Added support for OIDC Client 'useRefreshTokens'

[whiskeysierra]

Fixes #570

[whiskeysierra]

I just realized that I'm not trying the value. I took exclude_session_state_from_auth_response as blueprint and that's not read either. Wouldn't that cause issues with diff and drift detection?

[mrparkers]

Hey @whiskeysierra, thanks for the PR!

The reason the tests were failing initially is because the setOpenidClientData function was never modified to persist this new schema attribute to state. You did correctly change the getOpenidClientFromData function, which will allow Terraform to read your attribute and create / update openid clients with this setting in Keycloak, but when Terraform performs a read for the openid client, this attribute won't be correctly updated in state.

This is important for the import step, which wants read the entire openid client into state so a following terraform plan is clean. It's also important for when changes are manually made to the openid client in Keycloak - Terraform would want to show you that these changes were made, and prompt you to change them back to the value that's in your HCL when you run a terraform plan.

So to get this change working correctly, you'll want to remove the test changes that are adding ImportStateVerifyIgnore, and update the getOpenidClientFromData function to set the value for this attribute in state (via data.Set())

[whiskeysierra]

So to get this change working correctly, you'll want to remove the test changes that are adding ImportStateVerifyIgnore, and update the getOpenidClientFromData function to set the value for this attribute in state (via data.Set())

I guess you meant setOpenidClientData there?

I tried that but now I'm hitting:

panic: Invalid address to set: []string{"use_refresh_tokens"}

goroutine 34037 [running]:
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*ResourceData).Set(0xc000b8c080, 0x1e1ad0c, 0x12, 0x1ca7420, 0x2624520, 0x0, 0x0)
	/Users/willi.schoenborn/go/pkg/mod/github.com/hashicorp/terraform-plugin-sdk/v2@v2.7.0/helper/schema/resource_data.go:230 +0x371
github.com/mrparkers/terraform-provider-keycloak/provider.setOpenidClientData(0xc000112360, 0xc000b8c080, 0xc000a8cea0, 0xc0020fc39a, 0x6)
	/Users/willi.schoenborn/Projects/terraform-provider-keycloak/provider/resource_keycloak_openid_client.go:366 +0x71b
github.com/mrparkers/terraform-provider-keycloak/provider.dataSourceKeycloakOpenidClientRead(0xc000b8c080, 0x1e0a160, 0xc000112360, 0x26dca80, 0xc000100d80)
	/Users/willi.schoenborn/Projects/terraform-provider-keycloak/provider/data_source_keycloak_openid_client.go:185 +0x130
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).read(0xc00020c7e0, 0x20211e8, 0xc001da3340, 0xc000b8c080, 0x1e0a160, 0xc000112360, 0x0, 0x0, 0x0)
	/Users/willi.schoenborn/go/pkg/mod/github.com/hashicorp/terraform-plugin-sdk/v2@v2.7.0/helper/schema/resource.go:335 +0x1ee
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).ReadDataApply(0xc00020c7e0, 0x20211e8, 0xc001da3340, 0xc0020012a0, 0x1e0a160, 0xc000112360, 0xc000112360, 0xc0020012a0, 0x0, 0x0)
	/Users/willi.schoenborn/go/pkg/mod/github.com/hashicorp/terraform-plugin-sdk/v2@v2.7.0/helper/schema/resource.go:558 +0xfd
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*GRPCProviderServer).ReadDataSource(0xc000cbabd0, 0x20211e8, 0xc001da3340, 0xc002000e80, 0xc001da3340, 0x100d725, 0x1d79d60)
	/Users/willi.schoenborn/go/pkg/mod/github.com/hashicorp/terraform-plugin-sdk/v2@v2.7.0/helper/schema/grpc_provider.go:1105 +0x4d6
github.com/hashicorp/terraform-plugin-go/tfprotov5/server.(*server).ReadDataSource(0xc001e8a860, 0x2021290, 0xc001da3340, 0xc001ffd4a0, 0xc001e8a860, 0xc001639b60, 0xc000958ba0)
	/Users/willi.schoenborn/go/pkg/mod/github.com/hashicorp/terraform-plugin-go@v0.3.0/tfprotov5/server/server.go:247 +0xe5
github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/tfplugin5._Provider_ReadDataSource_Handler(0x1dbcd80, 0xc001e8a860, 0x2021290, 0xc001639b60, 0xc00200ede0, 0x0, 0x2021290, 0xc001639b60, 0xc0002422c0, 0x2b9)
	/Users/willi.schoenborn/go/pkg/mod/github.com/hashicorp/terraform-plugin-go@v0.3.0/tfprotov5/internal/tfplugin5/tfplugin5_grpc.pb.go:416 +0x214
google.golang.org/grpc.(*Server).processUnaryRPC(0xc000633340, 0x202aa58, 0xc001daf980, 0xc000cce600, 0xc001540f90, 0x269a570, 0x0, 0x0, 0x0)
	/Users/willi.schoenborn/go/pkg/mod/google.golang.org/grpc@v1.32.0/server.go:1194 +0x52b
google.golang.org/grpc.(*Server).handleStream(0xc000633340, 0x202aa58, 0xc001daf980, 0xc000cce600, 0x0)
	/Users/willi.schoenborn/go/pkg/mod/google.golang.org/grpc@v1.32.0/server.go:1517 +0xd0c
google.golang.org/grpc.(*Server).serveStreams.func1.2(0xc0009c8cb0, 0xc000633340, 0x202aa58, 0xc001daf980, 0xc000cce600)
	/Users/willi.schoenborn/go/pkg/mod/google.golang.org/grpc@v1.32.0/server.go:859 +0xab
created by google.golang.org/grpc.(*Server).serveStreams.func1
	/Users/willi.schoenborn/go/pkg/mod/google.golang.org/grpc@v1.32.0/server.go:857 +0x1fd
FAIL	github.com/mrparkers/terraform-provider-keycloak/provider	356.848s
FAIL

