fix: identity schema data source empty content with project_id #117
Adds the optional `base_redirect_uri` attribute to the `ory_social_provider` resource, allowing users to override the base URL Ory uses when constructing OIDC callback URLs (useful when using a custom domain). The attribute maps to the global OIDC config field at `/services/identity/config/selfservice/methods/oidc/config/base_redirect_uri`. Documented its global nature (last applied value wins across providers). Closes #113
- Deduplicate provider_id in examples (corporate-sso-custom-domain)
- Validate base_redirect_uri is not an empty string
- Apply base_redirect_uri patch in Create's existingIndex branch
- Only track base_redirect_uri in Read when state has it configured; fall back to GetProject when cache is empty
- Guard Update against unknown plan values; skip patch when unchanged
- Add removal test step to verify base_redirect_uri can be unset
… base_redirect_uri
…d is set
When project_id was explicitly set on the identity schema data sources,
the provider exclusively used the console API which reads from project
config. After the Ory API transforms schema URLs from base64:// to
https://, the project config has HTTPS URLs that couldn't be decoded,
resulting in empty schema bodies ("{}").
This commit fixes three issues:
1. Always prefer the Kratos API when available since identity schemas
are workspace-scoped and the Kratos API returns canonical hash-based
IDs with full schema content regardless of project_id.
2. Fetch schema content from HTTPS URLs in extractSchemasFromProjectConfig
so the console API path also returns full schema bodies for transformed
schemas.
3. Include project_id in the "Identity Schema Not Found" error message
to help users verify they're searching the correct project.
Closes #115
Pull request overview
Adds support for configuring Ory’s global OIDC base_redirect_uri via the ory_social_provider resource, and improves identity schema data sources/client behavior to avoid empty schema bodies when the API transforms schema URLs.
Changes:
- Add `base_redirect_uri` attribute to `ory_social_provider`, including validation, CRUD patching, docs, examples, and acceptance coverage.
- Update identity schema (singular/plural) data sources to prefer the Kratos API when available and improve fallback behavior.
- Enhance console-project schema extraction to decode `base64://` schemas and fetch JSON content for HTTP(S) schema URLs.
Reviewed changes
Copilot reviewed 15 out of 15 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| templates/resources/social_provider.md.tmpl | Document base_redirect_uri behavior and global-setting caveat in the doc template. |
| docs/resources/social_provider.md | Generated docs updated with base_redirect_uri examples/attribute docs. |
| examples/resources/ory_social_provider/resource.tf | Adds an example showing base_redirect_uri usage. |
| internal/resources/socialprovider/resource.go | Implements base_redirect_uri in schema, validation, Create/Read/Update patching. |
| internal/resources/socialprovider/resource_test.go | Adds acceptance test covering create/update/remove/import for base_redirect_uri. |
| internal/resources/socialprovider/validate_config_test.go | Extends ValidateConfig test scaffolding for base_redirect_uri. |
| internal/resources/socialprovider/testdata/with_base_redirect_uri*.tf.tmpl | Acceptance test configs for create/update/remove cases. |
| internal/datasources/identityschemas/datasource.go | Changes API selection logic to prefer Kratos when available. |
| internal/datasources/identityschema/datasource.go | Improves lookup strategy and adds empty-body detection + Kratos fallback. |
| internal/datasources/identityschema/datasource_unit_test.go | Unit tests for isEmptySchemaBody. |
| internal/datasources/identityschema/datasource_test.go | Adds acceptance test asserting console-vs-kratos content matches. |
| internal/datasources/identityschema/testdata/with_project_id_content_check.tf.tmpl | Acceptance test config to validate non-empty schema bodies. |
| internal/client/client.go | Fetch schema JSON for HTTP(S) URLs during console-project extraction + helper function. |
- Thread caller context into fetchSchemaFromURL and extractSchemasFromProjectConfig instead of using context.Background()
- Add SSRF protection: restrict to HTTPS only, block private/loopback IPs, use dedicated HTTP client with redirect validation
- Update project_id attribute descriptions in both singular and plural data sources to reflect Kratos API preference
- Omit "in project" clause from error message when project_id is empty
- Fix set_default with existing workspace schema: ensure schema is added to project config before setting it as default_schema_id
- Update project_id tip to reflect Kratos API preference
- Update project_id attribute descriptions in generated docs
- Add example showing project bootstrap with workspace schema as default
Pull request overview
Fixes identity schema data source lookups when project_id is set by preferring the Kratos API (canonical IDs + full schema content) and improving console-API fallback behavior, while also adding support for base_redirect_uri on the social provider resource plus docs/tests.
Changes:
- Prefer Kratos API for `ory_identity_schema(s)` reads when available; improve fallback + error messaging.
- Fetch schema JSON from `https://` URLs in project config (console API path) instead of returning `{}`.
- Add `base_redirect_uri` support to `ory_social_provider` with acceptance coverage and documentation updates.
Reviewed changes
Copilot reviewed 21 out of 21 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| internal/datasources/identityschema/datasource.go | Prefer Kratos API first; fallback to console; detect/resolve empty schema bodies; improved not-found error |
| internal/datasources/identityschemas/datasource.go | Prefer Kratos API for list when available; clarify API selection logic |
| internal/client/client.go | Enhance project-config schema extraction to fetch HTTPS schema bodies with SSRF mitigations |
| internal/resources/socialprovider/resource.go | Add base_redirect_uri attribute and patching/reading logic |
| internal/resources/**/testdata + *_test.go | Add/update tests and fixtures for schema behavior + base_redirect_uri |
| docs/** + templates/** + examples/** | Document new behaviors and add examples |
- Rewrite isPrivateHost using net/netip with proper CIDR range checks
(fixes false positive on 172.2.x public IPs)
- Add DNS rebinding protection: resolve hostnames and check all A/AAAA
records against private/loopback/link-local ranges
- Fix redirect comment to say "at most one redirect" (not "no redirects")
- Handle json.Marshal error explicitly instead of ignoring it
- Adjust error message: say "workspace" instead of "project" when
project_id is not set
- Fix example to use human-chosen schema_id ("customer") instead of hash
- Add unit tests for fetchSchemaFromURL, isPrivateHost, and isPrivateAddr
covering HTTPS fetch, non-200, invalid JSON, private IP rejection,
and DNS-based host validation
gosec does not flag http.NewRequestWithContext with variable URLs, and the SSRF protection (HTTPS-only, private IP blocking, DNS rebinding checks) makes the suppression unnecessary.
Pull request overview
Fixes identity schema data sources returning empty {} content (and sometimes “not found”) when project_id is set, by preferring the Kratos API when available and fetching schema JSON from HTTPS URLs when falling back to console/project-config reads. Also adds support for a global base_redirect_uri setting on ory_social_provider, including docs and acceptance coverage.
Changes:
- Identity schema data sources now prefer Kratos API and improve error messaging; console path now fetches HTTPS schema bodies.
- Added HTTPS schema fetcher with SSRF mitigations (private-host blocking, HTTPS-only, redirect limits) and tests.
- Added `base_redirect_uri` attribute to social provider resource with docs, examples, and acceptance tests.
Reviewed changes
Copilot reviewed 22 out of 22 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| templates/resources/social_provider.md.tmpl | Documents base_redirect_uri behavior and caveats in generated docs. |
| templates/data-sources/identity_schema.md.tmpl | Updates tip text to reflect Kratos-first behavior and workspace-key-only console fallback. |
| internal/resources/socialprovider/validate_config_test.go | Extends test config builder to include base_redirect_uri. |
| internal/resources/socialprovider/testdata/with_base_redirect_uri.tf.tmpl | Adds acceptance test template setting base_redirect_uri. |
| internal/resources/socialprovider/testdata/with_base_redirect_uri_updated.tf.tmpl | Adds acceptance test template updating base_redirect_uri. |
| internal/resources/socialprovider/testdata/with_base_redirect_uri_removed.tf.tmpl | Adds acceptance test template omitting base_redirect_uri to validate removal. |
| internal/resources/socialprovider/resource_test.go | Adds acceptance test covering create/update/remove/import of base_redirect_uri. |
| internal/resources/socialprovider/resource.go | Implements base_redirect_uri schema, validation, read tracking, and patch behavior. |
| internal/resources/identityschema/resource.go | Ensures schema is added to project config before setting it as default. |
| internal/datasources/identityschemas/datasource.go | Prefers Kratos API for listing; falls back to console API when needed. |
| internal/datasources/identityschema/testdata/with_project_id_content_check.tf.tmpl | Adds acceptance test template to compare schema content across API paths. |
| internal/datasources/identityschema/datasource_unit_test.go | Adds unit tests for isEmptySchemaBody. |
| internal/datasources/identityschema/datasource_test.go | Adds acceptance test verifying console vs Kratos schema content match. |
| internal/datasources/identityschema/datasource.go | Implements Kratos-first lookup, console fallback, empty-body detection, and improved errors. |
| internal/client/fetch_schema_test.go | Adds unit tests for HTTPS schema fetching and private-host blocking. |
| internal/client/extract_schemas_test.go | Updates tests for new extractSchemasFromProjectConfig(ctx, ...) signature. |
| internal/client/client.go | Fetches schema bodies from HTTPS URLs; adds SSRF protections and helpers. |
| examples/resources/ory_social_provider/resource.tf | Adds example showing base_redirect_uri usage. |
| examples/data-sources/ory_identity_schema/data-source.tf | Adds example workflow: reuse workspace schema as default in new project. |
| docs/resources/social_provider.md | Documents and exemplifies base_redirect_uri. |
| docs/data-sources/identity_schemas.md | Updates project_id description to match Kratos-first behavior. |
| docs/data-sources/identity_schema.md | Updates tip + adds example workflow; updates project_id description. |
- Validate redirect targets against private/loopback hosts in
CheckRedirect to prevent SSRF bypass via redirects
- Thread caller context through isPrivateHost for DNS resolution so
lookups respect cancellation/timeout
- Surface HTTPS schema fetch errors instead of silently returning {}
- Add redirect test coverage (redirect to private host, redirect to HTTP)
- Fix misleading error hints to reflect workspace-scoped schema semantics
- Fix "when the project matches" comment to match actual behavior
- Clarify docs example that schema_id is human-chosen, not a hash
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
3524d82 to c410e10
Pull request overview
Fixes identity schema data sources returning empty schema bodies and “not found” errors when project_id is set, by preferring the Kratos API when available and fetching schema JSON from HTTPS URLs when falling back to console/project-config reads.
Changes:
- Prefer Kratos API for identity schema lookups/listing when project credentials exist; otherwise fall back to console API using project config.
- Fetch and parse schema content from HTTPS URLs returned in project config (instead of returning `{}`).
- Improve diagnostics/errors and add unit + acceptance coverage for the regression.
Reviewed changes
Copilot reviewed 13 out of 13 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| templates/data-sources/identity_schema.md.tmpl | Updates tip text to reflect new API preference/fallback behavior. |
| internal/resources/identityschema/resource.go | Ensures schema is added to project config before setting it as default. |
| internal/datasources/identityschemas/datasource.go | Adjusts plural data source API selection to prefer Kratos. |
| internal/datasources/identityschema/datasource.go | Adds Kratos-first lookup with fallback, improves “not found” messaging, and adds isEmptySchemaBody. |
| internal/client/client.go | Extends project-config schema extraction to fetch HTTPS schema bodies with SSRF protections. |
| internal/client/extract_schemas_test.go | Updates tests for new extractSchemasFromProjectConfig(ctx, ...) signature. |
| internal/client/fetch_schema_test.go | Adds tests for HTTPS fetch + SSRF/redirect protections. |
| internal/datasources/identityschema/datasource_unit_test.go | Adds unit tests for isEmptySchemaBody. |
| internal/datasources/identityschema/datasource_test.go | Adds acceptance test verifying schema content matches across API paths. |
| internal/datasources/identityschema/testdata/with_project_id_content_check.tf.tmpl | Adds acceptance test fixture config for content match check. |
| examples/data-sources/ory_identity_schema/data-source.tf | Documents “reuse existing workspace schema as default” workflow. |
| docs/data-sources/identity_schema.md | Updates tip + adds example for new project workflow and revised project_id semantics. |
| docs/data-sources/identity_schemas.md | Updates project_id docs to reflect Kratos-preferred behavior. |
- Add Kratos→Console fallback in plural identity schemas data source to mirror singular data source behavior
- Handle missing schemas array in JSON Patch by creating the array when it doesn't exist (brand-new project config)
- Add safeDialContext to validate resolved IPs at connection time, preventing DNS rebinding (TOCTOU) attacks
- Add TrimSpace to isEmptySchemaBody for robustness
- Remove DNS-dependent test case (storage.googleapis.com) to keep tests hermetic in restricted CI environments
- Update isPrivateHost comment to clarify it's a pre-flight check
Pull request overview
Fixes identity schema data sources returning empty content / failing lookups when project_id is set by preferring the Kratos API when available and fetching HTTPS schema URLs when falling back to console/project-config reads.
Changes:
- Prefer Kratos API for identity schema lookups/listing, with console API fallback when needed.
- Fetch schema JSON from HTTPS URLs found in project config (instead of returning empty bodies).
- Add tests + docs/examples for the bootstrap/project-creation workflow and improve “not found” diagnostics.
Reviewed changes
Copilot reviewed 13 out of 13 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| templates/data-sources/identity_schema.md.tmpl | Updates tip text to reflect new API preference/fallback behavior. |
| internal/resources/identityschema/resource.go | Ensures schema is present in project config before setting as default; handles missing schemas array. |
| internal/datasources/identityschemas/datasource.go | Prefer Kratos list API; fallback to console list API when Kratos fails/unavailable. |
| internal/datasources/identityschema/testdata/with_project_id_content_check.tf.tmpl | Adds acceptance test config to compare schema content across API paths. |
| internal/datasources/identityschema/datasource_unit_test.go | Adds unit tests for isEmptySchemaBody. |
| internal/datasources/identityschema/datasource_test.go | Adds acceptance test ensuring schema content matches via project_id vs Kratos path. |
| internal/datasources/identityschema/datasource.go | Reworks lookup strategy (Kratos first), retries/fallbacks, improves diagnostics, adds empty-body detection. |
| internal/client/fetch_schema_test.go | Adds tests for HTTPS schema fetching + SSRF/redirect protections. |
| internal/client/extract_schemas_test.go | Updates tests for new extractSchemasFromProjectConfig(ctx, ...) signature. |
| internal/client/client.go | Implements HTTPS schema fetching with SSRF/DNS-rebinding mitigations; threads ctx into schema extraction. |
| examples/data-sources/ory_identity_schema/data-source.tf | Adds example showing new project + reuse existing schema as default. |
| docs/data-sources/identity_schemas.md | Updates project_id docs to reflect Kratos preference and console fallback. |
| docs/data-sources/identity_schema.md | Updates docs + adds workflow example; updates project_id explanation. |
- Change isPrivateHost to return (bool, error) so DNS failures produce actionable "resolving host" errors instead of misleading "private/loopback host" messages
- Add unit test for HTTPS URL path in extractSchemasFromProjectConfig using httptest server
- Add test case for unresolvable DNS name returning error
Pull request overview
Fixes identity schema data sources returning empty schema bodies or “not found” when project_id is set by preferring the Kratos API when available and correctly fetching HTTPS-transformed schema URLs from project config.
Changes:
- Prefer Kratos API for identity schema lookups/listing, with console API fallback when needed.
- Fetch schema JSON from HTTPS URLs in project config (instead of returning `{}`).
- Add/adjust tests and docs to cover the corrected behaviors and clarify `project_id` semantics.
Reviewed changes
Copilot reviewed 13 out of 13 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| templates/data-sources/identity_schema.md.tmpl | Updates generated docs tip to match new API-selection behavior. |
| internal/resources/identityschema/resource.go | Ensures schemas array exists before JSON Patch add/append; supports new-project bootstrap. |
| internal/datasources/identityschemas/datasource.go | Prefers Kratos listing with console fallback; improves project_id/API availability logic. |
| internal/datasources/identityschema/testdata/with_project_id_content_check.tf.tmpl | Adds acceptance test config to compare schema content across API paths. |
| internal/datasources/identityschema/datasource_unit_test.go | Adds unit tests for the empty-schema-body detector. |
| internal/datasources/identityschema/datasource_test.go | Adds acceptance test intended to validate non-empty schema content via project_id. |
| internal/datasources/identityschema/datasource.go | Implements Kratos-first lookup, console fallback, and “empty body” recovery; improves not-found error messaging. |
| internal/client/fetch_schema_test.go | Adds tests for HTTPS fetching and SSRF/redirect protections. |
| internal/client/extract_schemas_test.go | Updates tests for new ctx signature; adds HTTPS URL fetch test. |
| internal/client/client.go | Implements HTTPS schema fetch with SSRF protections; adds host/IP safety helpers; updates project-config extraction signature. |
| examples/data-sources/ory_identity_schema/data-source.tf | Adds example workflow for bootstrapping a new project and setting an existing workspace schema as default. |
| docs/data-sources/identity_schemas.md | Updates project_id documentation to reflect Kratos-first behavior. |
| docs/data-sources/identity_schema.md | Updates tip and adds example workflow; updates project_id documentation wording. |
- Replace per-call newSchemaFetchClient with a shared schemaFetchClient singleton to reuse connections and avoid resource leaks
- Use req.Context() in CheckRedirect instead of capturing outer ctx, enabling a single shared client that still respects per-request cancellation
- Parallelize HTTPS schema fetching in extractSchemasFromProjectConfig with bounded concurrency (max 5) to reduce latency for projects with multiple schemas
Pull request overview
This PR fixes identity schema data sources returning empty schema bodies or failing lookups when project_id is set, by preferring the Kratos API when available and correctly fetching schema content from HTTPS URLs in the console API path.
Changes:
- Prefer the Kratos API for identity schema lookups/listing, with a console API fallback when needed.
- Fetch and populate schema JSON from HTTPS URLs when extracting schemas from project config (console API path).
- Improve “Identity Schema Not Found” error details and add unit/acceptance tests covering empty-content regressions.
Reviewed changes
Copilot reviewed 13 out of 13 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| templates/data-sources/identity_schema.md.tmpl | Updates guidance around project_id and API selection behavior. |
| internal/resources/identityschema/resource.go | Ensures schema list exists in project config before appending/setting default. |
| internal/datasources/identityschemas/datasource.go | Prefer Kratos list API; fall back to console list API. |
| internal/datasources/identityschema/testdata/with_project_id_content_check.tf.tmpl | Adds acceptance test config to compare schema content across API paths. |
| internal/datasources/identityschema/datasource_unit_test.go | Adds unit tests for empty-schema detection helper. |
| internal/datasources/identityschema/datasource_test.go | Adds acceptance test verifying schema content matches across API paths. |
| internal/datasources/identityschema/datasource.go | Reworks read logic to try Kratos first, fall back to console, and enrich errors. |
| internal/client/fetch_schema_test.go | Adds tests for HTTPS fetching and SSRF/redirect protections. |
| internal/client/extract_schemas_test.go | Updates tests for new ctx signature and adds HTTPS extraction test. |
| internal/client/client.go | Adds HTTPS schema fetching with SSRF protections and parallel fetch in extraction. |
| examples/data-sources/ory_identity_schema/data-source.tf | Adds an example workflow for reusing workspace schema as project default. |
| docs/data-sources/identity_schemas.md | Updates project_id description to reflect API preference and fallback. |
| docs/data-sources/identity_schema.md | Updates tip text and adds example workflow for default schema reuse. |
```go
// isPrivateAddr checks whether an IP address is loopback, private, link-local,
// or unspecified using proper CIDR range checks.
func isPrivateAddr(addr netip.Addr) bool {
	return addr.IsLoopback() || addr.IsPrivate() || addr.IsLinkLocalUnicast() ||
		addr.IsLinkLocalMulticast() || addr.IsUnspecified()
}
```
```go
// Second pass: fetch HTTPS schemas in parallel (bounded to avoid
// excessive concurrency). Projects typically have 1-3 schemas.
if len(httpsFetches) > 0 {
	type fetchResult struct {
		schema map[string]interface{}
		err    error
	}
	results := make([]fetchResult, len(httpsFetches))
	var wg sync.WaitGroup
	// Limit concurrency to 5 to avoid excessive socket usage.
	sem := make(chan struct{}, 5)

	for i, entry := range httpsFetches {
		wg.Add(1)
		go func(i int, entry httpsEntry) {
			defer wg.Done()
			sem <- struct{}{}
			defer func() { <-sem }()
			schemaObj, err := fetchSchemaFromURL(ctx, entry.url)
			results[i] = fetchResult{schema: schemaObj, err: err}
		}(i, entry)
	}
	wg.Wait()

	for i, entry := range httpsFetches {
		if results[i].err != nil {
			return nil, fmt.Errorf("fetching schema %q from URL: %w", entry.id, results[i].err)
		}
		result[entry.index].Schema = results[i].schema
	}
}
```
```go
	// Both return the same schema content
	resource.TestCheckResourceAttrPair(
		"data.ory_identity_schema.via_project_id", "schema",
		"data.ory_identity_schema.via_kratos_api", "schema",
	),
	// Schema content is not empty
	resource.TestCheckResourceAttrSet("data.ory_identity_schema.via_project_id", "schema"),
	resource.TestCheckResourceAttrSet("data.ory_identity_schema.via_kratos_api", "schema"),
),
```
```go
	return fmt.Errorf("too many redirects fetching schema")
}
if req.URL.Scheme != "https" {
	return fmt.Errorf("refusing non-HTTPS redirect for schema URL")
```
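The SSRF checks named in the commits above (CIDR-accurate address classification with net/netip, validation of the resolved IP at connection time, and a redirect policy), put together as an added example that is not the provider's own code. The names `naivePrefixCheck`, `isBlockedAddr`, `dialControl`, `checkRedirect` and `newFetchClient` are hypothetical, the prefix check is constructed to show the 172.2.x misclassification, and using `net.Dialer.Control` for the connection-time check is an assumption about one way to do it.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"strings"
	"syscall"
	"time"
)

// naivePrefixCheck is a constructed string-prefix test (not from the project).
// "172.2" matches the public 172.2.0.0/16 as well as 172.20-172.29, and the
// list has no entry for link-local 169.254.0.0/16 at all.
func naivePrefixCheck(host string) bool {
	for _, p := range []string{"10.", "127.", "192.168.", "172.1", "172.2", "172.3"} {
		if strings.HasPrefix(host, p) {
			return true
		}
	}
	return false
}

// isBlockedAddr applies the same predicates as the page's isPrivateAddr after
// unmapping IPv4-mapped IPv6 (::ffff:a.b.c.d), so both forms are judged alike.
func isBlockedAddr(addr netip.Addr) bool {
	addr = addr.Unmap()
	return addr.IsLoopback() || addr.IsPrivate() || addr.IsLinkLocalUnicast() ||
		addr.IsLinkLocalMulticast() || addr.IsUnspecified()
}

var errBlocked = errors.New("refusing connection to private/loopback address")

// dialControl runs after DNS resolution and before the socket connects, so it
// sees the literal IP that will be used. A pre-flight lookup alone can get a
// different answer than the lookup made for the connection (DNS rebinding).
func dialControl(network, address string, _ syscall.RawConn) error {
	ap, err := netip.ParseAddrPort(address)
	if err != nil {
		return fmt.Errorf("unexpected dial address %q: %w", address, err)
	}
	if isBlockedAddr(ap.Addr()) {
		return fmt.Errorf("%w: %s", errBlocked, ap.Addr())
	}
	return nil
}

// checkRedirect allows at most one redirect and only to HTTPS targets.
// The redirect target's IP is still vetted by dialControl when it is dialed.
func checkRedirect(req *http.Request, via []*http.Request) error {
	if len(via) > 1 {
		return errors.New("too many redirects fetching schema")
	}
	if req.URL.Scheme != "https" {
		return errors.New("refusing non-HTTPS redirect for schema URL")
	}
	return nil
}

// newFetchClient wires both checks into one client. Proxy is left unset so the
// dialer connects to the target itself and not to an intermediary.
func newFetchClient() *http.Client {
	d := &net.Dialer{Timeout: 5 * time.Second, Control: dialControl}
	return &http.Client{
		Timeout:       10 * time.Second,
		Transport:     &http.Transport{DialContext: d.DialContext},
		CheckRedirect: checkRedirect,
	}
}

func main() {
	samples := []string{"172.2.0.1", "172.16.0.1", "169.254.169.254", "::ffff:127.0.0.1", "8.8.8.8"}
	for _, s := range samples {
		fmt.Printf("%-18s naive=%-5v netip=%v\n", s, naivePrefixCheck(s), isBlockedAddr(netip.MustParseAddr(s)))
	}
	// A loopback target is refused at dial time, before any bytes are sent.
	resp, err := newFetchClient().Get("https://127.0.0.1:1/")
	if err == nil {
		resp.Body.Close()
	}
	fmt.Println("blocked:", errors.Is(err, errBlocked))
}
```

Because every connection the client opens passes through `dialControl`, the check also covers the host a redirect points to, which is why `checkRedirect` only needs to enforce the hop limit and the scheme.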
When creating a brand-new project and immediately looking up workspace-scoped identity schemas by hash ID, the data sources failed because the console API's GetProject endpoint only returns schemas explicitly added to the project config. New projects only have preset://username, not custom workspace schemas. This adds a bootstrap path that creates a temporary project API key via the console API (which accepts workspace keys), uses it to call the Kratos API (which returns all workspace-scoped schemas), and then cleans up the temp key. This fixes the gap in #117 where the project_id support only worked when project credentials were already configured at the provider level. Fixes #138
Summary
Fixes #115
When `project_id` is explicitly set on the `ory_identity_schema` or `ory_identity_schemas` data sources, the provider exclusively used the console API which reads from the project config. This caused two problems:
`base64://` to `https://`, the provider couldn't decode them, returning `{}` instead of the actual schema JSON.
Changes
- Prefer Kratos API when available (`datasource.go`, `datasource.go` in identityschemas): Since identity schemas are workspace-scoped, the Kratos API returns canonical hash-based IDs with full schema content regardless of which `project_id` is specified. The data sources now always try the Kratos API first, falling back to the console API.
- Fetch HTTPS schema URLs (`client.go`): `extractSchemasFromProjectConfig` now fetches actual schema content from HTTPS URLs (post-transformation) instead of returning empty bodies. This fixes the workspace-key-only path where the Kratos API is unavailable.
- Better error messages (`datasource.go`): The "Identity Schema Not Found" error now includes the `project_id` being searched, helping users verify they're looking at the correct project.
This enables the workflow of creating a new project and setting an existing workspace schema as default:
Test plan
- `isEmptySchemaBody` helper
- `TestAccIdentitySchemaDataSource_viaProjectIDContentMatch` verifying schema content matches between Kratos API and console API paths