fix: identity schema data source empty content with project_id (#117)

* feat: add base_redirect_uri support to ory_social_provider

Adds the optional `base_redirect_uri` attribute to the `ory_social_provider`
resource, allowing users to override the base URL Ory uses when constructing
OIDC callback URLs (useful when using a custom domain).

The attribute maps to the global OIDC config field at
`/services/identity/config/selfservice/methods/oidc/config/base_redirect_uri`.
Documented its global nature (last applied value wins across providers).

Closes #113

* test: add base_redirect_uri to validate_config unit test schema

* fix: address Copilot review comments on base_redirect_uri

- Deduplicate provider_id in examples (corporate-sso-custom-domain)
- Validate base_redirect_uri is not an empty string
- Apply base_redirect_uri patch in Create's existingIndex branch
- Only track base_redirect_uri in Read when state has it configured;
  fall back to GetProject when cache is empty
- Guard Update against unknown plan values; skip patch when unchanged
- Add removal test step to verify base_redirect_uri can be unset

* fix: reuse fetched project in Read to avoid extra GetProject call for base_redirect_uri

* fix: identity schema data source returns empty content when project_id is set

When project_id was explicitly set on the identity schema data sources,
the provider exclusively used the console API which reads from project
config. After the Ory API transforms schema URLs from base64:// to
https://, the project config has HTTPS URLs that couldn't be decoded,
resulting in empty schema bodies ("{}").

This commit fixes three issues:

1. Always prefer the Kratos API when available since identity schemas
   are workspace-scoped and the Kratos API returns canonical hash-based
   IDs with full schema content regardless of project_id.

2. Fetch schema content from HTTPS URLs in extractSchemasFromProjectConfig
   so the console API path also returns full schema bodies for transformed
   schemas.

3. Include project_id in the "Identity Schema Not Found" error message
   to help users verify they're searching the correct project.

Closes #115

* fix: address Copilot review comments on identity schema data sources

- Thread caller context into fetchSchemaFromURL and
  extractSchemasFromProjectConfig instead of using context.Background()
- Add SSRF protection: restrict to HTTPS only, block private/loopback
  IPs, use dedicated HTTP client with redirect validation
- Update project_id attribute descriptions in both singular and plural
  data sources to reflect Kratos API preference
- Omit "in project" clause from error message when project_id is empty
- Fix set_default with existing workspace schema: ensure schema is added
  to project config before setting it as default_schema_id

* docs: update identity schema data source docs and examples

- Update project_id tip to reflect Kratos API preference
- Update project_id attribute descriptions in generated docs
- Add example showing project bootstrap with workspace schema as default

* fix: address second round of Copilot review comments

- Rewrite isPrivateHost using net/netip with proper CIDR range checks
  (fixes false positive on 172.2.x public IPs)
- Add DNS rebinding protection: resolve hostnames and check all A/AAAA
  records against private/loopback/link-local ranges
- Fix redirect comment to say "at most one redirect" (not "no redirects")
- Handle json.Marshal error explicitly instead of ignoring it
- Adjust error message: say "workspace" instead of "project" when
  project_id is not set
- Fix example to use human-chosen schema_id ("customer") instead of hash
- Add unit tests for fetchSchemaFromURL, isPrivateHost, and isPrivateAddr
  covering HTTPS fetch, non-200, invalid JSON, private IP rejection,
  and DNS-based host validation

* fix: remove unnecessary #nosec G107 comment from fetchSchemaFromURL

gosec does not flag http.NewRequestWithContext with variable URLs,
and the SSRF protection (HTTPS-only, private IP blocking, DNS
rebinding checks) makes the suppression unnecessary.

