auth0-deploy-cli 8.23.2 → 8.25.0

package/CHANGELOG.md

@@ -7,6 +7,24 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [8.25.0] - 2026-01-08
+
+### Added
+
+- `AUTH0_INCLUDED_CONNECTIONS` config property to include only selected `connection`. [#1242]
+
+### Fixed
+
+- Fix `tokenExchangeProfiles` profiles handling. [#1253]
+- Fix `idle_ephemeral_session_lifetime` and `ephemeral_session_lifetime` handling while importing [#1261]
+
+## [8.24.0] - 2025-12-22
+
+### Added
+
+- Add support for managing `riskAssessment` settings. [#1217]
+- Add directory provisioning support for `google-apps` connections. [#1246]
+
 ## [8.23.2] - 2025-12-18
 
 ### Fixed
@@ -1575,6 +1593,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 [#1211]: https://github.com/auth0/auth0-deploy-cli/issues/1211
 [#1212]: https://github.com/auth0/auth0-deploy-cli/issues/1212
 [#1214]: https://github.com/auth0/auth0-deploy-cli/issues/1214
+[#1217]: https://github.com/auth0/auth0-deploy-cli/issues/1217
 [#1221]: https://github.com/auth0/auth0-deploy-cli/issues/1221
 [#1223]: https://github.com/auth0/auth0-deploy-cli/issues/1223
 [#1224]: https://github.com/auth0/auth0-deploy-cli/issues/1224
@@ -1583,8 +1602,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 [#1232]: https://github.com/auth0/auth0-deploy-cli/issues/1232
 [#1239]: https://github.com/auth0/auth0-deploy-cli/issues/1239
 [#1240]: https://github.com/auth0/auth0-deploy-cli/issues/1240
+[#1242]: https://github.com/auth0/auth0-deploy-cli/issues/1242
 [#1244]: https://github.com/auth0/auth0-deploy-cli/issues/1244
-[Unreleased]: https://github.com/auth0/auth0-deploy-cli/compare/v8.23.2...HEAD
+[#1246]: https://github.com/auth0/auth0-deploy-cli/issues/1246
+[#1253]: https://github.com/auth0/auth0-deploy-cli/issues/1253
+[Unreleased]: https://github.com/auth0/auth0-deploy-cli/compare/v8.25.0...HEAD
+[8.25.0]: https://github.com/auth0/auth0-deploy-cli/compare/v8.24.0...v8.25.0
+[8.24.0]: https://github.com/auth0/auth0-deploy-cli/compare/v8.23.2...v8.24.0
 [8.23.2]: https://github.com/auth0/auth0-deploy-cli/compare/v8.23.1...v8.23.2
 [8.23.1]: https://github.com/auth0/auth0-deploy-cli/compare/v8.23.0...v8.23.1
 [8.23.0]: https://github.com/auth0/auth0-deploy-cli/compare/v8.22.0...v8.23.0

package/lib/context/directory/handlers/index.js

@@ -23,6 +23,7 @@ const actions_1 = __importDefault(require("./actions"));
 const organizations_1 = __importDefault(require("./organizations"));
 const triggers_1 = __importDefault(require("./triggers"));
 const attackProtection_1 = __importDefault(require("./attackProtection"));
+const riskAssessment_1 = __importDefault(require("./riskAssessment"));
 const branding_1 = __importDefault(require("./branding"));
 const phoneProvider_1 = __importDefault(require("./phoneProvider"));
 const phoneTemplates_1 = __importDefault(require("./phoneTemplates"));
@@ -65,6 +66,7 @@ const directoryHandlers = {
     organizations: organizations_1.default,
     triggers: triggers_1.default,
     attackProtection: attackProtection_1.default,
+    riskAssessment: riskAssessment_1.default,
     branding: branding_1.default,
     phoneProviders: phoneProvider_1.default,
     phoneTemplates: phoneTemplates_1.default,

