Add pkce and attribute_map settings to OIDC and Okta connections

auth0 · Sep 7, 2023 · 8a4fcf4 · 8a4fcf4
1 parent d292300
commit 8a4fcf4
Show file tree

Hide file tree

Showing 12 changed files with 1,714 additions and 1,057 deletions.
diff --git a/docs/data-sources/connection.md b/docs/data-sources/connection.md
@@ -51,13 +51,15 @@ Read-Only:
 - `allowed_audiences` (Set of String)
 - `api_enable_users` (Boolean)
 - `app_id` (String)
+- `attribute_map` (List of Object) (see [below for nested schema](#nestedobjatt--options--attribute_map))
 - `auth_params` (Map of String)
 - `authorization_endpoint` (String)
 - `brute_force_protection` (Boolean)
 - `client_id` (String)
 - `client_secret` (String)
 - `community_base_url` (String)
 - `configuration` (Map of String)
+- `connection_settings` (List of Object) (see [below for nested schema](#nestedobjatt--options--connection_settings))
 - `custom_scripts` (Map of String)
 - `debug` (Boolean)
 - `decryption_key` (List of Object) (see [below for nested schema](#nestedobjatt--options--decryption_key))
@@ -135,6 +137,24 @@ Read-Only:
 - `waad_common_endpoint` (Boolean)
 - `waad_protocol` (String)
 
+<a id="nestedobjatt--options--attribute_map"></a>
+### Nested Schema for `options.attribute_map`
+
+Read-Only:
+
+- `attributes` (String)
+- `mapping_mode` (String)
+- `userinfo_scope` (String)
+
+
+<a id="nestedobjatt--options--connection_settings"></a>
+### Nested Schema for `options.connection_settings`
+
+Read-Only:
+
+- `pkce` (String)
+
+
 <a id="nestedobjatt--options--decryption_key"></a>
 ### Nested Schema for `options.decryption_key`
 

diff --git a/docs/resources/connection.md b/docs/resources/connection.md
@@ -544,14 +544,12 @@ resource "auth0_connection" "oidc" {
   show_as_button = false
 
