
DPoP for configuration with a lot of objects can cause failures during terraform plan #2076

Open
PavelSlepushkin opened this issue Aug 30, 2024 · 3 comments
Labels
bug stale triaged Triaged into internal Jira waiting-response Waiting on collaborator to respond to follow-on discussion

Comments

@PavelSlepushkin

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

❯ terraform -v
Terraform v1.8.1
on darwin_arm64
+ provider registry.terraform.io/hashicorp/vault v3.2.1
+ provider registry.terraform.io/okta/okta v4.10.0

Affected Resource(s)

  • okta_xxx

Terraform Configuration Files

NA

Debug Output

NA

Panic Output

Not related

Expected Behavior

terraform plan finishes without errors

Can this be done in the Admin UI?

Not related

Can this be done in the actual API call?

Not related

Actual Behavior

terraform plan reports errors

Error: failed to get application group assignment: the API returned an unknown error, Status: 400 Bad Request

for different types of resources
When I analysed the trace output from terraform I found the following:

❯ rg -A30 'HTTP/2.0 400 Bad Request' run-9Whhof5SawKC7ziv-plan-log.txt|rg error_description |sed -e 's/.*error_//' |cut -f1 -d, |sort|uniq -c
  10 description": "Authorization server requires nonce in DPoP proof."
  10 description": "The DPoP proof JWT header is missing."
  48 description="The DPoP proof JWT has already been used."
❯

Errors with the descriptions "Authorization server requires nonce in DPoP proof." and "The DPoP proof JWT header is missing." seem expected and correctly handled, while the errors with "The DPoP proof JWT has already been used." are what is causing terraform plan to fail.
Sorry, I cannot share configuration or the trace.

Steps to Reproduce

  1. terraform plan

Important Factoids

Our terraform state has about 1500 objects.
Configuration worked fine with API token, plan started to fail when we switched to OAuth2.0.
As a workaround - we've disabled DPoP for our OAuth2.0 Application and configuration started to work.

References

  • #0000
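For context on what the three error_description values above mean, here is an added example in Go (the provider's language), written for this page and not taken from the Okta provider, okta-sdk-golang or Okta's servers. It mints an RFC 9449 DPoP proof the way a client must, with a fresh random jti per request and the server-issued nonce, and models the server-side check that yields each of the three errors: a request with no proof header, a proof without the nonce the server requires, and a proof whose jti has already been accepted. Only the last one cannot be cured by resending the same proof, which is why a proof shared across requests (for example by parallel workers) surfaces as "The DPoP proof JWT has already been used." The verifier is a simplified model (an assumption, not Okta's implementation, though its error strings deliberately mirror the ones in the trace), and the URL and nonce are constructed; nothing here asserts how the provider itself behaves.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"sync"
	"time"
)

var b64 = base64.RawURLEncoding // JWS uses base64url without padding (RFC 7515)

// NewDPoPProof mints a fresh ES256 DPoP proof (RFC 9449) bound to one HTTP method and URL. The jti
// is random per call and the nonce is sent only once the server has issued one; mint one per request.
func NewDPoPProof(priv *ecdsa.PrivateKey, htm, htu, nonce string) (string, error) {
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	coord := func(n *big.Int) string { return b64.EncodeToString(n.FillBytes(make([]byte, 32))) }
	hdr, _ := json.Marshal(map[string]any{"typ": "dpop+jwt", "alg": "ES256",
		"jwk": map[string]string{"kty": "EC", "crv": "P-256", "x": coord(priv.X), "y": coord(priv.Y)}})
	claims := map[string]any{"jti": b64.EncodeToString(jti), "htm": htm, "htu": htu, "iat": time.Now().Unix()}
	if nonce != "" {
		claims["nonce"] = nonce
	}
	body, _ := json.Marshal(claims)
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	// JWS ES256 signatures are the raw R||S pair, each left-padded to 32 bytes.
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// The first three error strings mirror the error_description values quoted in the issue.
var (
	ErrMissingHeader = errors.New("The DPoP proof JWT header is missing.")
	ErrNonceRequired = errors.New("Authorization server requires nonce in DPoP proof.")
	ErrReplayed      = errors.New("The DPoP proof JWT has already been used.")
	ErrMalformed     = errors.New("malformed or badly signed DPoP proof")
)

// ProofVerifier is a simplified model of the server-side check (an assumption for this example,
// not Okta's code): verify the signature with the embedded key, enforce the nonce, then reject
// any jti seen before. sync.Map keeps the jti bookkeeping race-free under parallel requests.
type ProofVerifier struct {
	Nonce string // nonce the server currently expects; "" disables the check
	seen  sync.Map
}

func (v *ProofVerifier) Check(proof string) error {
	if proof == "" {
		return ErrMissingHeader
	}
	h, rest, _ := strings.Cut(proof, ".") // header.claims.signature; extra or missing dots fail below
	c, s, _ := strings.Cut(rest, ".")
	hdrJSON, e1 := b64.DecodeString(h)
	body, e2 := b64.DecodeString(c)
	sig, e3 := b64.DecodeString(s)
	var hdr struct{ Typ string; JWK struct{ X, Y string } } // encoding/json matches keys case-insensitively
	var claims struct{ JTI, Nonce string }
	if e1 != nil || e2 != nil || e3 != nil || len(sig) != 64 || json.Unmarshal(hdrJSON, &hdr) != nil ||
		json.Unmarshal(body, &claims) != nil || hdr.Typ != "dpop+jwt" {
		return ErrMalformed
	}
	bigFrom := func(enc string) *big.Int { b, _ := b64.DecodeString(enc); return new(big.Int).SetBytes(b) }
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: bigFrom(hdr.JWK.X), Y: bigFrom(hdr.JWK.Y)}
	digest := sha256.Sum256([]byte(h + "." + c))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return ErrMalformed
	}
	if v.Nonce != "" && claims.Nonce != v.Nonce {
		return ErrNonceRequired
	}
	if _, dup := v.seen.LoadOrStore(claims.JTI, true); dup {
		return ErrReplayed
	}
	return nil
}

func main() {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	v := &ProofVerifier{Nonce: "server-nonce-1"} // constructed nonce and URL, not a real tenant
	proof, err := NewDPoPProof(priv, "GET", "https://example.okta.com/api/v1/apps", "server-nonce-1")
	fmt.Println("mint:", err, "first use:", v.Check(proof), "second use:", v.Check(proof))
}
```

Running Check twice on one proof returns ErrReplayed the second time, while a proof minted per request is accepted every time; that is exactly the single-use jti rule RFC 9449 imposes, and a server may remember jtis for as long as it likes, so caching a proof across requests on the client side is never safe. The other two errors are recoverable by retrying: a 400 or 401 that carries a DPoP-Nonce header means "mint a new proof that includes this nonce and send again", which matches the issue's observation that those two were handled correctly.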
@duytiennguyen-okta duytiennguyen-okta added the triaged Triaged into internal Jira label Sep 3, 2024
@duytiennguyen-okta (Contributor)

OKTA internal reference https://oktainc.atlassian.net/browse/OKTA-799365

@duytiennguyen-okta duytiennguyen-okta added waiting-response Waiting on collaborator to respond to follow-on discussion bug labels Sep 3, 2024
@duytiennguyen-okta (Contributor)

@PavelSlepushkin so you are saying DPoP works normally if you reduce the size of the terraform script / have fewer objects involved? Am I understanding that correctly?

github-actions bot commented Oct 4, 2024

This issue is stale because it has been open 60 days with no activity. Comment or this will be closed in 35 days

@github-actions github-actions bot added the stale label Oct 4, 2024