package/lib/context/directory/handlers/riskAssessment.d.ts

@@ -0,0 +1,6 @@
+import { DirectoryHandler } from '.';
+import { ParsedAsset } from '../../../types';
+import { RiskAssessment } from '../../../tools/auth0/handlers/riskAssessment';
+type ParsedRiskAssessment = ParsedAsset<'riskAssessment', RiskAssessment>;
+declare const riskAssessmentHandler: DirectoryHandler<ParsedRiskAssessment>;
+export default riskAssessmentHandler;

package/lib/context/directory/handlers/riskAssessment.js

@@ -0,0 +1,40 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const path_1 = __importDefault(require("path"));
+const fs_extra_1 = __importDefault(require("fs-extra"));
+const tools_1 = require("../../../tools");
+const utils_1 = require("../../../utils");
+function parse(context) {
+    const riskAssessmentDirectory = path_1.default.join(context.filePath, tools_1.constants.RISK_ASSESSMENT_DIRECTORY);
+    const riskAssessmentFile = path_1.default.join(riskAssessmentDirectory, 'settings.json');
+    if (!(0, utils_1.existsMustBeDir)(riskAssessmentDirectory)) {
+        return { riskAssessment: null };
+    }
+    if (!(0, utils_1.isFile)(riskAssessmentFile)) {
+        return { riskAssessment: null };
+    }
+    const riskAssessment = (0, utils_1.loadJSON)(riskAssessmentFile, {
+        mappings: context.mappings,
+        disableKeywordReplacement: context.disableKeywordReplacement,
+    });
+    return {
+        riskAssessment,
+    };
+}
+async function dump(context) {
+    const { riskAssessment } = context.assets;
+    if (!riskAssessment)
+        return;
+    const riskAssessmentDirectory = path_1.default.join(context.filePath, tools_1.constants.RISK_ASSESSMENT_DIRECTORY);
+    const riskAssessmentFile = path_1.default.join(riskAssessmentDirectory, 'settings.json');
+    fs_extra_1.default.ensureDirSync(riskAssessmentDirectory);
+    (0, utils_1.dumpJSON)(riskAssessmentFile, riskAssessment);
+}
+const riskAssessmentHandler = {
+    parse,
+    dump,
+};
+exports.default = riskAssessmentHandler;

package/lib/context/directory/handlers/tenant.js

@@ -15,12 +15,17 @@ function parse(context) {
         return { tenant: null };
     }
     /* eslint-disable camelcase */
-    const { session_lifetime, idle_session_lifetime, ...tenant } = (0, utils_1.loadJSON)(tenantFile, {
+    const { session_lifetime, idle_session_lifetime, idle_ephemeral_session_lifetime, ephemeral_session_lifetime, ...tenant } = (0, utils_1.loadJSON)(tenantFile, {
         mappings: context.mappings,
         disableKeywordReplacement: context.disableKeywordReplacement,
     });
     (0, utils_1.clearTenantFlags)(tenant);
-    const sessionDurations = (0, sessionDurationsToMinutes_1.sessionDurationsToMinutes)({ session_lifetime, idle_session_lifetime });
+    const sessionDurations = (0, sessionDurationsToMinutes_1.sessionDurationsToMinutes)({
+        session_lifetime,
+        idle_session_lifetime,
+        idle_ephemeral_session_lifetime,
+        ephemeral_session_lifetime,
+    });
     return {
         //@ts-ignore
         tenant: {

package/lib/context/directory/index.js

@@ -63,6 +63,9 @@ class DirectoryContext {
             resourceServers: config.AUTH0_EXCLUDED_RESOURCE_SERVERS || [],
             defaults: config.AUTH0_EXCLUDED_DEFAULTS || [],
         };
+        this.assets.include = {
+            connections: config.AUTH0_INCLUDED_CONNECTIONS || [],
+        };
     }
     loadFile(f, folder) {
         const basePath = path.join(this.filePath, folder);

