
feat(idp_open_id_connect): adds support for oauth2_unique_id_claim
…and `oauth2_username_claim`. (#137)
matthewhartstonge authored Oct 5, 2022
1 parent 5ceb1ff commit 049865f
Showing 2 changed files with 47 additions and 19 deletions.
39 changes: 24 additions & 15 deletions docs/resources/idp_open_id_connect.md
Expand Up @@ -15,20 +15,26 @@ If the external OpenID Connect identity provider returns a refresh token, it wil
```hcl
resource "fusionauth_idp_open_id_connect" "OpenID" {
application_configuration {
application_id = fusionauth_application.myapp.id
application_id = fusionauth_application.myapp.id
create_registration = true
enabled = true
enabled = true
}
button_text = "Login with OpenID Connect"
debug = false
name = "Super Awesome OpenID Connect Provider"
oauth2_authorization_endpoint = "https://acme.com/oauth2/authorization"
oauth2_client_id = "191c23dc-b772-4558-bd21-dc1cbf74ae21"
oauth2_client_secret ="SUsnoP0pWUYfXvWbSe5pvj8Di5nAxOvO"
oauth2_authorization_endpoint = "https://acme.com/oauth2/authorization"
oauth2_client_id = "191c23dc-b772-4558-bd21-dc1cbf74ae21"
oauth2_client_secret ="SUsnoP0pWUYfXvWbSe5pvj8Di5nAxOvO"
oauth2_client_authentication_method = "client_secret_basic"
oauth2_scope = "openid offline_access"
oauth2_token_endpoint = "https://acme.com/oauth2/token"
oauth2_user_info_endpoint = "https://acme.com/oauth2/userinfo"
oauth2_scope = "openid offline_access"
oauth2_token_endpoint = "https://acme.com/oauth2/token"
oauth2_user_info_endpoint = "https://acme.com/oauth2/userinfo"
button_text = "Login with OpenID Connect"
debug = false
enabled = true
name = "Super Awesome OpenID Connect Provider"
tenant_configuration {
tenant_id = fusionauth_tenant.example.id
limit_user_link_count_enabled = false
limit_user_link_count_maximum_links = 42
}
}
```

Expand All @@ -43,24 +49,27 @@ resource "fusionauth_idp_open_id_connect" "OpenID" {
- `oauth2_client_secret` - (Optional) This is an optional Application specific override for the top level client secret.
- `create_registration` - (Optional) Determines if a UserRegistration is created for the User automatically or not. If a user doesn’t exist in FusionAuth and logs in through an identity provider, this boolean controls whether or not FusionAuth creates a registration for the User in the Application they are logging into.
- `enabled` - (Optional) Determines if this identity provider is enabled for the Application specified by the applicationId key.
- `oauth2_scope` - (Optional) This is an optional Application specific override for for the top level scope.
- `oauth2_scope` - (Optional) This is an optional Application specific override for the top level scope.
* `button_image_url` - (Optional) The top-level button image (URL) to use on the FusionAuth login page for this Identity Provider.
* `button_text` - (Required) The top-level button text to use on the FusionAuth login page for this Identity Provider.
* `debug` - (Optional) Determines if debug is enabled for this provider. When enabled, each time this provider is invoked to reconcile a login an Event Log will be created.
* `domains` - (Optional) This is an optional list of domains that this OpenID Connect provider should be used for. This converts the FusionAuth login form to a domain-based login form. This type of form first asks the user for their email. FusionAuth then uses their email to determine if an OpenID Connect identity provider should be used. If an OpenID Connect provider should be used, the browser is redirected to the authorization endpoint of that identity provider. Otherwise, the password field is revealed on the form so that the user can login using FusionAuth.
* `enabled` - (Optional) Determines if this provider is enabled. If it is false then it will be disabled globally.
* `lambda_reconcile_id` - (Optional) The unique Id of the lambda to used during the user reconcile process to map custom claims from the external identity provider to the FusionAuth user.
* `linking_strategy` - (Optional) The linking strategy to use when creating the link between the {idp_display_name} Identity Provider and the user.
* `name` - (Required) The name of this OpenID Connect identity provider. This is only used for display purposes.
* `oauth2_authorization_endpoint` - (Optional) The top-level authorization endpoint for the OpenID Connect identity provider. You can leave this blank if you provide the issuer field, which will be used to make a request to the OpenID Connect .well-known endpoint in order to dynamically resolve the authorization endpoint. If you provide an issuer then this field will be ignored.
* `oauth2_client_id` - (Required) The top-level client id for your Application.
* `oauth2_client_secret` - (Optional) The top-level client secret to use with the OpenID Connect identity provider.
* `oauth2_client_authentication_method` - The client authentication method to use with the OpenID Connect identity provider.
* `oauth2_email_claim` - An optional configuration to modify the expected name of the claim returned by the IdP that contains the email address.
* `oauth2_client_authentication_method` - (Optional) The client authentication method to use with the OpenID Connect identity provider.
* `oauth2_email_claim` - (Optional) An optional configuration to modify the expected name of the claim returned by the IdP that contains the email address.
* `oauth2_unique_id_claim` - (Optional) An optional configuration to modify the expected name of the claim returned by the IdP that contains the user Id.
* `oauth2_username_claim` - (Optional) An optional configuration to modify the expected name of the claim returned by the IdP that contains the username.
* `oauth2_issuer` - (Optional) The top-level issuer URI for the OpenID Connect identity provider. If this is provided, the authorization endpoint, token endpoint and userinfo endpoint will all be resolved using the issuer URI plus /.well-known/openid-configuration.
* `oauth2_scope` - (Optional) The top-level scope that you are requesting from the OpenID Connect identity provider.
* `oauth2_token_endpoint` - (Optional) The top-level token endpoint for the OpenID Connect identity provider. You can leave this blank if you provide the issuer field, which will be used to make a request to the OpenID Connect .well-known endpoint in order to dynamically resolve the token endpoint. If you provide an issuer then this field will be ignored.
* `oauth2_user_info_endpoint` - (Optional) The top-level userinfo endpoint for the OpenID Connect identity provider. You can leave this blank if you provide the issuer field, which will be used to make a request to the OpenID Connect .well-known endpoint in order to dynamically resolve the userinfo endpoint. If you provide an issuer then this field will be ignored.
* `linking_strategy` - (Optional) The linking strategy to use when creating the link between the {idp_display_name} Identity Provider and the user.
* `post_request` - (Optional) Set this value equal to true if you wish to use POST bindings with this OpenID Connect identity provider. The default value of false means that a redirect binding which uses a GET request will be used.
* `tenant_configuration` - (Optional) The configuration for each Tenant that limits the number of links a user may have for a particular identity provider.
- `tenant_id` - (Optional) The unique Id of the tenant that this configuration applies to.
- `limit_user_link_count_enabled` - (Optional) When enabled, the number of identity provider links a user may create is enforced by maximumLinks.
27 changes: 23 additions & 4 deletions fusionauth/resource_fusionauth_idp_open_id_connect.go
Expand Up @@ -181,6 +181,18 @@ func newIDPOpenIDConnect() *schema.Resource {
Default: "email",
Description: "An optional configuration to modify the expected name of the claim returned by the IdP that contains the email address.",
},
"oauth2_unique_id_claim": {
Type: schema.TypeString,
Optional: true,
Default: "id",
Description: "An optional configuration to modify the expected name of the claim returned by the IdP that contains the user Id.",
},
"oauth2_username_claim": {
Type: schema.TypeString,
Optional: true,
Default: "preferred_username",
Description: "An optional configuration to modify the expected name of the claim returned by the IdP that contains the username.",
},
"oauth2_issuer": {
Type: schema.TypeString,
Optional: true,
Expand Down Expand Up @@ -268,7 +280,9 @@ func buildOpenIDConnect(data *schema.ResourceData) OpenIDConnectIdentityProvider
Issuer: data.Get("oauth2_issuer").(string),
Scope: data.Get("oauth2_scope").(string),
TokenEndpoint: data.Get("oauth2_token_endpoint").(string),
UniqueIdClaim: data.Get("oauth2_unique_id_claim").(string),
UserinfoEndpoint: data.Get("oauth2_user_info_endpoint").(string),
UsernameClaim: data.Get("oauth2_username_claim").(string),
},
}

Expand Down Expand Up @@ -360,6 +374,9 @@ func buildResourceFromOpenIDConnect(o fusionauth.OpenIdConnectIdentityProvider,
if err := data.Set("lambda_reconcile_id", o.LambdaConfiguration.ReconcileId); err != nil {
return diag.Errorf("idpOpenIDConnect.lambda_reconcile_id: %s", err.Error())
}
if err := data.Set("linking_strategy", o.LinkingStrategy); err != nil {
return diag.Errorf("idpExternalJwt.linking_strategy: %s", err.Error())
}
if err := data.Set("name", o.Name); err != nil {
return diag.Errorf("idpOpenIDConnect.name: %s", err.Error())
}
Expand All @@ -378,6 +395,12 @@ func buildResourceFromOpenIDConnect(o fusionauth.OpenIdConnectIdentityProvider,
if err := data.Set("oauth2_email_claim", o.Oauth2.EmailClaim); err != nil {
return diag.Errorf("idpOpenIDConnect.oauth2_email_claim: %s", err.Error())
}
if err := data.Set("oauth2_unique_id_claim", o.Oauth2.UniqueIdClaim); err != nil {
return diag.Errorf("idpOpenIDConnect.oauth2_unique_id_claim: %s", err.Error())
}
if err := data.Set("oauth2_username_claim", o.Oauth2.UsernameClaim); err != nil {
return diag.Errorf("idpOpenIDConnect.oauth2_username_claim: %s", err.Error())
}
if err := data.Set("oauth2_issuer", o.Oauth2.Issuer); err != nil {
return diag.Errorf("idpOpenIDConnect.oauth2_issuer: %s", err.Error())
}
Expand All @@ -390,10 +413,6 @@ func buildResourceFromOpenIDConnect(o fusionauth.OpenIdConnectIdentityProvider,
if err := data.Set("oauth2_user_info_endpoint", o.Oauth2.UserinfoEndpoint); err != nil {
return diag.Errorf("idpOpenIDConnect.oauth2_user_info_endpoint: %s", err.Error())
}
if err := data.Set("linking_strategy", o.LinkingStrategy); err != nil {
return diag.Errorf("idpExternalJwt.linking_strategy: %s", err.Error())
}

if err := data.Set("post_request", o.PostRequest); err != nil {
return diag.Errorf("idpOpenIDConnect.post_request: %s", err.Error())
}
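Review bot: The relocated `linking_strategy` setter (lines 123-125 of this page) keeps the error prefix `idpExternalJwt.linking_strategy`, while every neighbouring diagnostic in this function is prefixed `idpOpenIDConnect.`, so a failure on that field would be attributed to the wrong resource in Terraform's output. Since the commit re-adds these lines on the new side, this is the place to correct the copy-paste: `return diag.Errorf("idpOpenIDConnect.linking_strategy: %s", err.Error())`. Separately, the new `oauth2_unique_id_claim` schema entry defaults to `"id"`; because this claim is the identifier the provider uses to tell external users apart, its Description would be more useful with a sentence noting that spec-compliant OpenID Connect providers return the subject identifier in the `sub` claim and that the default should be reviewed against the provider in use — how the value is applied lives in FusionAuth rather than in this file, so phrase it as guidance rather than behaviour. buildResourceFromOpenIDConnect starts and ends outside the hunks shown.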
