`1.39.0` `auth0_client_grant` emitting 400 Bad Request when allow_all_scopes unset

[mackcooper-legitscript]

Checklist

• I have looked into the README and have not found a suitable solution or answer.
• I have looked into the documentation and have not found a suitable solution or answer.
• I have searched the issues and have not found a suitable solution or answer.
• I have upgraded to the latest version of this provider and the issue still persists.
• I have searched the Auth0 Community forums and have not found a suitable solution or answer.
• I agree to the terms within the Auth0 Code of Conduct.

Description

resource "auth0_client_grant" "auth0_management_client" {
  client_id = auth0_client.auth0_management_client.id
  audience  = "https://${var.auth0_domain}/api/v2/"
  scopes = [
    "scope:myscope",
    ...
  ]
}

I previously had this working, but had not constrained the provider version upper limit, so when it used 1.39.0 it was failing with the above. I downgraded to 1.38.0 and it worked again. I think it might have to do with this change since that was the thing that stuck out in the most recent CHANGELOG.

Expectation

It should create the client grant ezpz.

Reproduction

Given: using provider version 1.39.0
When: providing scopes and not providing allow_all_scopes to a system level API using the auth0_client_grant resource
Then: it produces a "400 Bad Request: allow_all_scopes cannot be provided when audience is a system API"

Auth0 Terraform Provider version

1.39.0

Terraform version

1.5.5

[bkiran6398]

Hi @mackcooper-legitscript
Thanks for reporting this, I'll triage this shortly and revert back.

[sethatron]

Just to add some additional context, I believe we're also experiencing this issue after upgrading to v1.39.0.

Configuration

resource "auth0_client_grant" "db_client_read_users" {
  client_id = "auth0_client.auth0_management_client.id
  audience  = "https://${var.auth0_domain}/api/v2/"
  scopes    = ["read:users"]
}

Error: Provider produced inconsistent result after apply
When applying changes to auth0_client_grant.db_client_read_users
provider "provider[\"registry.terraform.io/auth0/auth0\"]" produced
an unexpected new value: Root resource was present, but now absent.

This is a bug in the provider, which should be reported in the provider's
own issue tracker.

Pinning to 1.38.0 resolved this

[ramya18101]

Hello @sethatron,

Thanks for sharing the details. Could you please share your tenant name?

[tchikuba]

I encountered the same issue when creating a new auth0_client_grant for the Management API.

Environment

• Terraform: 1.6.4
• Auth0 Provider: 1.39.0

Additional Context

Downgrading to v1.38.0 is not possible in our case because we also use the options[0].email field in auth0_connection resource's lifecycle.ignore_changes, which was introduced in the same v1.39.0 release (PR #1453).

This creates a situation where:

• v1.39.0: auth0_client_grant fails with allow_all_scopes error
• v1.38.x: auth0_connection fails with options[0].email not found error

Workaround

For anyone stuck on v1.39.0, here's a workaround:

Step 1: Create auth0_client resources first

terraform apply -target='module.your_module["key"]'

Step 2: Create the client grant via Auth0 Management API

# Get access token
ACCESS_TOKEN=$(curl -s --request POST \
  --url "https://${AUTH0_DOMAIN}/oauth/token" \
  --header "content-type: application/json" \
  --data '{
    "client_id": "<your_m2m_client_id>",
    "client_secret": "<your_m2m_client_secret>",
    "audience": "https://'${AUTH0_DOMAIN}'/api/v2/",
    "grant_type": "client_credentials"
  }' | jq -r '.access_token')

# Create client grant
curl --request POST \
  --url "https://${AUTH0_DOMAIN}/api/v2/client-grants" \
  --header "Authorization: Bearer ${ACCESS_TOKEN}" \
  --header "content-type: application/json" \
  --data '{
    "client_id": "<your_client_id>",
    "audience": "https://'${AUTH0_DOMAIN}'/api/v2/",
    "scope": ["read:users", "update:users", ...]
  }'

Step 3: Find the grant ID

# List all client grants and find yours by client_id
curl -s --request GET \
  --url "https://${AUTH0_DOMAIN}/api/v2/client-grants?audience=https://${AUTH0_DOMAIN}/api/v2/" \
  --header "Authorization: Bearer ${ACCESS_TOKEN}" \
  | jq '.[] | select(.client_id == "<your_client_id>") | {id, client_id}'

Step 4: Import into Terraform

terraform import 'auth0_client_grant.your_grant["key"]' <grant_id>

Root Cause Analysis

Looking at the provider source code (expand.go), the issue appears to be in expandClientGrant:

if data.IsNewResource() || data.HasChange("allow_all_scopes") {
    clientGrant.AllowAllScopes = value.Bool(cfg.GetAttr("allow_all_scopes"))
}

For new resources, this always sets AllowAllScopes even when not specified in the config, which the Management API rejects.