Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

okta_app_oauth - remove force_new? #1890

Open
exitcode0 opened this issue Feb 1, 2024 · 3 comments
Open

okta_app_oauth - remove force_new? #1890

exitcode0 opened this issue Feb 1, 2024 · 3 comments
Labels
enhancement Asking for new behavior or feature triaged Triaged into internal Jira

Comments

@exitcode0
Copy link
Contributor

exitcode0 commented Feb 1, 2024
edited
Loading

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

okta_app_oauth uses force_new to taint the resource if omit_secret ever changes from false -> True
I'm wondering if we need to do this given that a while ago Okta added the capability for Applications to have multiple credentials to improve the experience when rotating credentials

Now that this is available, we can potentially avoid re-creating the application and rotating the application's id and instead replace the client_secret with a new randomly generated client_secret, then we don't persist this new secret's value to state

If we avoid re-creating the entire application, we likely reduce our exposure to eventual consistency in the Okta API

Perhaps instead the client secrets should be separated into their own discrete resource? 🤔 💭

New or Affected Resource(s)

  • okta_app_oauth
  • okta_client_secret
  • okta_app_oauth_client_secret

References
@exitcode0 exitcode0 added the enhancement Asking for new behavior or feature label Feb 1, 2024
@exitcode0
Copy link
Contributor Author

CC: @tgoodsell-tempus
given you raised #1852 you likely have some context / more informed opinions here

@duytiennguyen-okta duytiennguyen-okta added the triaged Triaged into internal Jira label Feb 6, 2024
@duytiennguyen-okta
Copy link
Contributor

OKTA internal reference https://oktainc.atlassian.net/browse/OKTA-693022

@tgoodsell-tempus
Copy link
Contributor

CC: @tgoodsell-tempus given you raised #1852 you likely have some context / more informed opinions here

The issue we have is the apps API still supports the legacy method for controlling the client secret, which only supports a single secret string. This support likely just needs to be removed entirely, and swapped over to the new API which supports the multiple secret option as a new standalone resource.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement Asking for new behavior or feature triaged Triaged into internal Jira
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@exitcode0 @tgoodsell-tempus @duytiennguyen-okta