Skip to content

Reapply "feat: Fetch service account OIDC data (#402)"#405

Open
bec-callow-oct wants to merge 1 commit intomainfrom
fnm/add-external-id-again
Open

Reapply "feat: Fetch service account OIDC data (#402)"#405
bec-callow-oct wants to merge 1 commit intomainfrom
fnm/add-external-id-again

Conversation

@bec-callow-oct
Copy link
Contributor

@bec-callow-oct bec-callow-oct commented Feb 26, 2026

The changes in #402 were reverted to allow time for a code owners review. This PR restores those changes.

Possible breaking change

The changes to the OIDCIdentityQuery could break custom code if any users have made use of this query. Within this client, the query was only used for the NewOIDCIdentity, which does not work.

Background

Copied from the original PR description:

[SC-136951]
For the terraform changes in this PR OctopusDeploy/terraform-provider-octopusdeploy#176, the client needs to return the service account external ID so that it can be used as an output by terraform. The Octopus API returns this information via the /api/serviceaccounts/Users-83/oidcidentities/v1?skip=0&take=1 endpoint which the GetOIDCIdentities function was attempting to call but there were a few problems:

  1. the function only attempted to return the OIDC Identities as a list of resources and did not include fields such as External ID from the body of the json.
  2. the route template (api/serviceaccounts/{serviceAccountId}/oidcidentities/v1{?skip,take}) requires serviceAccountId but that was not being provided either as a method parameter or part of the query object.
  3. The OIDC Identities array does not match the required format for mapping to the Resources type since we expect the array to be named "Items", along with a few other issues.

I've added the serviceAccountID to the query object so the original function can hit the correct endpoint now, however the response mapping is still broken.

Testing

Go snippet for testing:

	query := serviceaccounts.OIDCIdentityQuery{
		ServiceAccountId: serviceAccountID,
		Skip:             0,
		Take:             10,
	}

	// Test the original GetOIDCIdentities function which does not work
	fmt.Println("\n=== GetOIDCIdentities function ===")
	identities, err := serviceaccounts.GetOIDCIdentities(octopusClient, query)
	if err != nil {
		fmt.Printf("Error: %v\n", err)
	} else {
		fmt.Printf("   Items: %d, Total: %d\n", len(identities.Items), identities.TotalResults)
	}

	// Test the new GetServiceAccountOIDCData function
	fmt.Println("\n=== GetServiceAccountOIDCData function ===")
	oidcData, err := serviceaccounts.GetServiceAccountOIDCData(octopusClient, query)
	if err != nil {
		fmt.Printf("FAILED: %v\n", err)
	} else {
		fmt.Printf("   ExternalId: %s\n", oidcData.ExternalId)
		fmt.Printf("   OIDC Identities: %d\n", len(oidcData.OidcIdentities))
	}

Results

The GetOIDCIdentities fails to map the response correctly so returns no data. The ExternalId and OIDC Identities are successfully returned by the new function.

=== GetOIDCIdentities function ===
   Items: 0, Total: 0

=== GetServiceAccountOIDCData function ===
   ExternalId: 6b453c3a-0e28-4a69-8bf6-91f58c9ea0a3
   OIDC Identities: 1

Rose-Northey
Rose-Northey approved these changes Feb 26, 2026
View reviewed changes
Copy link
Contributor

@Rose-Northey Rose-Northey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

verified that these changes are the same as the original PR fix.

@bec-callow-oct bec-callow-oct requested a review from a team February 27, 2026 02:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Rose-Northey Rose-Northey Rose-Northey approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bec-callow-oct @Rose-Northey