This repository has been archived by the owner on Mar 8, 2022. It is now read-only.

Creating a client with is_first_party = false requires terraform applying twice #96

Closed
oderby opened this issue Mar 22, 2019 · 4 comments · Fixed by #148
Labels
bug Something isn't working tf-has-change-bug

Comments


oderby commented Mar 22, 2019

Noticing a strange behavior when trying to create third party clients (applications) via terraform (that is, when is_third_party = false) - the flag does not appear to take when the client is created, but does on subsequent updates.

resource "auth0_client" "mds_provider" {
  name = "foobar"
  is_first_party = false
}

When running TF_LOG=DEBUG AUTH0_DEBUG=1 terraform apply, see the following relevant outputs (full output can be viewed here)

Terraform will perform the following actions:

  + module.mds-api-auth.auth0_client.mds_provider
      id:                                  <computed>
      client_id:                           <computed>
      client_secret:                       <computed>
      custom_login_page_on:                <computed>
      grant_types.#:                       <computed>
      is_first_party:                      "false"
      is_token_endpoint_ip_header_trusted: <computed>
      name:                                "foobar"
      token_endpoint_auth_method:          <computed>


Plan: 1 to add, 0 to change, 0 to destroy.

module.mds-api-auth.auth0_client.mds_provider: Creating...
  client_id:                           "" => "<computed>"
  client_secret:                       "<sensitive>" => "<sensitive>"
  custom_login_page_on:                "" => "<computed>"
  grant_types.#:                       "" => "<computed>"
  is_first_party:                      "" => "false"
  is_token_endpoint_ip_header_trusted: "" => "<computed>"
  name:                                "" => "foobar"
  token_endpoint_auth_method:          "" => "<computed>"
2019-03-22T16:11:59.878-0700 [DEBUG] plugin.terraform-provider-auth0: 2019/03/22 16:11:59 POST /api/v2/clients HTTP/1.1
2019-03-22T16:11:59.878-0700 [DEBUG] plugin.terraform-provider-auth0: Host: REDACTED 
2019-03-22T16:11:59.878-0700 [DEBUG] plugin.terraform-provider-auth0: Content-Type: application/json
2019-03-22T16:11:59.878-0700 [DEBUG] plugin.terraform-provider-auth0:
2019-03-22T16:11:59.878-0700 [DEBUG] plugin.terraform-provider-auth0:
2019-03-22T16:11:59.878-0700 [DEBUG] plugin.terraform-provider-auth0: HTTP/2.0 201 Created
2019-03-22T16:11:59.878-0700 [DEBUG] plugin.terraform-provider-auth0: Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
2019-03-22T16:11:59.878-0700 [DEBUG] plugin.terraform-provider-auth0: Content-Type: application/json; charset=utf-8
2019-03-22T16:11:59.878-0700 [DEBUG] plugin.terraform-provider-auth0: Date: Fri, 22 Mar 2019 23:11:59 GMT
2019-03-22T16:11:59.878-0700 [DEBUG] plugin.terraform-provider-auth0: Strict-Transport-Security: max-age=15724800
2019-03-22T16:11:59.878-0700 [DEBUG] plugin.terraform-provider-auth0: Vary: origin,accept-encoding  
2019-03-22T16:11:59.878-0700 [DEBUG] plugin.terraform-provider-auth0: X-Ratelimit-Limit: 10
2019-03-22T16:11:59.878-0700 [DEBUG] plugin.terraform-provider-auth0: X-Ratelimit-Remaining: 9
2019-03-22T16:11:59.878-0700 [DEBUG] plugin.terraform-provider-auth0: X-Ratelimit-Reset: 1553296321 
2019-03-22T16:11:59.878-0700 [DEBUG] plugin.terraform-provider-auth0: X-Robots-Tag: noindex, nofollow, nosnippet, noarchive
2019-03-22T16:11:59.878-0700 [DEBUG] plugin.terraform-provider-auth0:
2019-03-22T16:11:59.878-0700 [DEBUG] plugin.terraform-provider-auth0: {"tenant":"REDACTED","global":false,"is_token_endpoint_ip_header_trusted":false,"name":"foobar","is_first_party":true,"sso_disabled":false,"cross_origin_auth":false,"oidc_conformant":false,"encrypted":true,"signing_keys":[REDACTED],"client_id":"hIJWkYMhFhHJUE7kdmw7NconvmfiTV0p","callback_url_template":false,"client_secret":"REDACTED","jwt_configuration":{"lifetime_in_seconds":36000,"secret_encoded":false},"grant_types":["authorization_code","implicit","refresh_token","client_credentials"],"custom_login_page_on":true}

Note, even in the response to the creation POST, Auth0 responds with "is_first_party":true.

Subsequently applying yields this plan:

Terraform will perform the following actions:

  ~ module.mds-api-auth.auth0_client.mds_provider
      is_first_party: "true" => "false"

and the modification succeeds.


oderby commented Mar 22, 2019

Note - when I manually create a new client via curl, it works as expected:

curl -H "Authorization: Bearer REDACTED" -X POST  -H "Content-Type: application/json" -d '{"name":"foobar 2","is_first_party":false}' "https://REDACTED.auth0.com/api/v2/clients"

Auth0 returns

{"tenant":"REDACTED","global":false,"is_token_endpoint_ip_header_trusted":false,"name":"foobar 2","is_first_party":false,"sso_disabled":false,"cross_origin_auth":false,"oidc_conformant":true,"encrypted":true,"signing_keys":[REDACTED],"client_id":"ZE3PtCYNZghh0YpJhIBd30SvUIIDiDVy","callback_url_template":false,"client_secret":"REDACTED","jwt_configuration":{"lifetime_in_seconds":36000,"secret_encoded":false},"grant_types":["authorization_code","implicit","refresh_token","client_credentials"],"custom_login_page_on":true}


oderby commented Mar 22, 2019

Also, I'm seeing the exact same behavior when I set the custom_login_page_on to false - that setting doesn't seem to be respected on creation, only on updates.
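
A post-create check for the symptom reported in this thread, as an added example that is not part of the original issue or the provider's code: it compares the attributes the configuration requested with the body the API returned from the create call and lists the ones that did not take. The response is a constructed, trimmed sample shaped like the one quoted above; `DESIRED`, `find_drift` and `check_create` are hypothetical names.

```python
import json

# Constructed sample: a trimmed create response shaped like the one in the
# report, where the API echoed defaults instead of the requested values.
CREATE_RESPONSE = json.dumps({
    "name": "foobar",
    "is_first_party": True,
    "custom_login_page_on": True,
    "jwt_configuration": {"lifetime_in_seconds": 36000, "secret_encoded": False},
})

# Attributes the configuration asked for (hypothetical desired-state dict).
DESIRED = {
    "name": "foobar",
    "is_first_party": False,
    "custom_login_page_on": False,
    "jwt_configuration": {"lifetime_in_seconds": 36000},
}

_MISSING = object()

def find_drift(desired, actual, prefix=""):
    """Return sorted (path, wanted, got) tuples for every desired attribute
    that the API response does not reflect. Nested objects are compared key
    by key; attributes absent from `desired` are ignored (server-computed)."""
    drift = []
    for key, wanted in desired.items():
        path = f"{prefix}{key}"
        got = actual.get(key, _MISSING) if isinstance(actual, dict) else _MISSING
        if isinstance(wanted, dict) and isinstance(got, dict):
            drift.extend(find_drift(wanted, got, prefix=path + "."))
        elif got is _MISSING:
            drift.append((path, wanted, None))
        # Compare type as well as value so that False != 0 and True != 1.
        elif type(got) is not type(wanted) or got != wanted:
            drift.append((path, wanted, got))
    return sorted(drift, key=lambda d: d[0])

def check_create(desired, response_body):
    """Parse a create-response body and report attributes that did not take."""
    return find_drift(desired, json.loads(response_body))

if __name__ == "__main__":
    for path, wanted, got in check_create(DESIRED, CREATE_RESPONSE):
        print(f"DRIFT {path}: wanted {wanted!r}, API returned {got!r}")
```

Run against the response of the first apply, a non-empty result flags a client that is live with settings other than the ones declared, without waiting for the next plan to show the diff.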

@alexkappa alexkappa added bug Something isn't working tf-has-change-bug labels Mar 27, 2019
laurentdutheil pushed a commit to laurentdutheil/terraform-provider-auth0 that referenced this issue Aug 27, 2019
@github-actions

This issue is stale because it has been open 30 days with no activity.
Stale issues will be closed after 5 days if no action is taken. If you
think this issue should not be closed, remove the stale label.

@alexkappa
Owner

Hi @oderby, it took a while 😅 but I have the feeling I came up with a solution. It's pending in a PR now but I'll merge soon after some more testing.
