Deterministic OIDC Callback URL

Hello!
The callback_url for an OIDC auth method is currently using the auth method ID in the path. Since we don’t know the auth method ID ahead of time, it creates a workflow where I have to:

  1. Create the application on the provider
  2. Create the auth method with the provider client id and secret
  3. Update the application on the provider with the callback url

I’m trying to do this with Terraform, but it doesn’t seem possible due to the workflow. The auth method is dependent on attributes of the application and the application is dependent on the auth method attributes.

Would it be possible to add a second callback url using the name of the auth method in the path? That way the callback url could be known before the auth method is enabled.

Thank you for the question and suggestion. Unfortunately, using the name likely creates other aliasing security issues, since it can be reused across auth-methods in different scopes and could also be pointed from one auth-method to another within the same scope.

With that said, this “chicken and egg” dilemma with OIDC is a known problem. We’re still pondering solutions on our end that could make the workflow better for TF.

Thanks for the quick reply Jim! Maybe the URL could be constructed from the scope id (known before creating OIDC auth method) and the authentication method name? Or the auth method id could be set during creation by the requestor?

Definitely a chicken and egg dilemma and maybe this is one thing that doesn’t need to be 100% automated through TF.

This should land in the imminent 0.2.1 release.

Would this change be worth a bullet point in the CHANGELOG of 0.2.1?