Creating a SPA sets client credentials authentication method to client secret post #872

Closed
6 tasks done
TaylorBriggs opened this issue Nov 6, 2023 · 2 comments

@TaylorBriggs

Checklist

  • I have looked into the README and have not found a suitable solution or answer.
  • I have looked into the documentation and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have upgraded to the latest version of this provider and the issue still persists.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Description

When creating a SPA, the auth0_client_credentials resource gets created with authentication_method = "client_secret_post" by default. This issue suggests it should be created with "none", as appropriate for SPA.

Expectation

The authentication_method should be set to "none" for a SPA.

Reproduction

Given a resource defined like so:

resource "auth0_client" "frontend_client" {
  name        = "name"
  description = "description"

  client_metadata = {} # some real values here

  app_type = "spa"

  # filled with real values
  initiate_login_uri  = ""
  callbacks           = []
  allowed_origins     = [] # list attribute; real values redacted
  allowed_logout_urls = [] # list attribute; real values redacted
  web_origins         = []

  oidc_conformant = true
  logo_uri        = "logo_uri"
  grant_types     = [
    "refresh_token",
    "authorization_code",
    "http://auth0.com/oauth/grant-type/mfa-otp"
  ]
  is_first_party  = true

  jwt_configuration {
    alg = "RS256"
  }

  refresh_token {
    rotation_type                = "rotating"
    expiration_type              = "expiring"
    token_lifetime               = 43200 # 12 hours
    idle_token_lifetime          = 28800 # 8 hours
    infinite_idle_token_lifetime = false
  }
}

When the resource is created, the token endpoint authentication method is set to client_secret_post instead of none.

This can be consistently reproduced.


Auth0 Terraform Provider version

1.0.0

Terraform version

1.5.6

@TaylorBriggs TaylorBriggs added the 🪲 bug Something isn't working label Nov 6, 2023
@sergiught
Contributor

Hey @TaylorBriggs 👋🏻

Thanks for raising this with us. To manage a client's authentication method, please use the https://registry.terraform.io/providers/auth0/auth0/latest/docs/resources/client_credentials resource, until we can look into adding these defaults as well when creating the client through the auth0_client resource.

Example:

resource "auth0_client" "frontend_client" {
  name        = "name"
  description = "description"
  app_type    = "spa"
  # other config parameters ...
}

resource "auth0_client_credentials" "creds_for_frontend_client" {
  client_id             = auth0_client.frontend_client.id
  authentication_method = "none"
}

@sergiught
Contributor

Hey folks, this has now been fixed in https://github.com/auth0/terraform-provider-auth0/releases/tag/v1.1.0.
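To find SPA clients that are still not pinned to "none", as reported in this issue, the following added example (not part of the thread or the provider's code) audits state exported with `terraform show -json`. The sample state, addresses and ids are constructed, and it assumes each `auth0_client` id matches the `client_id` of its `auth0_client_credentials` resource, as in the workaround above.

```python
import json

# Constructed sample in the `terraform show -json` state layout (not real data).
SAMPLE_STATE = json.loads("""
{"values": {"root_module": {
  "resources": [
    {"address": "auth0_client.frontend_client", "type": "auth0_client",
     "values": {"id": "spa-1", "app_type": "spa"}},
    {"address": "auth0_client.admin_ui", "type": "auth0_client",
     "values": {"id": "spa-2", "app_type": "spa"}},
    {"address": "auth0_client_credentials.admin_ui", "type": "auth0_client_credentials",
     "values": {"client_id": "spa-2", "authentication_method": "client_secret_post"}},
    {"address": "auth0_client.backend", "type": "auth0_client",
     "values": {"id": "web-1", "app_type": "regular_web"}}],
  "child_modules": [{"resources": [
    {"address": "module.portal.auth0_client.portal", "type": "auth0_client",
     "values": {"id": "spa-3", "app_type": "spa"}},
    {"address": "module.portal.auth0_client_credentials.portal",
     "type": "auth0_client_credentials",
     "values": {"client_id": "spa-3", "authentication_method": "none"}}]}]}}}
""")

def iter_resources(module):
    """Yield every resource in a module, then recurse into its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def spa_clients_not_public(state):
    """Return (address, method) for SPA clients whose method is not "none".

    method is None when no auth0_client_credentials resource manages the
    client, which is the case that got client_secret_post in this issue.
    """
    resources = list(iter_resources(state.get("values", {}).get("root_module", {})))
    methods = {r["values"].get("client_id"): r["values"].get("authentication_method")
               for r in resources if r["type"] == "auth0_client_credentials"}
    findings = []
    for r in resources:
        if r["type"] == "auth0_client" and r["values"].get("app_type") == "spa":
            method = methods.get(r["values"].get("id"))
            if method != "none":
                findings.append((r["address"], method))
    return findings

if __name__ == "__main__":
    for address, method in spa_clients_not_public(SAMPLE_STATE):
        print(f"{address}: authentication_method={method or 'not managed in Terraform'}")
```

A `None` method means the state alone cannot confirm the setting, so check that client in the Auth0 dashboard or add an explicit `auth0_client_credentials` resource.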
