add pkce_required for okta_idp_oidc

okta/resource_okta_idp_oidc.go

@@ -44,13 +44,20 @@ func resourceIdpOidc() *schema.Resource {
 				Optional: true,
 			},
 			"client_id": {
-				Type:     schema.TypeString,
-				Required: true,
+				Type:        schema.TypeString,
+				Required:    true,
+				Description: "Unique identifier (opens new window)issued by the AS for the Okta IdP instance",
 			},
 			"client_secret": {
-				Type:      schema.TypeString,
-				Required:  true,
-				Sensitive: true,
+				Type:        schema.TypeString,
+				Required:    true,
+				Sensitive:   true,
+				Description: "Client secret issued (opens new window)by the AS for the Okta IdP instance",
+			},
+			"pkce_required": {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Description: "Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/idps/#oauth-2-0-and-openid-connect-client-object",
 			},
 			"issuer_url": {
 				Type:     schema.TypeString,
@@ -116,6 +123,9 @@ func resourceIdpRead(ctx context.Context, d *schema.ResourceData, m interface{})
 	_ = d.Set("issuer_url", idp.Protocol.Issuer.Url)
 	_ = d.Set("client_secret", idp.Protocol.Credentials.Client.ClientSecret)
 	_ = d.Set("client_id", idp.Protocol.Credentials.Client.ClientId)
+	if idp.Protocol.Credentials.Client.PKCERequired != nil {
+		_ = d.Set("pkce_required", idp.Protocol.Credentials.Client.PKCERequired)
+	}
 	syncEndpoint("authorization", idp.Protocol.Endpoints.Authorization, d)
 	syncEndpoint("token", idp.Protocol.Endpoints.Token, d)
 	syncEndpoint("user_info", idp.Protocol.Endpoints.UserInfo, d)
@@ -172,6 +182,14 @@ func buildIdPOidc(d *schema.ResourceData) (sdk.IdentityProvider, error) {
 		len(d.Get("subject_match_attribute").(string)) > 0 {
 		return sdk.IdentityProvider{}, errors.New("you can only provide 'subject_match_attribute' with 'subject_match_type' set to 'CUSTOM_ATTRIBUTE'")
 	}
+	client := &sdk.IdentityProviderCredentialsClient{
+		ClientId:     d.Get("client_id").(string),
+		ClientSecret: d.Get("client_secret").(string),
+	}
+	pkceVal := d.GetRawConfig().GetAttr("pkce_required")
+	if !pkceVal.IsNull() {
+		client.PKCERequired = boolPtr(d.Get("pkce_required").(bool))
+	}
 	idp := sdk.IdentityProvider{
 		Name:       d.Get("name").(string),
 		Type:       "OIDC",
@@ -194,10 +212,7 @@ func buildIdPOidc(d *schema.ResourceData) (sdk.IdentityProvider, error) {
 			Scopes:     convertInterfaceToStringSet(d.Get("scopes")),
 			Type:       d.Get("protocol_type").(string),
 			Credentials: &sdk.IdentityProviderCredentials{
-				Client: &sdk.IdentityProviderCredentialsClient{
-					ClientId:     d.Get("client_id").(string),
-					ClientSecret: d.Get("client_secret").(string),
-				},
+				Client: client,
 			},
 			Issuer: &sdk.ProtocolEndpoint{
 				Url: d.Get("issuer_url").(string),

