ERROR: "Unsupported response mode: auth0_pq_openid" when logging in

We have our Auth0 stack set up from Terraform.
It currently consists of a regular web app and a SAML connection pointing to SAMLING ( Samling ).

Our goal is to implement IDP-initiated login (according to client requirements).

Another point; we have a post login action that will attach two claims to the id_token.

When the response is posted back from SAMLING, the user is created perfectly and the action is triggered perfectly, but then we get redirected to the Auth0 error page saying " unsupported_response_mode : Unsupported response mode: auth0_pq_openid"

The lack of resources related to the auth0_pq_openid response_mode is absolutely frustrating; we find no helpful information at all.

We have tried setting “front_channel” and “back_channel” on the SAML connection with no luck (it seems this config is associated with response_modes).

We have previously set up everything by hand on another account and it worked just fine, and when we compare them in the UI, the Terraform-generated resources and the manually created ones on the other account are identical. I assume there might be a hidden default when resources are created by Terraform that prevents it from working.

Any thoughts on it?!?!?! Thanks!

Our terraform script:

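# Deployment inputs. Only the Auth0 management credential used by Terraform is
# marked sensitive so it is redacted from plan/apply output (it still ends up in
# state, so the state backend needs to be protected).
variable "env" { type = string }
variable "potato_default_role" { type = string }
variable "potato_admin_aggregate_id" { type = string }
variable "auth0_terraform_client_id" { type = string }
variable "auth0_terraform_client_secret" {
  type      = string
  sensitive = true
}
variable "auth0_provider_debug_mode" { type = bool }
variable "auth0_tenant_name" { type = string }

# Target account for the EventBridge log stream.
variable "aws_account_id" { type = string }
variable "aws_account_region" { type = string }

# Customer IdP (SAML) inputs; the certificate and metadata are read from local files.
variable "mlos_idp_connection_name" { type = string }
variable "customers_idp_connection_debug" { type = bool }
variable "customers_idp_certificate_path" { type = string }
variable "customers_idp_metadata_path" { type = string }
variable "customers_idp_signin_url" { type = string }
variable "customers_idp_redirect_uri" { type = string }
variable "customers_idp_allowed_callbacks" { type = list(string) }
variable "customers_idp_allowed_logout_urls" { type = list(string) }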

locals {
  # Shared by the SAML connection name, its entity_id and the post-login action secret.
  customers_idp_connection_name = join("-", [var.env, "potato"])

  # Tenant is hosted in the US region; feeds the provider, the Management API
  # audience and the action secrets.
  auth0_domain = format("%s.us.auth0.com", var.auth0_tenant_name)

  # The IdP-initiated redirect_uri is appended so it is an allowed callback on the client.
  customers_idp_allowed_callbacks = concat(var.customers_idp_allowed_callbacks, [var.customers_idp_redirect_uri])
}

# Pins the Terraform core and the Auth0 provider major version; no remote
# backend is configured here (the s3 backend is commented out below).
terraform {
  required_version = ">= 1.5.7"

  required_providers {
    # aws = "5.19.0"
    auth0 = {
      source  = "auth0/auth0"
      version = ">= 1.0.0"
    }
  }

  # backend "s3" { }
}

# Management API credentials used by Terraform itself (a separate client from
# the ones this file creates).
provider "auth0" {
  domain        = local.auth0_domain
  client_id     = var.auth0_terraform_client_id
  client_secret = var.auth0_terraform_client_secret
  # NOTE(review): provider debug mode presumably logs Management API traffic;
  # keep it off outside local troubleshooting so tokens do not land in logs.
  debug         = var.auth0_provider_debug_mode
}

# Machine-to-machine client; it receives the Webhooks API grant further down.
resource "auth0_client" "potato_client_mm" {
  name                                = "${var.env}-potato"
  app_type                            = "non_interactive"
  custom_login_page_on                = false
}

# Customer-facing web application; the SAML connection signs users into it.
resource "auth0_client" "potato_client" {
  name     = "${var.env}-homestory"
  app_type = "regular_web"

  # Protocol and trust settings
  oidc_conformant                     = true
  is_first_party                      = true
  is_token_endpoint_ip_header_trusted = false

  # Login page and redirect allow-lists (callbacks include the IdP-initiated redirect_uri)
  custom_login_page_on = true
  callbacks            = local.customers_idp_allowed_callbacks
  allowed_logout_urls  = var.customers_idp_allowed_logout_urls
}

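# SAML connection to the customers' IdP (SAMLING while developing), with
# IdP-initiated login into the regular web app enabled.
resource "auth0_connection" "samlp" {
  name           = local.customers_idp_connection_name
  strategy       = "samlp"
  show_as_button = true

  options {
    type  = "front_channel"
    debug = var.customers_idp_connection_debug

    # IdP certificate (used to verify assertion signatures) is given explicitly
    # in addition to the IdP metadata document.
    signing_cert     = file(var.customers_idp_certificate_path)
    sign_in_endpoint = var.customers_idp_signin_url
    disable_sign_out = true

    set_user_root_attributes = "on_each_login"
    protocol_binding         = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    user_id_attribute        = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    signature_algorithm      = "rsa-sha256"
    digest_algorithm         = "sha256"
    entity_id                = "urn:auth0:${var.auth0_tenant_name}:${local.customers_idp_connection_name}"
    metadata_xml             = file(var.customers_idp_metadata_path)
    sign_saml_request        = true

    # SAML attribute -> Auth0 profile field. Both given_name and name are
    # mapped to FirstName; confirm that is intended.
    fields_map = jsonencode({
      "email": "Email Address",
      "given_name": "FirstName",
      "name": "FirstName",
      "family_name": "LastName",
      "memberNumber": "MemberNumber",
      "phone_number": "PrimaryPhoneNumber",
    })

    # IdP-initiated SSO: the client Auth0 completes the login for when an
    # unsolicited assertion arrives from the IdP.
    idp_initiated {
      client_id = auth0_client.potato_client.client_id
      # Must be "oauth2" for an OIDC/OAuth2 client. The previous value "openid"
      # produced the "unsupported_response_mode: auth0_pq_openid" error.
      client_protocol        = "oauth2"
      client_authorize_query = "redirect_uri=${urlencode(var.customers_idp_redirect_uri)}"
    }
  }
}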

# Enables the SAML connection on the web app (the same client named in idp_initiated).
resource "auth0_connection_client" "potato_client_samlp" {
  connection_id = auth0_connection.samlp.id
  client_id     = auth0_client.potato_client.id
}

# Profile API: custom API (resource server), its scopes, and the grant that
# lets the web app obtain tokens for it.
resource "auth0_resource_server" "potato_profile_api" {
  identifier = "https://potato.api/profiles"
  name       = "POTATO Profile API"

  signing_alg                                     = "RS256"
  skip_consent_for_verifiable_first_party_clients = true
}

resource "auth0_resource_server_scopes" "potato_profile_api_scopes" {
  resource_server_identifier = auth0_resource_server.potato_profile_api.identifier

  scopes {
    name        = "profile/write"
    description = "Allows for creating a profile"
  }

  scopes {
    name        = "profile/read"
    description = "Allows for reading a profile by email"
  }
}

resource "auth0_client_grant" "potato_profile_api_grant" {
  audience  = auth0_resource_server.potato_profile_api.identifier
  client_id = auth0_client.potato_client.id
  scopes    = ["profile/read", "profile/write"]
}

# Webhooks API: custom API (resource server), its scopes, and the grant for the
# machine-to-machine client (not the web app).
resource "auth0_resource_server" "potato_webhooks_api" {
  identifier = "https://potato.api/webhooks"
  name       = "POTATO Webhooks API"

  signing_alg                                     = "RS256"
  skip_consent_for_verifiable_first_party_clients = true
}

resource "auth0_resource_server_scopes" "potato_webhooks_api_scopes" {
  resource_server_identifier = auth0_resource_server.potato_webhooks_api.identifier

  scopes {
    name        = "webhooks/write"
    description = "Write webhook"
  }

  scopes {
    name        = "webhooks/read"
    description = "Read webhook"
  }
}

resource "auth0_client_grant" "potato_webhooks_api_grant" {
  audience  = auth0_resource_server.potato_webhooks_api.identifier
  client_id = auth0_client.potato_client_mm.id
  scopes    = ["webhooks/read", "webhooks/write"]
}

# Management API grant for the customer-facing web app (its id/secret are also
# handed to the post-login action, presumably for these calls).
# NOTE(review): read:user_idp_tokens exposes upstream IdP tokens and update:users
# permits changes to any user; confirm each scope is needed, and consider issuing
# this grant to a dedicated machine-to-machine client instead of the user-facing app.
resource "auth0_client_grant" "auth0_managment_api_grant" {
  client_id = auth0_client.potato_client.id
  audience  = "https://${local.auth0_domain}/api/v2/"
  scopes    = ["update:users", "read:users" , "read:user_idp_tokens"]
}

# Streams tenant logs to AWS EventBridge; the partner event source it produces
# is exposed as an output at the end of the file.
resource "auth0_log_stream" "aws_event_bridge" {
  type   = "eventbridge"
  name   = "AWS EventBridge"
  status = "active"

  sink {
    aws_region     = var.aws_account_region
    aws_account_id = var.aws_account_id
  }
}

# Reads the web app's generated client_secret so it can be passed to the
# post-login action. This puts the secret in Terraform state; protect the
# state backend accordingly.
data "auth0_client" "potato_client" {
  client_id = auth0_client.potato_client.client_id
}

# Post-login action (code in ./actions/postLogin/index.js) and its binding to
# the post-login trigger. Secret values are supplied from this configuration
# and therefore also appear in Terraform state.
resource "auth0_action" "post_login_action" {
  name    = "post_login"
  runtime = "node18"
  deploy  = true
  code    = file("./actions/postLogin/index.js")

  supported_triggers {
    id      = "post-login"
    version = "v3"
  }

  # Web app credentials — presumably used by the action to call the Management
  # API under the grant above; confirm against the action source.
  secrets {
    name  = "clientId" 
    value = auth0_client.potato_client.client_id
  }

  secrets {
    name  = "auth0Domain" 
    value = local.auth0_domain
  }

  secrets {
    name  = "auth0URL" 
    value = "https://${local.auth0_domain}"
  }

  secrets {
    name  = "clientSecret" 
    value = data.auth0_client.potato_client.client_secret
  }

  # Connection names the action uses to decide which role to assign.
  secrets {
    name  = "mloRoleConnection" 
    value = var.mlos_idp_connection_name
  }

  secrets {
    name  = "customerRoleConnection" 
    value = local.customers_idp_connection_name
  }

  secrets {
    name  = "defaultRole" 
    value = var.potato_default_role
  }
}

# Attaches the action to the post-login flow.
resource "auth0_trigger_action" "post_login_action_binding" {
  trigger   = "post-login"
  action_id = auth0_action.post_login_action.id
}

# Action run on the client-credentials (machine-to-machine) exchange, code in
# ./actions/clientCredentials/index.js, plus its trigger binding.
resource "auth0_action" "client_credentials_action" {
  name    = "client_credentials"
  runtime = "node18"
  deploy  = true
  code    = file("./actions/clientCredentials/index.js")

  supported_triggers {
    id      = "credentials-exchange"
    version = "v2"
  }

  secrets {
    name  = "adminAggregateId" 
    value = var.potato_admin_aggregate_id
  }
}

# Attaches the action to the credentials-exchange flow.
resource "auth0_trigger_action" "client_credentials_action_binding" {
  trigger   = "credentials-exchange"
  action_id = auth0_action.client_credentials_action.id
}

# Partner event source name created by the EventBridge log stream; needed on
# the AWS side to associate the event bus.
output "aws_partner_event_source" {
  description = "AWS Partner event source"
  value       = auth0_log_stream.aws_event_bridge.sink[0].aws_partner_event_source
}

Replace the `client_protocol` value in the `idp_initiated` block with

client_protocol = "oauth2"
