Merge pull request #68 from ory/fix/oauth2-client-nil-pointer-deref

fix: resolve nil pointer dereference when creating OAuth2 client with unknown provider config

Author: KT-Doan

docs/resources/oauth2_client.md

@@ -141,6 +141,18 @@ resource "ory_oauth2_client" "cli_tool" {
   scope                      = "openid offline_access"
 }
 
+# Same-apply: Create project and OAuth2 client together
+# Use resource-level credentials when the project doesn't exist yet
+resource "ory_oauth2_client" "same_apply" {
+  project_slug    = ory_project.main.slug
+  project_api_key = ory_project_api_key.main.value
+
+  client_name                = "Created with Project"
+  grant_types                = ["client_credentials"]
+  token_endpoint_auth_method = "client_secret_post"
+  scope                      = "api:read api:write"
+}
+
 output "api_service_client_id" {
   value = ory_oauth2_client.api_service.client_id
 }
@@ -262,6 +274,33 @@ The provider supports both OIDC front-channel and back-channel logout:
 - `frontchannel_logout_session_required` — Whether the client requires a session identifier (`sid`) in front-channel logout notifications.
 - `backchannel_logout_session_required` — Whether the client requires a session identifier (`sid`) in back-channel logout notifications.
 
+## Resource-Level Credentials (Same-Apply with Project Creation)
+
+When creating an `ory_oauth2_client` in the same `terraform apply` as the `ory_project` it belongs to, the provider may not have project credentials at configuration time. Use the `project_slug` and `project_api_key` attributes to pass credentials directly to the resource:
+
+```hcl
+resource "ory_project" "main" {
+  name        = "my-project"
+  environment = "prod"
+}
+
+resource "ory_project_api_key" "main" {
+  project_id = ory_project.main.id
+  name       = "terraform-key"
+}
+
+resource "ory_oauth2_client" "api" {
+  project_slug    = ory_project.main.slug
+  project_api_key = ory_project_api_key.main.value
+
+  client_name   = "API Client"
+  grant_types   = ["client_credentials"]
+  scope         = "read write"
+}
+```
+
+These attributes override the provider-level `project_slug` and `project_api_key`. If the provider already has valid project credentials, you do not need to set them on the resource.
+
 ## Import
 
 OAuth2 clients can be imported using their client ID:
@@ -307,6 +346,8 @@ terraform import ory_oauth2_client.api <client-id>
 - `metadata` (String) Custom metadata as JSON string.
 - `policy_uri` (String) URL of the client's privacy policy.
 - `post_logout_redirect_uris` (List of String) List of allowed post-logout redirect URIs for OpenID Connect logout.
+- `project_api_key` (String, Sensitive) Project API key for API access. Use this to pass credentials at the resource level when the provider is configured before the project exists (e.g., creating a project and OAuth2 client in the same apply). Overrides the provider-level project_api_key.
+- `project_slug` (String) Project slug for API access. Use this to pass credentials at the resource level when the provider is configured before the project exists (e.g., creating a project and OAuth2 client in the same apply). Overrides the provider-level project_slug.
 - `redirect_uris` (List of String) List of allowed redirect URIs for authorization code flow.
 - `refresh_token_grant_access_token_lifespan` (String) Access token lifespan for refresh token grant (e.g., '1h', '30m').
 - `refresh_token_grant_id_token_lifespan` (String) ID token lifespan for refresh token grant (e.g., '1h', '30m').

examples/resources/ory_oauth2_client/resource.tf

@@ -121,6 +121,18 @@ resource "ory_oauth2_client" "cli_tool" {
   scope                      = "openid offline_access"
 }
 
+# Same-apply: Create project and OAuth2 client together
+# Use resource-level credentials when the project doesn't exist yet
+resource "ory_oauth2_client" "same_apply" {
+  project_slug    = ory_project.main.slug
+  project_api_key = ory_project_api_key.main.value
+
+  client_name                = "Created with Project"
+  grant_types                = ["client_credentials"]
+  token_endpoint_auth_method = "client_secret_post"
+  scope                      = "api:read api:write"
+}
+
 output "api_service_client_id" {
   value = ory_oauth2_client.api_service.client_id
 }

