Merge branch 'main' into DXCDT-673-terraform-support-for-forms
kushalshit27 authored Oct 3, 2024
2 parents 57ae97d + 12d9a01 commit 2cd75ef
Showing 82 changed files with 23,976 additions and 11,757 deletions.
13 changes: 12 additions & 1 deletion CHANGELOG.md
@@ -1,18 +1,29 @@
## v1.6.1

BUG FIXES:

- `resource/auth0_client`: Fixed an issue where the `default_organization` plan failed due to `ConflictsWith` and `RequiredWith` clauses in the schema ([#1021](https://github.com/auth0/terraform-provider-auth0/pull/1021))


## v1.6.0

FEATURES:

- `resource/auth0_prompt_screen_partial`: Add new resource to manage customized sign up and login experience. (1:1) ([#1013](https://github.com/auth0/terraform-provider-auth0/pull/1013))
- `resource/auth0_prompt_screen_partials`: Add new resource to manage customized sign up and login experience. (1:many) ([#1013](https://github.com/auth0/terraform-provider-auth0/pull/1013))
- `data_source/auth0_prompt_screen_partials`: Add new data source to retrieve prompt screen partials. ([#1013](https://github.com/auth0/terraform-provider-auth0/pull/1013))

- ENHANCEMENTS:
ENHANCEMENTS:

- `resource/auth0_client`: Add Organizations for Client Credentials. ([#1009](https://github.com/auth0/terraform-provider-auth0/pull/1009))
- `resource/auth0_prompt_custom_text`: Add support for fetching the language list from a CDN for prompt custom text. ([#1006](https://github.com/auth0/terraform-provider-auth0/pull/1016))

BUG FIXES:

- `resource/auth0_connection`: Remove MinItems validation for precedence. ([#1017](https://github.com/auth0/terraform-provider-auth0/pull/1017))

NOTES:

- `resource/auth0_prompt_partials`: Deprecated in favor of `resource/auth0_prompt_screen_partial` and `resource/auth0_prompt_screen_partials`. ([#1013](https://github.com/auth0/terraform-provider-auth0/pull/1013))
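
Review bot: In the v1.6.0 ENHANCEMENTS entry for `resource/auth0_prompt_custom_text`, the link text reads `#1006` but the URL points to `pull/1016`. Make the number and the URL agree so the entry references the right pull request.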


103 changes: 102 additions & 1 deletion docs/data-sources/client.md
Expand Up @@ -39,8 +39,10 @@ data "auth0_client" "some-client-by-id" {
- `app_type` (String) Type of application the client represents. Possible values are: `native`, `spa`, `regular_web`, `non_interactive`, `sso_integration`. Specific SSO integrations types accepted as well are: `rms`, `box`, `cloudbees`, `concur`, `dropbox`, `mscrm`, `echosign`, `egnyte`, `newrelic`, `office365`, `salesforce`, `sentry`, `sharepoint`, `slack`, `springcm`, `zendesk`, `zoom`.
- `callbacks` (List of String) URLs that Auth0 may call back to after a user authenticates for the client. Make sure to specify the protocol (https://) otherwise the callback may fail in some cases. With the exception of custom URI schemes for native clients, all callbacks should use protocol https://.
- `client_aliases` (List of String) List of audiences/realms for SAML protocol. Used by the wsfed addon.
- `client_authentication_methods` (Set of Object) Defines client authentication methods. (see [below for nested schema](#nestedatt--client_authentication_methods))
- `client_metadata` (Map of String) Metadata associated with the client, in the form of an object with string values (max 255 chars). Maximum of 10 metadata properties allowed. Field names (max 255 chars) are alphanumeric and may only include the following special characters: `:,-+=_*?"/\()<>@ [Tab] [Space]`.
- `client_secret` (String, Sensitive) Secret for the client. Keep this private. To access this attribute you need to add the `read:client_keys` scope to the Terraform client. Otherwise, the attribute will contain an empty string.
- `compliance_level` (String) Defines the compliance level for this client, which may restrict it's capabilities. Can be one of `none`, `fapi1_adv_pkj_par`, `fapi1_adv_mtls_par`.
- `cross_origin_auth` (Boolean) Whether this client can be used to make cross-origin authentication requests (`true`) or it is not allowed to make such requests (`false`).
- `cross_origin_loc` (String) URL of the location in your site where the cross-origin verification takes place for the cross-origin auth flow when performing authentication in your own domain instead of Auth0 Universal Login page.
- `custom_login_page` (String) The content (HTML, CSS, JS) of the custom login page.
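
Review bot: The `compliance_level` description says "which may restrict it's capabilities"; this should be the possessive "its". If this file is generated from schema descriptions, correct the string at that source so the typo does not come back on the next docs build.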
Expand All @@ -63,11 +65,13 @@ data "auth0_client" "some-client-by-id" {
- `organization_require_behavior` (String) Defines how to proceed during an authentication transaction when `organization_usage = "require"`. Can be `no_prompt` (default), `pre_login_prompt` or `post_login_prompt`.
- `organization_usage` (String) Defines how to proceed during an authentication transaction with regards to an organization. Can be `deny` (default), `allow` or `require`.
- `refresh_token` (List of Object) Configuration settings for the refresh tokens issued for this client. (see [below for nested schema](#nestedatt--refresh_token))
- `require_proof_of_possession` (Boolean) Makes the use of Proof-of-Possession mandatory for this client.
- `require_pushed_authorization_requests` (Boolean) Makes the use of Pushed Authorization Requests mandatory for this client. This feature currently needs to be enabled on the tenant in order to make use of it.
- `signed_request_object` (Set of Object) Configuration for JWT-secured Authorization Requests(JAR). (see [below for nested schema](#nestedatt--signed_request_object))
- `signing_keys` (List of Map of String) List containing a map of the public cert of the signing key and the public cert of the signing key in PKCS7.
- `sso` (Boolean) Applies only to SSO clients and determines whether Auth0 will handle Single Sign-On (true) or whether the identity provider will (false).
- `sso_disabled` (Boolean) Indicates whether or not SSO is disabled.
- `token_endpoint_auth_method` (String) The authentication method for the token endpoint. Results include `none` (public client without a client secret), `client_secret_post` (client uses HTTP POST parameters), `client_secret_basic` (client uses HTTP Basic). Managing a client's authentication method can be done via the `auth0_client_credentials` resource.
- `token_endpoint_auth_method` (String) The authentication method for the token endpoint. Results include `none` (public client without a client secret), `client_secret_post` (client uses HTTP POST parameters), `client_secret_basic` (client uses HTTP Basic), Managing a client's authentication method can be done via the `auth0_client_credentials` resource.
- `web_origins` (List of String) URLs that represent valid web origins for use with web message response mode.

<a id="nestedatt--addons"></a>
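
Review bot: Of the two `token_endpoint_auth_method` lines, the second ends the list of values with a comma, `(client uses HTTP Basic), Managing a client's authentication method ...`, where the first has a period. Keep the period so "Managing a client's authentication method can be done via the `auth0_client_credentials` resource." remains its own sentence.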
Expand Down Expand Up @@ -403,6 +407,80 @@ Read-Only:



<a id="nestedatt--client_authentication_methods"></a>
### Nested Schema for `client_authentication_methods`

Read-Only:

- `private_key_jwt` (Set of Object) (see [below for nested schema](#nestedobjatt--client_authentication_methods--private_key_jwt))
- `self_signed_tls_client_auth` (Set of Object) (see [below for nested schema](#nestedobjatt--client_authentication_methods--self_signed_tls_client_auth))
- `tls_client_auth` (Set of Object) (see [below for nested schema](#nestedobjatt--client_authentication_methods--tls_client_auth))

<a id="nestedobjatt--client_authentication_methods--private_key_jwt"></a>
### Nested Schema for `client_authentication_methods.private_key_jwt`

Read-Only:

- `credentials` (List of Object) (see [below for nested schema](#nestedobjatt--client_authentication_methods--private_key_jwt--credentials))

<a id="nestedobjatt--client_authentication_methods--private_key_jwt--credentials"></a>
### Nested Schema for `client_authentication_methods.private_key_jwt.credentials`

Read-Only:

- `algorithm` (String)
- `created_at` (String)
- `credential_type` (String)
- `expires_at` (String)
- `id` (String)
- `key_id` (String)
- `name` (String)
- `updated_at` (String)



<a id="nestedobjatt--client_authentication_methods--self_signed_tls_client_auth"></a>
### Nested Schema for `client_authentication_methods.self_signed_tls_client_auth`

Read-Only:

- `credentials` (List of Object) (see [below for nested schema](#nestedobjatt--client_authentication_methods--self_signed_tls_client_auth--credentials))

<a id="nestedobjatt--client_authentication_methods--self_signed_tls_client_auth--credentials"></a>
### Nested Schema for `client_authentication_methods.self_signed_tls_client_auth.credentials`

Read-Only:

- `created_at` (String)
- `credential_type` (String)
- `id` (String)
- `name` (String)
- `updated_at` (String)



<a id="nestedobjatt--client_authentication_methods--tls_client_auth"></a>
### Nested Schema for `client_authentication_methods.tls_client_auth`

Read-Only:

- `credentials` (List of Object) (see [below for nested schema](#nestedobjatt--client_authentication_methods--tls_client_auth--credentials))

<a id="nestedobjatt--client_authentication_methods--tls_client_auth--credentials"></a>
### Nested Schema for `client_authentication_methods.tls_client_auth.credentials`

Read-Only:

- `created_at` (String)
- `credential_type` (String)
- `id` (String)
- `name` (String)
- `subject_dn` (String)
- `updated_at` (String)




<a id="nestedatt--default_organization"></a>
### Nested Schema for `default_organization`
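
Review bot: None of the nested `client_authentication_methods` attributes carries a description, so the docs do not say what `credential_type` or `subject_dn` hold. Add descriptions to the `credentials` fields, and confirm that `algorithm`, `key_id` and `expires_at` are meant to appear only under `private_key_jwt.credentials` and not under the two TLS variants. The four consecutive blank lines before `nestedatt--default_organization` can also be trimmed.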

Expand Down Expand Up @@ -490,3 +568,26 @@ Read-Only:
- `token_lifetime` (Number)


<a id="nestedatt--signed_request_object"></a>
### Nested Schema for `signed_request_object`

Read-Only:

- `credentials` (List of Object) (see [below for nested schema](#nestedobjatt--signed_request_object--credentials))
- `required` (Boolean)

<a id="nestedobjatt--signed_request_object--credentials"></a>
### Nested Schema for `signed_request_object.credentials`

Read-Only:

- `algorithm` (String)
- `created_at` (String)
- `credential_type` (String)
- `expires_at` (String)
- `id` (String)
- `key_id` (String)
- `name` (String)
- `updated_at` (String)
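
Review bot: `signed_request_object.required` is listed as a bare `(Boolean)`. State whether `true` means authorization requests without a signed request object are refused, since that is the value someone auditing a client's configuration will read first.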


45 changes: 44 additions & 1 deletion docs/data-sources/resource_server.md
Expand Up @@ -33,18 +33,41 @@ data "auth0_resource_server" "some-resource-server-by-id" {
### Read-Only

- `allow_offline_access` (Boolean) Indicates whether refresh tokens can be issued for this resource server.
- `authorization_details` (List of Object) Authorization details for this resource server. (see [below for nested schema](#nestedatt--authorization_details))
- `consent_policy` (String) Consent policy for this resource server. Options include `transactional-authorization-with-mfa`, or `null` to disable.
- `enforce_policies` (Boolean) If this setting is enabled, RBAC authorization policies will be enforced for this API. Role and permission assignments will be evaluated during the login transaction.
- `id` (String) The ID of this resource.
- `name` (String) Friendly name for the resource server. Cannot include `<` or `>` characters.
- `proof_of_possession` (List of Object) Configuration settings for proof-of-possession for this resource server. (see [below for nested schema](#nestedatt--proof_of_possession))
- `scopes` (Set of Object) List of permissions (scopes) used by this resource server. (see [below for nested schema](#nestedatt--scopes))
- `signing_alg` (String) Algorithm used to sign JWTs. Options include `HS256` and `RS256`.
- `signing_alg` (String) Algorithm used to sign JWTs. Options include `HS256`, `RS256`, and `PS256`.
- `signing_secret` (String) Secret used to sign tokens when using symmetric algorithms (HS256).
- `skip_consent_for_verifiable_first_party_clients` (Boolean) Indicates whether to skip user consent for applications flagged as first party.
- `token_dialect` (String) Dialect of access tokens that should be issued for this resource server. Options include `access_token`, `rfc9068_profile`, `access_token_authz`, and `rfc9068_profile_authz`. `access_token` is a JWT containing standard Auth0 claims. `rfc9068_profile` is a JWT conforming to the IETF JWT Access Token Profile. `access_token_authz` is a JWT containing standard Auth0 claims, including RBAC permissions claims. `rfc9068_profile_authz` is a JWT conforming to the IETF JWT Access Token Profile, including RBAC permissions claims. RBAC permissions claims are available if RBAC (`enforce_policies`) is enabled for this API. For more details, refer to [Access Token Profiles](https://auth0.com/docs/secure/tokens/access-tokens/access-token-profiles).
- `token_encryption` (List of Object) Configuration for JSON Web Encryption(JWE) of tokens for this resource server. (see [below for nested schema](#nestedatt--token_encryption))
- `token_lifetime` (Number) Number of seconds during which access tokens issued for this resource server from the token endpoint remain valid.
- `token_lifetime_for_web` (Number) Number of seconds during which access tokens issued for this resource server via implicit or hybrid flows remain valid. Cannot be greater than the `token_lifetime` value.
- `verification_location` (String) URL from which to retrieve JWKs for this resource server. Used for verifying the JWT sent to Auth0 for token introspection.

<a id="nestedatt--authorization_details"></a>
### Nested Schema for `authorization_details`

Read-Only:

- `disable` (Boolean)
- `type` (String)


<a id="nestedatt--proof_of_possession"></a>
### Nested Schema for `proof_of_possession`

Read-Only:

- `disable` (Boolean)
- `mechanism` (String)
- `required` (Boolean)


<a id="nestedatt--scopes"></a>
### Nested Schema for `scopes`
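
Review bot: `proof_of_possession` exposes both `disable` and `required` with no descriptions, so the docs do not say how the two flags interact or which values `mechanism` can take. Describe all three fields, and likewise `disable` and `type` under `authorization_details`, so a reader can tell from the data source output whether proof-of-possession is actually enforced for the API.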

Expand All @@ -54,3 +77,23 @@ Read-Only:
- `name` (String)


<a id="nestedatt--token_encryption"></a>
### Nested Schema for `token_encryption`

Read-Only:

- `disable` (Boolean)
- `encryption_key` (List of Object) (see [below for nested schema](#nestedobjatt--token_encryption--encryption_key))
- `format` (String)

<a id="nestedobjatt--token_encryption--encryption_key"></a>
### Nested Schema for `token_encryption.encryption_key`

Read-Only:

- `algorithm` (String)
- `kid` (String)
- `name` (String)
- `pem` (String)
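
Review bot: `token_encryption.encryption_key.pem` is documented as a plain `(String)` with no description. Say what key material it holds, and if it can ever contain anything other than a public key, mark it Sensitive the way `client_secret` is marked in docs/data-sources/client.md. The allowed values for `format` and `algorithm` are also missing.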


14 changes: 14 additions & 0 deletions docs/data-sources/tenant.md
Expand Up @@ -19,20 +19,24 @@ data "auth0_tenant" "my_tenant" {}

### Read-Only

- `acr_values_supported` (Set of String) List of supported ACR values.
- `allow_organization_name_in_authentication_api` (Boolean) Whether to accept an organization name instead of an ID on auth endpoints.
- `allowed_logout_urls` (List of String) URLs that Auth0 may redirect to after logout.
- `customize_mfa_in_postlogin_action` (Boolean) Whether to enable flexible factors for MFA in the PostLogin action.
- `default_audience` (String) API Audience to use by default for API Authorization flows. This setting is equivalent to appending the audience to every authorization request made to the tenant for every application.
- `default_directory` (String) Name of the connection to be used for Password Grant exchanges. Options include `auth0-adldap`, `ad`, `auth0`, `email`, `sms`, `waad`, and `adfs`.
- `default_redirection_uri` (String) The default absolute redirection URI. Must be HTTPS or an empty string.
- `disable_acr_values_supported` (Boolean) Disable list of supported ACR values.
- `domain` (String) Your Auth0 domain name.
- `enabled_locales` (List of String) Supported locales for the user interface. The first locale in the list will be used to set the default locale.
- `flags` (List of Object) Configuration settings for tenant flags. (see [below for nested schema](#nestedatt--flags))
- `friendly_name` (String) Friendly name for the tenant.
- `id` (String) The ID of this resource.
- `idle_session_lifetime` (Number) Number of hours during which a session can be inactive before the user must log in again.
- `management_api_identifier` (String) The identifier value of the built-in Management API resource server, which can be used as an audience when configuring client grants.
- `mtls` (List of Object) Configuration for mTLS. (see [below for nested schema](#nestedatt--mtls))
- `picture_url` (String) URL of logo to be shown for the tenant. Recommended size is 150px x 150px. If no URL is provided, the Auth0 logo will be used.
- `pushed_authorization_requests_supported` (Boolean) Enable pushed authorization requests.
- `sandbox_version` (String) Selected sandbox version for the extensibility environment, which allows you to use custom scripts to extend parts of Auth0's functionality.
- `session_cookie` (List of Object) Alters behavior of tenant's session cookie. Contains a single `mode` property. (see [below for nested schema](#nestedatt--session_cookie))
- `session_lifetime` (Number) Number of hours during which a session will stay valid.
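
Review bot: The descriptions for `disable_acr_values_supported` ("Disable list of supported ACR values.") and `pushed_authorization_requests_supported` ("Enable pushed authorization requests.") are written as actions, but these are read-only attributes of a data source. Reword them to state what the value reports, in the "Whether to ..." form that `allow_organization_name_in_authentication_api` already uses.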
Expand Down Expand Up @@ -66,11 +70,21 @@ Read-Only:
- `enable_sso` (Boolean)
- `mfa_show_factor_list_on_enrollment` (Boolean)
- `no_disclose_enterprise_connections` (Boolean)
- `remove_alg_from_jwks` (Boolean)
- `require_pushed_authorization_requests` (Boolean)
- `revoke_refresh_token_grant` (Boolean)
- `use_scope_descriptions_for_consent` (Boolean)


<a id="nestedatt--mtls"></a>
### Nested Schema for `mtls`

Read-Only:

- `disable` (Boolean)
- `enable_endpoint_aliases` (Boolean)


<a id="nestedatt--session_cookie"></a>
### Nested Schema for `session_cookie`
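
Review bot: `require_pushed_authorization_requests` appears here as a tenant flag, and docs/data-sources/client.md in this same commit documents a client attribute with the same name; neither place says how the tenant flag and the client setting relate. Add a description to the flag that states which one applies when they differ, and describe `remove_alg_from_jwks` and the two `mtls` fields, which are listed as bare `(Boolean)`.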


0 comments on commit 2cd75ef
