auth0 · sergiught · Aug 30, 2023 · Aug 26, 2023 · Aug 29, 2023
diff --git a/docs/data-sources/client.md b/docs/data-sources/client.md
@@ -52,7 +52,7 @@ data "auth0_client" "some-client-by-id" {
 - `id` (String) The ID of this resource.
 - `initiate_login_uri` (String) Initiate login URI. Must be HTTPS or an empty string.
 - `is_first_party` (Boolean) Indicates whether this client is a first-party client.
-- `is_token_endpoint_ip_header_trusted` (Boolean) Indicates whether the token endpoint IP header is trusted. This attribute can only be updated after the client gets created.
+- `is_token_endpoint_ip_header_trusted` (Boolean) Indicates whether the token endpoint IP header is trusted. Requires the authentication method to be set to `client_secret_post` or `client_secret_basic`. Setting this property when creating the resource, will default the authentication method to `client_secret_post`. To change the authentication method to `client_secret_basic` use the `auth0_client_credentials` resource.
 - `jwt_configuration` (List of Object) Configuration settings for the JWTs issued for this client. (see [below for nested schema](#nestedatt--jwt_configuration))
 - `logo_uri` (String) URL of the logo for the client. Recommended size is 150px x 150px. If none is set, the default badge for the application type will be shown.
 - `mobile` (List of Object) Additional configuration for native mobile apps. (see [below for nested schema](#nestedatt--mobile))

diff --git a/docs/resources/client.md b/docs/resources/client.md
@@ -107,7 +107,7 @@ resource "auth0_client" "my_client" {
 - `grant_types` (List of String) Types of grants that this client is authorized to use.
 - `initiate_login_uri` (String) Initiate login URI. Must be HTTPS or an empty string.
 - `is_first_party` (Boolean) Indicates whether this client is a first-party client.
-- `is_token_endpoint_ip_header_trusted` (Boolean) Indicates whether the token endpoint IP header is trusted. This attribute can only be updated after the client gets created.
+- `is_token_endpoint_ip_header_trusted` (Boolean) Indicates whether the token endpoint IP header is trusted. Requires the authentication method to be set to `client_secret_post` or `client_secret_basic`. Setting this property when creating the resource, will default the authentication method to `client_secret_post`. To change the authentication method to `client_secret_basic` use the `auth0_client_credentials` resource.
 - `jwt_configuration` (Block List, Max: 1) Configuration settings for the JWTs issued for this client. (see [below for nested schema](#nestedblock--jwt_configuration))
 - `logo_uri` (String) URL of the logo for the client. Recommended size is 150px x 150px. If none is set, the default badge for the application type will be shown.
 - `mobile` (Block List, Max: 1) Additional configuration for native mobile apps. (see [below for nested schema](#nestedblock--mobile))

diff --git a/internal/auth0/client/expand.go b/internal/auth0/client/expand.go
@@ -13,41 +13,42 @@ func expandClient(data *schema.ResourceData) *management.Client {
 	config := data.GetRawConfig()
 
