Add OIDC backchannel initiators

[bryanroute]

🔧 Changes

This adds two new properties to the auth0_client resource:

oidc_backchannel_logout_initiators_mode to set the mode for which initiators should get a logout token. Valid values are "all" or "custom"

oidc_backchannel_logout_initiators to set which specific initiators should get a logout token if the mode is set to "custom"

This allows all the configuration around the OIDC backchannel logout to be set via terraform where as currently you can only set the URL and nothing else.

Worth calling out this is my first PR working with a terraform provider so if I'm missing something about the terraform SDK and how it is supposed to work I apologize in advance. I just really want this functionality added and this seems to do it.

📚 References

Addresses this open issue with the proposed design
#1030

Also addresses this support ticket: https://support.auth0.com/tickets/02368461

🔬 Testing

Test checks were added to the existing tests however http recordings need to be regenerated for the tests to pass and it appears from what I could figure that has to be done by someone that has access to the test tenant terraform-provider-auth0-dev.eu.auth0.com

I did run the e2e tests against my own test tenant and everything passed except for some tests related to features not enabled in my test tenant.

This was manually tested and verified by creating a client with none of the back channel properties set, one with the mode all and one with the mode custom. Everything appears to function as I expected.

I do have an open question whether the approach to handling the default mode/initiators is the correct one however I'm not sure of a better approach and the behavior seems to mirror similar behavior I've observed with other terraform providers I've worked with.

📝 Checklist

• All new/changed/fixed functionality is covered by tests (or N/A)
• I have added documentation for all new/changed functionality (or N/A)

[developerkunal]

Perhaps it would be better to create a nested OIDCLogout structure instead of the current approach, as oidc_backchannel_logout_urls already contains other values. Instead of removing oidc_backchannel_logout_urls, we can deprecate it and introduce OIDCLogout, with nested properties such as oidc_backchannel_logout_urls and BackChannelLogoutInitiators, similar to the implementation in the SDK. This approach ensures backward compatibility, as it's not going to be a major release.

[bryanroute]

The concern I had with that approach is you introduce the potential of setting the back channel logout urls in two different places, via the depreciated property and via the new nested properties. I imagine the Auth0 API will reject if you try that but I wasn't sure?

I also was trying to follow the proposal in this issue #1030
Generally I do prefer flat json to nested properties.

It seems the main reason for this change is your comment about backwards compatibility. These properties exist on the API and are set even though you can't control them via terraform currently. I guess the concern is someone gets a provider update and then it will try to set them back to the default values if they don't add their current values to their terraform? I can see that would be an issue. I just hate resorting to nested JSON but I suppose there isn't a better option.

[developerkunal]

Same here don't remove this just deprecate this.

[developerkunal]

Perhaps it would be better to create a nested OIDCLogout structure instead of the current approach, as oidc_backchannel_logout_urls already contains other values. We can deprecate oidc_backchannel_logout_urls and introduce OIDCLogout, with nested properties such as oidc_backchannel_logout_urls and BackChannelLogoutInitiators, similar to the implementation in the SDK.

[bryanroute]

@developerkunal I just updated with your suggestion of using a oidc_logout block with nested attributes. There are still some failing tests when I run E2E in my test tenant not related to features we don't have enabled.

The problem appears to be that the API returns the logout urls both in the OIDCBackchannelLogout object and the OIDCLogout object. I've tried a couple different approaches but rolled them back because they all had unintended side effects. The problem is we don't necessarily know which approach in the flatten to take, ignore the old setting or ignore the new one. The paths I've gone down have all caused another test to fail. I'm going to step away and then come back at it fresh. If you have any suggestions for handling it I'd appreciate them.

[Seha16]

Should we mark this one as deprecated as well?

[bryanroute]

Do we want to change the data source to pull back the data differently? I didn't change the data source to add the new nested structure and this is auto generated from that so that is why it isn't marked as depreciated.

[Seha16]

yeah, make sense, for client retrieval it is probably not deprecated.

[Seha16]

@developerkunal I just updated with your suggestion of using a oidc_logout block with nested attributes. There are still some failing tests when I run E2E in my test tenant not related to features we don't have enabled.

The problem appears to be that the API returns the logout urls both in the OIDCBackchannelLogout object and the OIDCLogout object. I've tried a couple different approaches but rolled them back because they all had unintended side effects. The problem is we don't necessarily know which approach in the flatten to take, ignore the old setting or ignore the new one. The paths I've gone down have all caused another test to fail. I'm going to step away and then come back at it fresh. If you have any suggestions for handling it I'd appreciate them.

@bryanroute If I understand you correctly, I think, it's better to ignore old setting oidc_backchannel_logout_urls because if there is introduced a new block oidc_logout, it requires backchannel_logout_urls in it. Thus it guarantees that Backchannel Logout URL will be present in the execution plan.

[bryanroute]

@Seha16 I'm not sure I understand your suggestion. If I don't set the old oidc_backchannel_logout_urls then won't that generate a unexpected plan diff for someone using the old property and not implementing the new block?

I'm not sure if I'm understanding your suggestion.

[Seha16]

@bryanroute I just wanted to reply on your message

The problem is we don't necessarily know which approach in the flatten to take, ignore the old setting or ignore the new one.

And I want to say that I like you current implementation and agree with you to ignore oidc_backchannel_logout_urls if oidc_logout is introduced:

func flattenOIDCBackchannelURLs(backchannelLogout *management.OIDCBackchannelLogout, logout *management.OIDCLogout) []string {
  if logout != nil {
    return nil
  } else {
    return backchannelLogout.GetBackChannelLogoutURLs()
  }
}

...

data.Set("oidc_backchannel_logout_urls", flattenOIDCBackchannelURLs(client.GetOIDCBackchannelLogout(), client.GetOIDCLogout())),
data.Set("oidc_logout", flattenOIDCLogout(client.GetOIDCLogout())),

There was silence in this PR and no replies on your comments for a while. So I thought voting for your solution may bring some attention of the project contributors.

[bryanroute]

Ah @Seha16 I thought you were from Auth0. I got a message on my support ticket tracking the missing functionality. They are supposed to be reviewing my PR soon and figured that you were the one doing so. Appreciate drawing attention to it. I'm hoping I hear back from the team soon so we can get this functionality.