package/lib/context/index.js

@@ -26,6 +26,7 @@ const nonPrimitiveProps = [
     'AUTH0_INCLUDED_ONLY',
     'EXCLUDED_PROPS',
     'INCLUDED_PROPS',
+    'AUTH0_INCLUDED_CONNECTIONS',
 ];
 const EA_FEATURES = [];
 const setupContext = async (config, command) => {
@@ -97,6 +98,15 @@ const setupContext = async (config, command) => {
             logger_1.default.warn(`Usage of the ${usedDeprecatedParams.join(', ')} exclusion ${usedDeprecatedParams.length > 1 ? 'params are' : 'param is'} deprecated and may be removed from future major versions. See: https://github.com/auth0/auth0-deploy-cli/issues/451#user-content-deprecated-exclusion-props for details.`);
         }
     })(config);
+    ((config) => {
+        const hasIncludedConnections = config.AUTH0_INCLUDED_CONNECTIONS !== undefined &&
+            config.AUTH0_INCLUDED_CONNECTIONS.length > 0;
+        const hasExcludedConnections = config.AUTH0_EXCLUDED_CONNECTIONS !== undefined &&
+            config.AUTH0_EXCLUDED_CONNECTIONS.length > 0;
+        if (hasIncludedConnections && hasExcludedConnections) {
+            throw new Error('Both AUTH0_INCLUDED_CONNECTIONS and AUTH0_EXCLUDED_CONNECTIONS configuration values are defined, only one can be configured at a time.');
+        }
+    })(config);
     ((config) => {
         // Check if experimental early access features are enabled
         if (config.AUTH0_EXPERIMENTAL_EA) {

package/lib/context/yaml/handlers/index.js

@@ -23,6 +23,7 @@ const organizations_1 = __importDefault(require("./organizations"));
 const actions_1 = __importDefault(require("./actions"));
 const triggers_1 = __importDefault(require("./triggers"));
 const attackProtection_1 = __importDefault(require("./attackProtection"));
+const riskAssessment_1 = __importDefault(require("./riskAssessment"));
 const branding_1 = __importDefault(require("./branding"));
 const phoneProvider_1 = __importDefault(require("./phoneProvider"));
 const phoneTemplates_1 = __importDefault(require("./phoneTemplates"));
@@ -65,6 +66,7 @@ const yamlHandlers = {
     organizations: organizations_1.default,
     triggers: triggers_1.default,
     attackProtection: attackProtection_1.default,
+    riskAssessment: riskAssessment_1.default,
     branding: branding_1.default,
     phoneProviders: phoneProvider_1.default,
     phoneTemplates: phoneTemplates_1.default,

package/lib/context/yaml/handlers/riskAssessment.d.ts

@@ -0,0 +1,6 @@
+import { YAMLHandler } from '.';
+import { RiskAssessment } from '../../../tools/auth0/handlers/riskAssessment';
+import { ParsedAsset } from '../../../types';
+type ParsedRiskAssessment = ParsedAsset<'riskAssessment', RiskAssessment>;
+declare const riskAssessmentHandler: YAMLHandler<ParsedRiskAssessment>;
+export default riskAssessmentHandler;

package/lib/context/yaml/handlers/riskAssessment.js

@@ -0,0 +1,23 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+async function parse(context) {
+    const { riskAssessment } = context.assets;
+    if (!riskAssessment)
+        return { riskAssessment: null };
+    return {
+        riskAssessment,
+    };
+}
+async function dump(context) {
+    const { riskAssessment } = context.assets;
+    if (!riskAssessment)
+        return { riskAssessment: null };
+    return {
+        riskAssessment,
+    };
+}
+const riskAssessmentHandler = {
+    parse,
+    dump,
+};
+exports.default = riskAssessmentHandler;

package/lib/context/yaml/handlers/tenant.js

@@ -6,9 +6,14 @@ async function parse(context) {
     if (!context.assets.tenant)
         return { tenant: null };
     /* eslint-disable camelcase */
-    const { session_lifetime, idle_session_lifetime, ...tenant } = context.assets.tenant;
+    const { session_lifetime, idle_session_lifetime, idle_ephemeral_session_lifetime, ephemeral_session_lifetime, ...tenant } = context.assets.tenant;
     (0, utils_1.clearTenantFlags)(tenant);
-    const sessionDurations = (0, sessionDurationsToMinutes_1.sessionDurationsToMinutes)({ session_lifetime, idle_session_lifetime });
+    const sessionDurations = (0, sessionDurationsToMinutes_1.sessionDurationsToMinutes)({
+        session_lifetime,
+        idle_session_lifetime,
+        idle_ephemeral_session_lifetime,
+        ephemeral_session_lifetime,
+    });
     return {
         tenant: {
             ...tenant,

