
add default to refresh token #1738

Merged
merged 3 commits into master from OKTA-626970-add-default-to-refresh-token
Sep 27, 2023

Conversation

duytiennguyen-okta
Copy link
Contributor

@duytiennguyen-okta duytiennguyen-okta commented Sep 25, 2023

In resource okta_app_oauth, sets refresh_token_rotation's default argument to STATIC, and sets refresh_token_leeway's default argument to 0.

@duytiennguyen-okta duytiennguyen-okta marked this pull request as ready for review September 27, 2023 21:11
@monde monde self-requested a review September 27, 2023 21:15
@duytiennguyen-okta duytiennguyen-okta merged commit e3998e2 into master Sep 27, 2023
2 checks passed
@duytiennguyen-okta duytiennguyen-okta deleted the OKTA-626970-add-default-to-refresh-token branch September 27, 2023 21:22
@monde monde mentioned this pull request Oct 9, 2023
@monde
Copy link
Collaborator

monde commented Oct 10, 2023

@thatguysimon
Copy link
Contributor

@duytiennguyen-okta @monde Seems like this needs to be ignored for all okta_app_oauth resources with type = service that use a private key for authentication. We're getting the following error for all of our service apps since upgrading:

│ Error: failed to update OAuth application: the API returned an error: You do not have permission to perform the requested action
│ 
│   with okta_app_oauth.my_service_app,
│   on applications.tf line 55, in resource "okta_app_oauth" "my_service_app":
│   55: resource "okta_app_oauth" "my_service_app" {
│ 

Apps with type = "web" applied this change successfully.

@duytiennguyen-okta
Copy link
Contributor Author

duytiennguyen-okta commented Oct 24, 2023

@thatguysimon what does the tf script look like? Because I don't have that issue with type = "service" and token_endpoint_auth_method = "private_key_jwt". From the error it looks like you don't have permission, rather than the issue coming from the provider.

@thatguysimon
Copy link
Contributor

@duytiennguyen-okta other apps that are not type=service work as expected so I don't think it's a permission issue.
Here's an example for a service app that is having this issue:

resource "okta_app_oauth" "my_service_app" {
  client_id                  = var.my_service_app_id
  label                      = "My service app"
  logo                       = "${path.module}/assets/images/logo.png"
  type                       = "service"
  grant_types                = ["client_credentials"]
  response_types             = ["token"]
  token_endpoint_auth_method = "private_key_jwt"
  login_scopes               = []
  post_logout_redirect_uris  = []
  redirect_uris              = []

  jwks {
    kty = var.my_public_jwk.kty
    e   = var.my_public_jwk.e
    kid = var.my_public_jwk.kid
    n   = var.my_public_jwk.n
  }

  lifecycle {
    ignore_changes = [
      logo,
    ]
  }
}

Here's an OIDC app that works:

resource "okta_app_oauth" "my_oidc_app" {
  client_id           = var.my_client_id
  client_basic_secret = var.my_client_secret
  label               = "My app"
  logo                = "${path.module}/assets/images/logo.png"
  type                = "web"
  issuer_mode         = "DYNAMIC"
  grant_types = [
    "authorization_code", "refresh_token"
  ]
  redirect_uris = [
    "..."
  ]
  response_types = ["code"]
  login_uri      = var.my_host_url

  lifecycle {
    ignore_changes = [
      logo,
    ]
  }
}

Thanks!

@duytiennguyen-okta
Copy link
Contributor Author

duytiennguyen-okta commented Oct 24, 2023

@thatguysimon I think you should double check your permission. I just successfully ran this script with my org:

resource "okta_app_oauth" "test" {
  client_id                  = "efg456"
  label                      = "My service app"
  type                       = "service"
  grant_types                = ["client_credentials"]
  response_types             = ["token"]
  token_endpoint_auth_method = "private_key_jwt"
  login_scopes               = []
  post_logout_redirect_uris  = []
  redirect_uris              = []

  jwks {
    kty = var.my_public_jwk.kty
    e   = var.my_public_jwk.e
    kid = var.my_public_jwk.kid
    n   = var.my_public_jwk.n
  }

  lifecycle {
    ignore_changes = [
      logo,
    ]
  }
}

@thatguysimon
Copy link
Contributor

@duytiennguyen-okta was there a new Okta API scope that has been added along with this feature? Because this was working before the upgrade, no permission issues before. (We're using a private key to authenticate the provider against the Okta tenant, btw.)
Maybe this has to do with creating the app in an earlier version of the provider (without this default), and then upgrading the provider and running plan+apply with this new change?

@duytiennguyen-okta
Copy link
Contributor Author

duytiennguyen-okta commented Oct 24, 2023

@thatguysimon I don't know which version you were upgrading from, but the default wouldn't do anything unless you have the refresh_token grant type. Since I cannot reproduce this issue, can you provide the log? Just use
TF_LOG=debug terraform apply

@thatguysimon
Copy link
Contributor

@duytiennguyen-okta it suddenly started working, without making any changes... one of those voodoo cases, I guess 🤷🏻‍♂️
Anyway, sorry and thanks for your time 🙏🏻
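As an added example (not code from this PR, the reporter, or the provider's own documentation), the two situations discussed in this thread side by side: a client_credentials service app, which never receives a refresh token, so the new refresh_token_rotation / refresh_token_leeway defaults have nothing to act on and can be excluded from the diff with ignore_changes as @thatguysimon suggested; and a web app that does use the refresh_token grant type, where the defaults now apply and the rotation policy is set explicitly instead of relying on the STATIC default. The variable names, labels and redirect URI are placeholders.

```hcl
# Added example, not the PR's or the provider's own code.
# Variable names, labels and the redirect URI are placeholders.

# Case 1: machine-to-machine service app. The client_credentials grant never
# returns a refresh token, so refresh_token_rotation / refresh_token_leeway
# have no effect here. If the provider's new defaults produce an unwanted diff
# (or the update error reported above) on such apps, keeping them out of the
# diff is the workaround suggested in the thread.
resource "okta_app_oauth" "service_app" {
  label                      = "My service app"
  type                       = "service"
  grant_types                = ["client_credentials"]
  response_types             = ["token"]
  token_endpoint_auth_method = "private_key_jwt"

  jwks {
    kty = var.my_public_jwk.kty
    e   = var.my_public_jwk.e
    kid = var.my_public_jwk.kid
    n   = var.my_public_jwk.n
  }

  lifecycle {
    ignore_changes = [
      refresh_token_rotation,
      refresh_token_leeway,
    ]
  }
}

# Case 2: web app that does issue refresh tokens. The defaults apply here, so
# state the policy explicitly. ROTATE hands out a new refresh token on every
# use and invalidates the previous one, which shortens the window in which a
# leaked refresh token remains usable; a small leeway (seconds) tolerates a
# client that retries a refresh request before it received the new token.
resource "okta_app_oauth" "web_app" {
  label          = "My web app"
  type           = "web"
  grant_types    = ["authorization_code", "refresh_token"]
  response_types = ["code"]
  redirect_uris  = ["https://app.example.com/callback"]

  refresh_token_rotation = "ROTATE"
  refresh_token_leeway   = 30
}
```

Running terraform plan after upgrading the provider shows whether the new defaults change anything for each resource: the first resource should show no refresh-token diff at all, while the second shows the explicit ROTATE / 30 values the configuration now pins.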
