Merge pull request #1720 from okta/pr_1715_tgoodsell-tempus

@tgoodsell-tempus's #1715
okta · Sep 12, 2023 · 918083e · 918083e
2 parents ed0ce6f + fff31d3
commit 918083e
Show file tree

Hide file tree

Showing 8 changed files with 1,574 additions and 131 deletions.
diff --git a/GNUmakefile b/GNUmakefile
@@ -25,6 +25,8 @@ DEFAULT_SMOKE_TESTS?=\
   TestAccResourceOktaAppAutoLoginApplication_crud \
   TestAccResourceOktaAppBasicAuthApplication_crud \
   TestAccResourceOktaAppBookmarkApplication_crud \
+  TestAccResourceOktaAppOauth_basic \
+  TestAccResourceOktaAppOauth_serviceWithJWKS \
   TestAccResourceOktaAppSaml_crud \
   TestAccResourceOktaAppSignOnPolicy_crud \
   TestAccResourceOktaAppSignOnPolicy_crud \

diff --git a/examples/okta_app_oauth/service_with_jwks.tf b/examples/okta_app_oauth/service_with_jwks.tf
@@ -7,8 +7,34 @@ resource "okta_app_oauth" "test" {
 
   jwks {
     kty = "RSA"
-    kid = "SIGNING_KEY"
+    kid = "SIGNING_KEY_RSA"
     e   = "AQAB"
     n   = "owfoXNHcAlAVpIO41840ZU2tZraLGw3yEr3xZvAti7oEZPUKCytk88IDgH7440JOuz8GC_D6vtduWOqnEt0j0_faJnhKHgfj7DTWBOCxzSdjrM-Uyj6-e_XLFvZXzYsQvt52PnBJUV15G1W9QTjlghT_pFrW0xrTtbO1c281u1HJdPd5BeIyPb0pGbciySlx53OqGyxrAxPAt5P5h-n36HJkVsSQtNvgptLyOwWYkX50lgnh2szbJ0_O581bqkNBy9uqlnVeK1RZDQUl4mk8roWYhsx_JOgjpC3YyeXA6hHsT5xWZos_gNx98AHivNaAjzIzvyVItX2-hP0Aoscfff"
   }
 }
+
+resource "okta_app_oauth" "test_ec" {
+  label                      = "test_ecAcc_replace_with_uuid"
+  type                       = "service"
+  response_types             = ["token"]
+  grant_types                = ["client_credentials"]
+  token_endpoint_auth_method = "private_key_jwt"
+
+  jwks {
+    kty = "EC"
+    kid = "SIGNING_KEY_EC"
+    x   = "K37X78mXJHHldZYMzrwipjKR-YZUS2SMye0KindHp6I"
+    y   = "8IfvsvXWzbFWOZoVOMwgF5p46mUj3kbOVf9Fk0vVVHo"
+  }
+}
+
+# Test EC Key
+# {
+#     "kty": "EC",
+#     "use": "sig",
+#     "crv": "P-256",
+#     "kid": "testing",
+#     "x": "K37X78mXJHHldZYMzrwipjKR-YZUS2SMye0KindHp6I",
+#     "y": "8IfvsvXWzbFWOZoVOMwgF5p46mUj3kbOVf9Fk0vVVHo",
+#     "alg": "ES256"
+# }
diff --git a/okta/resource_okta_app_oauth.go b/okta/resource_okta_app_oauth.go
@@ -325,6 +325,16 @@ func resourceAppOAuth() *schema.Resource {
 							Optional:    true,
 							Description: "RSA Modulus",
 						},
+						"x": {
+							Type:        schema.TypeString,
+							Optional:    true,
+							Description: "X coordinate of the elliptic curve point",
+						},
+						"y": {
+							Type:        schema.TypeString,
+							Optional:    true,
+							Description: "Y coordinate of the elliptic curve point",
+						},
 					},
 				},
 			},
@@ -595,11 +605,21 @@ func setOAuthClientSettings(d *schema.ResourceData, oauthClient *sdk.OpenIdConne
 		jwks := oauthClient.Jwks.Keys
 		arr := make([]map[string]interface{}, len(jwks))
 		for i, jwk := range jwks {
-			arr[i] = map[string]interface{}{
-				"kty": jwk.Kty,
-				"kid": jwk.Kid,
-				"e":   jwk.E,
-				"n":   jwk.N,
+			if jwk.Kty == "RSA" && jwk.E != "" && jwk.N != "" {
+				arr[i] = map[string]interface{}{
+					"kty": jwk.Kty,
+					"kid": jwk.Kid,
+					"e":   jwk.E,
+					"n":   jwk.N,
+				}
+			}
+			if jwk.Kty == "EC" && jwk.X != "" && jwk.Y != "" {
+				arr[i] = map[string]interface{}{
+					"kty": jwk.Kty,
+					"kid": jwk.Kid,
+					"x":   jwk.X,
+					"y":   jwk.Y,
+				}
 			}
 		}
 		err := setNonPrimitives(d, map[string]interface{}{"jwks": arr})
@@ -783,12 +803,19 @@ func buildAppOAuth(d *schema.ResourceData) *sdk.OpenIdConnectApplication {
 	if len(jwks) > 0 {
 		keys := make([]*sdk.JsonWebKey, len(jwks))
 		for i := range jwks {
-			keys[i] = &sdk.JsonWebKey{
+			key := &sdk.JsonWebKey{
 				Kid: d.Get(fmt.Sprintf("jwks.%d.kid", i)).(string),
 				Kty: d.Get(fmt.Sprintf("jwks.%d.kty", i)).(string),
-				E:   d.Get(fmt.Sprintf("jwks.%d.e", i)).(string),
-				N:   d.Get(fmt.Sprintf("jwks.%d.n", i)).(string),
 			}
+			if e, ok := d.Get(fmt.Sprintf("jwks.%d.e", i)).(string); ok {
+				key.E = e
+				key.N = d.Get(fmt.Sprintf("jwks.%d.n", i)).(string)
+			}
+			if x, ok := d.Get(fmt.Sprintf("jwks.%d.x", i)).(string); ok {
+				key.X = x
+				key.Y = d.Get(fmt.Sprintf("jwks.%d.y", i)).(string)
+			}
+			keys[i] = key
 		}
 		app.Settings.OauthClient.Jwks = &sdk.OpenIdConnectApplicationSettingsClientKeys{Keys: keys}
 	}