package/lib/context/yaml/index.js

@@ -32,6 +32,9 @@ class YAMLContext {
             resourceServers: config.AUTH0_EXCLUDED_RESOURCE_SERVERS || [],
             defaults: config.AUTH0_EXCLUDED_DEFAULTS || [],
         };
+        this.assets.include = {
+            connections: config.AUTH0_INCLUDED_CONNECTIONS || [],
+        };
         this.basePath = (() => {
             if (!!config.AUTH0_BASE_PATH)
                 return config.AUTH0_BASE_PATH;
@@ -80,6 +83,7 @@ class YAMLContext {
         }, {});
         const initialAssets = {
             exclude: this.assets.exclude, // Keep the exclude rules in result assets
+            include: this.assets.include, // Keep the include rules in result assets
         };
         this.assets = Object.keys(this.assets).reduce((acc, key) => {
             // Get the list of asset types to include
@@ -173,6 +177,7 @@ class YAMLContext {
         let cleaned = (0, readonly_1.default)(this.assets, this.config);
         // Delete exclude as it's not part of the auth0 tenant config
         delete cleaned.exclude;
+        delete cleaned.include;
         // Optionally Strip identifiers
         if (!this.config.AUTH0_EXPORT_IDENTIFIERS) {
             cleaned = (0, utils_1.stripIdentifiers)(auth0, cleaned);

package/lib/sessionDurationsToMinutes.d.ts

@@ -1,7 +1,11 @@
-export declare const sessionDurationsToMinutes: ({ session_lifetime, idle_session_lifetime, }: {
+export declare const sessionDurationsToMinutes: ({ session_lifetime, idle_session_lifetime, idle_ephemeral_session_lifetime, ephemeral_session_lifetime, }: {
     session_lifetime?: number;
     idle_session_lifetime?: number;
+    idle_ephemeral_session_lifetime?: number;
+    ephemeral_session_lifetime?: number;
 }) => {
     session_lifetime_in_minutes?: number;
     idle_session_lifetime_in_minutes?: number;
+    idle_ephemeral_session_lifetime_in_minutes?: number;
+    ephemeral_session_lifetime_in_minutes?: number;
 };

package/lib/sessionDurationsToMinutes.js

@@ -4,12 +4,16 @@ exports.sessionDurationsToMinutes = void 0;
 function hoursToMinutes(hours) {
     return Math.round(hours * 60);
 }
-const sessionDurationsToMinutes = ({ session_lifetime, idle_session_lifetime, }) => {
+const sessionDurationsToMinutes = ({ session_lifetime, idle_session_lifetime, idle_ephemeral_session_lifetime, ephemeral_session_lifetime, }) => {
     const sessionDurations = {};
     if (!!session_lifetime)
         sessionDurations.session_lifetime_in_minutes = hoursToMinutes(session_lifetime);
     if (!!idle_session_lifetime)
         sessionDurations.idle_session_lifetime_in_minutes = hoursToMinutes(idle_session_lifetime);
+    if (!!idle_ephemeral_session_lifetime)
+        sessionDurations.idle_ephemeral_session_lifetime_in_minutes = hoursToMinutes(idle_ephemeral_session_lifetime);
+    if (!!ephemeral_session_lifetime)
+        sessionDurations.ephemeral_session_lifetime_in_minutes = hoursToMinutes(ephemeral_session_lifetime);
     return sessionDurations;
 };
 exports.sessionDurationsToMinutes = sessionDurationsToMinutes;

