Add OIDC session management and request scopes #1181
henryrecker-pingidentity
left a comment
Looks good to me pending the SDK release 👍
patrickcping
left a comment
Couple of very minor points, LGTM 🚀 🚀
| @@ -0,0 +1,7 @@ | |||
| ```release-note:enhancement | |||
| resource/pingone_application: Added `include_x5t`, `op_session_check_enabled` and `request_scopes_for_multiple_resources_enabled` attributes to the `oidc_options` block | |||
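Review bot: The entry on the second visible line names the three new `oidc_options` attributes but not whether they are optional or what they default to, so someone reading the changelog cannot tell whether an existing `pingone_application` configuration changes behaviour on upgrade. A short clause stating that would help. The header `@@ -0,0 +1,7 @@` indicates seven added lines and only two are shown here, so the remaining entries should be checked for the same wording.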
For visual consistency on the changelog, the resource/pingone_application and data-source/pingone_application references should be in tick notation (`)
| grant_types = ["CLIENT_CREDENTIALS"] | ||
| token_endpoint_auth_method = "CLIENT_SECRET_BASIC" | ||
| include_x5t = true |
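Review bot: `include_x5t = true` on the last line is set in a configuration whose only grant type is `CLIENT_CREDENTIALS`, and nothing visible in this hunk checks the value back. Either drop the line from this fixture or pair it with a matching check, so the test fails if the attribute stops round-tripping rather than passing silently.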
We can leave out both attrs from the worker client credentials application
Change Description
CDI-657: Add support to `pingone_application` resource for `oidc_options`:
- `include_x5t`
- `op_session_check_enabled`
- `request_scopes_for_multiple_resources_enabled`

Change Characteristics
Checklist
All full (or complete) PRs that need review prior to merge should have the following box checked.
If contributing a partial or incomplete change (expecting the development team to complete the remaining work) please leave the box unchecked
Required SDK Upgrades
github.com/patrickcping/pingone-go-sdk-v2/management v0.63.0

Testing
This PR has been tested with:
Shell Command(s)
Testing Results
```
=== RUN TestAccApplication_RemovalDrift
=== PAUSE TestAccApplication_RemovalDrift
=== RUN TestAccApplication_NewEnv
=== PAUSE TestAccApplication_NewEnv
=== RUN TestAccApplication_OIDCFullWeb
=== PAUSE TestAccApplication_OIDCFullWeb
=== RUN TestAccApplication_OIDCMinimalWeb
=== PAUSE TestAccApplication_OIDCMinimalWeb
=== RUN TestAccApplication_OIDCWebUpdate
=== PAUSE TestAccApplication_OIDCWebUpdate
=== RUN TestAccApplication_OIDCFullNative
=== PAUSE TestAccApplication_OIDCFullNative
=== RUN TestAccApplication_OIDCMinimalNative
=== PAUSE TestAccApplication_OIDCMinimalNative
=== RUN TestAccApplication_OIDCNativeUpdate
=== PAUSE TestAccApplication_OIDCNativeUpdate
=== RUN TestAccApplication_NativeKerberos
=== PAUSE TestAccApplication_NativeKerberos
=== RUN TestAccApplication_NativeMobile
=== PAUSE TestAccApplication_NativeMobile
=== RUN TestAccApplication_NativeMobile_IntegrityDetection
=== PAUSE TestAccApplication_NativeMobile_IntegrityDetection
=== RUN TestAccApplication_OIDCFullCustom
=== PAUSE TestAccApplication_OIDCFullCustom
=== RUN TestAccApplication_OIDCMinimalCustom
=== PAUSE TestAccApplication_OIDCMinimalCustom
=== RUN TestAccApplication_OIDCCustomUpdate
=== PAUSE TestAccApplication_OIDCCustomUpdate
=== RUN TestAccApplication_OIDCCustom_Device
=== PAUSE TestAccApplication_OIDCCustom_Device
=== RUN TestAccApplication_OIDCFullService
=== PAUSE TestAccApplication_OIDCFullService
=== RUN TestAccApplication_OIDCMinimalService
=== PAUSE TestAccApplication_OIDCMinimalService
=== RUN TestAccApplication_OIDCServiceUpdate
=== PAUSE TestAccApplication_OIDCServiceUpdate
=== RUN TestAccApplication_OIDCFullSPA
=== PAUSE TestAccApplication_OIDCFullSPA
=== RUN TestAccApplication_OIDCMinimalSPA
=== PAUSE TestAccApplication_OIDCMinimalSPA
=== RUN TestAccApplication_OIDCSPAUpdate
=== PAUSE TestAccApplication_OIDCSPAUpdate
=== RUN TestAccApplication_OIDCFullWorker
=== PAUSE TestAccApplication_OIDCFullWorker
=== RUN TestAccApplication_OIDCMinimalWorker
=== PAUSE TestAccApplication_OIDCMinimalWorker
=== RUN TestAccApplication_OIDCWorkerUpdate
=== PAUSE TestAccApplication_OIDCWorkerUpdate
=== RUN TestAccApplication_OIDC_WildcardInRedirectURI
=== PAUSE TestAccApplication_OIDC_WildcardInRedirectURI
=== RUN TestAccApplication_OIDC_LocalhostAddresses
=== PAUSE TestAccApplication_OIDC_LocalhostAddresses
=== RUN TestAccApplication_OIDC_NativeAppAddresses
=== PAUSE TestAccApplication_OIDC_NativeAppAddresses
=== RUN TestAccApplication_OIDC_JwtTokenAuth
=== PAUSE TestAccApplication_OIDC_JwtTokenAuth
=== RUN TestAccApplication_SAMLFull
=== PAUSE TestAccApplication_SAMLFull
=== RUN TestAccApplication_SAMLMinimal
=== PAUSE TestAccApplication_SAMLMinimal
=== RUN TestAccApplication_SAMLVirtualServerIdSettingsOrdering
=== PAUSE TestAccApplication_SAMLVirtualServerIdSettingsOrdering
=== RUN TestAccApplication_ExternalLinkFull
=== PAUSE TestAccApplication_ExternalLinkFull
=== RUN TestAccApplication_ExternalLinkMinimal
=== PAUSE TestAccApplication_ExternalLinkMinimal
=== RUN TestAccApplication_WSFedFull
=== PAUSE TestAccApplication_WSFedFull
=== RUN TestAccApplication_WSFedMinimal
=== PAUSE TestAccApplication_WSFedMinimal
=== RUN TestAccApplication_WSFedMinimalMaximal
=== PAUSE TestAccApplication_WSFedMinimalMaximal
=== RUN TestAccApplication_Enabled
=== PAUSE TestAccApplication_Enabled
=== RUN TestAccApplication_BadParameters
=== PAUSE TestAccApplication_BadParameters
=== CONT TestAccApplication_RemovalDrift
=== CONT TestAccApplication_OIDCMinimalSPA
=== CONT TestAccApplication_NativeMobile_IntegrityDetection
=== CONT TestAccApplication_OIDCFullNative
=== CONT TestAccApplication_SAMLMinimal
=== CONT TestAccApplication_BadParameters
=== CONT TestAccApplication_OIDCFullSPA
=== CONT TestAccApplication_OIDCWebUpdate
=== CONT TestAccApplication_OIDCFullService
=== CONT TestAccApplication_OIDCCustomUpdate
=== NAME TestAccApplication_NativeMobile_IntegrityDetection
    acctest.go:246: PINGONE_GOOGLE_JSON_KEY is missing and must be set
--- FAIL: TestAccApplication_NativeMobile_IntegrityDetection (0.00s)
=== CONT TestAccApplication_OIDCMinimalWorker
=== CONT TestAccApplication_OIDCSPAUpdate
=== CONT TestAccApplication_OIDC_JwtTokenAuth
=== CONT TestAccApplication_SAMLFull
=== CONT TestAccApplication_OIDCWorkerUpdate
=== NAME TestAccApplication_SAMLMinimal
    acctest.go:234: PINGONE_KEY_PKCS7_CERT is missing and must be set
--- FAIL: TestAccApplication_SAMLMinimal (0.00s)
=== CONT TestAccApplication_OIDCFullWorker
=== CONT TestAccApplication_OIDCCustom_Device
=== CONT TestAccApplication_OIDCMinimalCustom
=== NAME TestAccApplication_SAMLFull
    acctest.go:234: PINGONE_KEY_PKCS7_CERT is missing and must be set
--- FAIL: TestAccApplication_SAMLFull (0.00s)
=== CONT TestAccApplication_OIDCNativeUpdate
--- PASS: TestAccApplication_OIDCMinimalSPA (13.71s)
=== CONT TestAccApplication_NativeMobile
--- PASS: TestAccApplication_OIDCMinimalCustom (14.66s)
=== CONT TestAccApplication_NativeKerberos
--- PASS: TestAccApplication_OIDCMinimalWorker (17.51s)
=== CONT TestAccApplication_OIDC_NativeAppAddresses
=== NAME TestAccApplication_NativeKerberos
    resource_application_test.go:857: Step 1/22, expected an error with pattern, no match on: Error running pre-apply plan: exit status 1
    Error: Cannot find environment from name
    with data.pingone_environment.workforce_test,
    on terraform_plugin_test.tf line 13, in data "pingone_environment" "workforce_test":
    13: data "pingone_environment" "workforce_test" {
    The environment "tf-testacc-static-workforce-test" cannot be found
--- FAIL: TestAccApplication_NativeKerberos (5.18s)
=== CONT TestAccApplication_OIDC_LocalhostAddresses
--- PASS: TestAccApplication_OIDCFullNative (22.52s)
=== CONT TestAccApplication_OIDCServiceUpdate
--- PASS: TestAccApplication_BadParameters (22.75s)
=== CONT TestAccApplication_OIDCMinimalNative
--- PASS: TestAccApplication_OIDCFullWorker (26.22s)
=== CONT TestAccApplication_OIDCFullWeb
--- PASS: TestAccApplication_OIDCFullSPA (26.63s)
=== CONT TestAccApplication_OIDCMinimalWeb
--- PASS: TestAccApplication_OIDCFullService (29.83s)
=== CONT TestAccApplication_OIDCFullCustom
--- PASS: TestAccApplication_OIDC_NativeAppAddresses (15.01s)
=== CONT TestAccApplication_OIDCMinimalService
--- PASS: TestAccApplication_OIDCMinimalNative (14.92s)
=== CONT TestAccApplication_WSFedFull
--- PASS: TestAccApplication_OIDCCustomUpdate (38.43s)
=== CONT TestAccApplication_Enabled
--- PASS: TestAccApplication_OIDCSPAUpdate (38.96s)
=== CONT TestAccApplication_WSFedMinimalMaximal
--- PASS: TestAccApplication_OIDCWorkerUpdate (38.97s)
=== CONT TestAccApplication_WSFedMinimal
--- PASS: TestAccApplication_OIDCWebUpdate (42.41s)
=== CONT TestAccApplication_ExternalLinkFull
--- PASS: TestAccApplication_OIDCMinimalWeb (18.36s)
=== CONT TestAccApplication_ExternalLinkMinimal
--- PASS: TestAccApplication_OIDCMinimalService (13.05s)
=== CONT TestAccApplication_NewEnv
--- PASS: TestAccApplication_OIDCFullWeb (20.03s)
=== CONT TestAccApplication_SAMLVirtualServerIdSettingsOrdering
    acctest.go:234: PINGONE_KEY_PKCS7_CERT is missing and must be set
--- FAIL: TestAccApplication_SAMLVirtualServerIdSettingsOrdering (0.00s)
=== CONT TestAccApplication_OIDC_WildcardInRedirectURI
--- PASS: TestAccApplication_OIDCNativeUpdate (50.88s)
--- PASS: TestAccApplication_OIDCFullCustom (21.59s)
--- PASS: TestAccApplication_OIDCServiceUpdate (29.53s)
--- PASS: TestAccApplication_OIDC_LocalhostAddresses (33.58s)
--- PASS: TestAccApplication_OIDC_WildcardInRedirectURI (9.53s)
--- PASS: TestAccApplication_ExternalLinkMinimal (12.67s)
--- PASS: TestAccApplication_ExternalLinkFull (15.51s)
--- PASS: TestAccApplication_Enabled (23.62s)
--- PASS: TestAccApplication_OIDCCustom_Device (63.85s)
--- PASS: TestAccApplication_WSFedMinimalMaximal (32.61s)
--- PASS: TestAccApplication_NativeMobile (61.72s)
--- PASS: TestAccApplication_OIDC_JwtTokenAuth (77.57s)
--- PASS: TestAccApplication_WSFedFull (43.82s)
--- PASS: TestAccApplication_WSFedMinimal (46.57s)
--- PASS: TestAccApplication_NewEnv (42.66s)
--- PASS: TestAccApplication_RemovalDrift (95.73s)
FAIL
exit status 1
FAIL github.com/pingidentity/terraform-provider-pingone/internal/service/sso 96.504s
```

```
=== RUN TestAccApplicationDataSource_OIDCAppByID
=== PAUSE TestAccApplicationDataSource_OIDCAppByID
=== RUN TestAccApplicationDataSource_OIDCAppByName
=== PAUSE TestAccApplicationDataSource_OIDCAppByName
=== RUN TestAccApplicationDataSource_ExternalLinkAppByID
=== PAUSE TestAccApplicationDataSource_ExternalLinkAppByID
=== RUN TestAccApplicationDataSource_ExternalLinkAppByName
=== PAUSE TestAccApplicationDataSource_ExternalLinkAppByName
=== RUN TestAccApplicationDataSource_SAMLAppByID
=== PAUSE TestAccApplicationDataSource_SAMLAppByID
=== RUN TestAccApplicationDataSource_SAMLAppByName
=== PAUSE TestAccApplicationDataSource_SAMLAppByName
=== RUN TestAccApplicationDataSource_WSFedAppByID
=== PAUSE TestAccApplicationDataSource_WSFedAppByID
=== RUN TestAccApplicationDataSource_WSFedAppByName
=== PAUSE TestAccApplicationDataSource_WSFedAppByName
=== RUN TestAccApplicationDataSource_FailureChecks
=== PAUSE TestAccApplicationDataSource_FailureChecks
=== CONT TestAccApplicationDataSource_OIDCAppByID
=== CONT TestAccApplicationDataSource_SAMLAppByName
=== CONT TestAccApplicationDataSource_ExternalLinkAppByName
=== CONT TestAccApplicationDataSource_ExternalLinkAppByID
=== CONT TestAccApplicationDataSource_OIDCAppByName
=== CONT TestAccApplicationDataSource_WSFedAppByName
=== CONT TestAccApplicationDataSource_FailureChecks
=== CONT TestAccApplicationDataSource_WSFedAppByID
=== CONT TestAccApplicationDataSource_SAMLAppByID
    acctest.go:234: PINGONE_KEY_PKCS7_CERT is missing and must be set
--- FAIL: TestAccApplicationDataSource_SAMLAppByID (0.00s)
--- PASS: TestAccApplicationDataSource_FailureChecks (3.75s)
--- PASS: TestAccApplicationDataSource_ExternalLinkAppByID (7.40s)
--- PASS: TestAccApplicationDataSource_ExternalLinkAppByName (7.47s)
--- PASS: TestAccApplicationDataSource_WSFedAppByName (8.05s)
--- PASS: TestAccApplicationDataSource_SAMLAppByName (8.33s)
--- PASS: TestAccApplicationDataSource_OIDCAppByID (8.94s)
--- PASS: TestAccApplicationDataSource_OIDCAppByName (12.21s)
--- PASS: TestAccApplicationDataSource_WSFedAppByID (43.29s)
FAIL
exit status 1
FAIL github.com/pingidentity/terraform-provider-pingone/internal/service/sso 43.777s
```

End-to-end Tests Workflow Links