internal/client/client.go

@@ -314,6 +314,191 @@ func TestIsRateLimitError(t *testing.T) {
 	}
 }
 
+func TestOryClient_EnsureProjectClient_NilWithoutCredentials(t *testing.T) {
+	cfg := OryClientConfig{
+		WorkspaceAPIKey: testutil.TestWorkspaceAPIKey,
+		ConsoleAPIURL:   DefaultConsoleAPIURL,
+		// No ProjectAPIKey or ProjectSlug
+	}
+
+	client, err := NewOryClient(cfg)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	if client.projectClient != nil {
+		t.Error("project client should be nil without credentials")
+	}
+
+	err = client.ensureProjectClient()
+	if err == nil {
+		t.Fatal("expected error from ensureProjectClient without credentials")
+	}
+	if !contains(err.Error(), "project_slug and project_api_key are required") {
+		t.Errorf("unexpected error message: %s", err.Error())
+	}
+}
+
+func TestOryClient_EnsureProjectClient_LazyInit(t *testing.T) {
+	cfg := OryClientConfig{
+		ProjectAPIKey: testutil.TestProjectAPIKey,
+		ProjectSlug:   testutil.TestProjectSlug,
+	}
+
+	client, err := NewOryClient(cfg)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	// Project client should already be initialized since credentials were provided at creation
+	if client.projectClient == nil {
+		t.Error("project client should be initialized when credentials provided at creation")
+	}
+
+	// ensureProjectClient should succeed (client already initialized)
+	if err := client.ensureProjectClient(); err != nil {
+		t.Errorf("unexpected error: %v", err)
+	}
+}
+
+func TestOryClient_WithProjectCredentials(t *testing.T) {
+	cfg := OryClientConfig{
+		WorkspaceAPIKey: testutil.TestWorkspaceAPIKey,
+		ConsoleAPIURL:   DefaultConsoleAPIURL,
+		// No project credentials initially
+	}
+
+	parent, err := NewOryClient(cfg)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	// Create a child client with project credentials
+	child := parent.WithProjectCredentials(testutil.TestProjectSlug, testutil.TestProjectAPIKey)
+
+	// Parent should still have no project credentials
+	if parent.config.ProjectSlug != "" {
+		t.Error("parent config should not be modified")
+	}
+
+	// Child should have the new credentials
+	if child.config.ProjectSlug != testutil.TestProjectSlug {
+		t.Errorf("expected slug '%s', got '%s'", testutil.TestProjectSlug, child.config.ProjectSlug)
+	}
+	if child.config.ProjectAPIKey != testutil.TestProjectAPIKey {
+		t.Errorf("expected API key '%s', got '%s'", testutil.TestProjectAPIKey, child.config.ProjectAPIKey)
+	}
+
+	// Child should share the parent's console client
+	if child.consoleClient != parent.consoleClient {
+		t.Error("child should share the parent's console client")
+	}
+
+	// Child's project client should be lazily initialized
+	if child.projectClient != nil {
+		t.Error("child project client should be nil before first use")
+	}
+
+	// ensureProjectClient should initialize the child's project client
+	if err := child.ensureProjectClient(); err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if child.projectClient == nil {
+		t.Error("child project client should be initialized after ensureProjectClient")
+	}
+
+	// Verify the child's project client URL
+	servers := child.projectClient.GetConfig().Servers
+	expectedURL := fmt.Sprintf(DefaultProjectAPIURL, testutil.TestProjectSlug)
+	if servers[0].URL != expectedURL {
+		t.Errorf("expected project URL '%s', got '%s'", expectedURL, servers[0].URL)
+	}
+}
+
+func TestOryClient_WithProjectCredentials_Isolation(t *testing.T) {
+	cfg := OryClientConfig{
+		ProjectAPIKey: testutil.TestProjectAPIKey,
+		ProjectSlug:   testutil.TestProjectSlug,
+	}
+
+	parent, err := NewOryClient(cfg)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	// Create two children with different credentials
+	child1 := parent.WithProjectCredentials("slug-one", "key-one")
+	child2 := parent.WithProjectCredentials("slug-two", "key-two")
+
+	// Initialize both
+	if err := child1.ensureProjectClient(); err != nil {
+		t.Fatalf("unexpected error for child1: %v", err)
+	}
+	if err := child2.ensureProjectClient(); err != nil {
+		t.Fatalf("unexpected error for child2: %v", err)
+	}
+
+	// Verify each child has its own project client with correct URL
+	servers1 := child1.projectClient.GetConfig().Servers
+	expectedURL1 := fmt.Sprintf(DefaultProjectAPIURL, "slug-one")
+	if servers1[0].URL != expectedURL1 {
+		t.Errorf("child1: expected project URL '%s', got '%s'", expectedURL1, servers1[0].URL)
+	}
+
+	servers2 := child2.projectClient.GetConfig().Servers
+	expectedURL2 := fmt.Sprintf(DefaultProjectAPIURL, "slug-two")
+	if servers2[0].URL != expectedURL2 {
+		t.Errorf("child2: expected project URL '%s', got '%s'", expectedURL2, servers2[0].URL)
+	}
+
+	// Parent should still have its original project client
+	parentServers := parent.projectClient.GetConfig().Servers
+	expectedParent := fmt.Sprintf(DefaultProjectAPIURL, testutil.TestProjectSlug)
+	if parentServers[0].URL != expectedParent {
+		t.Errorf("parent: expected project URL '%s', got '%s'", expectedParent, parentServers[0].URL)
+	}
+}
+
+func TestOryClient_EnsureProjectClient_MissingSlugOnly(t *testing.T) {
+	cfg := OryClientConfig{
+		ProjectAPIKey: testutil.TestProjectAPIKey,
+		// ProjectSlug is empty
+	}
+
+	client, err := NewOryClient(cfg)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	err = client.ensureProjectClient()
+	if err == nil {
+		t.Fatal("expected error when slug is missing")
+	}
+	if !contains(err.Error(), "project_slug and project_api_key are required") {
+		t.Errorf("unexpected error message: %s", err.Error())
+	}
+}
+
+func TestOryClient_EnsureProjectClient_MissingKeyOnly(t *testing.T) {
+	cfg := OryClientConfig{
+		ProjectSlug: testutil.TestProjectSlug,
+		// ProjectAPIKey is empty
+	}
+
+	client, err := NewOryClient(cfg)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	err = client.ensureProjectClient()
+	if err == nil {
+		t.Fatal("expected error when API key is missing")
+	}
+	if !contains(err.Error(), "project_slug and project_api_key are required") {
+		t.Errorf("unexpected error message: %s", err.Error())
+	}
+}
+
 func TestIsRetryableError(t *testing.T) {
 	tests := []struct {
 		name     string