package/lib/tools/auth0/handlers/connections.d.ts

@@ -78,11 +78,40 @@ export declare const schema: {
                 required: string[];
                 additionalProperties: boolean;
             };
+            directory_provisioning_configuration: {
+                type: string;
+                properties: {
+                    mapping: {
+                        type: string;
+                        items: {
+                            type: string;
+                            properties: {
+                                auth0: {
+                                    type: string;
+                                    description: string;
+                                };
+                                idp: {
+                                    type: string;
+                                    description: string;
+                                };
+                            };
+                        };
+                    };
+                    synchronize_automatically: {
+                        type: string;
+                        description: string;
+                    };
+                };
+            };
         };
         required: string[];
     };
 };
-export type Connection = Management.ConnectionForList;
+type DirectoryProvisioningConfig = Management.GetDirectoryProvisioningResponseContent;
+export type Connection = Management.ConnectionForList & {
+    enabled_clients?: string[];
+    directory_provisioning_configuration?: DirectoryProvisioningConfig;
+};
 export declare const addExcludedConnectionPropertiesToChanges: ({ proposedChanges, existingConnections, config, }: {
     proposedChanges: CalculatedChanges;
     existingConnections: Asset[];
@@ -135,7 +164,33 @@ export default class ConnectionsHandler extends DefaultAPIHandler {
     } | {
         options?: undefined;
     };
+    /**
+     * Retrieves directory provisioning configuration for a specific Auth0 connection.
+     * @param connectionId - The unique identifier of the connection
+     * @returns A promise that resolves to the configuration object, or null if not configured/supported
+     */
+    getConnectionDirectoryProvisioning(connectionId: string): Promise<DirectoryProvisioningConfig | null>;
+    /**
+     * Creates directory provisioning configuration for a connection.
+     */
+    private createConnectionDirectoryProvisioning;
+    /**
+     * Updates directory provisioning configuration for a connection.
+     */
+    private updateConnectionDirectoryProvisioning;
+    /**
+     * Deletes directory provisioning configuration for a connection.
+     */
+    private deleteConnectionDirectoryProvisioning;
+    /**
+     * This function processes directory provisioning for create, update, and conflict operations.
+     * Directory provisioning is only supported for google-apps strategy connections.
+     *
+     * @param changes - Object containing arrays of connections to create, update, and resolve conflicts for
+     */
+    processConnectionDirectoryProvisioning(changes: CalculatedChanges): Promise<void>;
     getType(): Promise<Asset[] | null>;
     calcChanges(assets: Assets): Promise<CalculatedChanges>;
     processChanges(assets: Assets): Promise<void>;
 }
+export {};

