Here's what my tf code looks like:

resource "auth0_connection" "test_okta" {
  name           = "Test"
  display_name   = "Test Okta"
  strategy       = "okta"
  show_as_button = false

  options {
    client_id      = secret
    client_secret  = secret
    domain         = "secret.com"
    domain_aliases = ["secret.com"]
  }
}

I've also tried manually adding PKCE and basic_profile attributes to the options part, but still run into the same issue.

I believe I found the issue: when creating Okta connections through the Web UI the scopes field is automatically set to the following values: openid profile email

However, when the Okta workforce connection is created through terraform no default values are set for the scopes field. The scopes field is a required field so that field being set to none should not be allowed by the auth0 terraform provider. I would recommend setting the same three values as defaults: openid profile email. At the very least, the documentation needs to be updated to state that this is a required field.

As a workaround for now I am manually setting the scopes field.

Hey @mustafahasan 👋🏻

We greatly appreciate you taking the time to bring this to our attention. It's fantastic to hear that you've found a solution, and your commitment to sharing it here is invaluable for other users who may encounter the same issue.

Your suggestions are indeed valid. However, we must exercise caution when considering default values for the scope property, as it is shared across various other connection types. Rest assured, we will thoroughly investigate this matter and, at the very least, ensure that our documentation is updated accordingly.

I'll remove the "bug" label for now, but we'll keep this issue open while we explore options for improving default values or making documentation updates.

Once again, thank you for your valuable input!

We found this issue since we faced the same error.

This appears to be a breaking behavior in the auth0 backend. In our case, we use auth0 API to configure connectors programmatically (so we are similar to terraform provider in that regard). Previously, we had never set any scopes as part of the Connection and it just worked. Perhaps auth0 was already defaulting scopes in the backend. But it appears to have stopped doing that sometime recently, causing this error.

Our solution was to set some default scopes as suggested in #852 (comment), but I consider this breaking behavior in the auth0 APIs.

I think I can confirm that the following statement is very likely true:

Perhaps auth0 was already defaulting scopes in the backend. But it appears to have stopped doing that sometime recently, causing this error.

I can vouch my application (which is an Auth0 API Client) never set these scopes on created Okta Workforce connections.
One day my customer complained that they saw the error in this issue. I found that new connections created via the API did not have the scopes, older connections did. Setting the scopes manually via the UI fixed my customer's issue, and setting the scopes in code fixed it going forward.

Thanks @jessesuen for the tip!