DXCDT-563: Add support for customize_mfa_in_postlogin_action tenant…

… setting (#871)
auth0 · Oct 31, 2023 · a175322 · a175322
1 parent 2188ecc
commit a175322
Show file tree

Hide file tree

Showing 7 changed files with 78 additions and 64 deletions.
diff --git a/docs/data-sources/tenant.md b/docs/data-sources/tenant.md
@@ -21,6 +21,7 @@ data "auth0_tenant" "my_tenant" {}
 
 - `allow_organization_name_in_authentication_api` (Boolean) Whether to accept an organization name instead of an ID on auth endpoints.
 - `allowed_logout_urls` (List of String) URLs that Auth0 may redirect to after logout.
+- `customize_mfa_in_postlogin_action` (Boolean) Whether to enable flexible factors for MFA in the PostLogin action.
 - `default_audience` (String) API Audience to use by default for API Authorization flows. This setting is equivalent to appending the audience to every authorization request made to the tenant for every application.
 - `default_directory` (String) Name of the connection to be used for Password Grant exchanges. Options include `auth0-adldap`, `ad`, `auth0`, `email`, `sms`, `waad`, and `adfs`.
 - `default_redirection_uri` (String) The default absolute redirection URI. Must be HTTPS or an empty string.

diff --git a/docs/resources/tenant.md b/docs/resources/tenant.md
@@ -51,6 +51,7 @@ resource "auth0_tenant" "my_tenant" {
 
 - `allow_organization_name_in_authentication_api` (Boolean) Whether to accept an organization name instead of an ID on auth endpoints.
 - `allowed_logout_urls` (List of String) URLs that Auth0 may redirect to after logout.
+- `customize_mfa_in_postlogin_action` (Boolean) Whether to enable flexible factors for MFA in the PostLogin action.
 - `default_audience` (String) API Audience to use by default for API Authorization flows. This setting is equivalent to appending the audience to every authorization request made to the tenant for every application.
 - `default_directory` (String) Name of the connection to be used for Password Grant exchanges. Options include `auth0-adldap`, `ad`, `auth0`, `email`, `sms`, `waad`, and `adfs`.
 - `default_redirection_uri` (String) The default absolute redirection URI. Must be HTTPS or an empty string.

diff --git a/internal/auth0/tenant/expand.go b/internal/auth0/tenant/expand.go
@@ -15,21 +15,22 @@ func expandTenant(data *schema.ResourceData) *management.Tenant {
 	idleSessionLifetime := data.Get("idle_session_lifetime").(float64) // Handling separately to preserve default values not honored by `d.GetRawConfig()`.
 
 	tenant := &management.Tenant{
-		DefaultAudience:       value.String(config.GetAttr("default_audience")),
-		DefaultDirectory:      value.String(config.GetAttr("default_directory")),
-		DefaultRedirectionURI: value.String(config.GetAttr("default_redirection_uri")),
-		FriendlyName:          value.String(config.GetAttr("friendly_name")),
-		PictureURL:            value.String(config.GetAttr("picture_url")),
-		SupportEmail:          value.String(config.GetAttr("support_email")),
-		SupportURL:            value.String(config.GetAttr("support_url")),
-		AllowedLogoutURLs:     value.Strings(config.GetAttr("allowed_logout_urls")),
-		SessionLifetime:       &sessionLifetime,
-		SandboxVersion:        value.String(config.GetAttr("sandbox_version")),
-		EnabledLocales:        value.Strings(config.GetAttr("enabled_locales")),
-		Flags:                 expandTenantFlags(config.GetAttr("flags")),
-		SessionCookie:         expandTenantSessionCookie(config.GetAttr("session_cookie")),
-		Sessions:              expandTenantSessions(config.GetAttr("sessions")),
-		AllowOrgNameInAuthAPI: value.Bool(config.GetAttr("allow_organization_name_in_authentication_api")),
+		DefaultAudience:               value.String(config.GetAttr("default_audience")),
+		DefaultDirectory:              value.String(config.GetAttr("default_directory")),
+		DefaultRedirectionURI:         value.String(config.GetAttr("default_redirection_uri")),
+		FriendlyName:                  value.String(config.GetAttr("friendly_name")),
+		PictureURL:                    value.String(config.GetAttr("picture_url")),
+		SupportEmail:                  value.String(config.GetAttr("support_email")),
+		SupportURL:                    value.String(config.GetAttr("support_url")),
+		AllowedLogoutURLs:             value.Strings(config.GetAttr("allowed_logout_urls")),
+		SessionLifetime:               &sessionLifetime,
+		SandboxVersion:                value.String(config.GetAttr("sandbox_version")),
+		EnabledLocales:                value.Strings(config.GetAttr("enabled_locales")),
+		Flags:                         expandTenantFlags(config.GetAttr("flags")),
+		SessionCookie:                 expandTenantSessionCookie(config.GetAttr("session_cookie")),
+		Sessions:                      expandTenantSessions(config.GetAttr("sessions")),
+		AllowOrgNameInAuthAPI:         value.Bool(config.GetAttr("allow_organization_name_in_authentication_api")),
+		CustomizeMFAInPostLoginAction: value.Bool(config.GetAttr("customize_mfa_in_postlogin_action")),
 	}
 
