Enabling Native to Web SSO with Terraform

Overview

This article explains why the following error occurs when attempting to exchange a refresh token for Single Sign-On (SSO) credentials and provides the steps to resolve it by enabling the feature with the Auth0 Terraform Provider.

 

Auth0.CredentialsManagerError.Code.ssoExchangeFailed
Feature is disabled for this client
Status Code: 400



Applies To

  • Auth0
  • Terraform
  • Native to Web SSO

Cause

The error occurs because the Native to Web SSO feature has not been enabled for the Auth0 Client (application) in the Terraform configuration. The session_transfer block, which is required to activate this functionality, is missing from the auth0_client resource definition.

Solution

Native to Web SSO is available on Enterprise plans; upgrade the tenant if it is not on one. Then update the Terraform configuration so that session transfers are enabled for the client:

  1. Ensure the environment uses version 1.38.0 or later of the Auth0 Terraform provider. The latest version can be found in the CHANGELOG.

  2. Add the session_transfer block to the appropriate auth0_client resource in the Terraform configuration. The configurable parameters are documented in the Terraform provider documentation; the following sample can be adapted to your requirements.

    resource "auth0_client" "my_native_app" {
      # ... other client settings
    
      session_transfer {
        allow_refresh_token               = true
        allowed_authentication_methods    = ["cookie", "query"]
        can_create_session_transfer_token = true
        enforce_cascade_revocation        = true
        enforce_device_binding            = "ip"
        enforce_online_refresh_tokens     = true
      }
    }
    
  3. Refer to the API documentation for more details on creating and managing session transfer tokens.
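After applying the configuration, it is worth confirming that the client Auth0 actually serves matches what Terraform was meant to apply, since the same "Feature is disabled for this client" error appears whenever the session_transfer block is absent. The following Python script is an added example, not code from this article, Auth0 or the Terraform provider: it compares a client's session_transfer settings with the values in the sample above, either against constructed sample clients or against a client fetched from the Management API (GET /api/v2/clients/{id} with a token holding read:clients). It assumes the API response uses the same attribute names as the Terraform block; the sample client objects and the AUTH0_DOMAIN and AUTH0_MGMT_TOKEN variable names are constructed for the example.

```python
"""Verify a client's Native to Web SSO (session transfer) settings.

Added example; not code from this article, Auth0, or the Terraform provider.
It assumes the Management API client object carries a `session_transfer`
object whose keys match the Terraform `session_transfer` attribute names.
The sample client objects below are constructed for illustration.
"""
import json
import os
import sys
import urllib.request

# The settings the Terraform sample in this article applies. A client whose
# live settings differ from these has either drifted or was never applied.
EXPECTED_SESSION_TRANSFER = {
    "allow_refresh_token": True,
    "allowed_authentication_methods": ["cookie", "query"],
    "can_create_session_transfer_token": True,
    "enforce_cascade_revocation": True,
    "enforce_device_binding": "ip",
    "enforce_online_refresh_tokens": True,
}


def check_session_transfer(client, expected=EXPECTED_SESSION_TRANSFER):
    """Return a list of findings; an empty list means the client matches `expected`."""
    settings = client.get("session_transfer")
    if not settings:
        # No block at all: the state behind "Feature is disabled for this client".
        return ["session_transfer is absent: Native to Web SSO is not enabled for this client"]
    findings = []
    for key, want in expected.items():
        got = settings.get(key)
        # Order is irrelevant for the list of allowed authentication methods.
        if isinstance(want, list):
            got = sorted(got or [])
            want = sorted(want)
        if got != want:
            findings.append(f"{key} is {got!r}, expected {want!r}")
    return findings


def fetch_client(domain, client_id, token):
    """GET /api/v2/clients/{id} from the Management API; the token needs read:clients."""
    req = urllib.request.Request(
        f"https://{domain}/api/v2/clients/{client_id}",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample clients shaped like Management API client objects.
SAMPLE_ENABLED = {"client_id": "native-ok", "session_transfer": dict(EXPECTED_SESSION_TRANSFER)}
SAMPLE_DISABLED = {"client_id": "native-missing"}  # no session_transfer block at all
SAMPLE_DRIFTED = {
    "client_id": "native-drift",
    "session_transfer": {
        **EXPECTED_SESSION_TRANSFER,
        "allowed_authentication_methods": ["cookie"],
        "enforce_device_binding": "none",
    },
}


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Live check; AUTH0_DOMAIN and AUTH0_MGMT_TOKEN are hypothetical variable names.
        client = fetch_client(os.environ["AUTH0_DOMAIN"], sys.argv[1], os.environ["AUTH0_MGMT_TOKEN"])
        clients = [client]
    else:
        clients = [SAMPLE_ENABLED, SAMPLE_DISABLED, SAMPLE_DRIFTED]
    exit_code = 0
    for c in clients:
        findings = check_session_transfer(c)
        print(f"{c.get('client_id')}: {'OK' if not findings else 'FAIL'}")
        for finding in findings:
            print(f"  - {finding}")
        exit_code |= bool(findings)
    sys.exit(exit_code)
```

Run it with no arguments to see the three constructed cases, or with a client ID (and the two environment variables set) to check a live client; a non-zero exit code means at least one finding, which makes the script usable as a post-apply gate in a pipeline.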
