feat(identity): add pluggable IdP modules for Rancher OIDC federation

Introduces a two-tier module pattern under modules/identity/:

  providers/asgardeo/   — creates asgardeo_application, outputs standardized
                          OIDC interface (client_id, client_secret, issuer_url,
                          auth_endpoint, token_endpoint, jwks_url)

  providers/azure-ad/   — usable stub: computes Azure AD v2.0 OIDC endpoints
                          from tenant_id; accepts manual client credentials
                          until azuread_application resources are implemented

  rancher-oidc/         — IdP-agnostic: consumes the standardized interface
                          and creates rancher2_auth_config_generic_oidc

Swapping identity providers requires changing only the idp module source;
the rancher-oidc module and all downstream config remain unchanged.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: Hiran Adikari

modules/identity/providers/asgardeo/main.tf

@@ -0,0 +1,41 @@
+locals {
+  base_url             = "https://api.asgardeo.io/t/${var.org_name}"
+  issuer_url           = "${local.base_url}/oauth2/token"
+  auth_endpoint        = "${local.base_url}/oauth2/authorize"
+  token_endpoint       = "${local.base_url}/oauth2/token"
+  jwks_url             = "${local.base_url}/oauth2/jwks"
+  discovery_url        = "${local.base_url}/oauth2/token/.well-known/openid-configuration"
+}
+
+resource "asgardeo_application" "this" {
+  name        = var.app_name
+  description = var.description
+  access_url  = var.access_url
+
+  oidc {
+    grant_types          = ["authorization_code", "refresh_token"]
+    callback_urls        = var.callback_urls
+    allowed_origins      = var.allowed_origins
+    logout_redirect_urls = var.logout_redirect_urls
+
+    pkce {
+      mandatory                         = false
+      support_plain_transform_algorithm = false
+    }
+
+    access_token {
+      type                             = "JWT"
+      user_access_token_expiry_seconds = 3600
+    }
+
+    refresh_token {
+      expiry_seconds      = 86400
+      renew_refresh_token = true
+    }
+  }
+
+  advanced {
+    skip_login_consent  = var.skip_consent
+    skip_logout_consent = var.skip_consent
+  }
+}

modules/identity/providers/asgardeo/outputs.tf

@@ -0,0 +1,44 @@
+# ── Standardized OIDC interface (shared by all provider modules) ──────────────
+
+output "client_id" {
+  value       = asgardeo_application.this.client_id
+  description = "OAuth2 client ID generated by Asgardeo."
+}
+
+output "client_secret" {
+  value       = asgardeo_application.this.client_secret
+  description = "OAuth2 client secret generated by Asgardeo."
+  sensitive   = true
+}
+
+output "issuer_url" {
+  value       = local.issuer_url
+  description = "OIDC issuer URL (token endpoint used as issuer for Rancher compatibility)."
+}
+
+output "auth_endpoint" {
+  value       = local.auth_endpoint
+  description = "OAuth2 authorization endpoint."
+}
+
+output "token_endpoint" {
+  value       = local.token_endpoint
+  description = "OAuth2 token endpoint."
+}
+
+output "jwks_url" {
+  value       = local.jwks_url
+  description = "JSON Web Key Set URL for token signature verification."
+}
+
+# ── Asgardeo-specific outputs ─────────────────────────────────────────────────
+
+output "application_id" {
+  value       = asgardeo_application.this.id
+  description = "Asgardeo internal application ID."
+}
+
+output "discovery_url" {
+  value       = local.discovery_url
+  description = "OIDC well-known discovery URL for manual verification."
+}

modules/identity/providers/asgardeo/variables.tf

@@ -0,0 +1,41 @@
+variable "org_name" {
+  type        = string
+  description = "Asgardeo organisation name (the subdomain of your Asgardeo tenant)."
+}
+
+variable "app_name" {
+  type        = string
+  description = "Display name for the OIDC application in Asgardeo."
+}
+
+variable "description" {
+  type        = string
+  description = "Human-readable description of the application."
+  default     = "Managed by Terraform."
+}
+
+variable "access_url" {
+  type        = string
+  description = "URL users are redirected to after authentication (e.g. https://app.example.com/dashboard)."
+}
+
+variable "callback_urls" {
+  type        = list(string)
+  description = "OAuth2 redirect URIs that Asgardeo will accept after authentication."
+}
+
+variable "allowed_origins" {
+  type        = list(string)
+  description = "Origins permitted to make CORS requests to the Asgardeo token endpoint."
+}
+
+variable "logout_redirect_urls" {
+  type        = list(string)
+  description = "URLs to redirect to after logout."
+}
+
+variable "skip_consent" {
+  type        = bool
+  description = "Skip login and logout consent screens for seamless SSO."
+  default     = true
+}

modules/identity/providers/asgardeo/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_providers {
+    asgardeo = {
+      source  = "asgardeo/asgardeo"
+      # Version constraint is informational while dev_overrides is active.
+      # Remove once the provider is published to the Terraform Registry.
+      version = "~> 0.1"
+    }
+  }
+}

