Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for OAuth scope handling #282

Merged
merged 4 commits into from
Jun 20, 2024
Merged

Conversation

mmanes
Copy link
Contributor

@mmanes mmanes commented Jun 19, 2024

Add OAuth configuration support for:

  • scope_handling_policy
  • unknown_scope_policy
  • relationship
  • consent_mode

Add userinfo_populate_lambda_id.
Update provided_scope_policy to not want to re-apply on every run.

Fixes #283

mmanes added 2 commits June 18, 2024 19:03
* scope_handling_policy
* unknown_scope_policy
* relationship
* consent_mode

Add userinfo_populate_lambda_id
@mmanes mmanes requested a review from spwitt June 19, 2024 01:23
@mmanes mmanes assigned mmanes and unassigned mmanes Jun 19, 2024
"scope_handling_policy": {
Type: schema.TypeString,
Optional: true,
Default: fusionauth.OAuthScopeHandlingPolicy_Strict.String(),
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While this matches the API defaults, should we make it default to Compatibility to prevent breaking existing TF configs?

It may be possible to add some special handling so that it only sets it to Strict on create, and not overwrite existing applications.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that it's good to keep the same default between the API and TF. It wasn't immediately obvious how to customize the default, but I would assume it's possible. It sounds like the Default here is static and cannot be customized.

CustomizeDiff could be useful, but that may only be used to decide whether changes need to be applied.

The issue is still present in older versions of the provider. I believe that's because the provider uses PUT instead of PATCH methods on the client calls. With no value provided, it will use the default of Strict in the API.

The data migration for 1.50.0 includes setting existing applications to Compatibility mode. Would it be unreasonable to expect provider users to update their TF state after an upgrade? If the new fields are available on the provider resource, I would expect that updating the state would pull in the migrated values from the application and then continue setting them when the configuration is applied in the future.

@mmanes mmanes marked this pull request as ready for review June 19, 2024 01:31
Copy link
Contributor

@spwitt spwitt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My preference is for the provider default to match the API default. For now I think it is best to add a note that provider users should update their state prior to applying configuration. Unless that is very unusual to do.

docs/resources/application.md Outdated Show resolved Hide resolved
"scope_handling_policy": {
Type: schema.TypeString,
Optional: true,
Default: fusionauth.OAuthScopeHandlingPolicy_Strict.String(),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that it's good to keep the same default between the API and TF. It wasn't immediately obvious how to customize the default, but I would assume it's possible. It sounds like the Default here is static and cannot be customized.

CustomizeDiff could be useful, but that may only be used to decide whether changes need to be applied.

The issue is still present in older versions of the provider. I believe that's because the provider uses PUT instead of PATCH methods on the client calls. With no value provided, it will use the default of Strict in the API.

The data migration for 1.50.0 includes setting existing applications to Compatibility mode. Would it be unreasonable to expect provider users to update their TF state after an upgrade? If the new fields are available on the provider resource, I would expect that updating the state would pull in the migrated values from the application and then continue setting them when the configuration is applied in the future.

Elem: newOAuthConfigurationScopePolicy(),
"scope_handling_policy": {
Type: schema.TypeString,
Optional: true,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's make this field required as discussed. The data migration set this to Compatibility to maintain backwards compatibility, but new applications set it to Strict.

},
"unknown_scope_policy": {
Type: schema.TypeString,
Optional: true,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's make this one required as well. The migration set this to Allow in case existing applications were relying on unknown scopes being passed through. New applications set this to Reject by default.

@mmanes mmanes merged commit 64ced6b into main Jun 20, 2024
1 check passed
@mmanes mmanes deleted the mmanes/scope_handling_policy branch June 20, 2024 17:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Missing scope_handling_policy overwrites existing application to Strict
2 participants