   options {
-    client_id     = "1234567"
-    client_secret = "1234567"
-    domain_aliases = [
-      "example.com"
-    ]
+    client_id                = "1234567"
+    client_secret            = "1234567"
+    domain_aliases           = ["example.com"]
     tenant_domain            = ""
     icon_url                 = "https://example.com/assets/logo.png"
-    type                     = "front_channel"
+    type                     = "back_channel"
     issuer                   = "https://www.paypalobjects.com"
     jwks_uri                 = "https://api.paypal.com/v1/oauth2/certs"
     discovery_url            = "https://www.paypalobjects.com/.well-known/openid-configuration"
@@ -561,6 +559,20 @@ resource "auth0_connection" "oidc" {
     scopes                   = ["openid", "email"]
     set_user_root_attributes = "on_first_login"
     non_persistent_attrs     = ["ethnicity", "gender"]
+
+    attribute_map {
+      mapping_mode   = "basic_profile"
+      userinfo_scope = "openid email profile groups"
+      attributes = jsonencode({
+        "name" : "$${context.tokenset.name}",
+        "email" : "$${context.tokenset.email}",
+        "email_verified" : "$${context.tokenset.email_verified}",
+        "nickname" : "$${context.tokenset.nickname}",
+        "picture" : "$${context.tokenset.picture}",
+        "given_name" : "$${context.tokenset.given_name}",
+        "family_name" : "$${context.tokenset.family_name}"
+      })
+    }
   }
 }
 ```
@@ -594,6 +606,20 @@ resource "auth0_connection" "okta" {
         "alias" : "login_hint"
       }
     })
+
+    attribute_map {
+      mapping_mode   = "basic_profile"
+      userinfo_scope = "openid email profile groups"
+      attributes = jsonencode({
+        "name" : "$${context.tokenset.name}",
+        "email" : "$${context.tokenset.email}",
+        "email_verified" : "$${context.tokenset.email_verified}",
+        "nickname" : "$${context.tokenset.nickname}",
+        "picture" : "$${context.tokenset.picture}",
+        "given_name" : "$${context.tokenset.given_name}",
+        "family_name" : "$${context.tokenset.family_name}"
+      })
+    }
   }
 }
 ```
@@ -628,13 +654,15 @@ Optional:
 - `allowed_audiences` (Set of String) List of allowed audiences.
 - `api_enable_users` (Boolean) Enable API Access to users.
 - `app_id` (String) App ID.
+- `attribute_map` (Block List, Max: 1) OpenID Connect and Okta Workforce connections can automatically map claims received from the identity provider (IdP). You can configure this mapping through a library template provided by Auth0 or by entering your own template directly. Click [here](https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/configure-pkce-claim-mapping-for-oidc#map-claims-for-oidc-connections) for more info. (see [below for nested schema](#nestedblock--options--attribute_map))
 - `auth_params` (Map of String) Query string parameters to be included as part of the generated passwordless email link.
 - `authorization_endpoint` (String) Authorization endpoint.
 - `brute_force_protection` (Boolean) Indicates whether to enable brute force protection, which will limit the number of signups and failed logins from a suspicious IP address.
 - `client_id` (String) The strategy's client ID.
 - `client_secret` (String, Sensitive) The strategy's client secret.
 - `community_base_url` (String) Salesforce community base URL.
 - `configuration` (Map of String, Sensitive) A case-sensitive map of key value pairs used as configuration variables for the `custom_script`.
+- `connection_settings` (Block List, Max: 1) Proof Key for Code Exchange (PKCE) configuration settings for an OIDC or Okta Workforce connection. (see [below for nested schema](#nestedblock--options--connection_settings))
 - `custom_scripts` (Map of String) A map of scripts used to integrate with a custom database.
 - `debug` (Boolean) When enabled, additional debug information will be generated.
 - `decryption_key` (Block List, Max: 1) The key used to decrypt encrypted responses from the connection. Uses the `key` and `cert` properties to provide the private key and certificate respectively. (see [below for nested schema](#nestedblock--options--decryption_key))
@@ -712,6 +740,27 @@ Optional:
 - `waad_common_endpoint` (Boolean) Indicates whether to use the common endpoint rather than the default endpoint. Typically enabled if you're using this for a multi-tenant application in Azure AD.
 - `waad_protocol` (String) Protocol to use.
 
+<a id="nestedblock--options--attribute_map"></a>
+### Nested Schema for `options.attribute_map`
+
+Required:
+
+- `mapping_mode` (String) Method used to map incoming claims. Possible values: `use_map`, `bind_all` or `basic_profile`.
+
+Optional:
+
+- `attributes` (String) This property is an object containing mapping information that allows Auth0 to interpret incoming claims from the IdP. Mapping information must be provided as key/value pairs.
+- `userinfo_scope` (String) This property defines the scopes that Auth0 sends to the IdP’s UserInfo endpoint when requested.
+
+
+<a id="nestedblock--options--connection_settings"></a>
+### Nested Schema for `options.connection_settings`
+
+Required:
+
+- `pkce` (String) PKCE configuration. Possible values: `auth0` (uses the strongest algorithm available), `s256` (uses the SHA-256 algorithm), `plain` (uses plaintext as described in the PKCE specification) or `disabled` (disables support for PKCE).
+
+
 <a id="nestedblock--options--decryption_key"></a>
 ### Nested Schema for `options.decryption_key`
 

diff --git a/examples/resources/auth0_connection/resource_with_oidc.tf b/examples/resources/auth0_connection/resource_with_oidc.tf
@@ -7,14 +7,12 @@ resource "auth0_connection" "oidc" {
   show_as_button = false
 
