auth0 / terraform-provider-auth0

The Auth0 Terraform Provider is the official plugin for managing Auth0 tenant configuration through the Terraform tool.
https://registry.terraform.io/providers/auth0/auth0/latest/docs
Mozilla Public License 2.0

Okta Workforce Connection Bug: Cannot read properties of undefined (reading 'trim') #852

Open mustafahasan opened 11 months ago

mustafahasan commented 11 months ago

Description

When creating an Okta workforce connection through terraform I see the following error in the Auth0 Logs when trying to sign in with the connection: Cannot read properties of undefined (reading 'trim'). This is preventing me from signing in.

When I manually create the same Okta Workforce connection through the console it works.

Expectation

I expect to not see this error message and be able to sign in with the Okta workforce connection.

Reproduction

  1. Create an Okta workforce connection through Terraform
  2. Try to sign in with the connection

Auth0 Terraform Provider version

1.0.0

Terraform version

1.5.7

mustafahasan commented 11 months ago

Here's what my tf code looks like:

resource "auth0_connection" "test_okta" {
  name           = "Test"
  display_name   = "Test Okta"
  strategy       = "okta"
  show_as_button = false

  options {
    client_id      = "secret"       # value redacted by the reporter
    client_secret  = "secret"       # value redacted by the reporter
    domain         = "secret.com"
    domain_aliases = ["secret.com"]
  }
}

I've also tried manually adding PKCE and basic_profile attributes to the options part, but still run into the same issue.

mustafahasan commented 11 months ago

I believe I found the issue: when creating Okta connections through the Web UI the scopes field is automatically set to the following values: openid profile email

However, when the Okta workforce connection is created through terraform no default values are set for the scopes field. The scopes field is a required field so that field being set to none should not be allowed by the auth0 terraform provider. I would recommend setting the same three values as defaults: openid profile email. At the very least, the documentation needs to be updated to state that this is a required field.

As a workaround for now I am manually setting the scopes field.
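The workaround described above, written out as an added example (this is not code from the issue reporter or from the provider project): the same `auth0_connection` resource with the three scopes the Auth0 dashboard sets by default, and a variable validation that makes `terraform plan` fail if the scope set is ever emptied again. The resource name, variable names, the `example.okta.com` domain and the `example.com` alias are placeholders; `scopes` is assumed to be the attribute name for the connection's requested scopes inside the `options` block.

```hcl
# Added example, not the reporter's or the provider's own code.
# Credentials come from variables so they never sit in the .tf file.
variable "okta_client_id" {
  type      = string
  sensitive = true
}

variable "okta_client_secret" {
  type      = string
  sensitive = true
}

# The scopes the Auth0 dashboard applies when the connection is created by hand.
# Leaving this empty reproduces the "Cannot read properties of undefined (reading 'trim')" error.
variable "okta_scopes" {
  type        = set(string)
  description = "Scopes requested from the Okta org on sign-in."
  default     = ["openid", "profile", "email"]

  validation {
    # Fail early at plan time instead of at the user's first login attempt.
    condition     = length(var.okta_scopes) > 0 && contains(var.okta_scopes, "openid")
    error_message = "okta_scopes must be non-empty and include \"openid\"."
  }
}

resource "auth0_connection" "okta_workforce" {   # placeholder resource name
  name           = "okta-workforce"
  display_name   = "Okta Workforce"
  strategy       = "okta"
  show_as_button = false

  options {
    client_id      = var.okta_client_id
    client_secret  = var.okta_client_secret
    domain         = "example.okta.com"   # placeholder Okta org domain
    domain_aliases = ["example.com"]      # placeholder email domain
    scopes         = var.okta_scopes      # explicitly set; the provider applies no default
  }
}
```

Keeping the scope list in a validated variable rather than a bare literal means a later edit that drops `openid` (or clears the list) is rejected before anything reaches the tenant, which is the failure mode this issue reports.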

sergiught commented 11 months ago

Hey @mustafahasan 👋🏻

We greatly appreciate you taking the time to bring this to our attention. It's fantastic to hear that you've found a solution, and your commitment to sharing it here is invaluable for other users who may encounter the same issue.

Your suggestions are indeed valid. However, we must exercise caution when considering default values for the scope property, as it is shared across various other connection types. Rest assured, we will thoroughly investigate this matter and, at the very least, ensure that our documentation is updated accordingly.

I'll remove the "bug" label for now, but we'll keep this issue open while we explore options for improving default values or making documentation updates.

Once again, thank you for your valuable input!

jessesuen commented 11 months ago

We found this issue since we faced the same error.

This appears to be a breaking behavior in the auth0 backend. In our case, we use auth0 API to configure connectors programmatically (so we are similar to terraform provider in that regard). Previously, we had never set any scopes as part of the Connection and it just worked. Perhaps auth0 was already defaulting scopes in the backend. But it appears to have stopped doing that sometime recently, causing this error.

Our solution was to set some default scopes as suggested in https://github.com/auth0/terraform-provider-auth0/issues/852#issuecomment-1740139165, but I consider this breaking behavior in the auth0 APIs.

adrianosela commented 5 months ago

I think I can confirm that the following statement is very likely true:

Perhaps auth0 was already defaulting scopes in the backend. But it appears to have stopped doing that sometime recently, causing this error.

I can vouch that my application (which is an Auth0 API Client) never set these scopes on created Okta Workforce connections. One day my customer complained that they saw the error in this issue. I found that new connections created via the API did not have the scopes, while older connections did. Setting the scopes manually via the UI fixed my customer's issue, and setting the scopes in code fixed it going forward.

Thanks @jessesuen for the tip!