okta/resource_okta_idp_oidc_test.go

@@ -124,3 +124,92 @@ resource "okta_idp_oidc" "test" {
 		},
 	})
 }
+
+func TestAccResourceOktaIdpOidc_pkce_required(t *testing.T) {
+	config1 := `
+resource "okta_idp_oidc" "test" {
+  name                  = "testAcc_replace_with_uuid"
+  authorization_url     = "https://idp.example.com/authorize"
+  authorization_binding = "HTTP-REDIRECT"
+  token_url             = "https://idp.example.com/token"
+  token_binding         = "HTTP-POST"
+  user_info_url         = "https://idp.example.com/userinfo"
+  user_info_binding     = "HTTP-REDIRECT"
+  jwks_url              = "https://idp.example.com/keys"
+  jwks_binding          = "HTTP-REDIRECT"
+  scopes                = ["openid"]
+  client_id             = "efg456"
+  client_secret         = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+  issuer_url            = "https://id.example.com"
+  username_template     = "idpuser.email"
+}`
+	config2 := `
+resource "okta_idp_oidc" "test" {
+  name                  = "testAcc_replace_with_uuid"
+  authorization_url     = "https://idp.example.com/authorize"
+  authorization_binding = "HTTP-REDIRECT"
+  token_url             = "https://idp.example.com/token"
+  token_binding         = "HTTP-POST"
+  user_info_url         = "https://idp.example.com/userinfo"
+  user_info_binding     = "HTTP-REDIRECT"
+  jwks_url              = "https://idp.example.com/keys"
+  jwks_binding          = "HTTP-REDIRECT"
+  scopes                = ["openid"]
+  client_id             = "abc123"
+  client_secret         = "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
+  issuer_url            = "https://id.example.com"
+  username_template     = "idpuser.email"
+  pkce_required			= false
+}`
+
+	mgr := newFixtureManager("resources", idpOidc, t.Name())
+	resourceName := fmt.Sprintf("%s.test", idpOidc)
+
+	oktaResourceTest(t, resource.TestCase{
+		PreCheck:          testAccPreCheck(t),
+		ErrorCheck:        testAccErrorChecks(t),
+		ProviderFactories: testAccProvidersFactories,
+		CheckDestroy:      checkResourceDestroy(idpOidc, createDoesIdpExist),
+		Steps: []resource.TestStep{
+			{
+				Config: mgr.ConfigReplace(config1),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "name", buildResourceName(mgr.Seed)),
+					resource.TestCheckResourceAttr(resourceName, "authorization_url", "https://idp.example.com/authorize"),
+					resource.TestCheckResourceAttr(resourceName, "authorization_binding", "HTTP-REDIRECT"),
+					resource.TestCheckResourceAttr(resourceName, "token_url", "https://idp.example.com/token"),
+					resource.TestCheckResourceAttr(resourceName, "token_binding", "HTTP-POST"),
+					resource.TestCheckResourceAttr(resourceName, "user_info_url", "https://idp.example.com/userinfo"),
+					resource.TestCheckResourceAttr(resourceName, "user_info_binding", "HTTP-REDIRECT"),
+					resource.TestCheckResourceAttr(resourceName, "jwks_url", "https://idp.example.com/keys"),
+					resource.TestCheckResourceAttr(resourceName, "jwks_binding", "HTTP-REDIRECT"),
+					resource.TestCheckResourceAttr(resourceName, "client_id", "efg456"),
+					resource.TestCheckResourceAttr(resourceName, "client_secret", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"),
+					resource.TestCheckResourceAttr(resourceName, "issuer_url", "https://id.example.com"),
+					resource.TestCheckResourceAttr(resourceName, "username_template", "idpuser.email"),
+					resource.TestCheckNoResourceAttr(resourceName, "pkce_required"),
+				),
+			},
+			{
+				Config: mgr.ConfigReplace(config2),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "name", buildResourceName(mgr.Seed)),
+					resource.TestCheckResourceAttr(resourceName, "authorization_url", "https://idp.example.com/authorize"),
+					resource.TestCheckResourceAttr(resourceName, "authorization_binding", "HTTP-REDIRECT"),
+					resource.TestCheckResourceAttr(resourceName, "token_url", "https://idp.example.com/token"),
+					resource.TestCheckResourceAttr(resourceName, "token_binding", "HTTP-POST"),
+					resource.TestCheckResourceAttr(resourceName, "user_info_url", "https://idp.example.com/userinfo"),
+					resource.TestCheckResourceAttr(resourceName, "user_info_binding", "HTTP-REDIRECT"),
+					resource.TestCheckResourceAttr(resourceName, "jwks_url", "https://idp.example.com/keys"),
+					resource.TestCheckResourceAttr(resourceName, "jwks_binding", "HTTP-REDIRECT"),
+					resource.TestCheckResourceAttr(resourceName, "client_id", "abc123"),
+					resource.TestCheckResourceAttr(resourceName, "client_secret", "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"),
+					resource.TestCheckResourceAttr(resourceName, "issuer_url", "https://id.example.com"),
+					resource.TestCheckResourceAttr(resourceName, "username_template", "idpuser.email"),
+					resource.TestCheckResourceAttr(resourceName, "pkce_required", "false"),
+				),
+			},
+		},
+	})
+
+}

sdk/v2_identityProviderCredentialsClient.go

@@ -4,4 +4,5 @@ package sdk
 type IdentityProviderCredentialsClient struct {
 	ClientId     string `json:"client_id,omitempty"`
 	ClientSecret string `json:"client_secret,omitempty"`
+	PKCERequired *bool `json:"pkce_required"`
 }