* added configuration for application.provided_scope_policy (#278)

Fixes #277 * * added configuration for `application.provided_scope_policy` * Update resource_fusionauth_application.go changed OAuth configuration scope policy to enabled by default * Update application.md Updated description --------- Co-authored-by: Mark Manes <[email protected]>
FusionAuth · Jun 14, 2024 · 5f6366c · 5f6366c
1 parent bd40ab5
commit 5f6366c
Show file tree

Hide file tree

Showing 3 changed files with 90 additions and 0 deletions.
diff --git a/docs/resources/application.md b/docs/resources/application.md
@@ -49,6 +49,24 @@ resource "fusionauth_application" "Forum" {
     logout_behavior               = "AllApplications"
     logout_url                    = "http://www.example.com/logout"
     require_client_authentication = false
+    provided_scope_policy {
+      address {
+        enabled = false
+        required = false
+      }
+      email {
+        enabled = false
+        required = false
+      }
+      phone {
+        enabled = false
+        required = false
+      }
+      profile {
+        enabled = false
+        required = false
+      }
+    }
   }
   registration_configuration {
     birth_date {
@@ -147,6 +165,19 @@ resource "fusionauth_application" "Forum" {
     - `proof_key_for_code_exchange_policy` - (Optional) Determines the PKCE requirements when using the authorization code grant.
     - `require_client_authentication` - (Optional) Determines if the OAuth 2.0 Token endpoint requires client authentication. If this is enabled, the client must provide client credentials when using the Token endpoint. The client_id and client_secret may be provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data.
     - `require_registration` - (Optional) When enabled the user will be required to be registered, or complete registration before redirecting to the configured callback in the authorization code grant or the implicit grant. This configuration does not currently apply to any other grant.
+    - `provided_scope_policy` - (Optional) Configures which of the default scopes are enabled and required.
+        * `address`
+          * `enabled` - (Optional)
+          * `required` - (Optional)
+        * `email`
+          * `enabled` - (Optional)
+          * `required` - (Optional)
+        * `phone`
+            * `enabled` - (Optional)
+            * `required` - (Optional)
+        * `profile`
+            * `enabled` - (Optional)
+            * `required` - (Optional)
 * `registration_configuration` - (Optional)
     - `birth_date` - (Optional)
         * `enabled` - (Optional)

diff --git a/fusionauth/resource_fusionauth_application.go b/fusionauth/resource_fusionauth_application.go
@@ -686,6 +686,11 @@ func newOAuthConfiguration() *schema.Resource {
 				Default:     false,
 				Description: "When enabled the user will be required to be registered, or complete registration before redirecting to the configured callback in the authorization code grant or the implicit grant. This configuration does not currently apply to any other grant.",
 			},
+			"provided_scope_policy": {
+				Type:     schema.TypeList,
+				Optional: true,
+				Elem:     newOAuthConfigurationScopePolicy(),
+			},
 		},
 	}
 }
@@ -854,3 +859,51 @@ func newRegistrationConfiguration() *schema.Resource {
 		},
 	}
 }
+
+func newOAuthConfigurationScopePolicy() *schema.Resource {
+	requireable := func() *schema.Resource {
+		return &schema.Resource{
+			Schema: map[string]*schema.Schema{
+				"enabled": {
+					Type:     schema.TypeBool,
+					Optional: true,
+					Default:  true,
+				},
+				"required": {
+					Type:     schema.TypeBool,
+					Optional: true,
+					Default:  false,
+				},
+			},
+		}
+	}
+
+	return &schema.Resource{
+		Schema: map[string]*schema.Schema{
+			"address": {
+				Type:     schema.TypeList,
+				Optional: true,
+				MaxItems: 1,
+				Elem:     requireable(),
+			},
+			"email": {
+				Type:     schema.TypeList,
+				Optional: true,
+				MaxItems: 1,
+				Elem:     requireable(),
+			},
+			"phone": {
+				Type:     schema.TypeList,
+				Optional: true,
+				MaxItems: 1,
+				Elem:     requireable(),
+			},
+			"profile": {
+				Type:     schema.TypeList,
+				Optional: true,
+				MaxItems: 1,
+				Elem:     requireable(),
+			},
+		},
+	}
+}
diff --git a/fusionauth/resource_fusionauth_application_helpers.go b/fusionauth/resource_fusionauth_application_helpers.go
@@ -76,6 +76,12 @@ func buildApplication(data *schema.ResourceData) fusionauth.Application {
 			LogoutBehavior:                fusionauth.LogoutBehavior(data.Get("oauth_configuration.0.logout_behavior").(string)),
 			EnabledGrants:                 buildGrants("oauth_configuration.0.enabled_grants", data),
 			RequireRegistration:           data.Get("oauth_configuration.0.require_registration").(bool),
+			ProvidedScopePolicy: fusionauth.ProvidedScopePolicy{
+				Address: buildRequireable("oauth_configuration.0.provided_scope_policy.0.address", data),
+				Email:   buildRequireable("oauth_configuration.0.provided_scope_policy.0.email", data),
+				Phone:   buildRequireable("oauth_configuration.0.provided_scope_policy.0.phone", data),
+				Profile: buildRequireable("oauth_configuration.0.provided_scope_policy.0.profile", data),
+			},
 		},
 		PasswordlessConfiguration: fusionauth.PasswordlessConfiguration{
 			Enableable: buildEnableable("passwordless_configuration_enabled", data),