Unable to set Session-transfer `enforce_online_refresh_tokens` to `false`

[bendiknesbo]

Checklist

• I have looked into the README and have not found a suitable solution or answer.
• I have looked into the documentation and have not found a suitable solution or answer.
• I have searched the issues and have not found a suitable solution or answer.
• I have upgraded to the latest version of this provider and the issue still persists.
• I have searched the Auth0 Community forums and have not found a suitable solution or answer.
• I agree to the terms within the Auth0 Code of Conduct.

Description

Setting enforce_online_refresh_tokens = false for an auth0_client is not reflected in the Management API.

Expectation

GIven the following config:

resource "auth0_client" "my_client" {
  name      = "My native client"
  app_type  = "native"
  session_transfer {
    allowed_authentication_methods    = ["query"]
    enforce_device_binding            = "none"
    allow_refresh_token               = true
	enforce_online_refresh_tokens     = false
  }
}

When I call "Get client by id" in the Management API, I get the following response:

{
  "session_transfer": {
    "allowed_authentication_methods": ["query"],
    "enforce_device_binding": "none",
    "allow_refresh_token": true
  }
}

Note that "enforce_online_refresh_tokens" is missing from the output.
If I call "Update a client" to set "enforce_online_refresh_tokens" to be explicitly false, then the "Get client by id" returns the same response, indicating that this is a bug in the Terraform provider, not in the API.

Reproduction

See above

Auth0 Terraform Provider version

1.36.0

Terraform version

1.5.7

[duedares-rvj]

Hello @bendiknesbo 👋
I tried to reproduce this with the payload you have provided, but it seems to be working as expected.

Terraform payload:

resource "auth0_client" "my_client" {
  name      = "My native client"
  app_type  = "native"
  session_transfer {
    allowed_authentication_methods    = ["query"]
    enforce_device_binding            = "none"
    allow_refresh_token               = true
	enforce_online_refresh_tokens     = false
  }
}

Response from Get Call:

Could you retry once and ensure the terraform version is above v1.30.0?

Let us know how it goes.
Regards.

[bendiknesbo]

Hello, this seems to be a bit more complicated to replicate than expected, but I can reproduce the actual bug like this:

terraform {
  required_providers {
    auth0 = {
      source  = "auth0/auth0"
      version = "1.36.0"
    }
  }
  required_version = "1.5.7"
}

variable "tenant_client_id" {
  type = string
}

variable "tenant_client_secret" {
  type      = string
  sensitive = true
}

variable "tenant_domain" {
  type = string
}

variable "native_to_web_sso_initiator_enabled" {
  type    = bool
  default = false
}

variable "native_to_web_sso_receiver_enabled" {
  type    = bool
  default = true
}

provider "auth0" {
  client_id     = var.tenant_client_id
  client_secret = var.tenant_client_secret
  domain        = var.tenant_domain
}


resource "auth0_client" "default" {
  name                                = "my client"
  app_type                            = "regular_web"
  grant_types                         = ["authorization_code", "refresh_token"]
  is_first_party                      = true
  is_token_endpoint_ip_header_trusted = false
  callbacks                           = ["http://app.localhost/callback"]
  initiate_login_uri                  = "https://app.localhost/initiate-login"

  session_transfer {
    allowed_authentication_methods = ["cookie", "query"]
    enforce_device_binding         = "none"
    allow_refresh_token            = true
    enforce_online_refresh_tokens  = false
  }
}

And apply it to create the client.

Go to the Management API, and update the client to remove the session_transfer property:

curl -L -X PATCH 'https://<tenant>.eu.auth0.com/api/v2/clients/<client-id>' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer 🔒' \
-d '{"session_transfer":null}'

And then update it again to not have "enfore_online_refresh_tokens" defined:

curl -L -X PATCH 'https://<tenant>.eu.auth0.com/api/v2/clients/<client-id>' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer 🔒' \
-d '{"session_transfer":{"allow_refresh_token":true,"allowed_authentication_methods":["cookie","query"],"enforce_device_binding":"none"}}'

And then run terraform apply again. It will report "No changes", but it should have detected that is SHOULD set the "enforce_online_refresh_tokens" to "true"

[duedares-rvj]

Hello again @bendiknesbo,

Thank you for your patience. I followed the exact steps you outlined and wanted to share our findings.

Resources that are already defined via IaC should ideally continue to be managed through Terraform itself (unless the provider does not support the required configuration). Managing this client outside of Terraform would not be recommended.

If you’d like to set session_transfer to null, you can do so by commenting out the block in your Terraform configuration, for example:

resource "auth0_client" "default" {
  name                                = "my client temp"
  app_type                            = "regular_web"
  grant_types                         = ["authorization_code", "refresh_token"]
  is_first_party                      = true
  is_token_endpoint_ip_header_trusted = false
  callbacks                           = ["http://app.localhost/callback"]
  initiate_login_uri                  = "https://app.localhost/initiate-login"

  # session_transfer {
  #   allowed_authentication_methods = ["cookie", "query"]
  #   enforce_device_binding         = "none"
  #   allow_refresh_token            = true
  # }
}

This results in the following planned change:

From there, you can redeclare the session_transfer block as needed:

session_transfer {
        allowed_authentication_methods = ["cookie", "query"]
        enforce_device_binding         = "none"
        allow_refresh_token            = true
    }

On a successful apply, the updated configuration is reflected in the state file, with enforce_online_refresh_tokens set to false. (Which should not be the case)

Hence, we revalidated this with the API team and confirmed that both enforce_online_refresh_tokens and enforce_cascade_revocation have default values of true. We’ve addressed this in #1446, and going forward, the provider will now correctly reflect these defaults as true - as highlighted in your findings.

Thanks again for raising this and for your detailed reproduction steps.
Let us know if the behaviour now aligns with your expectations.

Regards.

[bendiknesbo]

I did not actually use non-terraform methods to change the clients, I configured the session_transfer block in Terraform (using provider version v1.29.0), and then upgraded to provider version v1.30.0 where enforce_online_refresh_tokens and enforce_cascade_revocation were added. But even when setting their values to false, nothing was configured.

Even now (on version v1.38.0), after explicitly setting these properties to false, if they are undefined in the API, then Terraform will not set their version, because their state in Terraform thinks that they are already false.