Add more configuration options for JWT Auth Backend

vault/resource_jwt_auth_backend.go

@@ -78,6 +78,19 @@ func jwtAuthBackendResource() *schema.Resource {
 				Description: "Client Secret used for OIDC",
 			},
 
+			"oidc_response_mode": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "The response mode to be used in the OAuth2 request. Allowed values are 'query' and 'form_post'. Defaults to 'query'. If using Vault namespaces, and oidc_response_mode is 'form_post', then 'namespace_in_state' should be set to false.",
+			},
+
+			"oidc_response_types": {
+				Type:        schema.TypeList,
+				Elem:        &schema.Schema{Type: schema.TypeString},
+				Optional:    true,
+				Description: "The response types to request. Allowed values are 'code' and 'id_token'. Defaults to 'code'. Note: 'id_token' may only be used if 'oidc_response_mode' is set to 'form_post'.",
+			},
+
 			"jwks_url": {
 				Type:          schema.TypeString,
 				Optional:      true,
@@ -123,13 +136,15 @@ func jwtAuthBackendResource() *schema.Resource {
 				Computed:    true,
 				Description: "The accessor of the JWT auth backend",
 			},
+
 			"local": {
 				Type:        schema.TypeBool,
 				ForceNew:    true,
 				Optional:    true,
 				Default:     false,
 				Description: "Specifies if the auth method is local only",
 			},
+
 			"provider_config": {
 				Type:        schema.TypeMap,
 				Optional:    true,
@@ -138,6 +153,14 @@ func jwtAuthBackendResource() *schema.Resource {
 					Type: schema.TypeString,
 				},
 			},
+
+			"namespace_in_state": {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Default:     true,
+				Description: "Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs.",
+			},
+
 			"tune": authMountTuneSchema(),
 		},
 	}
@@ -171,13 +194,16 @@ var (
 		"oidc_discovery_ca_pem",
 		"oidc_client_id",
 		"oidc_client_secret",
+		"oidc_response_mode",
+		"oidc_response_types",
 		"jwks_url",
 		"jwks_ca_pem",
 		"jwt_validation_pubkeys",
 		"bound_issuer",
 		"jwt_supported_algs",
 		"default_role",
 		"provider_config",
+		"namespace_in_state",
 	}
 )
 

vault/resource_jwt_auth_backend_test.go

@@ -98,6 +98,9 @@ func TestAccJWTAuthBackend_OIDC(t *testing.T) {
 					resource.TestCheckResourceAttr("vault_jwt_auth_backend.oidc", "bound_issuer", "api://default"),
 					resource.TestCheckResourceAttr("vault_jwt_auth_backend.oidc", "oidc_client_id", "client"),
 					resource.TestCheckResourceAttr("vault_jwt_auth_backend.oidc", "oidc_client_secret", "secret"),
+					resource.TestCheckResourceAttr("vault_jwt_auth_backend.oidc", "oidc_response_mode", "query"),
+					resource.TestCheckResourceAttr("vault_jwt_auth_backend.oidc", "oidc_response_types.#", "1"),
+					resource.TestCheckResourceAttr("vault_jwt_auth_backend.oidc", "oidc_response_types.0", "code"),
 					resource.TestCheckResourceAttr("vault_jwt_auth_backend.oidc", "type", "oidc"),
 					resource.TestCheckResourceAttr("vault_jwt_auth_backend.oidc", "default_role", "api"),
 				),
@@ -201,6 +204,8 @@ resource "vault_jwt_auth_backend" "oidc" {
   path = "%s"
   type = "oidc"
   default_role = "api"
+  oidc_response_mode  = "query"
+  oidc_response_types = ["code"]
 }
 `, path)
 }

website/docs/r/jwt_auth_backend.html.md

@@ -77,6 +77,10 @@ The following arguments are supported:
 
 * `oidc_client_secret` - (Optional) Client Secret used for OIDC backends
 
+* `oidc_response_mode` - (Optional) The response mode to be used in the OAuth2 request. Allowed values are `query` and `form_post`. Defaults to `query`. If using Vault namespaces, and `oidc_response_mode` is `form_post`, then `namespace_in_state` should be set to `false`.
+
+* `oidc_response_types` - (Optional) List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to `["code"]`. Note: `id_token` may only be used if `oidc_response_mode` is set to `form_post`.
+
 * `jwks_url` - (Optional) JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
 
 * `jwks_ca_pem` - (Optional) The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
@@ -93,6 +97,8 @@ The following arguments are supported:
 
 * `local` - (Optional) Specifies if the auth method is local only.
 
+* `namespace_in_state` - (Optional) Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
+
 * tune - (Optional) Extra configuration block. Structure is documented below.
 
 The `tune` block is used to tune the auth backend: