Merge pull request #42 from ory/docs/improve-examples

docs: fix broken examples and improve documentation coverage

Author: KT-Doan

docs/resources/action.md

@@ -57,6 +57,22 @@ resource "ory_action" "sync_verified" {
   url         = "https://api.example.com/webhooks/user-verified"
   method      = "POST"
 }
+
+# Post-registration enrichment (parse response to modify identity)
+resource "ory_action" "enrich_identity" {
+  flow           = "registration"
+  timing         = "after"
+  auth_method    = "password"
+  url            = "https://api.example.com/webhooks/enrich"
+  method         = "POST"
+  response_parse = true # Parse the webhook response to update identity traits
+  body           = <<-JSONNET
+    function(ctx) {
+      identity_id: ctx.identity.id,
+      email: ctx.identity.traits.email
+    }
+  JSONNET
+}
 ```
 
 ## Authentication Methods

docs/resources/email_template.md

@@ -148,6 +148,31 @@ resource "ory_email_template" "login_code" {
     This code expires in 15 minutes.
   TEXT
 }
+
+# Registration code email
+resource "ory_email_template" "registration_code" {
+  template_type = "registration_code_valid"
+  subject       = "Complete your registration"
+
+  body_html = <<-HTML
+    <!DOCTYPE html>
+    <html>
+    <body>
+      <h1>Welcome!</h1>
+      <p>Your registration code is: <strong>{{ .RegistrationCode }}</strong></p>
+      <p>Enter this code to complete your account setup.</p>
+    </body>
+    </html>
+  HTML
+
+  body_plaintext = <<-TEXT
+    Welcome!
+
+    Your registration code is: {{ .RegistrationCode }}
+
+    Enter this code to complete your account setup.
+  TEXT
+}
 ```
 
 ## Import

docs/resources/identity_schema.md

@@ -64,7 +64,8 @@ Identity schemas use the `ory.sh/kratos` JSON Schema extension to configure auth
 ```terraform
 # Customer identity schema with email and name
 resource "ory_identity_schema" "customer" {
-  name = "customer_v1"
+  schema_id   = "customer_v1"
+  set_default = true
   schema = jsonencode({
     "$id"     = "https://example.com/customer.schema.json"
     "$schema" = "http://json-schema.org/draft-07/schema#"

docs/resources/json_web_key_set.md

@@ -47,20 +47,23 @@ Most configurations only need `use = "sig"`.
 # RSA signing key set
 resource "ory_json_web_key_set" "signing" {
   set_id    = "token-signing-keys"
+  key_id    = "rsa-sig-1"
   algorithm = "RS256"
   use       = "sig"
 }
 
 # ECDSA signing key set (smaller, faster)
 resource "ory_json_web_key_set" "ecdsa_signing" {
   set_id    = "ecdsa-signing-keys"
+  key_id    = "ec-sig-1"
   algorithm = "ES256"
   use       = "sig"
 }
 
 # Encryption key set
 resource "ory_json_web_key_set" "encryption" {
   set_id    = "encryption-keys"
+  key_id    = "rsa-enc-1"
   algorithm = "RS256"
   use       = "enc"
 }

docs/resources/oauth2_client.md

@@ -22,6 +22,12 @@ resource "ory_oauth2_client" "api_service" {
   grant_types                = ["client_credentials"]
   token_endpoint_auth_method = "client_secret_post"
   scope                      = "read write admin"
+  audience                   = ["https://api.example.com"]
+  access_token_strategy      = "jwt"
+  contacts                   = ["api-team@example.com"]
+
+  # Custom token lifespans for this client
+  client_credentials_grant_access_token_lifespan = "30m"
 }
 
 # Web application (Authorization Code flow) with OIDC logout and metadata
@@ -37,21 +43,43 @@ resource "ory_oauth2_client" "web_app" {
   token_endpoint_auth_method = "client_secret_basic"
   scope                      = "openid profile email offline_access"
 
+  # First-party app: skip consent and logout consent screens
+  skip_consent        = true
+  skip_logout_consent = true
+  subject_type        = "pairwise"
+  contacts            = ["web-team@example.com"]
+
   # Client metadata URIs
   client_uri = "https://app.example.com"
   logo_uri   = "https://app.example.com/logo.png"
   policy_uri = "https://app.example.com/privacy"
   tos_uri    = "https://app.example.com/terms"
 
-  # OIDC logout
-  frontchannel_logout_uri = "https://app.example.com/logout/frontchannel"
-  backchannel_logout_uri  = "https://app.example.com/logout/backchannel"
+  # OIDC logout with session notifications
+  frontchannel_logout_uri              = "https://app.example.com/logout/frontchannel"
+  frontchannel_logout_session_required = true
+  backchannel_logout_uri               = "https://app.example.com/logout/backchannel"
+  backchannel_logout_session_required  = true
 
   # Per-client CORS
   allowed_cors_origins = [
     "https://app.example.com",
     "https://admin.example.com"
   ]
+
+  # Per-grant token lifespans
+  authorization_code_grant_access_token_lifespan  = "1h"
+  authorization_code_grant_id_token_lifespan      = "1h"
+  authorization_code_grant_refresh_token_lifespan = "720h"
+  refresh_token_grant_access_token_lifespan       = "1h"
+  refresh_token_grant_id_token_lifespan           = "1h"
+  refresh_token_grant_refresh_token_lifespan      = "720h"
+
+  # Custom metadata
+  metadata = jsonencode({
+    department = "engineering"
+    tier       = "internal"
+  })
 }
 
 # Client with custom token lifespans
@@ -81,6 +109,15 @@ resource "ory_oauth2_client" "spa" {
   scope                      = "openid profile email"
 }
 
+# Device Authorization flow (CLI tools, IoT devices)
+resource "ory_oauth2_client" "cli_tool" {
+  client_name                = "CLI Tool"
+  grant_types                = ["urn:ietf:params:oauth:grant-type:device_code", "refresh_token"]
+  response_types             = ["code"]
+  token_endpoint_auth_method = "none"
+  scope                      = "openid offline_access"
+}
+
 output "api_service_client_id" {
   value = ory_oauth2_client.api_service.client_id
 }

docs/resources/organization.md

@@ -18,12 +18,33 @@ Organizations represent tenants in a multi-tenant application. They can have ass
 ## Example Usage
 
