auth0 · duedares-rvj · Feb 4, 2025 · Feb 4, 2025 · Feb 4, 2025 · Feb 4, 2025
@@ -32,13 +32,26 @@ func expandAction(data *schema.ResourceData) *management.Action {
 		action.Secrets = expandActionSecrets(config.GetAttr("secrets"))
 	}
 
-	if action.GetRuntime() == "node18" {
+	// If custom-token-exchange is part of SupportedTriggers for an action,
+	// we'd not manipulate it's runtime value.
+	// This is done, to support node18 as runtime.
+	// TODO: Remove this soon as node18 reaches EOL.
+	if action.GetRuntime() == "node18" && !isTokenExchangeInSupportedTriggers(action.SupportedTriggers) {
 		action.Runtime = auth0.String("node18-actions")
 	}
 
 	return action
 }
 
+func isTokenExchangeInSupportedTriggers(actionTriggers []management.ActionTrigger) bool {
+	for _, actionTrigger := range actionTriggers {
+		if actionTrigger.GetID() == "custom-token-exchange" {
+			return true
+		}
+	}
+	return false
+}
+
 func expandActionTriggers(triggers cty.Value) []management.ActionTrigger {
 	if triggers.IsNull() {
 		return nil

@@ -50,6 +50,7 @@ func expandClient(data *schema.ResourceData) (*management.Client, error) {
 		NativeSocialLogin:                  expandClientNativeSocialLogin(data),
 		Mobile:                             expandClientMobile(data),
 		DefaultOrganization:                expandDefaultOrganization(data),
+		TokenExchange:                      expandTokenExchange(data),
 		RequireProofOfPossession:           value.Bool(config.GetAttr("require_proof_of_possession")),
 		ComplianceLevel:                    value.String(config.GetAttr("compliance_level")),
 	}
@@ -111,6 +112,26 @@ func expandDefaultOrganization(data *schema.ResourceData) *management.ClientDefa
 	return &defaultOrg
 }
 
+func expandTokenExchange(data *schema.ResourceData) *management.ClientTokenExchange {
+	if !data.IsNewResource() && !data.HasChange("token_exchange") {
+		return nil
+	}
+	var tokenExchange management.ClientTokenExchange
+
+	config := data.GetRawConfig().GetAttr("token_exchange")
+	if config.IsNull() || config.ForEachElement(func(_ cty.Value, cfg cty.Value) (stop bool) {
+		tokenExchange.AllowAnyProfileOfType = value.Strings(cfg.GetAttr("allow_any_profile_of_type"))
+		return stop
+	}) {
+		return nil
+	}
+	if tokenExchange == (management.ClientTokenExchange{}) {
+		return nil
+	}
+
+	return &tokenExchange
+}
+
 func isDefaultOrgNull(data *schema.ResourceData) bool {
 	if !data.IsNewResource() && !data.HasChange("default_organization") {
 		return false

@@ -558,6 +558,16 @@ func flattenDefaultOrganization(defaultOrganization *management.ClientDefaultOrg
 	return []interface{}{do}
 }
 
+func flattenTokenExchange(tokenExchange *management.ClientTokenExchange) []interface{} {
+	if tokenExchange == nil {
+		return nil
+	}
+	t := map[string]interface{}{
+		"allow_any_profile_of_type": tokenExchange.AllowAnyProfileOfType,
+	}
+	return []interface{}{t}
+}
+
 func flattenClient(data *schema.ResourceData, client *management.Client) error {
 	result := multierror.Append(
 		data.Set("client_id", client.GetClientID()),
@@ -597,6 +607,7 @@ func flattenClient(data *schema.ResourceData, client *management.Client) error {
 		data.Set("oidc_logout", flattenOIDCLogout(client.GetOIDCLogout())),
 		data.Set("require_pushed_authorization_requests", client.GetRequirePushedAuthorizationRequests()),
 		data.Set("default_organization", flattenDefaultOrganization(client.GetDefaultOrganization())),
+		data.Set("token_exchange", flattenTokenExchange(client.GetTokenExchange())),
 		data.Set("require_proof_of_possession", client.GetRequireProofOfPossession()),
 		data.Set("compliance_level", client.GetComplianceLevel()),
 	)