diff --git a/okta/resource_okta_app_oauth_test.go b/okta/resource_okta_app_oauth_test.go
@@ -266,22 +266,34 @@ func TestAccResourceOktaAppOauth_serviceWithJWKS(t *testing.T) {
 	config := mgr.GetFixtures("service_with_jwks.tf", t)
 	resourceName := fmt.Sprintf("%s.test", appOAuth)
 
+	ecResourceName := fmt.Sprintf("%s.test_ec", appOAuth)
+
 	oktaResourceTest(t, resource.TestCase{
-		PreCheck:          testAccPreCheck(t),
-		ErrorCheck:        testAccErrorChecks(t),
-		ProviderFactories: testAccProvidersFactories,
-		CheckDestroy:      checkResourceDestroy(appOAuth, createDoesAppExist(sdk.NewOpenIdConnectApplication())),
+		PreCheck:                 testAccPreCheck(t),
+		ErrorCheck:               testAccErrorChecks(t),
+		ProtoV5ProviderFactories: testAccMergeProvidersFactories,
+		CheckDestroy:             checkResourceDestroy(appOAuth, createDoesAppExist(sdk.NewOpenIdConnectApplication())),
 		Steps: []resource.TestStep{
 			{
 				Config: config,
 				Check: resource.ComposeTestCheckFunc(
 					ensureResourceExists(resourceName, createDoesAppExist(sdk.NewOpenIdConnectApplication())),
 					resource.TestCheckResourceAttr(resourceName, "jwks.0.kty", "RSA"),
-					resource.TestCheckResourceAttr(resourceName, "jwks.0.kid", "SIGNING_KEY"),
+					resource.TestCheckResourceAttr(resourceName, "jwks.0.kid", "SIGNING_KEY_RSA"),
 					resource.TestCheckResourceAttr(resourceName, "jwks.0.e", "AQAB"),
 					resource.TestCheckResourceAttr(resourceName, "jwks.0.n", "owfoXNHcAlAVpIO41840ZU2tZraLGw3yEr3xZvAti7oEZPUKCytk88IDgH7440JOuz8GC_D6vtduWOqnEt0j0_faJnhKHgfj7DTWBOCxzSdjrM-Uyj6-e_XLFvZXzYsQvt52PnBJUV15G1W9QTjlghT_pFrW0xrTtbO1c281u1HJdPd5BeIyPb0pGbciySlx53OqGyxrAxPAt5P5h-n36HJkVsSQtNvgptLyOwWYkX50lgnh2szbJ0_O581bqkNBy9uqlnVeK1RZDQUl4mk8roWYhsx_JOgjpC3YyeXA6hHsT5xWZos_gNx98AHivNaAjzIzvyVItX2-hP0Aoscfff"),
 				),
 			},
+			{
+				Config: config,
+				Check: resource.ComposeTestCheckFunc(
+					ensureResourceExists(ecResourceName, createDoesAppExist(sdk.NewOpenIdConnectApplication())),
+					resource.TestCheckResourceAttr(ecResourceName, "jwks.0.kty", "EC"),
+					resource.TestCheckResourceAttr(ecResourceName, "jwks.0.kid", "SIGNING_KEY_EC"),
+					resource.TestCheckResourceAttr(ecResourceName, "jwks.0.x", "K37X78mXJHHldZYMzrwipjKR-YZUS2SMye0KindHp6I"),
+					resource.TestCheckResourceAttr(ecResourceName, "jwks.0.y", "8IfvsvXWzbFWOZoVOMwgF5p46mUj3kbOVf9Fk0vVVHo"),
+				),
+			},
 		},
 	})
 }
@@ -352,7 +364,7 @@ func TestAccResourceOktaAppOauth_redirect_uris(t *testing.T) {
 					  "https://*.example.com/"
 					]
 					response_types = ["code"]
-				  }				
+				  }
 				`,
 				Check: resource.ComposeTestCheckFunc(
 					ensureResourceExists(resourceName, createDoesAppExist(sdk.NewOpenIdConnectApplication())),

diff --git a/sdk/v2_jsonWebKey.go b/sdk/v2_jsonWebKey.go
@@ -17,8 +17,10 @@ type JsonWebKey struct {
 	N           string      `json:"n,omitempty"`
 	Status      string      `json:"status,omitempty"`
 	Use         string      `json:"use,omitempty"`
+	X           string      `json:"x,omitempty"` // NOTE: EC X parameter is undocumented in docs and oas3 but still valid in the API
 	X5c         []string    `json:"x5c,omitempty"`
 	X5t         string      `json:"x5t,omitempty"`
 	X5tS256     string      `json:"x5t#S256,omitempty"`
 	X5u         string      `json:"x5u,omitempty"`
+	Y           string      `json:"y,omitempty"` // NOTE: EC Y parameter is undocumented in docs and oas3 but still valid in the API
 }