* fix: address remaining Copilot review comments on PR #117

- Validate redirect targets against private/loopback hosts in
  CheckRedirect to prevent SSRF bypass via redirects
- Thread caller context through isPrivateHost for DNS resolution so
  lookups respect cancellation/timeout
- Surface HTTPS schema fetch errors instead of silently returning {}
- Add redirect test coverage (redirect to private host, redirect to HTTP)
- Fix misleading error hints to reflect workspace-scoped schema semantics
- Fix "when the project matches" comment to match actual behavior
- Clarify docs example that schema_id is human-chosen, not a hash

* fix: address new Copilot review comments on PR #117

- Add Kratos→Console fallback in plural identity schemas data source
  to mirror singular data source behavior
- Handle missing schemas array in JSON Patch by creating the array
  when it doesn't exist (brand-new project config)
- Add safeDialContext to validate resolved IPs at connection time,
  preventing DNS rebinding (TOCTOU) attacks
- Add TrimSpace to isEmptySchemaBody for robustness
- Remove DNS-dependent test case (storage.googleapis.com) to keep
  tests hermetic in restricted CI environments
- Update isPrivateHost comment to clarify it's a pre-flight check

* fix: improve DNS error reporting and add HTTPS extraction test

- Change isPrivateHost to return (bool, error) so DNS failures produce
  actionable "resolving host" errors instead of misleading
  "private/loopback host" messages
- Add unit test for HTTPS URL path in extractSchemasFromProjectConfig
  using httptest server
- Add test case for unresolvable DNS name returning error

* fix: reuse shared HTTP client and parallelize HTTPS schema fetching

- Replace per-call newSchemaFetchClient with a shared schemaFetchClient
  singleton to reuse connections and avoid resource leaks
- Use req.Context() in CheckRedirect instead of capturing outer ctx,
  enabling a single shared client that still respects per-request
  cancellation
- Parallelize HTTPS schema fetching in extractSchemasFromProjectConfig
  with bounded concurrency (max 5) to reduce latency for projects with
  multiple schemas

* fix: correct comment typo: HTTPS URLs are fetched over HTTPS, not HTTP

Author: KT-Doan

docs/data-sources/identity_schema.md

@@ -15,7 +15,7 @@ This data source retrieves a specific identity schema from the project, allowing
 
 ~> **Note:** Ory may assign hash-based IDs to schemas. Use the `ory_identity_schemas` (plural) data source to discover available schema IDs, or use the `id` output from an `ory_identity_schema` resource.
 
-~> **Tip:** Set `project_id` to look up schemas via the console API (workspace key only). This is useful during project bootstrap when `project_slug` and `project_api_key` are not yet available.
+~> **Tip:** Set `project_id` when only a workspace API key is available (e.g., during project bootstrap before `project_slug` and `project_api_key` exist). When project credentials are configured, the Kratos API is preferred automatically as it returns canonical hash-based IDs with full schema content.
 
