
Can't create or update an okta_app_oauth with token_endpoint_auth_method of "none" #580

Closed
mcrobbj opened this issue Aug 13, 2021 · 14 comments · Fixed by #1091
Assignees
Labels
upstream (Issue is upstream, in this order: okta-sdk-golang, Okta public API, Okta service)

Comments

@mcrobbj

mcrobbj commented Aug 13, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform 1.0.3
okta provider: 3.1.1

Affected Resource(s)

  • okta_app_oauth

Terraform Configuration Files

resource "okta_app_oauth" "WebApp" {
  label                      = format("%s-%s", var.choices_prefix, "web")
  type                       = "web"
  grant_types                = ["authorization_code"] #, "implicit", "client_credentials"
  redirect_uris              = ["https://localhost", "https://www.thunderclient.io/oauth/callback"]
  response_types             = ["code"] # , "token","id_token"
  token_endpoint_auth_method = "none"
  consent_method             = "REQUIRED"
  omit_secret                = true
}

Debug Output

Panic Output

Expected Behavior

It should create the app with a token endpoint auth method of none

Actual Behavior

failed to update OAuth application: The API returned an error: Api validation failed: token_endpoint_auth_method. Causes: errorSummary: token_endpoint_auth_method: 'token_endpoint_auth_method' is invalid. Valid values: [client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt]

Steps to Reproduce

  1. terraform apply

Important Factoids

References

  • #0000
@bogdanprodan-okta bogdanprodan-okta added the upstream label (Issue is upstream, in this order: okta-sdk-golang, Okta public API, Okta service) Aug 13, 2021
@bogdanprodan-okta bogdanprodan-okta self-assigned this Aug 13, 2021
@bogdanprodan-okta
Contributor

Hi @mcrobbj! Thanks for submitting this issue! It's clearly a bug from the Okta API itself. According to the official documentation, none is a valid value, so I'll try to request assistance from the team responsible for this functionality.

@monde
Collaborator

monde commented Aug 13, 2021

hello @mcrobbj creating a web app which has a client_secret none can’t be used for token_endpoint_auth_method e.g. client_secret_basic, client_secret_post, client_secret_jwt: Use one of these methods when the client has a client secret. Public clients (such as single-page and mobile apps) that can't protect a client secret must use none below.
https://developer.okta.com/docs/reference/api/oidc/#client-authentication-methods

@mcrobbj
Author

mcrobbj commented Aug 13, 2021 via email

@monde
Collaborator

monde commented Aug 13, 2021

@mcrobbj is this something you can work around? I'll pass this issue along and see what other information I can gather.

@mcrobbj
Author

mcrobbj commented Aug 13, 2021 via email

@monde
Collaborator

monde commented Aug 13, 2021

@mcrobbj I discussed this with the feature team that does federation and showed them your feedback. This was their response "we have had this check for a long time now, this is not something that changed recently. If the client's grantTypes contains authorization_code, we allow only browser and native clients to create the app with token_endpoint_auth_method=none. We do not have this restriction if the grantType is implicit."

Let me know if there is anything else @bogdanprodan-okta or myself can do for you.
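The rule the feature team describes can be expressed as a small pre-flight check. This is an added example written for this thread, a hypothetical reconstruction of the quoted rule; it is not Okta's or the provider's own code, and the function and variable names are assumptions.

```go
package main

import "fmt"

// Hypothetical reconstruction of the server-side rule quoted above, written
// for this issue thread; it is not Okta's or the provider's own code.
// Rule: when grant_types contains authorization_code, only "browser" and
// "native" clients may set token_endpoint_auth_method to "none"; every
// other type must authenticate at the token endpoint with a secret or key.

var secretBasedMethods = []string{
	"client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt",
}

var publicClientTypes = map[string]bool{"browser": true, "native": true}

func contains(list []string, want string) bool {
	for _, s := range list {
		if s == want {
			return true
		}
	}
	return false
}

// ValidateTokenEndpointAuthMethod returns nil when the combination would be
// accepted under the quoted rule and a descriptive error otherwise.
func ValidateTokenEndpointAuthMethod(appType string, grantTypes []string, method string) error {
	if method != "none" {
		if !contains(secretBasedMethods, method) {
			return fmt.Errorf("unknown token_endpoint_auth_method %q", method)
		}
		return nil
	}
	if contains(grantTypes, "authorization_code") && !publicClientTypes[appType] {
		// A confidential client such as type "web" is expected to prove
		// possession of its secret; "none" is reserved for public clients.
		return fmt.Errorf("type %q with authorization_code cannot use 'none'; valid values: %v",
			appType, secretBasedMethods)
	}
	return nil
}

func main() {
	// The configuration from the issue: a "web" app with authorization_code.
	fmt.Println(ValidateTokenEndpointAuthMethod("web", []string{"authorization_code"}, "none"))
	// A public client declared as "browser" passes the same check.
	fmt.Println(ValidateTokenEndpointAuthMethod("browser", []string{"authorization_code"}, "none"))
}
```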

@mcrobbj
Author

mcrobbj commented Aug 14, 2021 via email

@bogdanprodan-okta
Contributor

Here is the JSON payload that is used to create this app:

{
 "credentials": {
  "oauthClient": {
   "autoKeyRotation": true,
   "token_endpoint_auth_method": "none"
  }
 },
 "label": "testAcc_AUTH",
 "name": "oidc_client",
 "settings": {
  "implicitAssignment": false,
  "oauthClient": {
   "application_type": "web",
   "consent_method": "REQUIRED",
   "grant_types": [
    "authorization_code"
   ],
   "idp_initiated_login": {
    "default_scope": [],
    "mode": "DISABLED"
   },
   "issuer_mode": "ORG_URL",
   "redirect_uris": [
    "https://localhost",
    "https://www.thunderclient.io/oauth/callback"
   ],
   "response_types": [
    "code"
   ],
   "wildcard_redirect": "DISABLED"
  }
 },
 "signOnMode": "OPENID_CONNECT",
 "visibility": {
  "autoSubmitToolbar": false,
  "hide": {
   "iOS": true,
   "web": true
  }
 }
}

And it's clear that grant_types contains authorization_code

@github-actions

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days

@bellis-ai

so... Is this just left broken or something? Literally impossible to create an SPA App integration with this if I can't select "none" when setting an auth code flow.

The official documentation explicitly says to set this to none.
https://registry.terraform.io/providers/okta/okta/latest/docs/resources/app_oauth#token_endpoint_auth_method

token_endpoint_auth_method - (Optional) Requested authentication method for the token endpoint. It can be set to "none", "client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt". To enable PKCE, set this to "none".

@bellis-ai

Nvm, looks like you just need to make sure the type is "browser" if you're going to make an SPA. It would help if the values of the "type" variable were made a bit more distinct in the documentation ("browser" vs "web"... really???)

@monde
Collaborator

monde commented May 6, 2022

I’ll update the docs, no problem!

@monde monde reopened this May 6, 2022
@monde monde added documentation and removed stale labels May 6, 2022
@monde
Collaborator

monde commented May 6, 2022

https://developer.okta.com/docs/reference/api/apps/#add-oauth-2-0-client-application

| Parameter | Description | DataType |
| --- | --- | --- |
| application_type | The type of client application | web, native, browser, or service |

| Application Type | Valid Grant Type | Requirements |
| --- | --- | --- |
| browser | authorization_code, implicit | |
| native | authorization_code, implicit, password, refresh_token | Must have at least authorization_code |
| service | client_credentials | Works with OAuth 2.0 flow (not OpenID Connect) |
| web | authorization_code, implicit, refresh_token | Must have at least authorization_code |
