We have our Auth0 stack set up from Terraform.
It currently consists of a regular web app and a SAML connection pointing to SAMLING (Samling).
Our goal is to implement IDP-initiated login (according to client requirements).
Another point; we have a post login action that will attach two claims to the id_token.
When the response is posted back from SAMLING, the user is created perfectly and the action is triggered perfectly, but then we get redirected to the Auth0 error page saying "unsupported_response_mode: Unsupported response mode: auth0_pq_openid".
The lack of resources related to the auth0_pq_openid response_mode is absolutely frustrating; we find no helpful information at all.
We have tried setting “front_channel” and “back_channel” on the SAML connection with no luck (it seems this config is associated with response_modes).
We have previously set up everything by hand on another account and it worked just fine, and when we compare them in the UI, the Terraform-generated resources and the manually created ones on the other account are identical. I assume there might be a hidden default when resources are created by Terraform that prevents it from working.
Any thoughts on it?!?!?! Thanks!
Our Terraform script:
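# Environment name; used to derive client and connection names.
variable "env" { type = string }
variable "potato_default_role" { type = string }
variable "potato_admin_aggregate_id" { type = string }

# Credentials of the M2M client Terraform itself uses against the Management API.
variable "auth0_terraform_client_id" { type = string }
# Marked sensitive so the value is redacted from plan/apply output and logs.
# It is still written to state, so the state backend must be access-controlled.
variable "auth0_terraform_client_secret" {
  type      = string
  sensitive = true
}
variable "auth0_provider_debug_mode" { type = bool }
variable "auth0_tenant_name" { type = string }

# Destination account/region for the EventBridge log stream.
variable "aws_account_id" { type = string }
variable "aws_account_region" { type = string }

variable "mlos_idp_connection_name" { type = string }

# Customer SAML IdP: trust material, endpoints and the URLs Auth0 may return to.
variable "customers_idp_connection_debug" { type = bool }
variable "customers_idp_certificate_path" { type = string }
variable "customers_idp_metadata_path" { type = string }
variable "customers_idp_signin_url" { type = string }
variable "customers_idp_redirect_uri" { type = string }
variable "customers_idp_allowed_callbacks" { type = list(string) }
variable "customers_idp_allowed_logout_urls" { type = list(string) }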
locals {
  # Connection name is scoped to the environment.
  customers_idp_connection_name = format("%s-potato", var.env)

  # Tenant is hosted in the US region of Auth0.
  auth0_domain = format("%s.us.auth0.com", var.auth0_tenant_name)

  # The dedicated IdP-initiated redirect URI is always accepted in addition
  # to the callbacks supplied by the caller.
  customers_idp_allowed_callbacks = concat(
    var.customers_idp_allowed_callbacks,
    [var.customers_idp_redirect_uri],
  )
}
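terraform {
  required_version = ">= 1.5.7"

  required_providers {
    # aws = "5.19.0"
    auth0 = {
      source = "auth0/auth0"
      # Pessimistic constraint: accepts any 1.x release but not a future 2.0.
      # An open-ended ">= 1.0.0" would silently pick up a major version with
      # breaking schema changes on the next `terraform init -upgrade`.
      version = "~> 1.0"
    }
  }

  # backend "s3" { }
}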
# Management API credentials used by Terraform for every resource below.
provider "auth0" {
  debug         = var.auth0_provider_debug_mode
  domain        = local.auth0_domain
  client_secret = var.auth0_terraform_client_secret
  client_id     = var.auth0_terraform_client_id
}
# Machine-to-machine client; only used for the webhooks API grant further down.
resource "auth0_client" "potato_client_mm" {
  app_type             = "non_interactive"
  name                 = "${var.env}-potato"
  custom_login_page_on = false
}
# The regular web application that the SAML connection is attached to and
# that IdP-initiated logins are routed to.
resource "auth0_client" "potato_client" {
  app_type = "regular_web"
  name     = "${var.env}-homestory"

  # First-party, OIDC-conformant client; the X-Forwarded-For header is not
  # trusted at the token endpoint.
  is_first_party                      = true
  oidc_conformant                     = true
  is_token_endpoint_ip_header_trusted = false
  custom_login_page_on                = true

  # Allowed return URLs (callbacks include the IdP-initiated redirect URI).
  allowed_logout_urls = var.customers_idp_allowed_logout_urls
  callbacks           = local.customers_idp_allowed_callbacks
}
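# Customer SAML IdP connection (enterprise, samlp strategy).
resource "auth0_connection" "samlp" {
  name           = local.customers_idp_connection_name
  strategy       = "samlp"
  show_as_button = true

  options {
    type  = "front_channel"
    debug = var.customers_idp_connection_debug

    # IdP endpoints and trust material.
    sign_in_endpoint = var.customers_idp_signin_url
    signing_cert     = file(var.customers_idp_certificate_path)
    metadata_xml     = file(var.customers_idp_metadata_path)
    # No SLO is wired up: a logout ends the Auth0 session only, not the IdP one.
    disable_sign_out = true

    # Outbound AuthnRequests are sent via HTTP-Redirect and signed.
    protocol_binding    = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    sign_saml_request   = true
    signature_algorithm = "rsa-sha256"
    digest_algorithm    = "sha256"

    entity_id                = "urn:auth0:${var.auth0_tenant_name}:${local.customers_idp_connection_name}"
    user_id_attribute        = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    set_user_root_attributes = "on_each_login"

    # Auth0 profile attribute -> SAML assertion attribute.
    # NOTE(review): both given_name and name are taken from FirstName — confirm
    # that is intended rather than a copy/paste slip.
    fields_map = jsonencode({
      email        = "Email Address"
      given_name   = "FirstName"
      name         = "FirstName"
      family_name  = "LastName"
      memberNumber = "MemberNumber"
      phone_number = "PrimaryPhoneNumber"
    })

    idp_initiated {
      client_id = auth0_client.potato_client.client_id
      # The Management API enumerates this field as samlp, wsfed or oauth2;
      # "oauth2" is the OIDC option (rendered as "OpenID Connect" in the
      # dashboard). "openid" is not an accepted value, and that literal is
      # what surfaces in the failing response mode "auth0_pq_openid".
      # Verify against the provider docs for the pinned version.
      client_protocol        = "oauth2"
      client_authorize_query = "redirect_uri=${urlencode(var.customers_idp_redirect_uri)}"
    }
  }
}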
# Enables the SAML connection for the regular web app.
resource "auth0_connection_client" "potato_client_samlp" {
  client_id     = auth0_client.potato_client.id
  connection_id = auth0_connection.samlp.id
}
# Profile API audience; RS256 access tokens, no consent prompt for first-party clients.
resource "auth0_resource_server" "potato_profile_api" {
  identifier                                      = "https://potato.api/profiles"
  name                                            = "POTATO Profile API"
  signing_alg                                     = "RS256"
  skip_consent_for_verifiable_first_party_clients = true
}
# Permissions exposed by the profile API.
resource "auth0_resource_server_scopes" "potato_profile_api_scopes" {
  resource_server_identifier = auth0_resource_server.potato_profile_api.identifier

  scopes {
    description = "Allows for creating a profile"
    name        = "profile/write"
  }

  scopes {
    description = "Allows for reading a profile by email"
    name        = "profile/read"
  }
}
# The web app may obtain tokens for the profile API with both permissions.
resource "auth0_client_grant" "potato_profile_api_grant" {
  audience  = auth0_resource_server.potato_profile_api.identifier
  client_id = auth0_client.potato_client.id
  scopes    = ["profile/read", "profile/write"]
}
# Webhooks API audience; same token settings as the profile API.
resource "auth0_resource_server" "potato_webhooks_api" {
  identifier                                      = "https://potato.api/webhooks"
  name                                            = "POTATO Webhooks API"
  signing_alg                                     = "RS256"
  skip_consent_for_verifiable_first_party_clients = true
}
# Permissions exposed by the webhooks API.
resource "auth0_resource_server_scopes" "potato_webhooks_api_scopes" {
  resource_server_identifier = auth0_resource_server.potato_webhooks_api.identifier

  scopes {
    description = "Write webhook"
    name        = "webhooks/write"
  }

  scopes {
    description = "Read webhook"
    name        = "webhooks/read"
  }
}
# Only the M2M client is granted the webhooks API; the web app is not.
resource "auth0_client_grant" "potato_webhooks_api_grant" {
  audience  = auth0_resource_server.potato_webhooks_api.identifier
  client_id = auth0_client.potato_client_mm.id
  scopes    = ["webhooks/read", "webhooks/write"]
}
# Lets the regular web app call the Management API (used by the post-login
# action, which receives this client's id/secret).
# NOTE(review): read:user_idp_tokens returns users' stored upstream IdP
# tokens and update:users covers every user in the tenant; confirm the
# action really needs each of these scopes (least privilege).
resource "auth0_client_grant" "auth0_managment_api_grant" {
  audience  = "https://${local.auth0_domain}/api/v2/"
  client_id = auth0_client.potato_client.id
  scopes    = ["update:users", "read:users", "read:user_idp_tokens"]
}
# Ships tenant logs to AWS EventBridge (partner event source exported below).
resource "auth0_log_stream" "aws_event_bridge" {
  type   = "eventbridge"
  name   = "AWS EventBridge"
  status = "active"

  sink {
    aws_region     = var.aws_account_region
    aws_account_id = var.aws_account_id
  }
}
# Reads the web app back, including its client_secret (the resource itself
# does not expose the secret in this provider version). The secret therefore
# lands in Terraform state; protect the state backend accordingly.
data "auth0_client" "potato_client" {
  client_id = auth0_client.potato_client.client_id
}
# Post-login action; its code is kept in ./actions/postLogin/index.js and
# receives the values below as action secrets.
resource "auth0_action" "post_login_action" {
  deploy  = true
  runtime = "node18"
  name    = "post_login"
  code    = file("./actions/postLogin/index.js")

  supported_triggers {
    version = "v3"
    id      = "post-login"
  }

  # Management API credentials of the web app (see auth0_managment_api_grant).
  secrets {
    value = auth0_client.potato_client.client_id
    name  = "clientId"
  }

  secrets {
    value = local.auth0_domain
    name  = "auth0Domain"
  }

  secrets {
    value = "https://${local.auth0_domain}"
    name  = "auth0URL"
  }

  secrets {
    value = data.auth0_client.potato_client.client_secret
    name  = "clientSecret"
  }

  # Connection names the action uses to decide which role to assign.
  secrets {
    value = var.mlos_idp_connection_name
    name  = "mloRoleConnection"
  }

  secrets {
    value = local.customers_idp_connection_name
    name  = "customerRoleConnection"
  }

  secrets {
    value = var.potato_default_role
    name  = "defaultRole"
  }
}
# Attaches the action to the post-login flow.
resource "auth0_trigger_action" "post_login_action_binding" {
  action_id = auth0_action.post_login_action.id
  trigger   = "post-login"
}
# Action run on the client-credentials exchange (M2M token issuance).
resource "auth0_action" "client_credentials_action" {
  deploy  = true
  runtime = "node18"
  name    = "client_credentials"
  code    = file("./actions/clientCredentials/index.js")

  supported_triggers {
    version = "v2"
    id      = "credentials-exchange"
  }

  secrets {
    value = var.potato_admin_aggregate_id
    name  = "adminAggregateId"
  }
}
# Attaches the action to the credentials-exchange flow.
resource "auth0_trigger_action" "client_credentials_action_binding" {
  action_id = auth0_action.client_credentials_action.id
  trigger   = "credentials-exchange"
}
# Partner event source name to associate on the AWS side.
output "aws_partner_event_source" {
  value       = auth0_log_stream.aws_event_bridge.sink[0].aws_partner_event_source
  description = "AWS Partner event source"
}