 	client := &management.Client{
-		Name:                        value.String(config.GetAttr("name")),
-		Description:                 value.String(config.GetAttr("description")),
-		AppType:                     value.String(config.GetAttr("app_type")),
-		LogoURI:                     value.String(config.GetAttr("logo_uri")),
-		IsFirstParty:                value.Bool(config.GetAttr("is_first_party")),
-		OIDCConformant:              value.Bool(config.GetAttr("oidc_conformant")),
-		ClientAliases:               value.Strings(config.GetAttr("client_aliases")),
-		Callbacks:                   value.Strings(config.GetAttr("callbacks")),
-		AllowedLogoutURLs:           value.Strings(config.GetAttr("allowed_logout_urls")),
-		AllowedOrigins:              value.Strings(config.GetAttr("allowed_origins")),
-		AllowedClients:              value.Strings(config.GetAttr("allowed_clients")),
-		GrantTypes:                  value.Strings(config.GetAttr("grant_types")),
-		OrganizationUsage:           value.String(config.GetAttr("organization_usage")),
-		OrganizationRequireBehavior: value.String(config.GetAttr("organization_require_behavior")),
-		WebOrigins:                  value.Strings(config.GetAttr("web_origins")),
-		SSO:                         value.Bool(config.GetAttr("sso")),
-		SSODisabled:                 value.Bool(config.GetAttr("sso_disabled")),
-		CrossOriginAuth:             value.Bool(config.GetAttr("cross_origin_auth")),
-		CrossOriginLocation:         value.String(config.GetAttr("cross_origin_loc")),
-		CustomLoginPageOn:           value.Bool(config.GetAttr("custom_login_page_on")),
-		CustomLoginPage:             value.String(config.GetAttr("custom_login_page")),
-		FormTemplate:                value.String(config.GetAttr("form_template")),
-		InitiateLoginURI:            value.String(config.GetAttr("initiate_login_uri")),
-		EncryptionKey:               value.MapOfStrings(config.GetAttr("encryption_key")),
-		OIDCBackchannelLogout:       expandOIDCBackchannelLogout(data),
-		ClientMetadata:              expandClientMetadata(data),
-		RefreshToken:                expandClientRefreshToken(data),
-		JWTConfiguration:            expandClientJWTConfiguration(data),
-		Addons:                      expandClientAddons(data),
-		NativeSocialLogin:           expandClientNativeSocialLogin(data),
-		Mobile:                      expandClientMobile(data),
-	}
-
-	if !data.IsNewResource() {
-		client.IsTokenEndpointIPHeaderTrusted = value.Bool(config.GetAttr("is_token_endpoint_ip_header_trusted"))
+		Name:                           value.String(config.GetAttr("name")),
+		Description:                    value.String(config.GetAttr("description")),
+		AppType:                        value.String(config.GetAttr("app_type")),
+		LogoURI:                        value.String(config.GetAttr("logo_uri")),
+		IsFirstParty:                   value.Bool(config.GetAttr("is_first_party")),
+		OIDCConformant:                 value.Bool(config.GetAttr("oidc_conformant")),
+		ClientAliases:                  value.Strings(config.GetAttr("client_aliases")),
+		Callbacks:                      value.Strings(config.GetAttr("callbacks")),
+		AllowedLogoutURLs:              value.Strings(config.GetAttr("allowed_logout_urls")),
+		AllowedOrigins:                 value.Strings(config.GetAttr("allowed_origins")),
+		AllowedClients:                 value.Strings(config.GetAttr("allowed_clients")),
+		GrantTypes:                     value.Strings(config.GetAttr("grant_types")),
+		OrganizationUsage:              value.String(config.GetAttr("organization_usage")),
+		OrganizationRequireBehavior:    value.String(config.GetAttr("organization_require_behavior")),
+		WebOrigins:                     value.Strings(config.GetAttr("web_origins")),
+		SSO:                            value.Bool(config.GetAttr("sso")),
+		SSODisabled:                    value.Bool(config.GetAttr("sso_disabled")),
+		CrossOriginAuth:                value.Bool(config.GetAttr("cross_origin_auth")),
+		CrossOriginLocation:            value.String(config.GetAttr("cross_origin_loc")),
+		CustomLoginPageOn:              value.Bool(config.GetAttr("custom_login_page_on")),
+		CustomLoginPage:                value.String(config.GetAttr("custom_login_page")),
+		FormTemplate:                   value.String(config.GetAttr("form_template")),
+		InitiateLoginURI:               value.String(config.GetAttr("initiate_login_uri")),
+		EncryptionKey:                  value.MapOfStrings(config.GetAttr("encryption_key")),
+		IsTokenEndpointIPHeaderTrusted: value.Bool(config.GetAttr("is_token_endpoint_ip_header_trusted")),
+		OIDCBackchannelLogout:          expandOIDCBackchannelLogout(data),
+		ClientMetadata:                 expandClientMetadata(data),
+		RefreshToken:                   expandClientRefreshToken(data),
+		JWTConfiguration:               expandClientJWTConfiguration(data),
+		Addons:                         expandClientAddons(data),
+		NativeSocialLogin:              expandClientNativeSocialLogin(data),
+		Mobile:                         expandClientMobile(data),
+	}
+
+	if data.IsNewResource() && client.IsTokenEndpointIPHeaderTrusted != nil {
+		client.TokenEndpointAuthMethod = auth0.String("client_secret_post")
 	}
 
 	return client

diff --git a/internal/auth0/client/resource.go b/internal/auth0/client/resource.go
@@ -78,10 +78,13 @@ func NewResource() *schema.Resource {
 				Description: "Indicates whether this client is a first-party client.",
 			},
 			"is_token_endpoint_ip_header_trusted": {
-				Type:        schema.TypeBool,
-				Optional:    true,
-				Computed:    true,
-				Description: "Indicates whether the token endpoint IP header is trusted. This attribute can only be updated after the client gets created.",
+				Type:     schema.TypeBool,
+				Optional: true,
+				Computed: true,
+				Description: "Indicates whether the token endpoint IP header is trusted. Requires the authentication " +
+					"method to be set to `client_secret_post` or `client_secret_basic`. Setting this property when " +
+					"creating the resource, will default the authentication method to `client_secret_post`. To change " +
+					"the authentication method to `client_secret_basic` use the `auth0_client_credentials` resource.",
 			},
 			"oidc_conformant": {
 				Type:        schema.TypeBool,

diff --git a/internal/auth0/client/resource_test.go b/internal/auth0/client/resource_test.go
@@ -6,7 +6,8 @@ import (
 	"testing"
 
