New Resource for Authorized client applications for Oauth 2 permission scope #451

Closed
drdamour opened this issue Jun 7, 2021 · 5 comments · Fixed by #472
Comments

drdamour commented Jun 7, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Kind of surprised I didn't see another request for this yet, so maybe I'm missing it in the docs or it's under another name in another request. This is assigning permission scopes to specific authorized clients, the main benefit being support for Azure.Identity's Visual Studio provider.

This is the area here (portal screenshot in the original post: "Authorized client applications" under "Expose an API").

New or Affected Resource(s)

  • azuread_application_oauth2_permission_authorized_client

Potential Terraform Configuration

resource "azuread_application" "example" {
  name = "example"
}

resource "azuread_application_oauth2_permission_scope" "example1" {
  application_object_id      = azuread_application.example.id
  admin_consent_description  = "Administer the application 1"
  admin_consent_display_name = "Administer 1"
  enabled                    = true
  type                       = "User"
  user_consent_description   = "Administer the application 1"
  user_consent_display_name  = "Administer 1"
  value                      = "administer1"
}

resource "azuread_application_oauth2_permission_scope" "example2" {
  application_object_id      = azuread_application.example.id
  admin_consent_description  = "Administer the application 2"
  admin_consent_display_name = "Administer2"
  enabled                    = true
  type                       = "User"
  user_consent_description   = "Administer the application 2"
  user_consent_display_name  = "Administer2"
  value                      = "administer2"
}

resource "azuread_application_oauth2_permission_authorized_client" "example" {
  client_id = "872cd9fa-d31f-45e0-9eab-6e460a02d1f1"
  scope_ids = [
    azuread_application_oauth2_permission_scope.example1.id,
    azuread_application_oauth2_permission_scope.example2.id,
  ]
}

assuming the API follows the GUI, which lets you assign many at once (second portal screenshot in the original post).

If it's just 1:1, then scope_ids would be scope_id, and in that case it'd be nice to be able to nest multiple of these under an authorized_clients block in azuread_application_oauth2_permission_scope.

References


manicminer commented Jun 7, 2021

Hi @drdamour, thanks for requesting this! This is a Microsoft Graph specific feature that will be possible to implement once we reach v2.0. I'm not sure whether this could make it into v2.0 specifically, or a subsequent 2.x release, but we can definitely consider it.

In the API schema, this is actually a different property than oauth2PermissionScopes (oauth2_permission_scope block in Terraform) so my initial thoughts are that the configuration might look like this:

resource "azuread_application" "example" {
  display_name = "example-app"

  api {
    pre_authorized_application {
      application_id = azuread_application.other_app.application_id
      scope_ids      = ["uuid1", "uuid2"]
    }
    pre_authorized_application {
      application_id = azuread_application.further_app.application_id
      scope_ids      = ["uuid3", "uuid4"]
    }
  }
}

With the potential to introduce this in a new resource, e.g. azuread_application_pre_authorized_application much as you have proposed.

WDYT?
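As an added example (not code from the issue, and not taken from the provider's own documentation), here is the complete configuration for the two scopes above plus a pre-authorization of the Visual Studio client ID from the original post, written in the resource shape the provider took once Microsoft Graph support landed in 2.x as I recall it: the scopes live inside the azuread_application api block and the pre-authorization is a separate azuread_application_pre_authorized resource keyed on the scope UUIDs. The attribute names are from memory, so check them against the azuread version you pin.

```hcl
# Added example: assumes the azuread 2.x schema (api block with
# oauth2_permission_scope, and azuread_application_pre_authorized).
# Verify attribute names against the provider docs for your pinned version.

terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.0"
    }
    random = {
      source = "hashicorp/random"
    }
  }
}

# Scope IDs must be explicit, stable UUIDs: changing one later invalidates
# every consent grant and pre-authorization that references it, so generate
# them once and keep them in state rather than hard-coding or regenerating.
resource "random_uuid" "administer1" {}
resource "random_uuid" "administer2" {}

resource "azuread_application" "example" {
  display_name = "example-app"

  api {
    oauth2_permission_scope {
      id                         = random_uuid.administer1.result
      admin_consent_description  = "Administer the application 1"
      admin_consent_display_name = "Administer 1"
      enabled                    = true
      type                       = "User"
      user_consent_description   = "Administer the application 1"
      user_consent_display_name  = "Administer 1"
      value                      = "administer1"
    }

    oauth2_permission_scope {
      id                         = random_uuid.administer2.result
      admin_consent_description  = "Administer the application 2"
      admin_consent_display_name = "Administer 2"
      enabled                    = true
      type                       = "User"
      user_consent_description   = "Administer the application 2"
      user_consent_display_name  = "Administer 2"
      value                      = "administer2"
    }
  }
}

# Pre-authorize the Visual Studio client (app ID quoted in the original
# post) for ONE scope only. A pre-authorized client obtains tokens for the
# listed scopes without the user ever seeing a consent prompt, so this is a
# standing grant to a first-party app: keep the list to the minimum needed.
resource "azuread_application_pre_authorized" "visual_studio" {
  application_object_id = azuread_application.example.object_id
  authorized_app_id     = "872cd9fa-d31f-45e0-9eab-6e460a02d1f1"
  permission_ids        = [random_uuid.administer1.result]
}
```

After apply, confirm what actually landed in the directory rather than trusting the plan: `az ad app show --id <application id> --query api.preAuthorizedApplications` returns the Graph-side list, one entry per client app ID with the permission IDs it may request silently. Anything listed there that you did not intend is a consent bypass worth removing, because the scope's own user_consent_* settings no longer apply to that client.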

drdamour (author) commented

@manicminer I guess... are you sure it's not related to the oauth2_permission_scope stuff? Those are the things I get to choose from in the portal web GUI, IME.


manicminer commented Jun 19, 2021

@drdamour Alas, it is a separate feature, even though in the portal you can find them on the same page.

Edit: MS Graph docs - see the preAuthorizedApplications property

drdamour (author) commented

@manicminer Got it; I was more saying it's about OAuth2, not the general API, but I see the scope properties are OAuth-specific and nothing else is.


github-actions bot commented Aug 2, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 2, 2021