Add client_secret attribute on data source okta_app_oauth

go.mod

@@ -11,7 +11,7 @@ require (
 	github.com/hashicorp/go-hclog v1.3.0
 	github.com/hashicorp/go-retryablehttp v0.7.1
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.19.0
-	github.com/okta/okta-sdk-golang/v2 v2.14.1-0.20220912225624-eed2478b2ec8
+	github.com/okta/okta-sdk-golang/v2 v2.14.1-0.20220914175214-588bce2f1414
 	github.com/stretchr/testify v1.8.0
 )
 

go.sum

@@ -226,6 +226,8 @@ github.com/okta/okta-sdk-golang/v2 v2.14.0 h1:Z2Gs6lnKALHkCw4AM6+h/nLkXKzmiR5bGn
 github.com/okta/okta-sdk-golang/v2 v2.14.0/go.mod h1:dz30v3ctAiMb7jpsCngGfQUAEGm1/NsWT92uTbNDQIs=
 github.com/okta/okta-sdk-golang/v2 v2.14.1-0.20220912225624-eed2478b2ec8 h1:2IHWR+QxBCBTbyX3BY5093l/PAvHzPF2rYoiqv2qzwY=
 github.com/okta/okta-sdk-golang/v2 v2.14.1-0.20220912225624-eed2478b2ec8/go.mod h1:dz30v3ctAiMb7jpsCngGfQUAEGm1/NsWT92uTbNDQIs=
+github.com/okta/okta-sdk-golang/v2 v2.14.1-0.20220914175214-588bce2f1414 h1:KlTCbr7DPfUMq9gQ+WcyLpOUaRIxrGCogYhkXCnaPjY=
+github.com/okta/okta-sdk-golang/v2 v2.14.1-0.20220914175214-588bce2f1414/go.mod h1:dz30v3ctAiMb7jpsCngGfQUAEGm1/NsWT92uTbNDQIs=
 github.com/patrickmn/go-cache v0.0.0-20180815053127-5633e0862627 h1:pSCLCl6joCFRnjpeojzOpEYs4q7Vditq8fySFG5ap3Y=
 github.com/patrickmn/go-cache v0.0.0-20180815053127-5633e0862627/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=

okta/data_source_okta_app_oauth.go

@@ -119,6 +119,12 @@ func dataSourceAppOauth() *schema.Resource {
 				Computed:    true,
 				Description: "OAuth client ID",
 			},
+			"client_secret": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Sensitive:   true,
+				Description: "OAuth client secret",
+			},
 			"policy_uri": {
 				Type:        schema.TypeString,
 				Computed:    true,
@@ -189,6 +195,7 @@ func dataSourceAppOauthRead(ctx context.Context, d *schema.ResourceData, m inter
 	if err != nil {
 		return diag.Errorf("failed to list OAuth's app groups and users: %v", err)
 	}
+
 	d.SetId(app.Id)
 	_ = d.Set("label", app.Label)
 	_ = d.Set("name", app.Name)
@@ -208,6 +215,13 @@ func dataSourceAppOauthRead(ctx context.Context, d *schema.ResourceData, m inter
 		_ = d.Set("logo_uri", app.Settings.OauthClient.LogoUri)
 		_ = d.Set("login_uri", app.Settings.OauthClient.InitiateLoginUri)
 		_ = d.Set("client_id", app.Credentials.OauthClient.ClientId)
+
+		secret, err := getCurrentlyActiveClientSecret(ctx, m, app.Id)
+		if err != nil {
+			return diag.Errorf("failed to fetch OAuth client secret: %v", err)
+		}
+		_ = d.Set("client_secret", secret)
+
 		_ = d.Set("policy_uri", app.Settings.OauthClient.PolicyUri)
 		_ = d.Set("wildcard_redirect", app.Settings.OauthClient.WildcardRedirect)
 		for i := range app.Settings.OauthClient.ResponseTypes {
@@ -240,3 +254,28 @@ func dataSourceAppOauthRead(ctx context.Context, d *schema.ResourceData, m inter
 	_ = d.Set("links", string(p))
 	return nil
 }
+
+// getCurrentlyActiveClientSecret See: https://developer.okta.com/docs/reference/api/apps/#list-client-secrets
+func getCurrentlyActiveClientSecret(ctx context.Context, m interface{}, appId string) (string, error) {
+	secrets, _, err := getOktaClientFromMetadata(m).Application.ListClientSecretsForApplication(ctx, appId)
+	if err != nil {
+		return "", err
+	}
+
+	// There can only be two client secrets. Regardless, choose the latest created active secret.
+	var secretValue string
+	var secret *okta.ClientSecret
+	for _, s := range secrets {
+		if secret == nil && s.Status == "ACTIVE" {
+			secret = s
+		}
+		if secret != nil && s.Status == "ACTIVE" && secret.Created.Before(*s.Created) {
+			secret = s
+		}
+	}
+	if secret != nil {
+		secretValue = secret.ClientSecret
+	}
+
+	return secretValue, nil
+}

okta/data_source_okta_app_oauth_test.go

@@ -26,6 +26,7 @@ func TestAccOktaDataSourceAppOauth_read(t *testing.T) {
 				Config: config,
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttrSet("data.okta_app_oauth.test", "client_id"),
+					resource.TestCheckResourceAttrSet("data.okta_app_oauth.test", "client_secret"),
 					resource.TestCheckResourceAttrSet("data.okta_app_oauth.test", "grant_types.#"),
 					resource.TestCheckResourceAttrSet("data.okta_app_oauth.test", "redirect_uris.#"),
 					resource.TestCheckResourceAttrSet("data.okta_app_oauth.test", "type"),

website/docs/d/app_oauth.html.markdown

@@ -75,6 +75,8 @@ data "okta_app_oauth" "test" {
 
 - `client_id` - OAuth client ID. If set during creation, app is created with this id.
 
+- `client_secret` - The latest active client secret of the application. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
+
 - `client_uri` - URI to a web page providing information about the client.
 
 - `policy_uri` - URI to web page providing client policy document.