Bump goauthentik.io/api/v3 from 3.2024102.2 to 3.2024102.3 (#593)

Bumps [goauthentik.io/api/v3](https://github.com/goauthentik/client-go)
from 3.2024102.2 to 3.2024102.3.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/goauthentik/client-go/releases">goauthentik.io/api/v3's
releases</a>.</em></p>
<blockquote>
<h2>v3.2024102.3</h2>
<p>Update API Client</p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/goauthentik/client-go/commit/cebc48b166840ba210d4724302abbaeb26050b87"><code>cebc48b</code></a>
Update API Client</li>
<li><a
href="https://github.com/goauthentik/client-go/commit/61e7a47b0523c739aad4fbd056edd24766a01080"><code>61e7a47</code></a>
upgrade generator (<a
href="https://redirect.github.com/goauthentik/client-go/issues/12">#12</a>)</li>
<li>See full diff in <a
href="https://github.com/goauthentik/client-go/compare/v3.2024102.2...v3.2024102.3">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=goauthentik.io/api/v3&package-manager=go_modules&previous-version=3.2024102.2&new-version=3.2024102.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

docs/resources/provider_oauth2.md

@@ -17,6 +17,12 @@ description: |-
 resource "authentik_provider_oauth2" "name" {
   name      = "grafana"
   client_id = "grafana"
+  allowed_redirect_uris = [
+    {
+      matching_mode = "strict",
+      url           = "http://localhost",
+    }
+  ]
 }
 
 resource "authentik_application" "name" {
@@ -40,6 +46,7 @@ resource "authentik_application" "name" {
 
 - `access_code_validity` (String) Defaults to `minutes=1`.
 - `access_token_validity` (String) Defaults to `minutes=10`.
+- `allowed_redirect_uris` (List of Map of String)
 - `authentication_flow` (String)
 - `client_secret` (String, Sensitive) Generated.
 - `client_type` (String) Allowed values:
@@ -54,7 +61,6 @@ resource "authentik_application" "name" {
  Defaults to `per_provider`.
 - `jwks_sources` (List of String) JWTs issued by keys configured in any of the selected sources can be used to authenticate on behalf of this provider.
 - `property_mappings` (List of String)
-- `redirect_uris` (List of String)
 - `refresh_token_validity` (String) Defaults to `days=30`.
 - `signing_key` (String)
 - `sub_mode` (String) Allowed values:

examples/resources/authentik_provider_oauth2/resource.tf

@@ -3,6 +3,12 @@
 resource "authentik_provider_oauth2" "name" {
   name      = "grafana"
   client_id = "grafana"
+  allowed_redirect_uris = [
+    {
+      matching_mode = "strict",
+      url           = "http://localhost",
+    }
+  ]
 }
 
 resource "authentik_application" "name" {

go.mod

@@ -11,7 +11,7 @@ require (
 	github.com/hashicorp/terraform-plugin-sdk v1.17.2
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.35.0
 	github.com/stretchr/testify v1.9.0
-	goauthentik.io/api/v3 v3.2024102.2
+	goauthentik.io/api/v3 v3.2024102.6
 )
 
 require (

go.sum

@@ -480,8 +480,8 @@ go.opentelemetry.io/otel/sdk v1.24.0 h1:YMPPDNymmQN3ZgczicBY3B6sf9n62Dlj9pWD3ucg
 go.opentelemetry.io/otel/sdk v1.24.0/go.mod h1:KVrIYw6tEubO9E96HQpcmpTKDVn9gdv35HoYiQWGDFg=
 go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y1YELI=
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
-goauthentik.io/api/v3 v3.2024102.2 h1:k2sIU7TkT2fOomBYo5KEc/mz5ipzaZUp5TuEOJLPX4g=
-goauthentik.io/api/v3 v3.2024102.2/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2024102.6 h1:O5XIKh1SGtByterAAnMVzamCP4hBlnzc4hu+Mbt4p7Y=
+goauthentik.io/api/v3 v3.2024102.6/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=