internal/client/client_test.go

@@ -43,6 +43,8 @@ type OAuth2ClientResourceModel struct {
 	ClientID                types.String `tfsdk:"client_id"`
 	ClientSecret            types.String `tfsdk:"client_secret"`
 	ClientName              types.String `tfsdk:"client_name"`
+	ProjectSlug             types.String `tfsdk:"project_slug"`
+	ProjectAPIKey           types.String `tfsdk:"project_api_key"`
 	GrantTypes              types.List   `tfsdk:"grant_types"`
 	ResponseTypes           types.List   `tfsdk:"response_types"`
 	Scope                   types.String `tfsdk:"scope"`
@@ -161,6 +163,15 @@ func (r *OAuth2ClientResource) Schema(ctx context.Context, req resource.SchemaRe
 					stringplanmodifier.UseStateForUnknown(),
 				},
 			},
+			"project_slug": schema.StringAttribute{
+				Description: "Project slug for API access. Use this to pass credentials at the resource level when the provider is configured before the project exists (e.g., creating a project and OAuth2 client in the same apply). Overrides the provider-level project_slug.",
+				Optional:    true,
+			},
+			"project_api_key": schema.StringAttribute{
+				Description: "Project API key for API access. Use this to pass credentials at the resource level when the provider is configured before the project exists (e.g., creating a project and OAuth2 client in the same apply). Overrides the provider-level project_api_key.",
+				Optional:    true,
+				Sensitive:   true,
+			},
 			"client_name": schema.StringAttribute{
 				Description: "Human-readable name for the client.",
 				Required:    true,
@@ -356,6 +367,16 @@ func (r *OAuth2ClientResource) Schema(ctx context.Context, req resource.SchemaRe
 	}
 }
 