[whiskeysierra]

I added:

data.Set("use_refresh_tokens", client.Attributes.UseRefreshTokens)

[mrparkers]

I guess you meant setOpenidClientData there?

Yes, thanks 😅

That new error is due to the keycloak_openid_client data source, which also consumes setOpenidClientData. I missed that in the initial review - we also want to add this schema attribute to the data source. The error you're seeing now is due to the data source trying to set this attribute, and being unable to due to the schema not containing this new attribute.

[whiskeysierra]

Thanks for the tips - fixed it now. Can you take another look?

[mrparkers]

LGTM, thanks for the contribution!

[whiskeysierra]

Thank you! Any plans for a new release?

…

On Mon, 9 Aug 2021, 16:54 Michael Parker, ***@***.***> wrote: Merged #573 <#573> into master. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#573 (comment)>, or unsubscribe </~https://github.com/notifications/unsubscribe-auth/AADI7HJUYQXYGZ63M6U43BLT37TZFANCNFSM5BU25EYA> .

[mrparkers]

I pushed the v3.3.0 tag just now. The release job should be done in a half hour or so (still needs to run tests, then cut the release)

[phungy]

Hi,
I have question about the new attribute "use_refresh_tokens" introduced in recent release version 3.3.0
Today I ran a terraform plan with the latest version of mrparkers/keycloak (3.3.0) and got change notification about client
For example:
# keycloak_openid_client.my-client will be updated in-place ~ resource "keycloak_openid_client" "my-client" { id = "d9804e6c-c740-3b18-bb47-af4d01f1c47b" name = "my-client" ~ use_refresh_tokens = false -> true }

Before version 3.3.0 that attribute doesn't exist so we didn't set it. But in version 3.3.0 its default value is set at True now.

I don't know if there is any difference with "Use Refresh Tokens For Client Credentials Grant" attribute that is already there.

Now the default value is set at True. Does it mean we have to set that attribute at False to keep the existing behavior for our project?

Thanks for your guidance.
Phung Nguyen

[whiskeysierra]

@phungy Check my screenshot over at #570. It's a different attribute/flag. Seems like your keycloak version doesn't have it yet. I'd assume that adding client attributes is a safe operation and that keycloak ignores unknown ones. But I haven't checked.

For newer keycloak versions, which do have support for it, the default value from keycloak is true. (The switch is blue/enabled by default for new OIDC clients.)

[phungy]

Thanks @whiskeysierra for your feedback. I think I got the answer I am looking for :)