   options {
-    client_id     = "1234567"
-    client_secret = "1234567"
-    domain_aliases = [
-      "example.com"
-    ]
+    client_id                = "1234567"
+    client_secret            = "1234567"
+    domain_aliases           = ["example.com"]
     tenant_domain            = ""
     icon_url                 = "https://example.com/assets/logo.png"
-    type                     = "front_channel"
+    type                     = "back_channel"
     issuer                   = "https://www.paypalobjects.com"
     jwks_uri                 = "https://api.paypal.com/v1/oauth2/certs"
     discovery_url            = "https://www.paypalobjects.com/.well-known/openid-configuration"
@@ -24,5 +22,19 @@ resource "auth0_connection" "oidc" {
     scopes                   = ["openid", "email"]
     set_user_root_attributes = "on_first_login"
     non_persistent_attrs     = ["ethnicity", "gender"]
+
+    attribute_map {
+      mapping_mode   = "basic_profile"
+      userinfo_scope = "openid email profile groups"
+      attributes = jsonencode({
+        "name" : "$${context.tokenset.name}",
+        "email" : "$${context.tokenset.email}",
+        "email_verified" : "$${context.tokenset.email_verified}",
+        "nickname" : "$${context.tokenset.nickname}",
+        "picture" : "$${context.tokenset.picture}",
+        "given_name" : "$${context.tokenset.given_name}",
+        "family_name" : "$${context.tokenset.family_name}"
+      })
+    }
   }
 }
diff --git a/examples/resources/auth0_connection/resource_with_okta.tf b/examples/resources/auth0_connection/resource_with_okta.tf
@@ -24,5 +24,19 @@ resource "auth0_connection" "okta" {
         "alias" : "login_hint"
       }
     })
+
+    attribute_map {
+      mapping_mode   = "basic_profile"
+      userinfo_scope = "openid email profile groups"
+      attributes = jsonencode({
+        "name" : "$${context.tokenset.name}",
+        "email" : "$${context.tokenset.email}",
+        "email_verified" : "$${context.tokenset.email_verified}",
+        "nickname" : "$${context.tokenset.nickname}",
+        "picture" : "$${context.tokenset.picture}",
+        "given_name" : "$${context.tokenset.given_name}",
+        "family_name" : "$${context.tokenset.family_name}"
+      })
+    }
   }
 }
diff --git a/go.mod b/go.mod
@@ -4,7 +4,7 @@ go 1.21
 
 require (
 	github.com/PuerkitoBio/rehttp v1.2.0
-	github.com/auth0/go-auth0 v1.0.2
+	github.com/auth0/go-auth0 v0.0.0-20230907130438-391c025977f6
 	github.com/google/go-cmp v0.5.9
 	github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320
 	github.com/hashicorp/go-multierror v1.1.1
@@ -66,13 +66,13 @@ require (
 	github.com/vmihailenco/msgpack/v5 v5.3.5 // indirect
 	github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
 	github.com/zclconf/go-cty v1.13.2 // indirect
-	golang.org/x/crypto v0.12.0 // indirect
+	golang.org/x/crypto v0.13.0 // indirect
 	golang.org/x/exp v0.0.0-20230626212559-97b1e661b5df // indirect
 	golang.org/x/mod v0.11.0 // indirect
-	golang.org/x/net v0.14.0 // indirect
-	golang.org/x/oauth2 v0.11.0 // indirect
-	golang.org/x/sys v0.11.0 // indirect
-	golang.org/x/text v0.12.0 // indirect
+	golang.org/x/net v0.15.0 // indirect
+	golang.org/x/oauth2 v0.12.0 // indirect
+	golang.org/x/sys v0.12.0 // indirect
+	golang.org/x/text v0.13.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
 	google.golang.org/grpc v1.56.1 // indirect