 ```terraform
-# Create an organization for multi-tenancy
+# Create an organization for multi-tenancy (B2B SaaS)
 resource "ory_organization" "acme" {
   label   = "Acme Corporation"
   domains = ["acme.com", "acme.io"]
 }
 
+# Multiple tenant organizations
+resource "ory_organization" "globex" {
+  label   = "Globex Corporation"
+  domains = ["globex.com"]
+}
+
+# Dynamic organizations from a variable map
+variable "tenant_orgs" {
+  type = map(object({
+    label   = string
+    domains = list(string)
+  }))
+  default = {}
+}
+
+resource "ory_organization" "tenants" {
+  for_each = var.tenant_orgs
+  label    = each.value.label
+  domains  = each.value.domains
+}
+
 output "organization_id" {
   value = ory_organization.acme.id
 }

docs/resources/project.md

@@ -17,16 +17,18 @@ identity service, OAuth2 server, and configuration.
 ## Example Usage
 
 ```terraform
-# Create a production project
+# Create a production project in a specific region
 resource "ory_project" "production" {
   name        = "My Application - Production"
   environment = "prod"
+  home_region = "eu-central"
 }
 
 # Create a staging project
 resource "ory_project" "staging" {
   name        = "My Application - Staging"
   environment = "stage"
+  home_region = "us-west"
 }
 
 # Create a development project (note: no B2B Organizations support)

docs/resources/project_api_key.md

@@ -24,7 +24,7 @@ resource "ory_project_api_key" "backend" {
 # API key with expiration
 resource "ory_project_api_key" "temporary" {
   name       = "Temporary Access"
-  expires_at = "2024-12-31T23:59:59Z"
+  expires_at = "2026-12-31T23:59:59Z"
 }
 
 # Multiple keys for different environments

docs/resources/project_config.md

@@ -53,6 +53,11 @@ resource "ory_project_config" "secure" {
   enable_code     = true
   enable_passkey  = true
 
+  # Flow Controls
+  enable_registration = true
+  enable_recovery     = true
+  enable_verification = true
+
   # MFA
   enable_totp              = true
   totp_issuer              = "MyApp"
@@ -61,15 +66,62 @@ resource "ory_project_config" "secure" {
   webauthn_rp_id           = "app.example.com"
   webauthn_rp_origins      = ["https://app.example.com"]
   webauthn_passwordless    = true
+  enable_lookup_secret     = true
+  mfa_enforcement          = "optional"
+  required_aal             = "aal1"
+
+  # URLs
+  default_return_url = "https://app.example.com/dashboard"
+  allowed_return_urls = [
+    "https://app.example.com/dashboard",
+    "https://app.example.com/settings"
+  ]
 
   # Account Experience Branding
   account_experience_name           = "MyApp"
   account_experience_logo_url       = "https://cdn.example.com/logo.png"
+  account_experience_favicon_url    = "https://cdn.example.com/favicon.ico"
   account_experience_default_locale = "en"
 
   # OAuth2 Token Lifespans
   oauth2_access_token_lifespan  = "1h"
   oauth2_refresh_token_lifespan = "720h"
+
+  # Keto Namespaces (for fine-grained authorization)
+  keto_namespaces = ["documents", "folders", "groups"]
+}
+
+# Self-hosted UI configuration (custom login/registration pages)
+resource "ory_project_config" "self_hosted_ui" {
+  login_ui_url        = "https://auth.example.com/login"
+  registration_ui_url = "https://auth.example.com/registration"
+  recovery_ui_url     = "https://auth.example.com/recovery"
+  verification_ui_url = "https://auth.example.com/verification"
+  settings_ui_url     = "https://auth.example.com/settings"
+  error_ui_url        = "https://auth.example.com/error"
+
+  enable_password     = true
+  enable_registration = true
+  enable_recovery     = true
+  enable_verification = true
+}
+
+# SMTP configuration for custom email delivery
+resource "ory_project_config" "with_smtp" {
+  smtp_connection_uri = var.smtp_connection_uri
+  smtp_from_address   = "noreply@example.com"
+  smtp_from_name      = "MyApp"
+  smtp_headers = {
+    "X-SES-CONFIGURATION-SET" = "my-config-set"
+  }
+
+  enable_password = true
+}
+
+variable "smtp_connection_uri" {
+  type        = string
+  sensitive   = true
+  description = "SMTP connection URI (e.g., smtps://user:pass@smtp.example.com:465)"
 }
 ```