modules/identity/providers/azure-ad/main.tf

@@ -0,0 +1,36 @@
+# ── Azure AD OIDC endpoints (computed from tenant_id) ────────────────────────
+locals {
+  base_url       = "https://login.microsoftonline.com/${var.tenant_id}/v2.0"
+  issuer_url     = local.base_url
+  auth_endpoint  = "https://login.microsoftonline.com/${var.tenant_id}/oauth2/v2.0/authorize"
+  token_endpoint = "https://login.microsoftonline.com/${var.tenant_id}/oauth2/v2.0/token"
+  jwks_url       = "https://login.microsoftonline.com/${var.tenant_id}/discovery/v2.0/keys"
+  discovery_url  = "${local.base_url}/.well-known/openid-configuration"
+}
+
+# ── TODO: Automated app registration ─────────────────────────────────────────
+# The resources below are not yet implemented. The module currently operates
+# in "bring your own app" mode: create the app registration in the Azure portal
+# (or via az CLI) and pass client_id / client_secret as variables.
+#
+# When implementing, add:
+#
+# resource "azuread_application" "this" {
+#   display_name = var.app_name
+#   web {
+#     redirect_uris = var.callback_urls
+#     implicit_grant { access_token_issuance_enabled = false }
+#   }
+#   required_resource_access { ... }
+# }
+#
+# resource "azuread_service_principal" "this" {
+#   client_id = azuread_application.this.client_id
+# }
+#
+# resource "azuread_application_password" "this" {
+#   application_id = azuread_application.this.id
+# }
+#
+# Then remove var.client_id / var.client_secret and source them from the
+# resources instead.

modules/identity/providers/azure-ad/outputs.tf

@@ -0,0 +1,39 @@
+# ── Standardized OIDC interface (shared by all provider modules) ──────────────
+
+output "client_id" {
+  value       = var.client_id
+  description = "OAuth2 client ID."
+}
+
+output "client_secret" {
+  value       = var.client_secret
+  description = "OAuth2 client secret."
+  sensitive   = true
+}
+
+output "issuer_url" {
+  value       = local.issuer_url
+  description = "OIDC issuer URL (https://login.microsoftonline.com/{tenant}/v2.0)."
+}
+
+output "auth_endpoint" {
+  value       = local.auth_endpoint
+  description = "OAuth2 authorization endpoint."
+}
+
+output "token_endpoint" {
+  value       = local.token_endpoint
+  description = "OAuth2 token endpoint."
+}
+
+output "jwks_url" {
+  value       = local.jwks_url
+  description = "JSON Web Key Set URL."
+}
+
+# ── Azure AD-specific outputs ─────────────────────────────────────────────────
+
+output "discovery_url" {
+  value       = local.discovery_url
+  description = "OIDC well-known discovery URL."
+}

modules/identity/providers/azure-ad/variables.tf

@@ -0,0 +1,43 @@
+variable "tenant_id" {
+  type        = string
+  description = "Azure AD tenant ID (Directory ID). Used to construct OIDC endpoints."
+}
+
+# ── Manual credentials (until azuread_application is implemented) ─────────────
+
+variable "client_id" {
+  type        = string
+  description = "Client ID of the Azure AD app registration. Create manually in the Azure portal until automated app registration is implemented."
+}
+
+variable "client_secret" {
+  type        = string
+  description = "Client secret of the Azure AD app registration."
+  sensitive   = true
+}
+
+# ── Future: passed to azuread_application once implemented ───────────────────
+
+variable "app_name" {
+  type        = string
+  description = "Display name for the Azure AD application (used when automated registration is implemented)."
+  default     = ""
+}
+
+variable "callback_urls" {
+  type        = list(string)
+  description = "OAuth2 redirect URIs (used when automated registration is implemented)."
+  default     = []
+}
+
+variable "allowed_origins" {
+  type        = list(string)
+  description = "CORS allowed origins (used when automated registration is implemented)."
+  default     = []
+}
+
+variable "logout_redirect_urls" {
+  type        = list(string)
+  description = "Post-logout redirect URIs (used when automated registration is implemented)."
+  default     = []
+}

modules/identity/providers/azure-ad/versions.tf

@@ -0,0 +1,7 @@
+terraform {
+  required_providers {
+    # hashicorp/azuread ~> 2.0 will be required once app registration
+    # resources are implemented. No provider needed for the current
+    # "bring your own app" mode.
+  }
+}

modules/identity/rancher-oidc/main.tf

@@ -0,0 +1,13 @@
+resource "rancher2_auth_config_generic_oidc" "this" {
+  client_id            = var.client_id
+  client_secret        = var.client_secret
+  issuer               = var.issuer_url
+  rancher_url          = var.rancher_callback_url
+  auth_endpoint        = var.auth_endpoint
+  token_endpoint       = var.token_endpoint
+  jwks_url             = var.jwks_url
+  scopes               = var.scopes
+  group_search_enabled = var.group_search_enabled
+  access_mode          = var.access_mode
+  enabled              = var.enabled
+}

modules/identity/rancher-oidc/outputs.tf

@@ -0,0 +1,4 @@
+output "auth_config_id" {
+  value       = rancher2_auth_config_generic_oidc.this.id
+  description = "Rancher auth config resource ID."
+}