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
-	"github.com/hashicorp/terraform-plugin-testing/plancheck"
+	"github.com/hashicorp/terraform-plugin-testing/terraform"
+	"github.com/stretchr/testify/assert"
 
 	"github.com/auth0/terraform-provider-auth0/internal/acctest"
 )
@@ -2100,44 +2101,47 @@ resource "auth0_client" "my_client" {
 
   is_token_endpoint_ip_header_trusted = true
 }
+`
+
+const testAccImportClientCredentialsForClientWithIsTokenEndpointIPHeaderTrustedSetToTrueOnCreate = `
+resource "auth0_client" "my_client" {
+  name = "Test IP Header Trusted - {{.testName}}"
+
+  is_token_endpoint_ip_header_trusted = true
+}
 
-resource "auth0_client_credentials" "my_client-credentials" {
+resource "auth0_client_credentials" "my_client_credentials" {
   client_id = auth0_client.my_client.id
 
   authentication_method = "client_secret_post"
 }
 `
 
-func TestAccClientGetsCreatedWithoutSettingIsTokenEndpointIPHeaderTrustedOnCreate(t *testing.T) {
+func TestAccClientGetsCreatedWithIsTokenEndpointIPHeaderTrustedEnabled(t *testing.T) {
 	acctest.Test(t, resource.TestCase{
 		Steps: []resource.TestStep{
 			{
-				Config:             acctest.ParseTestName(testAccCreateClientWithIsTokenEndpointIPHeaderTrustedSetToTrue, t.Name()),
-				ExpectNonEmptyPlan: true,
-				ConfigPlanChecks: resource.ConfigPlanChecks{
-					PostApplyPostRefresh: []plancheck.PlanCheck{
-						plancheck.ExpectResourceAction("auth0_client.my_client", plancheck.ResourceActionUpdate),
-					},
-				},
+				Config: acctest.ParseTestName(testAccCreateClientWithIsTokenEndpointIPHeaderTrustedSetToTrue, t.Name()),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr("auth0_client.my_client", "name", fmt.Sprintf("Test IP Header Trusted - %s", t.Name())),
-					resource.TestCheckResourceAttr("auth0_client.my_client", "is_token_endpoint_ip_header_trusted", "false"),
-					resource.TestCheckTypeSetElemAttrPair("auth0_client_credentials.my_client-credentials", "client_id", "auth0_client.my_client", "id"),
-					resource.TestCheckResourceAttr("auth0_client_credentials.my_client-credentials", "authentication_method", "client_secret_post"),
+					resource.TestCheckResourceAttr("auth0_client.my_client", "is_token_endpoint_ip_header_trusted", "true"),
 				),
 			},
 			{
-				Config: acctest.ParseTestName(testAccCreateClientWithIsTokenEndpointIPHeaderTrustedSetToTrue, t.Name()),
-				ConfigPlanChecks: resource.ConfigPlanChecks{
-					PostApplyPostRefresh: []plancheck.PlanCheck{
-						plancheck.ExpectEmptyPlan(),
-					},
+				Config:       acctest.ParseTestName(testAccImportClientCredentialsForClientWithIsTokenEndpointIPHeaderTrustedSetToTrueOnCreate, t.Name()),
+				ResourceName: "auth0_client_credentials.my_client_credentials",
+				ImportState:  true,
+				ImportStateIdFunc: func(state *terraform.State) (string, error) {
+					clientID, err := acctest.ExtractResourceAttributeFromState(state, "auth0_client.my_client", "id")
+					assert.NoError(t, err)
+					return clientID, nil
 				},
+				ImportStatePersist: true,
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr("auth0_client.my_client", "name", fmt.Sprintf("Test IP Header Trusted - %s", t.Name())),
 					resource.TestCheckResourceAttr("auth0_client.my_client", "is_token_endpoint_ip_header_trusted", "true"),
-					resource.TestCheckTypeSetElemAttrPair("auth0_client_credentials.my_client-credentials", "client_id", "auth0_client.my_client", "id"),
-					resource.TestCheckResourceAttr("auth0_client_credentials.my_client-credentials", "authentication_method", "client_secret_post"),
+					resource.TestCheckTypeSetElemAttrPair("auth0_client_credentials.my_client_credentials", "client_id", "auth0_client.my_client", "id"),
+					resource.TestCheckResourceAttr("auth0_client_credentials.my_client_credentials", "authentication_method", "client_secret_post"),
 				),
 			},
 		},