+// setResourceCredentials creates an isolated client with resource-level project credentials.
+// This enables creating OAuth2 clients in the same apply as the project they belong to.
+// The new client shares the console API client but has its own project API client,
+// avoiding race conditions when multiple resources use different credentials.
+func (r *OAuth2ClientResource) setResourceCredentials(slug, apiKey types.String) {
+	if !slug.IsNull() && !slug.IsUnknown() && !apiKey.IsNull() && !apiKey.IsUnknown() {
+		r.client = r.client.WithProjectCredentials(slug.ValueString(), apiKey.ValueString())
+	}
+}
+
 func (r *OAuth2ClientResource) Configure(ctx context.Context, req resource.ConfigureRequest, resp *resource.ConfigureResponse) {
 	if req.ProviderData == nil {
 		return
@@ -536,6 +557,9 @@ func (r *OAuth2ClientResource) Create(ctx context.Context, req resource.CreateRe
 		oauthClient.BackchannelLogoutSessionRequired = ory.PtrBool(plan.BackchannelLogoutSessionRequired.ValueBool())
 	}
 
+	// Set resource-level credentials if provided (enables same-apply with project creation)
+	r.setResourceCredentials(plan.ProjectSlug, plan.ProjectAPIKey)
+
 	created, err := r.client.CreateOAuth2Client(ctx, oauthClient)
 	if err != nil {
 		resp.Diagnostics.AddError(
@@ -627,6 +651,9 @@ func (r *OAuth2ClientResource) Read(ctx context.Context, req resource.ReadReques
 		return
 	}
 
+	// Set resource-level credentials if provided
+	r.setResourceCredentials(state.ProjectSlug, state.ProjectAPIKey)
+
 	oauthClient, err := r.client.GetOAuth2Client(ctx, state.ClientID.ValueString())
 	if err != nil {
 		resp.Diagnostics.AddError(
@@ -978,6 +1005,9 @@ func (r *OAuth2ClientResource) Update(ctx context.Context, req resource.UpdateRe
 		oauthClient.BackchannelLogoutSessionRequired = ory.PtrBool(plan.BackchannelLogoutSessionRequired.ValueBool())
 	}
 
+	// Set resource-level credentials if provided
+	r.setResourceCredentials(plan.ProjectSlug, plan.ProjectAPIKey)
+
 	updated, err := r.client.UpdateOAuth2Client(ctx, state.ClientID.ValueString(), oauthClient)
 	if err != nil {
 		resp.Diagnostics.AddError(
@@ -1063,6 +1093,9 @@ func (r *OAuth2ClientResource) Delete(ctx context.Context, req resource.DeleteRe
 		return
 	}
 
+	// Set resource-level credentials if provided
+	r.setResourceCredentials(state.ProjectSlug, state.ProjectAPIKey)
+
 	err := r.client.DeleteOAuth2Client(ctx, state.ClientID.ValueString())
 	if err != nil {
 		resp.Diagnostics.AddError(

internal/resources/oauth2client/resource.go

@@ -195,6 +195,38 @@ func TestAccOAuth2ClientResource_withJWKS(t *testing.T) {
 	})
 }
 
+func TestAccOAuth2ClientResource_withResourceCredentials(t *testing.T) {
+	project := acctest.GetTestProject(t)
+
+	acctest.RunTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccPreCheck(t) },
+		ProtoV6ProviderFactories: acctest.TestAccProtoV6ProviderFactories(),
+		Steps: []resource.TestStep{
+			// Create with resource-level project credentials
+			{
+				Config: acctest.LoadTestConfig(t, "testdata/with_resource_credentials.tf.tmpl", map[string]string{
+					"Name":          "Test Client Resource Creds",
+					"ProjectSlug":   project.Slug,
+					"ProjectAPIKey": project.APIKey,
+				}),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					resource.TestCheckResourceAttrSet("ory_oauth2_client.test", "id"),
+					resource.TestCheckResourceAttr("ory_oauth2_client.test", "client_name", "Test Client Resource Creds"),
+					resource.TestCheckResourceAttr("ory_oauth2_client.test", "project_slug", project.Slug),
+					resource.TestCheckResourceAttrSet("ory_oauth2_client.test", "client_secret"),
+				),
+			},
+			// ImportState — ignore resource-level credentials (not in API response)
+			{
+				ResourceName:            "ory_oauth2_client.test",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"client_secret", "project_slug", "project_api_key"},
+			},
+		},
+	})
+}
+
 func TestAccOAuth2ClientResource_withTokenLifespans(t *testing.T) {
 	acctest.RunTest(t, resource.TestCase{
 		PreCheck:                 func() { acctest.AccPreCheck(t) },