allow refresh token removal

examples/okta_app_oauth/refresh_second_update.tf

@@ -0,0 +1,13 @@
+resource "okta_app_oauth" "test" {
+  label                  = "testAcc_replace_with_uuid"
+  status                 = "ACTIVE"
+  type                   = "browser"
+  grant_types            = ["authorization_code"]
+  redirect_uris          = ["http://d.com/aaa"]
+  response_types         = ["code"]
+  hide_ios               = true
+  hide_web               = true
+  auto_submit_toolbar    = false
+  refresh_token_rotation = "ROTATE"
+  refresh_token_leeway   = 30
+}

okta/resource_okta_app_oauth.go

@@ -770,21 +770,31 @@ func buildAppOAuth(d *schema.ResourceData) *sdk.OpenIdConnectApplication {
 	}
 
 	refresh := &sdk.OpenIdConnectApplicationSettingsRefreshToken{}
-	hasRefresh := false
+	var hasRefresh bool
+	for _, grant_type := range grantTypes {
+		if grant_type == refreshToken {
+			hasRefresh = true
+			break
+		}
+	}
 	if rotate, ok := d.GetOk("refresh_token_rotation"); ok {
 		refresh.RotationType = rotate.(string)
-		hasRefresh = true
 	}
 
 	if leeway, ok := d.GetOk("refresh_token_leeway"); ok {
 		refresh.LeewayPtr = int64Ptr(leeway.(int))
-		hasRefresh = true
 	}
 
 	if hasRefresh {
 		app.Settings.OauthClient.RefreshToken = refresh
 	}
 
+	// TODO: need to put a warning
+	// if !hasRefresh && refresh != nil {
+	// 	return nil, errors.New("does not have refresh grant type but refresh_token_rotation and refresh_token_leeway exist in payload")
+	// }
+	// TODO unset refresh_token_rotation, refresh_token_leeway
+
 	app.Visibility = buildAppVisibility(d)
 	app.Accessibility = buildAppAccessibility(d)
 

okta/resource_okta_app_oauth_test.go

@@ -91,6 +91,7 @@ func TestAccResourceOktaAppOauth_refreshToken(t *testing.T) {
 	mgr := newFixtureManager(appOAuth, t.Name())
 	config := mgr.GetFixtures("refresh.tf", t)
 	update := mgr.GetFixtures("refresh_update.tf", t)
+	secondUpdate := mgr.GetFixtures("refresh_second_update.tf", t)
 	resourceName := fmt.Sprintf("%s.test", appOAuth)
 
 	oktaResourceTest(t, resource.TestCase{
@@ -107,7 +108,7 @@ func TestAccResourceOktaAppOauth_refreshToken(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, "type", "browser"),
 					resource.TestCheckResourceAttr(resourceName, "grant_types.#", "2"),
 					resource.TestCheckResourceAttr(resourceName, "refresh_token_rotation", "STATIC"),
-					resource.TestCheckResourceAttr(resourceName, "refresh_token_leeway", "0"),
+					resource.TestCheckNoResourceAttr(resourceName, "refresh_token_leeway"),
 				),
 			},
 			{
@@ -121,6 +122,17 @@ func TestAccResourceOktaAppOauth_refreshToken(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, "refresh_token_leeway", "30"),
 				),
 			},
+			{
+				Config: secondUpdate,
+				Check: resource.ComposeTestCheckFunc(
+					ensureResourceExists(resourceName, createDoesAppExist(sdk.NewOpenIdConnectApplication())),
+					resource.TestCheckResourceAttr(resourceName, "label", buildResourceName(mgr.Seed)),
+					resource.TestCheckResourceAttr(resourceName, "type", "browser"),
+					resource.TestCheckResourceAttr(resourceName, "grant_types.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "refresh_token_rotation", "ROTATE"),
+					resource.TestCheckResourceAttr(resourceName, "refresh_token_leeway", "30"),
+				),
+			},
 		},
 	})
 }