 ## Example Usage
 
@@ -66,6 +66,25 @@ data "ory_identity_schema" "bootstrap" {
   id         = "preset://username"
   project_id = "your-project-uuid"
 }
+
+# Create a new project and reuse an existing workspace schema as default.
+# Use a human-chosen schema_id (not the hash-based ID from the data source)
+# and copy the schema content from the existing schema.
+resource "ory_project" "new" {
+  name = "my-new-project"
+}
+
+data "ory_identity_schema" "existing" {
+  id         = "670f71...full-hash-id"
+  project_id = ory_project.new.id
+}
+
+resource "ory_identity_schema" "default" {
+  schema_id   = "customer"
+  project_id  = ory_project.new.id
+  schema      = data.ory_identity_schema.existing.schema
+  set_default = true
+}
 ```
 
 <!-- schema generated by tfplugindocs -->
@@ -77,7 +96,7 @@ data "ory_identity_schema" "bootstrap" {
 
 ### Optional
 
-- `project_id` (String) The ID of the project to look up schemas from. If not set, uses the provider's project_id. When set, schemas are read from the project config via the console API (workspace key), which does not require project_slug or project_api_key.
+- `project_id` (String) The ID of the project. If not set, uses the provider's project_id. The Kratos API is preferred when project_slug and project_api_key are configured (returns canonical hash IDs with full schema content). When only a workspace key is available, schemas are read from the project config via the console API.
 
 ### Read-Only
 

docs/data-sources/identity_schemas.md

@@ -31,7 +31,7 @@ output "schemas" {
 
 ### Optional
 
-- `project_id` (String) The ID of the project to list schemas from. If not set, uses the provider's project_id. When set, schemas are read from the project config via the console API (workspace key), which does not require project_slug or project_api_key.
+- `project_id` (String) The ID of the project to list schemas from. If not set, uses the provider's project_id. The Kratos API is preferred when project_slug and project_api_key are configured (returns canonical hash IDs with full schema content). When only a workspace key is available, schemas are read from the project config via the console API.
 
 ### Read-Only
 

examples/data-sources/ory_identity_schema/data-source.tf

@@ -44,3 +44,22 @@ data "ory_identity_schema" "bootstrap" {
   id         = "preset://username"
   project_id = "your-project-uuid"
 }
+
+# Create a new project and reuse an existing workspace schema as default.
+# Use a human-chosen schema_id (not the hash-based ID from the data source)
+# and copy the schema content from the existing schema.
+resource "ory_project" "new" {
+  name = "my-new-project"
+}
+
+data "ory_identity_schema" "existing" {
+  id         = "670f71...full-hash-id"
+  project_id = ory_project.new.id
+}
+
+resource "ory_identity_schema" "default" {
+  schema_id   = "customer"
+  project_id  = ory_project.new.id
+  schema      = data.ory_identity_schema.existing.schema
+  set_default = true
+}

internal/client/client.go

@@ -8,7 +8,9 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"net"
 	"net/http"
+	"net/netip"
 	"net/url"
 	"strings"
 	"sync"
@@ -1427,14 +1429,15 @@ func (c *OryClient) ListIdentitySchemasViaProject(ctx context.Context, projectID
 	if err != nil {
 		return nil, fmt.Errorf("getting project for schema lookup: %w", err)
 	}
-	return extractSchemasFromProjectConfig(project)
+	return extractSchemasFromProjectConfig(ctx, project)
 }
 
 // extractSchemasFromProjectConfig reads the identity schemas array from the
 // project's kratos config and converts each entry into an
 // IdentitySchemaContainer. For base64-encoded schemas the content is decoded
-// inline; preset schemas are returned with an empty schema body.
-func extractSchemasFromProjectConfig(project *ory.Project) ([]ory.IdentitySchemaContainer, error) {
+// inline; for HTTPS URLs the content is fetched over HTTPS; preset schemas
+// are returned with an empty schema body.
+func extractSchemasFromProjectConfig(ctx context.Context, project *ory.Project) ([]ory.IdentitySchemaContainer, error) {
 	if project.Services.Identity == nil {
 		return nil, nil
 	}
@@ -1445,7 +1448,16 @@ func extractSchemasFromProjectConfig(project *ory.Project) ([]ory.IdentitySchema
 	identity, _ := configMap["identity"].(map[string]interface{})
 	rawSchemas, _ := identity["schemas"].([]interface{})
 