 	if data.IsNewResource() || data.HasChange("idle_session_lifetime") {

diff --git a/internal/auth0/tenant/flatten.go b/internal/auth0/tenant/flatten.go
@@ -24,6 +24,7 @@ func flattenTenant(data *schema.ResourceData, tenant *management.Tenant) error {
 		data.Set("session_cookie", flattenTenantSessionCookie(tenant.GetSessionCookie())),
 		data.Set("sessions", flattenTenantSessions(tenant.GetSessions())),
 		data.Set("allow_organization_name_in_authentication_api", tenant.GetAllowOrgNameInAuthAPI()),
+		data.Set("customize_mfa_in_postlogin_action", tenant.GetCustomizeMFAInPostLoginAction()),
 	)
 
 	if tenant.GetIdleSessionLifetime() == 0 {

diff --git a/internal/auth0/tenant/resource.go b/internal/auth0/tenant/resource.go
@@ -307,6 +307,12 @@ func NewResource() *schema.Resource {
 				Computed:    true,
 				Description: "Whether to accept an organization name instead of an ID on auth endpoints.",
 			},
+			"customize_mfa_in_postlogin_action": {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Computed:    true,
+				Description: "Whether to enable flexible factors for MFA in the PostLogin action.",
+			},
 		},
 	}
 }

diff --git a/internal/auth0/tenant/resource_test.go b/internal/auth0/tenant/resource_test.go
@@ -45,6 +45,7 @@ func TestAccTenant(t *testing.T) {
 					resource.TestCheckResourceAttr("auth0_tenant.my_tenant", "session_cookie.0.mode", "non-persistent"),
 					resource.TestCheckResourceAttr("auth0_tenant.my_tenant", "sessions.0.oidc_logout_prompt_enabled", "false"),
 					resource.TestCheckResourceAttr("auth0_tenant.my_tenant", "allow_organization_name_in_authentication_api", "false"),
+					resource.TestCheckResourceAttr("auth0_tenant.my_tenant", "customize_mfa_in_postlogin_action", "false"),
 				),
 			},
 			{
@@ -62,6 +63,7 @@ func TestAccTenant(t *testing.T) {
 					resource.TestCheckResourceAttr("auth0_tenant.my_tenant", "default_redirection_uri", ""),
 					resource.TestCheckResourceAttr("auth0_tenant.my_tenant", "sessions.0.oidc_logout_prompt_enabled", "true"),
 					resource.TestCheckResourceAttr("auth0_tenant.my_tenant", "allow_organization_name_in_authentication_api", "true"),
+					resource.TestCheckResourceAttr("auth0_tenant.my_tenant", "customize_mfa_in_postlogin_action", "true"),
 				),
 			},
 			{
@@ -97,6 +99,7 @@ resource "auth0_tenant" "my_tenant" {
 	enabled_locales         = ["en", "de", "fr"]
 
 	allow_organization_name_in_authentication_api = false
+	customize_mfa_in_postlogin_action = false
 
 	flags {
 		disable_clickjack_protection_headers   = true
@@ -134,6 +137,7 @@ resource "auth0_tenant" "my_tenant" {
 	enabled_locales         = ["de", "fr"]
 
 	allow_organization_name_in_authentication_api = true
+	customize_mfa_in_postlogin_action = true
 
 	flags {
 		enable_public_signup_user_exists_error = true