Added 'groups_claim' to the okta_app_oauth resource

examples/okta_app_oauth/basic.tf

@@ -8,4 +8,9 @@ resource "okta_app_oauth" "test" {
   client_id                  = "something_from_somewhere"
   token_endpoint_auth_method = "client_secret_basic"
   consent_method             = "TRUSTED"
+  groups_claim {
+    type        = "EXPRESSION"
+    value       = "aa"
+    name        = "bb"
+  }
 }

okta/resource_okta_app_oauth.go

@@ -10,6 +10,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/okta/okta-sdk-golang/v2/okta"
 	"github.com/okta/okta-sdk-golang/v2/okta/query"
+	"github.com/okta/terraform-provider-okta/sdk"
 )
 
 type (
@@ -315,6 +316,38 @@ func resourceAppOAuth() *schema.Resource {
 				Description:   "*Early Access Property*. Enable Federation Broker Mode.",
 				ConflictsWith: []string{"groups", "users"},
 			},
+			"groups_claim": {
+				Type:        schema.TypeSet,
+				MaxItems:    1,
+				Description: "Groups claim for an OpenID Connect client application",
+				Optional:    true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"type": {
+							Description:      "Groups claim type.",
+							Type:             schema.TypeString,
+							Required:         true,
+							ValidateDiagFunc: stringInSlice([]string{"FILTER", "EXPRESSION"}),
+						},
+						"filter_type": {
+							Description:      "Groups claim filter. Can only be set if type is FILTER.",
+							Type:             schema.TypeString,
+							Optional:         true,
+							ValidateDiagFunc: stringInSlice([]string{"EQUALS", "STARTS_WITH", "CONTAINS", "REGEX"}),
+						},
+						"name": {
+							Description: "Name of the claim that will be used in the token.",
+							Type:        schema.TypeString,
+							Required:    true,
+						},
+						"value": {
+							Description: "Value of the claim. Can be an Okta Expression Language statement that evaluates at the time the token is minted.",
+							Type:        schema.TypeString,
+							Required:    true,
+						},
+					},
+				},
+			},
 		}),
 	}
 }
@@ -350,9 +383,50 @@ func resourceAppOAuthCreate(ctx context.Context, d *schema.ResourceData, m inter
 	if err != nil {
 		return diag.Errorf("failed to upload logo for OAuth application: %v", err)
 	}
+	err = setAppOauthGroupsClaim(ctx, d, m)
+	if err != nil {
+		return diag.Errorf("failed to update groups claim for an OAuth application: %v", err)
+	}
 	return resourceAppOAuthRead(ctx, d, m)
 }
 
+func setAppOauthGroupsClaim(ctx context.Context, d *schema.ResourceData, m interface{}) error {
+	raw, ok := d.GetOk("groups_claim")
+	if !ok {
+		return nil
+	}
+	groupsClaim := raw.(*schema.Set).List()[0].(map[string]interface{})
+	gc := &sdk.AppOauthGroupClaim{
+		IssuerMode: "ORG_URL",
+		Name:       groupsClaim["name"].(string),
+		Value:      groupsClaim["value"].(string),
+	}
+	gct := groupsClaim["type"].(string)
+	if gct == "FILTER" {
+		gc.ValueType = "GROUPS"
+		gc.GroupFilterType = groupsClaim["filter_type"].(string)
+	} else {
+		gc.ValueType = gct
+	}
+	_, err := getSupplementFromMetadata(m).UpdateAppOauthGroupsClaim(ctx, d.Id(), gc)
+	return err
+}
+
+func updateAppOauthGroupsClaim(ctx context.Context, d *schema.ResourceData, m interface{}) error {
+	raw, ok := d.GetOk("groups_claim")
+	if !ok {
+		return nil
+	}
+	if len(raw.(*schema.Set).List()) == 0 {
+		gc := &sdk.AppOauthGroupClaim{
+			IssuerMode: "ORG_URL",
+		}
+		_, err := getSupplementFromMetadata(m).UpdateAppOauthGroupsClaim(ctx, d.Id(), gc)
+		return err
+	}
+	return setAppOauthGroupsClaim(ctx, d, m)
+}
+
 func resourceAppOAuthRead(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
 	app := okta.NewOpenIdConnectApplication()
 	err := fetchApp(ctx, d, m, app)
@@ -452,6 +526,27 @@ func resourceAppOAuthRead(ctx context.Context, d *schema.ResourceData, m interfa
 	if err != nil {
 		return diag.Errorf("failed to set OAuth application properties: %v", err)
 	}
+	gc, _, err := getSupplementFromMetadata(m).GetAppOauthGroupsClaim(ctx, d.Id())
+	if err != nil {
+		return diag.Errorf("failed to get groups claim for OAuth application: %v", err)
+	}
+	if gc.Name != "" {
+		arr := []map[string]interface{}{
+			{
+				"name":  gc.Name,
+				"value": gc.Value,
+				"type":  gc.ValueType,
+			},
+		}
+		if gc.ValueType == "GROUPS" {
+			arr[0]["type"] = "FILTER"
+			arr[0]["filter_type"] = gc.GroupFilterType
+		}
+		err = setNonPrimitives(d, map[string]interface{}{"groups_claim": arr})
+		if err != nil {
+			return diag.Errorf("failed to set OAuth application properties: %v", err)
+		}
+	}
 	return nil
 }
 