-	var result []ory.IdentitySchemaContainer
+	// First pass: decode base64/preset schemas synchronously and collect
+	// HTTPS schemas that need network fetching.
+	type httpsEntry struct {
+		index int
+		id    string
+		url   string
+	}
+	result := make([]ory.IdentitySchemaContainer, 0, len(rawSchemas))
+	var httpsFetches []httpsEntry
+
 	for _, raw := range rawSchemas {
 		s, ok := raw.(map[string]interface{})
 		if !ok {
@@ -1456,7 +1468,8 @@ func extractSchemasFromProjectConfig(project *ory.Project) ([]ory.IdentitySchema
 
 		container := ory.IdentitySchemaContainer{Id: id}
 
-		if strings.HasPrefix(rawURL, "base64://") {
+		switch {
+		case strings.HasPrefix(rawURL, "base64://"):
 			decoded, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(rawURL, "base64://"))
 			if err != nil {
 				return nil, fmt.Errorf("decoding base64 schema %q: %w", id, err)
@@ -1466,17 +1479,215 @@ func extractSchemasFromProjectConfig(project *ory.Project) ([]ory.IdentitySchema
 				return nil, fmt.Errorf("parsing JSON for schema %q: %w", id, err)
 			}
 			container.Schema = schemaObj
-		} else {
-			// Preset or URL-based schemas: return an empty object so
+
+		case strings.HasPrefix(rawURL, schemeHTTPS+"://"):
+			// Mark for parallel fetching below.
+			httpsFetches = append(httpsFetches, httpsEntry{index: len(result), id: id, url: rawURL})
+
+		default:
+			// Preset or unrecognized URL schemes: return an empty object so
 			// json.Marshal produces "{}" instead of "null".
 			container.Schema = map[string]interface{}{}
 		}
 
 		result = append(result, container)
 	}
+
+	// Second pass: fetch HTTPS schemas in parallel (bounded to avoid
+	// excessive concurrency). Projects typically have 1-3 schemas.
+	if len(httpsFetches) > 0 {
+		type fetchResult struct {
+			schema map[string]interface{}
+			err    error
+		}
+		results := make([]fetchResult, len(httpsFetches))
+		var wg sync.WaitGroup
+		// Limit concurrency to 5 to avoid excessive socket usage.
+		sem := make(chan struct{}, 5)
+
+		for i, entry := range httpsFetches {
+			wg.Add(1)
+			go func(i int, entry httpsEntry) {
+				defer wg.Done()
+				sem <- struct{}{}
+				defer func() { <-sem }()
+				schemaObj, err := fetchSchemaFromURL(ctx, entry.url)
+				results[i] = fetchResult{schema: schemaObj, err: err}
+			}(i, entry)
+		}
+		wg.Wait()
+
+		for i, entry := range httpsFetches {
+			if results[i].err != nil {
+				return nil, fmt.Errorf("fetching schema %q from URL: %w", entry.id, results[i].err)
+			}
+			result[entry.index].Schema = results[i].schema
+		}
+	}
+
 	return result, nil
 }
 
+// hostChecker is the function used to check whether a host is private.
+// It accepts a context for DNS resolution and is a variable so tests can
+// override it. Returns (isPrivate, error) — error indicates DNS failure.
+var hostChecker = isPrivateHost
+
+// schemaFetchClient is a shared HTTP client for fetching schema content from
+// trusted URLs returned by the Ory API. It is thread-safe and reuses
+// connections. It uses req.Context() in CheckRedirect so per-request
+// cancellation is respected without creating a new client per call.
+// It is a variable so tests can override it.
+var schemaFetchClient = &http.Client{
+	Timeout: 10 * time.Second,
+	Transport: &http.Transport{
+		// Validate the actual resolved IP at connection time to prevent
+		// DNS rebinding: a hostname may resolve to a public IP during the
+		// pre-flight check but to a private IP when the connection is made.
+		DialContext: safeDialContext,
+	},
+	CheckRedirect: func(req *http.Request, via []*http.Request) error {
+		if len(via) >= 2 {
+			return fmt.Errorf("too many redirects fetching schema")
+		}
+		if req.URL.Scheme != "https" {
+			return fmt.Errorf("refusing non-HTTPS redirect for schema URL")
+		}
+		// Validate the redirect target to prevent SSRF bypass via a
+		// public HTTPS URL that redirects to a private/loopback host.
+		// Use req.Context() so the check respects per-request cancellation.
+		redirectIsPrivate, checkErr := hostChecker(req.Context(), req.URL.Hostname())
+		if checkErr != nil {
+			return checkErr
+		}
+		if redirectIsPrivate {
+			return fmt.Errorf("refusing redirect to private/loopback host %q", req.URL.Hostname())
+		}
+		return nil
+	},
+}
+
+// safeDialContext wraps the default dialer and validates that the resolved IP