internal/provider/resource_provider_oauth2.go

@@ -3,7 +3,6 @@ package provider
 import (
 	"context"
 	"strconv"
-	"strings"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
@@ -89,11 +88,11 @@ func resourceProviderOAuth2() *schema.Resource {
 				Type:     schema.TypeString,
 				Optional: true,
 			},
-			"redirect_uris": {
+			"allowed_redirect_uris": {
 				Type:     schema.TypeList,
 				Optional: true,
 				Elem: &schema.Schema{
-					Type: schema.TypeString,
+					Type: schema.TypeMap,
 				},
 			},
 			"sub_mode": {
@@ -153,11 +152,45 @@ func resourceProviderOAuth2SchemaToProvider(d *schema.ResourceData) *api.OAuth2P
 		r.EncryptionKey.Set(api.PtrString(s.(string)))
 	}
 
-	redirectUris := castSlice[string](d.Get("redirect_uris").([]interface{}))
-	r.RedirectUris = api.PtrString(strings.Join(redirectUris, "\n"))
+	r.RedirectUris = listToRedirectURIsRequest(d.Get("allowed_redirect_uris").([]interface{}))
 	return &r
 }
 
+func listToRedirectURIsRequest(raw []interface{}) []api.RedirectURIRequest {
+	rus := []api.RedirectURIRequest{}
+	for _, rr := range raw {
+		rd := rr.(map[string]interface{})
+		rus = append(rus, api.RedirectURIRequest{
+			MatchingMode: api.MatchingModeEnum(rd["matching_mode"].(string)),
+			Url:          rd["url"].(string),
+		})
+	}
+	return rus
+}
+
+func listToRedirectURIs(raw []interface{}) []api.RedirectURI {
+	rus := []api.RedirectURI{}
+	for _, rr := range raw {
+		rd := rr.(map[string]interface{})
+		rus = append(rus, api.RedirectURI{
+			MatchingMode: api.MatchingModeEnum(rd["matching_mode"].(string)),
+			Url:          rd["url"].(string),
+		})
+	}
+	return rus
+}
+
+func redirectURIsToList(raw []api.RedirectURI) []map[string]interface{} {
+	rus := []map[string]interface{}{}
+	for _, rr := range raw {
+		rus = append(rus, map[string]interface{}{
+			"matching_mode": string(rr.MatchingMode),
+			"url":           rr.Url,
+		})
+	}
+	return rus
+}
+
 func resourceProviderOAuth2Create(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
 	c := m.(*APIClient)
 
@@ -195,11 +228,8 @@ func resourceProviderOAuth2Read(ctx context.Context, d *schema.ResourceData, m i
 	setWrapper(d, "issuer_mode", res.IssuerMode)
 	localMappings := castSlice[string](d.Get("property_mappings").([]interface{}))
 	setWrapper(d, "property_mappings", listConsistentMerge(localMappings, res.PropertyMappings))
-	if *res.RedirectUris != "" {
-		setWrapper(d, "redirect_uris", strings.Split(*res.RedirectUris, "\n"))
-	} else {
-		setWrapper(d, "redirect_uris", []string{})
-	}
+	localRedirectURIs := listToRedirectURIs(d.Get("allowed_redirect_uris").([]interface{}))
+	setWrapper(d, "allowed_redirect_uris", redirectURIsToList(castSlice[api.RedirectURI](listConsistentMerge(localRedirectURIs, res.RedirectUris))))
 	if res.SigningKey.IsSet() {
 		setWrapper(d, "signing_key", res.SigningKey.Get())
 	}

internal/provider/resource_provider_oauth2_test.go

@@ -87,6 +87,12 @@ resource "authentik_provider_oauth2" "name" {
   signing_key = data.authentik_certificate_key_pair.generated.id
   authorization_flow = data.authentik_flow.default-authorization-flow.id
   invalidation_flow = data.authentik_flow.default-provider-invalidation-flow.id
+  allowed_redirect_uris = [
+    {
+      matching_mode = "strict",
+	  url = "http://localhost",
+    }
+  ]
 }
 
 resource "authentik_application" "name" {