:                        value.Bool(config.GetAttr("sso_disabled")),
+		CrossOriginAuth:                    value.Bool(config.GetAttr("cross_origin_auth")),
+		CrossOriginLocation:                value.String(config.GetAttr("cross_origin_loc")),
+		CustomLoginPageOn:                  value.Bool(config.GetAttr("custom_login_page_on")),
+		CustomLoginPage:                    value.String(config.GetAttr("custom_login_page")),
+		FormTemplate:                       value.String(config.GetAttr("form_template")),
+		InitiateLoginURI:                   value.String(config.GetAttr("initiate_login_uri")),
+		EncryptionKey:                      value.MapOfStrings(config.GetAttr("encryption_key")),
+		IsTokenEndpointIPHeaderTrusted:     value.Bool(config.GetAttr("is_token_endpoint_ip_header_trusted")),
+		OIDCBackchannelLogout:              expandOIDCBackchannelLogout(data),
+		ClientMetadata:                     expandClientMetadata(data),
+		RefreshToken:                       expandClientRefreshToken(data),
+		JWTConfiguration:                   expandClientJWTConfiguration(data),
+		Addons:                             expandClientAddons(data),
+		NativeSocialLogin:                  expandClientNativeSocialLogin(data),
+		Mobile:                             expandClientMobile(data),
 	}
 
 	if data.IsNewResource() && client.IsTokenEndpointIPHeaderTrusted != nil {

internal/auth0/client/flatten.go

@@ -542,6 +542,7 @@ func flattenClient(data *schema.ResourceData, client *management.Client) error {
 		data.Set("signing_keys", client.SigningKeys),
 		data.Set("client_metadata", client.GetClientMetadata()),
 		data.Set("oidc_backchannel_logout_urls", client.GetOIDCBackchannelLogout().GetBackChannelLogoutURLs()),
+		data.Set("require_pushed_authorization_requests", client.GetRequirePushedAuthorizationRequests()),
 	)
 	return result.ErrorOrNil()
 }

internal/auth0/client/resource.go

@@ -250,6 +250,11 @@ func NewResource() *schema.Resource {
 					"alphanumeric and may only include the following special characters: " +
 					"`:,-+=_*?\"/\\()<>@ [Tab] [Space]`.",
 			},
+			"require_pushed_authorization_requests": {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Description: "Makes the use of Pushed Authorization Requests mandatory for this client.",
+			},
 			"mobile": {
 				Type:        schema.TypeList,
 				Optional:    true,

internal/auth0/client/resource_test.go

@@ -461,6 +461,7 @@ resource "auth0_client" "my_client" {
 	logo_uri = "https://example.com/logoUri"
 	organization_require_behavior = "no_prompt"
 	organization_usage = "deny"
+	require_pushed_authorization_requests = false
 	sso = false
 	sso_disabled = false
 	custom_login_page_on = true
@@ -492,6 +493,7 @@ resource "auth0_client" "my_client" {
 	logo_uri = "https://another-example.com/logoUri"
 	organization_require_behavior = "no_prompt"
 	organization_usage = "deny"
+	require_pushed_authorization_requests = true
 	sso = true
 	sso_disabled = true
 	custom_login_page_on = true
@@ -582,6 +584,7 @@ func TestAccClient(t *testing.T) {
 					resource.TestCheckResourceAttr("auth0_client.my_client", "organization_require_behavior", "no_prompt"),
 					resource.TestCheckResourceAttr("auth0_client.my_client", "organization_usage", "deny"),
 					resource.TestCheckResourceAttr("auth0_client.my_client", "sso", "false"),
+					resource.TestCheckResourceAttr("auth0_client.my_client", "require_pushed_authorization_requests", "false"),
 					resource.TestCheckResourceAttr("auth0_client.my_client", "sso_disabled", "false"),
 					resource.TestCheckResourceAttr("auth0_client.my_client", "custom_login_page_on", "true"),
 					resource.TestCheckResourceAttr("auth0_client.my_client", "is_first_party", "true"),
@@ -644,6 +647,7 @@ func TestAccClient(t *testing.T) {
 					resource.TestCheckResourceAttr("auth0_client.my_client", "logo_uri", "https://another-example.com/logoUri"),
 					resource.TestCheckResourceAttr("auth0_client.my_client", "organization_require_behavior", "no_prompt"),
 					resource.TestCheckResourceAttr("auth0_client.my_client", "organization_usage", "deny"),
+					resource.TestCheckResourceAttr("auth0_client.my_client", "require_pushed_authorization_requests", "true"),
 					resource.TestCheckResourceAttr("auth0_client.my_client", "sso", "true"),
 					resource.TestCheckResourceAttr("auth0_client.my_client", "sso_disabled", "true"),
 					resource.TestCheckResourceAttr("auth0_client.my_client", "custom_login_page_on", "true"),

internal/auth0/tenant/expand.go

@@ -65,6 +65,7 @@ func expandTenantFlags(config cty.Value) *management.TenantFlags {
 			DashboardInsightsView:              value.Bool(flags.GetAttr("dashboard_insights_view")),
 			DisableFieldsMapFix:                value.Bool(flags.GetAttr("disable_fields_map_fix")),
 			MFAShowFactorListOnEnrollment:      value.Bool(flags.GetAttr("mfa_show_factor_list_on_enrollment")),
+			RequirePushedAuthorizationRequests: value.Bool(flags.GetAttr("require_pushed_authorization_requests")),
 		}
 
 		return stop

internal/auth0/tenant/flatten.go

@@ -56,6 +56,7 @@ func flattenTenantFlags(flags *management.TenantFlags) []interface{} {
 	m["dashboard_insights_view"] = flags.DashboardInsightsView
 	m["disable_fields_map_fix"] = flags.DisableFieldsMapFix
 	m["mfa_show_factor_list_on_enrollment"] = flags.MFAShowFactorListOnEnrollment
+	m["require_pushed_authorization_requests"] = flags.RequirePushedAuthorizationRequests
 
 	return []interface{}{m}
 }

internal/auth0/tenant/resource.go

@@ -242,6 +242,12 @@ func NewResource() *schema.Resource {
 							Computed:    true,
 							Description: "Used to allow users to pick which factor to enroll with from the list of available MFA factors.",
 						},
+						"require_pushed_authorization_requests": {
+							Type:        schema.TypeBool,
+							Optional:    true,
+							Computed:    true,
+							Description: "Makes the use of Pushed Authorization Requests mandatory for all clients across the tenant.",
+						},
 					},
 				},
 			},

internal/auth0/tenant/resource_test.go

@@ -102,6 +102,7 @@ resource "auth0_tenant" "my_tenant" {
 		disable_management_api_sms_obfuscation = false
 		disable_fields_map_fix                 = false
 		mfa_show_factor_list_on_enrollment     = false
+		require_pushed_authorization_requests  = false
 	}
 
 	session_cookie {
@@ -136,6 +137,7 @@ resource "auth0_tenant" "my_tenant" {
 		disable_management_api_sms_obfuscation = true
 		disable_fields_map_fix                 = true
 		mfa_show_factor_list_on_enrollment     = true
+		require_pushed_authorization_requests  = true
 	}
 
 	session_cookie {