+// address is not private/loopback/link-local before establishing the connection.
+// This prevents DNS rebinding attacks where a hostname resolves to a public IP
+// during pre-flight checks but to a private IP at connection time.
+func safeDialContext(ctx context.Context, network, addr string) (net.Conn, error) {
+	host, port, err := net.SplitHostPort(addr)
+	if err != nil {
+		return nil, fmt.Errorf("invalid address %q: %w", addr, err)
+	}
+
+	// Resolve the hostname to IP addresses.
+	resolver := &net.Resolver{}
+	ips, err := resolver.LookupHost(ctx, host)
+	if err != nil {
+		return nil, fmt.Errorf("resolving host %q: %w", host, err)
+	}
+
+	// Filter out private/loopback IPs — only connect to public addresses.
+	var dialer net.Dialer
+	for _, ip := range ips {
+		parsed, parseErr := netip.ParseAddr(ip)
+		if parseErr != nil {
+			continue
+		}
+		if isPrivateAddr(parsed) {
+			continue
+		}
+		// Try connecting to this public IP.
+		conn, dialErr := dialer.DialContext(ctx, network, net.JoinHostPort(ip, port))
+		if dialErr == nil {
+			return conn, nil
+		}
+	}
+	return nil, fmt.Errorf("all resolved addresses for %q are private or unreachable", host)
+}
+
+// fetchSchemaFromURL retrieves a JSON schema from an HTTPS URL. The URL must
+// use the https scheme (enforced by the caller's switch statement) and must not
+// resolve to a private/loopback address.
+func fetchSchemaFromURL(ctx context.Context, schemaURL string) (map[string]interface{}, error) {
+	parsed, err := url.Parse(schemaURL)
+	if err != nil {
+		return nil, fmt.Errorf("parsing schema URL %q: %w", schemaURL, err)
+	}
+	if parsed.Scheme != "https" {
+		return nil, fmt.Errorf("refusing non-HTTPS schema URL %q", schemaURL)
+	}
+	host := parsed.Hostname()
+	isPrivate, err := hostChecker(ctx, host)
+	if err != nil {
+		return nil, err
+	}
+	if isPrivate {
+		return nil, fmt.Errorf("refusing schema URL with private/loopback host %q", host)
+	}
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, schemaURL, nil)
+	if err != nil {
+		return nil, fmt.Errorf("creating request for schema %q: %w", schemaURL, err)
+	}
+
+	resp, err := schemaFetchClient.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("fetching schema from %q: %w", schemaURL, err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("fetching schema from %q: HTTP %d", schemaURL, resp.StatusCode)
+	}
+
+	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // 1MB limit
+	if err != nil {
+		return nil, fmt.Errorf("reading schema from %q: %w", schemaURL, err)
+	}
+
+	var schemaObj map[string]interface{}
+	if err := json.Unmarshal(body, &schemaObj); err != nil {
+		return nil, fmt.Errorf("parsing schema JSON from %q: %w", schemaURL, err)
+	}
+	return schemaObj, nil
+}
+
+// isPrivateHost checks whether a host is a loopback, private, or link-local
+// address. For DNS names it resolves the host and checks all resulting IPs.
+// Returns (true, nil) for private hosts, (false, nil) for public hosts, and
+// (false, error) when DNS resolution fails — callers can then surface an
+// actionable "DNS resolution failed" error instead of a misleading
+// "private/loopback host" message. The actual DNS rebinding protection is
+// enforced by safeDialContext which validates the resolved IP at connection time.
+func isPrivateHost(ctx context.Context, host string) (bool, error) {
+	if host == "localhost" {
+		return true, nil
+	}
+
+	// Try parsing as an IP literal first.
+	if addr, err := netip.ParseAddr(host); err == nil {
+		return isPrivateAddr(addr), nil
+	}
+
+	// It's a DNS name — resolve and check all A/AAAA records.
+	resolver := &net.Resolver{}
+	addrs, err := resolver.LookupHost(ctx, host)
+	if err != nil {
+		return false, fmt.Errorf("resolving host %q: %w", host, err)
+	}
+	for _, a := range addrs {
+		if addr, err := netip.ParseAddr(a); err == nil && isPrivateAddr(addr) {
+			return true, nil
+		}
+	}
+	return false, nil
+}
+
+// isPrivateAddr checks whether an IP address is loopback, private, link-local,
+// or unspecified using proper CIDR range checks.
+func isPrivateAddr(addr netip.Addr) bool {
+	return addr.IsLoopback() || addr.IsPrivate() || addr.IsLinkLocalUnicast() ||
+		addr.IsLinkLocalMulticast() || addr.IsUnspecified()
+}
+
 // Custom Domain (CNAME) operations
 // The Ory SDK does not generate API methods for custom domains,
 // so we use raw HTTP calls against the console API.