@@ -491,6 +586,10 @@ func resourceAppOAuthUpdate(ctx context.Context, d *schema.ResourceData, m inter
 			return diag.Errorf("failed to upload logo for OAuth application: %v", err)
 		}
 	}
+	err = updateAppOauthGroupsClaim(ctx, d, m)
+	if err != nil {
+		return diag.Errorf("failed to update groups claim for an OAuth application: %v", err)
+	}
 	return resourceAppOAuthRead(ctx, d, m)
 }
 
@@ -638,6 +737,19 @@ func validateAppOAuth(d *schema.ResourceData) error {
 	if rtr.(string) == "STATIC" && rtl.(int) != 0 {
 		return errors.New("you can not set 'refresh_token_leeway' when 'refresh_token_rotation' is static")
 	}
+	raw, ok := d.GetOk("groups_claim")
+	if ok {
+		groupsClaim := raw.(*schema.Set).List()[0].(map[string]interface{})
+		if groupsClaim["type"].(string) == "EXPRESSION" && groupsClaim["filter_type"].(string) != "" {
+			return errors.New("'filter_type' in 'groups_claim' can only be set when 'type' is set to 'FILTER'")
+		}
+		if groupsClaim["type"].(string) == "FILTER" && groupsClaim["filter_type"].(string) == "" {
+			return errors.New("'filter_type' in 'groups_claim' is required when 'type' is set to 'FILTER'")
+		}
+		if groupsClaim["name"].(string) == "" || groupsClaim["value"].(string) == "" {
+			return errors.New("'name' 'value' and in 'groups_claim' should not be empty")
+		}
+	}
 	if _, ok := d.GetOk("jwks"); !ok && d.Get("token_endpoint_auth_method").(string) == "private_key_jwt" {
 		return errors.New("'jwks' is required when 'token_endpoint_auth_method' is 'private_key_jwt'")
 	}

okta/resource_okta_app_oauth_test.go

@@ -44,6 +44,9 @@ func TestAccAppOauth_basic(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, "client_secret", "something_from_somewhere"),
 					resource.TestCheckResourceAttr(resourceName, "client_id", "something_from_somewhere"),
 					resource.TestCheckResourceAttrSet(resourceName, "logo_url"),
+					resource.TestCheckResourceAttr(resourceName, "groups_claim.0.type", "EXPRESSION"),
+					resource.TestCheckResourceAttr(resourceName, "groups_claim.0.value", "aa"),
+					resource.TestCheckResourceAttr(resourceName, "groups_claim.0.name", "bb"),
 				),
 			},
 			{
@@ -60,6 +63,7 @@ func TestAccAppOauth_basic(t *testing.T) {
 					resource.TestCheckResourceAttrSet(resourceName, "client_secret"),
 					resource.TestCheckResourceAttrSet(resourceName, "client_id"),
 					resource.TestCheckResourceAttrSet(resourceName, "logo_url"),
+					resource.TestCheckResourceAttr(resourceName, "groups_claim.#", "0"),
 				),
 			},
 			{

sdk/app_oauth_group_claim.go

@@ -0,0 +1,40 @@
+package sdk
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+
+	"github.com/okta/okta-sdk-golang/v2/okta"
+)
+
+type AppOauthGroupClaim struct {
+	ValueType       string `json:"valueType,omitempty"`
+	GroupFilterType string `json:"groupFilterType,omitempty"`
+	Issuer          string `json:"issuer,omitempty"`
+	OrgURL          string `json:"orgUrl,omitempty"`
+	Audience        string `json:"audience,omitempty"`
+	IssuerMode      string `json:"issuerMode,omitempty"`
+	Name            string `json:"name,omitempty"`
+	Value           string `json:"value,omitempty"`
+}
+
+func (m *ApiSupplement) UpdateAppOauthGroupsClaim(ctx context.Context, appID string, gc *AppOauthGroupClaim) (*okta.Response, error) {
+	url := fmt.Sprintf("/api/v1/internal/apps/%s/settings/oauth/idToken", appID)
+	req, err := m.RequestExecutor.NewRequest(http.MethodPost, url, gc)
+	if err != nil {
+		return nil, err
+	}
+	return m.RequestExecutor.Do(ctx, req, nil)
+}
+
+func (m *ApiSupplement) GetAppOauthGroupsClaim(ctx context.Context, appID string) (*AppOauthGroupClaim, *okta.Response, error) {
+	url := fmt.Sprintf("/api/v1/internal/apps/%s/settings/oauth/idToken", appID)
+	req, err := m.RequestExecutor.NewRequest("GET", url, nil)
+	if err != nil {
+		return nil, nil, err
+	}
+	gc := &AppOauthGroupClaim{}
+	resp, err := m.RequestExecutor.Do(ctx, req, gc)
+	return gc, resp, err
+}

website/docs/r/app_oauth.html.markdown

@@ -108,6 +108,12 @@ The following arguments are supported:
 
 - `logo` (Optional) Application logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
 
+- `groups_claim` - (Optional) Groups claim for an OpenID Connect client application.
+  - `type` - (Required) Groups claim type. Valid values: `"FILTER"`, `"EXPRESSION"`.
+  - `filter_type` - (Optional) Groups claim filter. Can only be set if type is `"FILTER"`. Valid values: `"EQUALS"`, `"STARTS_WITH"`, `"CONTAINS"`, `"REGEX"`.
+  - `name` - (Required) Name of the claim that will be used in the token.
+  - `value` - (Required) Value of the claim. Can be an Okta Expression Language statement that evaluates at the time the token is minted.
+
 ## Attributes Reference
 
 - `id` - ID of the application.