@moabu moabu commented Jan 27, 2026

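| Resource                                   | Unit Test | Acceptance Test | Status |
|--------------------------------------------|-----------|----------------|--------|
| jans_oidc_client                           | PASS      | PASS           | ✅     |
| jans_app_configuration                     | PASS      | PASS           | ✅     |
| jans_api_app_configuration                 | PASS      | PASS           | ✅     |
| jans_scope                                 | PASS      | PASS           | ✅     |
| jans_script                                | PASS      | PASS           | ✅     |
| jans_group                                 | PASS      | PASS           | ✅     |
| jans_user                                  | PASS      | PASS           | ✅     |
| jans_organization                          | PASS      | PASS           | ✅     |
| jans_cache_configuration                   | PASS      | PASS           | ✅     |
| jans_smtp_configuration                    | PASS      | PASS           | ✅     |
| jans_fido2_configuration                   | PASS      | PASS           | ✅     |
| jans_default_authentication_method         | PASS      | PASS           | ✅     |
| jans_scim_app_configuration                | PASS      | PASS           | ✅     |
| jans_ldap_database_configuration           | PASS      | PASS           | ✅     |
| jans_json_web_key                          | PASS      | PASS           | ✅     |
| jans_session_revocation                    | N/A       | PASS           | ✅     |
| jans_token_revocation                      | N/A       | PASS           | ✅     |
| jans_uma_resource                          | PASS      | PASS           | ✅     |
| jans_ssa_revocation                        | N/A       | PASS           | ✅     |
| jans_agama_deployment                      | N/A       | PASS           | ✅     |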

Prepare


Description

Target issue

closes #13082

Implementation Details


Test and Document the changes

  • Static code analysis has been run locally and issues have been fixed
  • Relevant unit and integration tests have been added/updated
  • Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

  • I confirm that there is no impact on the docs due to the code changes in this PR.

Summary by CodeRabbit

  • New Features

    • Expanded app configuration (X‑Frame options, session/token lifetimes, connection service, refresh/token/claims, logout JWT) and enhanced OIDC client options (client_name, PKCE, PAR, PAR/tx/logout script DNS, redirect regex).
    • Added example resources for Agama deployment and messaging.
  • Bug Fixes

    • Fixed SAML config typo and added SAML trust relationship field.
    • Updated OAuth scopes for SSA and UMA operations.
  • Documentation

    • Added resource docs/templates and examples for new resources.
  • Tests

    • Added mapping and acceptance tests plus test data for multiple resources.

| Resource                                   | Unit Test | Acceptance Test | Status |
|--------------------------------------------|-----------|----------------|--------|
| jans_oidc_client                           | PASS      | PASS           | ✅     |
| jans_app_configuration                     | PASS      | PASS           | ✅     |
| jans_api_app_configuration                 | PASS      | PASS           | ✅     |
| jans_scope                                 | PASS      | PASS           | ✅     |
| jans_script                                | PASS      | PASS           | ✅     |
| jans_group                                 | PASS      | PASS           | ✅     |
| jans_user                                  | PASS      | PASS           | ✅     |
| jans_organization                          | PASS      | PASS           | ✅     |
| jans_cache_configuration                   | PASS      | PASS           | ✅     |
| jans_smtp_configuration                    | PASS      | PASS           | ✅     |
| jans_fido2_configuration                   | PASS      | PASS           | ✅     |
| jans_default_authentication_method         | PASS      | PASS           | ✅     |
| jans_scim_app_configuration                | PASS      | PASS           | ✅     |
| jans_ldap_database_configuration           | PASS      | PASS           | ✅     |
| jans_json_web_key                          | PASS      | PASS           | ✅     |
| jans_session_revocation                    | N/A       | PASS           | ✅     |
| jans_token_revocation                      | N/A       | PASS           | ✅     |
| jans_uma_resource                          | PASS      | PASS           | ✅     |
| jans_ssa_revocation                        | N/A       | PASS           | ✅     |
| jans_agama_deployment                      | N/A       | PASS           | ✅     |

Signed-off-by: moabu <47318409+moabu@users.noreply.github.com>

mo-auto commented Jan 27, 2026

Snyk checks have passed. No issues have been found so far.

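| Status | Scanner              | Critical | High | Medium | Low | Total (0) |
|--------|----------------------|----------|------|--------|-----|-----------|
|        | Open Source Security | 0        | 0    | 0      | 0   | 0 issues  |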


coderabbitai bot commented Jan 27, 2026

Walkthrough

Adds many new provider schema fields and types, normalizes OAuth scopes for SSA and UMA, fixes typos, adds example resources and test data, and introduces multiple unit and acceptance tests across SAML, asset, OIDC, and other resources.

Changes

| Cohort | File(s) | Summary |
|--------|---------|---------|
| OAuth / Scope updates | terraform-provider-jans/OAUTH_SCOPES.md, jans/ssa.go, jans/uma_resource.go, provider/resource_ssa_revocation_test.go | SSA revoke scope changed from `https://jans.io/oauth/config/ssa.delete` → `https://jans.io/auth/ssa.admin`; UMA scopes normalized to readonly/write/delete; SSA revocation test now accepts HTTP 401. |
| App configuration (code & docs) | docs/resources/app_configuration.md, jans/app_configuration.go, provider/resource_app_configuration.go | Added many new AppConfiguration fields and ConnectionServiceConfiguration type; new schema fields (x-frame options, auth challenge lifetime, connection_service_configuration block, JWT logout fields, `include_*` toggles); renamed `JmsBrokerUriSet` → `JmsBrokerURISet`. |
| OIDC client (code & docs) | docs/resources/oidc_client.md, docs/resources/scope.md, jans/oidc_client.go, provider/resource_oidc_client.go | Added client_name; corrected `require_pcke` → `require_pkce`; added PAR/PKCE/tx-token/logout-related script fields (`par_*`, `tx_token_script_dns`, `logout_status_jwt_*`); marked some fields Computed; delete now clears ID without re-reading. |
| KC SAML configuration (schema & tests) | docs/resources/kc_saml_configuration.md, provider/resource_kc_saml_config.go, provider/resource_kc_saml_config_test.go | Fixed typo `slected_idp` → `selected_idp` in schema; added unit and acceptance tests for KC SAML configuration. |
| KC SAML trust relationship (impl, schema & tests) | docs/resources/kc_saml_trust_relationship.md, provider/resource_kc_saml_tr.go, provider/resource_kc_saml_tr_test.go | Added sp_meta_data_source_type field; improved metadata file handling (open/close/error), explicit ID clearing on delete, formatting/refactors; added mapping and acceptance tests. |
| KC SAML IDP tests | provider/resource_kc_saml_idp_test.go | New mapping and acceptance tests for KCSamlIDP resource. |
| Examples & message/asset resources | terraform-provider-jans/examples/resources/jans_agama_deployment/resource.tf, terraform-provider-jans/examples/resources/jans_message/resource.tf, templates/resources/agama_deployment.md.tmpl, templates/resources/message.md.tmpl, docs/resources/agama_deployment.md, docs/resources/message.md, provider/testdata/test_asset.txt | Added example Terraform resources and documentation templates for Agama deployment and jans_message; added message docs and test asset file. |
| jans_asset tests | provider/resource_jans_asset_test.go | Added unit and acceptance tests for jans_asset, including mapping and basic acceptance scenario. |
| Provider resource: OIDC client behavior | provider/resource_oidc_client.go | Schema additions (client_name, require_pkce, etc.); token_exchange_scripts set Computed; Delete now clears ID and returns without calling Read. |
| Docs & minor fixes | docs/resources/ldap_database_configuration.md, docs/resources/scope.md | Typographic apostrophe fix; expanded scope docs with new nested client fields and PKCE rename. |
| General tests added | provider/*.go (new test files across provider) | Multiple new unit and acceptance tests added (KCSAML config/TR/IDP, jans_asset, and mapping tests). |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

Suggested reviewers

  • iromli
  • olehbozhok

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

| Check name | Status | Explanation | Resolution |
|------------|--------|-------------|------------|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
| Title check | ❓ Inconclusive | The title 'fix: sync tf provider' is vague and generic, lacking specificity about which provider aspects are being synchronized or what the primary changes entail. | Clarify the title with specific changes, e.g., 'fix: add PKCE and app configuration fields to tf provider' or 'fix: sync OIDC client and app config schemas with upstream' |

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|------------|--------|-------------|
| Description check | ✅ Passed | The description includes a test matrix and checklist items but lacks required implementation details explaining the synchronization scope and approach. |
| Linked Issues check | ✅ Passed | The PR addresses the linked issue #13082 by syncing the Terraform provider with upstream changes including script handling and new configuration fields. |
| Out of Scope Changes check | ✅ Passed | All changes align with synchronizing the Terraform provider with upstream modifications (OIDC, app config, scopes, SAML, SSA, UMA resources, and test additions). |


@mo-auto added the area-documentation, comp-docs, comp-terraform-provider-jans and kind-bug labels Jan 27, 2026

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 19

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
terraform-provider-jans/docs/resources/scope.md (1)

106-159: This is a generated doc; changes must be made in templates/schema and regenerated.

Direct edits under terraform-provider-jans/docs will be overwritten by terraform-plugin-docs. Please move these updates to the schema descriptions or templates (*.md.tmpl) and regenerate. Based on learnings, generated docs should not be edited directly.

Also applies to: 218-243

🤖 Fix all issues with AI agents
In `@terraform-provider-jans/docs/resources/app_configuration.md`:
- Around line 467-474: The generated docs are missing a blank line before the
"Nested Schema for `connection_service_configuration`" heading which triggers
markdownlint MD022; update the documentation template or generator that emits
the nested block for connection_service_configuration (the template section that
outputs the <a id="nestedblock--connection_service_configuration"></a> heading
and its list) to insert a blank line before the heading, then re-run the
generator to regenerate the docs so the blank line appears before the
connection_service_configuration heading.

In `@terraform-provider-jans/docs/resources/ldap_database_configuration.md`:
- Line 42: The docs change edits an auto-generated file — revert manual edits to
terraform-provider-jans/docs and instead update the schema Description for the
LDAP resource field: find the resource schema (e.g., the
ResourceLDAPDatabaseConfiguration or similar in
jans/resource_ldap_database_configuration.go), locate the schema entry for
"local_primary_key" and correct its Description string (or update the template
used by terraform-plugin-docs) so the generated markdown contains the fixed
text; then regenerate docs rather than editing the markdown directly.

In `@terraform-provider-jans/docs/resources/oidc_client.md`:
- Line 120: The docs change is in a generated file
(terraform-provider-jans/docs/resources/oidc_client.md) and must be made at the
source: update the OIDC client schema description for the client_name field (and
any other fields referenced around lines 172 and 233-257) in the provider schema
or the corresponding md.tmpl template instead of editing the generated markdown;
after updating the description in the resource schema (e.g., the OIDC client
resource definition where client_name is defined) or the template file
(*.md.tmpl), re-run the tfplugindocs generation to produce updated docs.

In `@terraform-provider-jans/jans/app_configuration.go`:
- Around line 426-436: AppConfiguration contains two duplicate fields
JmsBrokerUriSet and JmsBrokerURISet both mapped to schema "jms_broker_uri_set";
remove the incorrect/duplicate field named JmsBrokerUriSet (the one with
json:"jmsBrokerUriSet") so only JmsBrokerURISet (json:"jmsBrokerURISet")
remains, eliminating the schema collision and ensuring the struct matches the
upstream property name.

In `@terraform-provider-jans/OAUTH_SCOPES.md`:
- Around line 32-34: Remove the duplicate "https://jans.io/auth/ssa.admin" entry
from the full configuration list for resource jans_ssa_revocation in
OAUTH_SCOPES.md; search for other repeated occurrences noted (around the blocks
referenced: 155-157, 215-216, 238-239, 272-276) and deduplicate those lists so
each scope appears only once, keeping the original intent/order otherwise and
ensuring the Resource heading `jans_ssa_revocation` and its Scope line show a
single `https://jans.io/auth/ssa.admin` entry.

In `@terraform-provider-jans/provider/resource_app_configuration.go`:
- Around line 2416-2420: The schema defines two nearly identical fields
authorize_challenge_session_lifetime_in_seconds and
authorization_challenge_session_lifetime_in_seconds which map to struct fields
AuthorizeChallengeSessionLifetimeInSeconds (json:
authorizeChallengeSessionLifetimeInSeconds) and
AuthorizationChallengeSessionLifetimeInSeconds (json:
authorizationChallengeSessionLifetimeInSeconds); inspect the upstream API to
confirm which JSON property is correct and then remove or deprecate the
incorrect schema entry (or consolidate both to one canonical field) and update
the corresponding struct field, JSON tags, and any expand/flatten functions that
read/write these fields so only the supported property is used (or the
deprecated field emits a clear deprecation message and translates to the
canonical field); also update docs and tests referencing those schema keys.
- Around line 2456-2463: The "logout_status_jwt_signing_alg_values_supported"
list is missing enum validation like other signing algorithm fields; update the
field's Elem schema to include the same ValidateFunc used elsewhere (e.g.,
validation.StringInSlice(signingAlgs, true) or the project's signing alg
validator) so each element is constrained to values in signingAlgs, preserving
Type: schema.TypeString and Optional: true; locate the
"logout_status_jwt_signing_alg_values_supported" declaration and add the
ValidateFunc on its Elem schema to prevent invalid algs from being sent to the
API.

In `@terraform-provider-jans/provider/resource_jans_asset_test.go`:
- Around line 72-83: The test references a missing fixture used by
testAccResourceJansAssetConfig_basic (resource "jans_asset" "test" with asset =
"${path.module}/testdata/test_asset.txt"); create the missing test asset file
named test_asset.txt inside the module's testdata directory and populate it with
simple sample content (e.g., a short ASCII string) so the acceptance test can
read and upload the file during execution.
- Around line 105-122: The destroy check in testAccResourceCheckJansAssetDestroy
treats any error from GetJansAsset as success; update the logic to detect a
specific "not found" condition instead: call c.GetJansAsset(ctx, inum) and if it
returns nil then fail, if it returns an error inspect it for the provider's
not-found marker (e.g. compare with a sentinel like jans.ErrNotFound, use
errors.Is(err, jans.ErrNotFound), or unwrap an HTTP 404 status from the
error/response) and only treat that case as success; for any other error return
it so transient/network/auth errors fail the test. Ensure you reference
testAccResourceCheckJansAssetDestroy and GetJansAsset when making the change.

In `@terraform-provider-jans/provider/resource_kc_saml_config_test.go`:
- Around line 86-99: The import-state check in
testAccResourceCheckKCSamlConfigurationImport always returns nil; change it to
return an error when the resource isn't found by inspecting
state.Attributes["application_name"] — if no instance has a non-empty
application_name, return a descriptive error (e.g., "KCSamlConfiguration
resource not found in import state"); otherwise return nil when found. Locate
and modify the testAccResourceCheckKCSamlConfigurationImport function to
implement this conditional error return using the existing found boolean and
include the error message referencing application_name.
- Around line 102-117: The destroy check in
testAccResourceCheckKCSamlConfigurationDestroy never fails because it returns
nil on any error and never asserts the config was removed; update the loop that
handles resources of type "jans_kc_saml_config" to call
c.GetKCSAMLConfiguration(ctx) and: if err == nil then return an error (e.g.,
fmt.Errorf("KCSAML configuration still exists")) to fail the test, if the client
error clearly indicates "not found" continue to the next resource, and for any
other unexpected error return that error; keep using the existing ctx and
testAccProvider.Meta().(*jans.Client) and the rs.Type check to locate the
relevant resource.

In `@terraform-provider-jans/provider/resource_kc_saml_idp_test.go`:
- Around line 20-38: The test's IdentityProvider instance (idp :=
jans.IdentityProvider{...}) only sets ~17 of ~35 fields, so add the missing
boolean flags and slice/string/number fields used by your mapping logic (e.g.,
TrustEmail, StoreToken, AddReadTokenRoleOnCreate, AuthenticateByDefault,
LinkOnly, FirstBrokerLoginFlowAlias, PostBrokerLoginFlowAlias, SpMetaDataURL,
IdpMetaDataURL, Status, ValidationStatus, ValidationLog (slice), BaseDn,
ValidUntil, CacheDuration, etc.) to the idp literal and update the assertions to
verify these fields survive the mapping round-trip in the Test for
resource_kc_saml_idp; this ensures boolean defaults and slices are exercised and
mapping/regression gaps are detected.
- Around line 110-127: The destroy check in testAccResourceCheckKCSamlIDPDestroy
currently treats any error from c.GetIDP(ctx, inum) as success; instead, update
the logic to only treat a specific "not found" response as success by inspecting
the error returned by jans.Client.GetIDP (use errors.Is(err, jans.ErrNotFound)
or a type assertion to the client's error type / inspect HTTP 404 status), and
for any other error return that error (include context like inum and the
original err); keep the loop and only continue when the not-found condition is
confirmed.

In `@terraform-provider-jans/provider/resource_kc_saml_tr_test.go`:
- Around line 104-118: In testAccResourceCheckKCSamlTRDestroy, don't treat any
non-nil error from c.GetTR(ctx, inum) as success; instead, after verifying err
!= nil, check if errors.Is(err, jans.ErrorNotFound) and treat only that as
successful destruction, returning any other error (i.e., return err) so
network/auth/permission errors propagate; update the logic around the call to
c.GetTR (using rs.Primary.ID/inum) to implement this specific ErrorNotFound
check.
- Around line 3-10: Remove the blanket skip and instead ignore only the known
mismatched field by importing "github.com/google/go-cmp/cmp/cmpopts" and using
cmpopts.IgnoreFields in your comparison: add the cmpopts import to the import
block and replace the t.Skip call with a comparison that calls
cmp.Diff(expected, actual, cmpopts.IgnoreFields(<StructType>{},
"ProfileConfigurations")) so only ProfileConfigurations is excluded while all
other fields are validated; keep references to cmp.Diff and the
"ProfileConfigurations" field name to locate the change.

In `@terraform-provider-jans/provider/resource_kc_saml_tr.go`:
- Around line 264-275: In resourceKCSamlTRDelete, after successful
c.DeleteTR(ctx, inum) do not call resourceKCSamlTRRead; instead clear the
Terraform resource ID (call d.SetId("") on the schema.ResourceData) and return
nil (or an empty diag.Diagnostics) to indicate success. Update
resourceKCSamlTRDelete to remove the resourceKCSamlTRRead call and set the ID to
empty after DeleteTR succeeds.
- Around line 230-245: After creating the TR in resourceKCSamlTRCreate, set the
Terraform resource ID and persist the returned TR into state before calling
resourceKCSamlTRRead: extract the created inum from the returned tr (tr.Inum or
the appropriate field on jans.TrustRelationship), call d.SetId(tr.Inum) and then
call toSchemaResource(d, tr) to populate computed fields (including "inum");
only after these two calls invoke resourceKCSamlTRRead(ctx, d, m).
- Around line 295-301: handleMetadataFile opens and returns an *os.File that is
never closed, leaking file descriptors; after calling handleMetadataFile in
resourceKCSamlTRCreate and resourceKCSamlTRUpdate, immediately defer closing the
returned file (e.g., defer f.Close()) so the file is closed after
CreateTR/UpdateTR completes, or alternatively ensure CreateTR/UpdateTR or
createTRFormData takes ownership and closes the file—update
resourceKCSamlTRCreate/resourceKCSamlTRUpdate to call defer f.Close() right
after receiving f from handleMetadataFile.

In `@terraform-provider-jans/provider/resource_oidc_client.go`:
- Around line 681-685: Rename the misspelled field RequirePcke on the
OidcClientAttribute struct to RequirePkce and change its struct tag from
`require_pcke` to `require_pkce` so it matches the top-level
OidcClient.RequirePkce and PKCE terminology; update any references/usages
(marshal/unmarshal, expand/flatten helpers, schema mapping) that reference
OidcClientAttribute.RequirePcke to use OidcClientAttribute.RequirePkce and
ensure the nested attribute schema key is "require_pkce".
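
The destroy-check comments in the review above (for `jans_asset`, the KC SAML IDP and the trust relationship tests) ask that only a not-found error count as proof of deletion, since an expired token or a 401 would otherwise let the check pass while the resource still exists. The following is an added example, not code from this PR or the provider: `errNotFound`, `assetGetter` and `fakeClient` are hypothetical stand-ins for the real client and its not-found marker, and the Terraform SDK types are left out so the logic runs on its own.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// errNotFound is a hypothetical sentinel; the real client may expose its
// not-found condition differently (for example as an HTTP 404 status).
var errNotFound = errors.New("resource not found")

// assetGetter is a hypothetical one-method view of the API client.
type assetGetter interface {
	GetAsset(ctx context.Context, inum string) (string, error)
}

// fakeClient maps an inum to the error the constructed fake server returns.
// A nil error means the asset still exists; a missing key means it is gone.
type fakeClient map[string]error

func (f fakeClient) GetAsset(_ context.Context, inum string) (string, error) {
	err, present := f[inum]
	switch {
	case !present:
		return "", fmt.Errorf("get asset %q: %w", inum, errNotFound)
	case err != nil:
		return "", fmt.Errorf("get asset %q: %w", inum, err)
	}
	return "asset-" + inum, nil
}

// naiveCheckDestroy mirrors the pattern the review flags: any error from the
// lookup is read as "destroyed".
func naiveCheckDestroy(ctx context.Context, c assetGetter, inums []string) error {
	for _, inum := range inums {
		if _, err := c.GetAsset(ctx, inum); err == nil {
			return fmt.Errorf("asset %q still exists", inum)
		}
	}
	return nil
}

// strictCheckDestroy accepts only the not-found sentinel as proof of deletion
// and propagates every other error (auth, network, permission).
func strictCheckDestroy(ctx context.Context, c assetGetter, inums []string) error {
	for _, inum := range inums {
		_, err := c.GetAsset(ctx, inum)
		switch {
		case err == nil:
			return fmt.Errorf("asset %q still exists", inum)
		case errors.Is(err, errNotFound):
			continue // confirmed gone, check the next resource
		default:
			return fmt.Errorf("destroy check for %q inconclusive: %w", inum, err)
		}
	}
	return nil
}

func main() {
	ctx := context.Background()
	// Constructed scenario: the asset was never deleted, but the token expired.
	errUnauthorized := errors.New("401 unauthorized")
	c := fakeClient{"a1": errUnauthorized}
	fmt.Println("naive: ", naiveCheckDestroy(ctx, c, []string{"a1"}))
	fmt.Println("strict:", strictCheckDestroy(ctx, c, []string{"a1"}))
}
```
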

Signed-off-by: moabu <47318409+moabu@users.noreply.github.com>

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

🤖 Fix all issues with AI agents
In `@terraform-provider-jans/provider/resource_oidc_client.go`:
- Around line 571-579: The schema field definitions (e.g.,
"token_exchange_scripts" in resource_oidc_client.go) have inconsistent
indentation for the Computed property (placed on its own indented line); fix
each occurrence (including the ones noted around lines 574, 756, 764, 773, 779,
787-788) to follow the same formatting style used elsewhere by placing Computed
on the same indentation/line pattern as Type/Optional (i.e., align the Computed
field with the other properties in the schema block for token_exchange_scripts
and the other listed schema entries).
- Around line 945-957: The Delete handler resourceOidcClientDelete currently
calls resourceOidcClientRead after successfully calling c.DeleteOidcClient,
which will attempt to read a now-deleted resource and surface a 404; instead,
after c.DeleteOidcClient(ctx, inum) succeeds log the deletion (tflog.Debug) and
clear the TF state by calling d.SetId("") (or d.SetId("") via
schema.ResourceData) and return nil diagnostics (i.e., return
diag.Diagnostics{}), removing the call to resourceOidcClientRead to ensure the
delete completes cleanly.
- Around line 752-793: The schema field definitions have inconsistent
indentation where Computed: is placed on its own misindented line for fields
like "authorization_details_types", "logout_status_jwt_script_dns",
"logout_status_jwt_signed_response_alg", "par_script_dns", and
"tx_token_script_dns"; fix each by moving the Computed: bool to the same aligned
block as the other field attributes (e.g., alongside Type, Optional,
Description) so the struct literal formatting is consistent for those fields
within the resource schema in resource_oidc_client.go.

moabu added 2 commits January 27, 2026 13:02
Signed-off-by: moabu <47318409+moabu@users.noreply.github.com>
Signed-off-by: moabu <47318409+moabu@users.noreply.github.com>

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 5

🤖 Fix all issues with AI agents
In `@terraform-provider-jans/docs/resources/agama_deployment.md`:
- Around line 13-23: The Terraform example uses the wrong attribute and file
extension; update the example for resource jans_agama_deployment to use
deployment_file (the required schema attribute defined in
resource_agama_deployment.go) instead of source and change the example path
extension to .zip (e.g., deployment_file = "path/to/agama-project.zip"); after
updating the example resource file, re-run terraform-plugin-docs to regenerate
the docs so the README (docs/resources/agama_deployment.md) reflects the
corrected field name and description.

In `@terraform-provider-jans/docs/resources/message.md`:
- Around line 13-23: The example in docs/messages.md uses non-existent fields
(provider_type, redis_configuration) and omits required fields (key, value);
update the example source in the resource schema generation so the generated
example matches the actual schema: ensure the Go resource definition in
terraform-provider-jans/provider/resource_message.go (and any helper
resourceMessageConfiguration()) does not inject provider-specific fields into
the example and instead includes key, value, language, and application;
regenerate the docs so the example becomes the correct Terraform snippet using
key and value and optional language/application.

In `@terraform-provider-jans/docs/resources/oidc_client.md`:
- Around line 238-245: Update the schema descriptions for the listed OIDC client
fields to use consistent American English "authorization" (not "authorisation"),
hyphenate "post-authentication" and "post-authn" where applicable, remove any
trailing spaces, and fix minor wording: e.g., change `par_lifetime` to "lifetime
of Pushed Authorization Request (PAR)", `par_script_dns` to "List of PAR (Pushed
Authorization Request) script DNs.", `post_authn_scripts` to "List of
post-authentication scripts.", `redirect_uris_regex` to "If set, redirect URIs
must match this regexp", `requested_lifetime` to "requested lifetime",
`require_par` to "boolean value indicating whether Pushed Authorization Request
(PAR) is required", `require_pkce` to "Specifies whether to require PKCE (Proof
Key for Code Exchange) for the authorization code flow", and `ropc_scripts` to
"List of Resource Owner Password Credentials (ROPC) scripts."; ensure these
exact field names (`par_lifetime`, `par_script_dns`, `post_authn_scripts`,
`redirect_uris_regex`, `requested_lifetime`, `require_par`, `require_pkce`,
`ropc_scripts`) are updated in the source templates so regenerated docs pass
lint.

In `@terraform-provider-jans/docs/resources/scope.md`:
- Around line 81-82: The docs change was made directly in the generated content
(the sentence containing "match the redirect_uri parameter value used in each
Authorization Request Example: [https://client.example.org/cb]" and similar
instances), but generated files must be updated from the source schema/template;
locate the corresponding resource schema description or the md.tmpl template
that produces the "Authorization Request Example" wording (search for that
phrase or the scope resource description key), make the wording change there so
it becomes part of the generator input, then re-run the docs generator to
regenerate the .md output; repeat for the other occurrences noted in the review
(the other example blocks).
- Around line 223-229: The doc strings for the scope resource have wording/lint
issues; update the underlying schema/template descriptions for the fields
par_lifetime, par_script_dns, post_authn_scripts, redirect_uris_regex,
requested_lifetime, require_par, and require_pkce to use consistent American
spelling "authorization" (not "authorisation"), hyphenate "post-authentication"
where applicable, remove trailing spaces, and clarify/normalize phrasing (e.g.,
"par_lifetime" -> "Lifetime of Pushed Authorization Request (PAR)",
"par_script_dns" -> "List of PAR (Pushed Authorization Request) script DNs",
"post_authn_scripts" -> "List of post-authentication scripts",
"redirect_uris_regex" -> "Redirect URI must match this regexp" or similar,
"requested_lifetime" -> "Requested lifetime", "require_par" -> "Whether Pushed
Authorization Request (PAR) is required", and "require_pkce" -> "Whether PKCE is
required for the authorization code flow"); regenerate docs so the lint
(MD009/trailing spaces) and spelling/hyphenation issues are resolved.

Signed-off-by: moabu <47318409+moabu@users.noreply.github.com>
@moabu moabu merged commit 9339b6f into main Jan 27, 2026
1 of 2 checks passed
@moabu moabu deleted the fix-sync-tf-provider branch January 27, 2026 11:48
Development

Successfully merging this pull request may close these issues.

fix(terraform-jans-provider): terraform support to run scripts universally
