okta_org_metadata data source outputs null organization url value, and has default org url as value for alternate where custom url is expected #1804

Closed
stmyers opened this issue Nov 6, 2023 · 5 comments · Fixed by #1810

@stmyers

stmyers commented Nov 6, 2023

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v1.5.7
on linux_amd64

Affected Resource(s)

  • okta_org_metadata (data resource)

Terraform Configuration Files

data "okta_org_metadata" "this" {}
output "test" {
  value = data.okta_org_metadata.this.domains
}

Changes to Outputs:
  + test                       = {
      + alternate    = "https://mydomain.okta.com"
      + organization = null
    }

Expected Behavior

Expected output

Changes to Outputs:
  + test                       = {
      + alternate    = "https://mycustom.domain.com"
      + organization = "https://mydomain.okta.com"
    }

Can this be done in the Admin UI?

Can this be done in the actual API call?

Yes - when I go to https://mydomain.okta.com/.well-known/okta-organization I see expected values

Actual Behavior

Changes to Outputs:
  + test                       = {
      + alternate    = "https://mydomain.okta.com"
      + organization = null
    }

Steps to Reproduce

See config files

  1. terraform plan

Important Factoids

References

duytiennguyen-okta added the triaged (Triaged into internal Jira) and bug labels Nov 7, 2023
@duytiennguyen-okta
Contributor

OKTA internal reference https://oktainc.atlassian.net/browse/OKTA-665607

@monde
Collaborator

monde commented Nov 15, 2023

@stmyers I confirmed the bug and fixed it in #1810 - organization wasn't being set correctly. I looked at the Okta service code for the GET /.well-known/okta-organization endpoint. I think alternate will always be blank if you are calling the Okta API with your okta domain name. In my example below org name and base url are OKTA_ORG_NAME=abc and OKTA_BASE_URL=okta.com for terraform.

curl --silent https://abc.okta.com/.well-known/okta-organization | jq .
{
  "id": "abc",
  "cell": "abc",
  "_links": {
    "organization": {
      "href": "https://abc.okta.com"
    }
  },
  "pipeline": "idx",
  "settings": {
    "analyticsCollectionEnabled": false,
    "bugReportingEnabled": true,
    "omEnabled": false,
    "pssoEnabled": false,
    "desktopMFAEnabled": false
  }
}

I don't have a custom domain to experiment with but it appears if you have a custom domain like test.example.com for abc.okta.com then the API response would be something like the following. In this example your ENV VARs would be OKTA_ORG_NAME=test and OKTA_BASE_URL=example.com.

curl --silent https://test.example.com/.well-known/okta-organization | jq .
{
  "id": "abc",
  "cell": "abc",
  "_links": {
    "alternate": {
      "href": "https://test.example.com"
    },
    "organization": {
      "href": "https://abc.okta.com"
    }
  },
  "pipeline": "idx",
  "settings": {
    "analyticsCollectionEnabled": false,
    "bugReportingEnabled": true,
    "omEnabled": false,
    "pssoEnabled": false,
    "desktopMFAEnabled": false
  }
}

@monde
Collaborator

monde commented Nov 15, 2023

@stmyers can you curl the well known endpoint on your custom domain and let me know if you do indeed see an alternate value? Thanks

@stmyers
Author

stmyers commented Nov 15, 2023

I get identical output when I curl either URL

$ curl -sS https://login.myorg.com/.well-known/okta-organization | jq .
{
  "id": "123",
  "cell": "123",
  "_links": {
    "organization": {
      "href": "https://myorg.okta.com"
    },
    "alternate": {
      "href": "https://login.myorg.com"
    }
  },
  "pipeline": "idx",
  "settings": {
    "analyticsCollectionEnabled": false,
    "bugReportingEnabled": false,
    "omEnabled": false,
    "pssoEnabled": false,
    "desktopMFAEnabled": false
  }
}

$ curl -sS https://myorg.okta.com/.well-known/okta-organization | jq .
{
  "id": "123",
  "cell": "123",
  "_links": {
    "organization": {
      "href": "https://myorg.okta.com"
    },
    "alternate": {
      "href": "https://login.myorg.com"
    }
  },
  "pipeline": "idx",
  "settings": {
    "analyticsCollectionEnabled": false,
    "bugReportingEnabled": false,
    "omEnabled": false,
    "pssoEnabled": false,
    "desktopMFAEnabled": false
  }
}

> I don't have a custom domain to experiment with but it appears if you have a custom domain like test.example.com for abc.okta.com then the API response would be something like the following. In this example your ENV VARs would be OKTA_ORG_NAME=test and OKTA_BASE_URL=example.com.

I've tried this in the past and it didn't pass validation. I will try testing again.

@monde
Collaborator

monde commented Nov 15, 2023

@stmyers Let me know what you think:

I set up a custom domain on one of my test orgs. Given the PR #1810 and your config

data "okta_org_metadata" "this" {}
output "test" {
  value = data.okta_org_metadata.this.domains
}

On an org with custom domain I get this output

Outputs:

test = {
  "alternate" = "https://test.example.com"
  "organization" = "https://abc.okta.com"
}

On an org without custom domain I get this output

test = {
  "alternate" = tostring(null)
  "organization" = "https://xyz.okta.com"
}

I also see this on a curl to the org with the custom domain, just like you are seeing, so my reading of the Okta source code was a little off (and I should have just set up a custom domain in the first place):

curl --silent https://abc.okta.com/.well-known/okta-organization | jq .
{
  "id": "xxx",
  "cell": "xxx",
  "_links": {
    "organization": {
      "href": "https://abc.okta.com"
    },
    "alternate": {
      "href": "https://test.example.com"
    }
  },
  "pipeline": "idx",
  "settings": {
    "analyticsCollectionEnabled": false,
    "bugReportingEnabled": true,
    "omEnabled": false,
    "pssoEnabled": false,
    "desktopMFAEnabled": false
  }
}
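
The parsing behaviour this issue is about, as an added example that is not part of the thread or the provider's own code: it reads _links from a /.well-known/okta-organization response, always fills organization, and leaves alternate nil when no custom domain is configured. The sample JSON is constructed from the shapes quoted above; the names ParseOrgDomains, OrgDomains and isHTTPS, and the https-only check, are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// Constructed samples shaped like the responses quoted in this thread.
const sampleCustom = `{"id":"abc","_links":{"organization":{"href":"https://abc.okta.com"},"alternate":{"href":"https://test.example.com"}}}`
const sampleDefault = `{"id":"xyz","_links":{"organization":{"href":"https://xyz.okta.com"}}}`

// OrgDomains keeps Alternate as a pointer so "no custom domain" stays nil.
type OrgDomains struct {
	Organization string
	Alternate    *string
}

// isHTTPS accepts only absolute https URLs (an assumption added by this example).
func isHTTPS(href string) bool {
	u, err := url.Parse(href)
	return err == nil && u.Scheme == "https" && u.Host != ""
}

// ParseOrgDomains reads _links.organization (required) and _links.alternate (optional).
func ParseOrgDomains(body []byte) (OrgDomains, error) {
	var doc struct {
		Links map[string]struct{ Href string `json:"href"` } `json:"_links"`
	}
	if err := json.Unmarshal(body, &doc); err != nil {
		return OrgDomains{}, err
	}
	org, ok := doc.Links["organization"]
	if !ok || !isHTTPS(org.Href) {
		return OrgDomains{}, fmt.Errorf("_links.organization missing or not https: %q", org.Href)
	}
	out := OrgDomains{Organization: org.Href}
	if alt, ok := doc.Links["alternate"]; ok {
		if !isHTTPS(alt.Href) {
			return OrgDomains{}, fmt.Errorf("_links.alternate not https: %q", alt.Href)
		}
		out.Alternate = &alt.Href
	}
	return out, nil
}

func main() {
	d, err := ParseOrgDomains([]byte(sampleDefault))
	fmt.Println(d.Organization, d.Alternate == nil, err)
}
```

Keeping the two links in separate fields matters when the values feed issuer or redirect settings elsewhere in a configuration, because the default org URL and the custom domain are different origins.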