diff --git a/go.sum b/go.sum
@@ -21,8 +21,8 @@ github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkE
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/armon/go-radix v1.0.0 h1:F4z6KzEeeQIMeLFa97iZU6vupzoecKdU5TX24SNppXI=
 github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
-github.com/auth0/go-auth0 v1.0.2 h1:kmno85ry9oYIj+Fob0m2E0oSinnPgn3piY+VXM5GIco=
-github.com/auth0/go-auth0 v1.0.2/go.mod h1:C1pQxs66t2TtHsV5B+UxyDveWCWbAlgxQIG4syIPEMg=
+github.com/auth0/go-auth0 v0.0.0-20230907130438-391c025977f6 h1:yaV7PsY1clGaVxZoZfDLnvJIjgLIvHaA5NtHfspxYD4=
+github.com/auth0/go-auth0 v0.0.0-20230907130438-391c025977f6/go.mod h1:Pam0JFLfS/MTsbH5equHO2+f1e6mk+xBxkLuCq5CpC4=
 github.com/aybabtme/iocontrol v0.0.0-20150809002002-ad15bcfc95a0 h1:0NmehRCgyk5rljDQLKUO+cRJCnduDyn11+zGZIc9Z48=
 github.com/aybabtme/iocontrol v0.0.0-20150809002002-ad15bcfc95a0/go.mod h1:6L7zgvqo0idzI7IO8de6ZC051AfXb5ipkIJ7bIA2tGA=
 github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
@@ -207,8 +207,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20200414173820-0848c9571904/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.12.0 h1:tFM/ta59kqch6LlvYnPa0yx5a83cL2nHflFhYKvv9Yk=
-golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
+golang.org/x/crypto v0.13.0 h1:mvySKfSWJ+UKUii46M40LOvyWfN0s2U+46/jDd0e6Ck=
+golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/exp v0.0.0-20230626212559-97b1e661b5df h1:UA2aFVmmsIlefxMk29Dp2juaUSth8Pyn3Tq5Y5mJGME=
 golang.org/x/exp v0.0.0-20230626212559-97b1e661b5df/go.mod h1:FXUEEKJgO7OQYeo8N01OfiKP8RXMtf6e8aTskBGqWdc=
 golang.org/x/mod v0.11.0 h1:bUO06HqtnRcc/7l71XBe4WcqTZ+3AH1J59zWDDwLKgU=
@@ -217,10 +217,10 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210510120150-4163338589ed/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.14.0 h1:BONx9s002vGdD9umnlX1Po8vOZmrgH34qlHcD1MfK14=
-golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI=
-golang.org/x/oauth2 v0.11.0 h1:vPL4xzxBM4niKCW6g9whtaWVXTJf1U5e4aZxxFx/gbU=
-golang.org/x/oauth2 v0.11.0/go.mod h1:LdF7O/8bLR/qWK9DrpXmbHLTouvRHK0SgJl0GmDBchk=
+golang.org/x/net v0.15.0 h1:ugBLEUaxABaB5AJqW9enI0ACdci2RUd4eP51NTBvuJ8=
+golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
+golang.org/x/oauth2 v0.12.0 h1:smVPGxink+n1ZI5pkQa8y6fZT0RW0MgCO5bFpepy4B4=
+golang.org/x/oauth2 v0.12.0/go.mod h1:A74bZ3aGXgCY0qaIC9Ahg6Lglin4AMAco8cIv9baba4=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -234,15 +234,15 @@ golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM=
-golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.12.0 h1:CM0HF96J0hcLAwsHPJZjfdNzs0gftsLfgKt57wWHJ0o=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.12.0 h1:k+n5B8goJNdU7hSvEtMUz3d1Q6D/XW4COJSJR6fN0mc=
-golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=

diff --git a/internal/auth0/connection/expand.go b/internal/auth0/connection/expand.go
@@ -612,9 +612,31 @@ func expandConnectionOptionsOIDC(data *schema.ResourceData, config cty.Value) (i
 		NonPersistentAttrs:    value.Strings(config.GetAttr("non_persistent_attrs")),
 	}
 