@@ -58,7 +58,7 @@ const testAccCreateMobileClient = `
 resource "auth0_client" "my_client" {
 	name = "Acceptance Test - Mobile - {{.testName}}"
 	app_type = "native"
-
+	oidc_conformant = true
 	token_exchange {
 		allow_any_profile_of_type = ["custom_authentication"]
 	}
@@ -92,6 +92,11 @@ resource "auth0_client" "my_client" {
 	name = "Acceptance Test - Mobile - {{.testName}}"
 	app_type = "native"
 
+	oidc_conformant = true
+	token_exchange {
+		allow_any_profile_of_type = ["custom_authentication"]
+	}
+
 	mobile {
 		android {
 			app_package_name = "com.example"
@@ -121,6 +126,10 @@ resource "auth0_client" "my_client" {
 	name = "Acceptance Test - Mobile - {{.testName}}"
 	app_type = "native"
 
+	oidc_conformant = true
+	token_exchange {
+		allow_any_profile_of_type = ["custom_authentication"]
+	}
 	mobile {
 		android {
 			app_package_name = "com.example"
@@ -141,6 +150,10 @@ resource "auth0_client" "my_client" {
 	name = "Acceptance Test - Mobile - {{.testName}}"
 	app_type = "non_interactive"
 
+	oidc_conformant = true
+	token_exchange {
+		allow_any_profile_of_type = ["custom_authentication"]
+	}
 	native_social_login {
 		apple {
 			enabled = false
@@ -161,6 +174,7 @@ func TestAccClientMobile(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr("auth0_client.my_client", "name", fmt.Sprintf("Acceptance Test - Mobile - %s", t.Name())),
 					resource.TestCheckResourceAttr("auth0_client.my_client", "app_type", "native"),
+					resource.TestCheckResourceAttr("auth0_client.my_client", "oidc_conformant", "true"),
 					resource.TestCheckResourceAttr("auth0_client.my_client", "token_exchange.0.allow_any_profile_of_type.0", "custom_authentication"),
 					resource.TestCheckResourceAttr("auth0_client.my_client", "mobile.#", "1"),
 					resource.TestCheckResourceAttr("auth0_client.my_client", "mobile.0.android.#", "1"),
@@ -181,6 +195,8 @@ func TestAccClientMobile(t *testing.T) {
 				Config: acctest.ParseTestName(testAccUpdateMobileClient, t.Name()),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr("auth0_client.my_client", "name", fmt.Sprintf("Acceptance Test - Mobile - %s", t.Name())),
+					resource.TestCheckResourceAttr("auth0_client.my_client", "oidc_conformant", "true"),
+					resource.TestCheckResourceAttr("auth0_client.my_client", "token_exchange.0.allow_any_profile_of_type.0", "custom_authentication"),
 					resource.TestCheckResourceAttr("auth0_client.my_client", "app_type", "native"),
 					resource.TestCheckResourceAttr("auth0_client.my_client", "mobile.#", "1"),
 					resource.TestCheckResourceAttr("auth0_client.my_client", "mobile.0.android.#", "1"),
@@ -202,6 +218,8 @@ func TestAccClientMobile(t *testing.T) {
 				Config: acctest.ParseTestName(testAccUpdateMobileClientAgainByRemovingSomeFields, t.Name()),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr("auth0_client.my_client", "name", fmt.Sprintf("Acceptance Test - Mobile - %s", t.Name())),
+					resource.TestCheckResourceAttr("auth0_client.my_client", "oidc_conformant", "true"),
+					resource.TestCheckResourceAttr("auth0_client.my_client", "token_exchange.0.allow_any_profile_of_type.0", "custom_authentication"),
 					resource.TestCheckResourceAttr("auth0_client.my_client", "app_type", "native"),
 					resource.TestCheckResourceAttr("auth0_client.my_client", "mobile.#", "1"),
 					resource.TestCheckResourceAttr("auth0_client.my_client", "mobile.0.android.#", "1"),
@@ -228,6 +246,7 @@ func TestAccClientMobile(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr("auth0_client.my_client", "name", fmt.Sprintf("Acceptance Test - Mobile - %s", t.Name())),
 					resource.TestCheckResourceAttr("auth0_client.my_client", "app_type", "non_interactive"),
+					resource.TestCheckResourceAttr("auth0_client.my_client", "token_exchange.0.allow_any_profile_of_type.0", "custom_authentication"),
 					resource.TestCheckResourceAttr("auth0_client.my_client", "mobile.#", "1"),
 					resource.TestCheckResourceAttr("auth0_client.my_client", "mobile.0.android.#", "1"),
 					resource.TestCheckResourceAttr("auth0_client.my_client", "mobile.0.android.0.app_package_name", "com.example"),