-	expandConnectionOptionsScopes(data, options)
+	config.GetAttr("connection_settings").ForEachElement(func(_ cty.Value, config cty.Value) (stop bool) {
+		options.ConnectionSettings = &management.ConnectionOptionsOIDCConnectionSettings{
+			PKCE: value.String(config.GetAttr("pkce")),
+		}
+
+		return true
+	})
 
 	var err error
+	config.GetAttr("attribute_map").ForEachElement(func(_ cty.Value, config cty.Value) (stop bool) {
+		options.AttributeMap = &management.ConnectionOptionsOIDCAttributeMap{
+			UserInfoScope: value.String(config.GetAttr("userinfo_scope")),
+			MappingMode:   value.String(config.GetAttr("mapping_mode")),
+		}
+
+		options.AttributeMap.Attributes, err = value.MapFromJSON(config.GetAttr("attributes"))
+
+		return true
+	})
+	if err != nil {
+		return nil, diag.FromErr(err)
+	}
+
+	expandConnectionOptionsScopes(data, options)
+
 	options.UpstreamParams, err = value.MapFromJSON(config.GetAttr("upstream_params"))
 
 	return options, diag.FromErr(err)
@@ -636,9 +658,31 @@ func expandConnectionOptionsOkta(data *schema.ResourceData, config cty.Value) (i
 		LogoURL:               value.String(config.GetAttr("icon_url")),
 	}
 
-	expandConnectionOptionsScopes(data, options)
+	config.GetAttr("connection_settings").ForEachElement(func(_ cty.Value, config cty.Value) (stop bool) {
+		options.ConnectionSettings = &management.ConnectionOptionsOIDCConnectionSettings{
+			PKCE: value.String(config.GetAttr("pkce")),
+		}
+
+		return true
+	})
 
 	var err error
+	config.GetAttr("attribute_map").ForEachElement(func(_ cty.Value, config cty.Value) (stop bool) {
+		options.AttributeMap = &management.ConnectionOptionsOIDCAttributeMap{
+			UserInfoScope: value.String(config.GetAttr("userinfo_scope")),
+			MappingMode:   value.String(config.GetAttr("mapping_mode")),
+		}
+
+		options.AttributeMap.Attributes, err = value.MapFromJSON(config.GetAttr("attributes"))
+
+		return true
+	})
+	if err != nil {
+		return nil, diag.FromErr(err)
+	}
+
+	expandConnectionOptionsScopes(data, options)
+
 	options.UpstreamParams, err = value.MapFromJSON(config.GetAttr("upstream_params"))
 
 	return options, diag.FromErr(err)

diff --git a/internal/auth0/connection/flatten.go b/internal/auth0/connection/flatten.go
@@ -439,6 +439,21 @@ func flattenConnectionOptionsOIDC(options *management.ConnectionOptionsOIDC) (in
 	}
 	m["upstream_params"] = upstreamParams
 
+	attributes, err := structure.FlattenJsonToString(options.GetAttributeMap().GetAttributes())
+	if err != nil {
+		return nil, diag.FromErr(err)
+	}
+
+	if options.AttributeMap != nil {
+		m["attribute_map"] = []map[string]interface{}{
+			{
+				"mapping_mode":   options.GetAttributeMap().GetMappingMode(),
+				"userinfo_scope": options.GetAttributeMap().GetUserInfoScope(),
+				"attributes":     attributes,
+			},
+		}
+	}
+
 	return m, nil
 }
 
@@ -465,6 +480,21 @@ func flattenConnectionOptionsOkta(options *management.ConnectionOptionsOkta) (in
 	}
 	m["upstream_params"] = upstreamParams
 
+	attributes, err := structure.FlattenJsonToString(options.GetAttributeMap().GetAttributes())
+	if err != nil {
+		return nil, diag.FromErr(err)
+	}
+
+	if options.AttributeMap != nil {
+		m["attribute_map"] = []map[string]interface{}{
+			{
+				"mapping_mode":   options.GetAttributeMap().GetMappingMode(),
+				"userinfo_scope": options.GetAttributeMap().GetUserInfoScope(),
+				"attributes":     attributes,
+			},
+		}
+	}
+
 	return m, nil
 }