package/lib/tools/auth0/handlers/connections.js

@@ -93,6 +93,25 @@ exports.schema = {
                 required: ['active'],
                 additionalProperties: false,
             },
+            directory_provisioning_configuration: {
+                type: 'object',
+                properties: {
+                    mapping: {
+                        type: 'array',
+                        items: {
+                            type: 'object',
+                            properties: {
+                                auth0: { type: 'string', description: 'The field location in the Auth0 schema' },
+                                idp: { type: 'string', description: 'The field location in the IDP schema' },
+                            },
+                        },
+                    },
+                    synchronize_automatically: {
+                        type: 'boolean',
+                        description: 'The field whether periodic automatic synchronization is enabled',
+                    },
+                },
+            },
         },
         required: ['name', 'strategy'],
     },
@@ -286,6 +305,169 @@ class ConnectionsHandler extends default_1.default {
             return {};
         }
     }
+    /**
+     * Retrieves directory provisioning configuration for a specific Auth0 connection.
+     * @param connectionId - The unique identifier of the connection
+     * @returns A promise that resolves to the configuration object, or null if not configured/supported
+     */
+    async getConnectionDirectoryProvisioning(connectionId) {
+        if (!connectionId)
+            return null;
+        const creates = [connectionId];
+        let config = null;
+        try {
+            await this.client.pool
+                .addEachTask({
+                data: creates || [],
+                generator: async (id) => this.client.connections.directoryProvisioning
+                    .get(id)
+                    .then((resp) => {
+                    config = resp;
+                })
+                    .catch((err) => {
+                    throw new auth0_1.ManagementError(err);
+                }),
+            })
+                .promise();
+            const stripKeysFromOutput = [
+                'connection_id',
+                'connection_name',
+                'strategy',
+                'created_at',
+                'updated_at',
+            ];
+            stripKeysFromOutput.forEach((key) => {
+                if (config && key in config) {
+                    delete config[key];
+                }
+            });
+            return config;
+        }
+        catch (error) {
+            const errLog = `Unable to fetch directory provisioning for connection '${connectionId}'. `;
+            if (error instanceof auth0_1.ManagementError) {
+                const bodyMessage = error.body?.message;
+                logger_1.default.warn(errLog + bodyMessage);
+            }
+            else {
+                logger_1.default.error(errLog, error?.message);
+            }
+            return null;
+        }
+    }
+    /**
+     * Creates directory provisioning configuration for a connection.
+     */
+    async createConnectionDirectoryProvisioning(connectionId, payload) {
+        if (!connectionId) {
+            throw new Error('Connection ID is required to create directory provisioning configuration.');
+        }
+        const createPayload = {
+            mapping: payload.mapping,
+            synchronize_automatically: payload.synchronize_automatically,
+        };
+        await this.client.connections.directoryProvisioning.create(connectionId, createPayload);
+        logger_1.default.debug(`Created directory provisioning for connection '${connectionId}'`);
+    }
+    /**
+     * Updates directory provisioning configuration for a connection.
+     */
+    async updateConnectionDirectoryProvisioning(connectionId, payload) {
+        if (!connectionId) {
+            throw new Error('Connection ID is required to update directory provisioning configuration.');
+        }
+        const updatePayload = {
+            mapping: payload.mapping,
+            synchronize_automatically: payload.synchronize_automatically,
+        };
+        await this.client.connections.directoryProvisioning.update(connectionId, updatePayload);
+        logger_1.default.debug(`Updated directory provisioning for connection '${connectionId}'`);
+    }
+    /**
+     * Deletes directory provisioning configuration for a connection.
+     */
+    async deleteConnectionDirectoryProvisioning(connectionId) {
+        if (!connectionId) {
+            throw new Error('Connection ID is required to delete directory provisioning configuration.');
+        }
+        await this.client.connections.directoryProvisioning.delete(connectionId);
+        logger_1.default.debug(`Deleted directory provisioning for connection '${connectionId}'`);
+    }
+    /**
+     * This function processes directory provisioning for create, update, and conflict operations.
+     * Directory provisioning is only supported for google-apps strategy connections.
+     *
+     * @param changes - Object containing arrays of connections to create, update, and resolve conflicts for
+     */
+    async processConnectionDirectoryProvisioning(changes) {
+        const { create, update, conflicts } = changes;
+        // Build a map of existing connections by ID for quick lookup
+        const existingConnectionsMap = (0, lodash_1.keyBy)(this.existing || [], 'id');
+        // Filter to only google-apps connections
+        const googleAppsWithDirProvFilter = (conn) => conn.strategy === 'google-apps';
+        const connectionsToProcess = [
+            ...update.filter(googleAppsWithDirProvFilter),
+            ...create.filter(googleAppsWithDirProvFilter),
+            ...conflicts.filter(googleAppsWithDirProvFilter),
+        ];
+        if (connectionsToProcess.length === 0) {
+            return;
+        }
+        const directoryConnectionsToUpdate = [];
+        const directoryConnectionsToCreate = [];
+        const directoryConnectionsToDelete = [];
+        for (const conn of connectionsToProcess) {
+            if (!conn.id)
+                continue;
+            const existingConn = existingConnectionsMap[conn.id];
+            const existingConfig = existingConn?.directory_provisioning_configuration;
+            const proposedConfig = conn.directory_provisioning_configuration;
+            if (existingConfig && proposedConfig) {
+                directoryConnectionsToUpdate.push(conn);
+            }
+            else if (!existingConfig && proposedConfig) {
+                directoryConnectionsToCreate.push(conn);
+            }
+            else if (existingConfig && !proposedConfig) {
+                directoryConnectionsToDelete.push(conn);
+            }
+        }
+        // Process updates first
+        await this.client.pool
+            .addEachTask({
+            data: directoryConnectionsToUpdate || [],
+            generator: (conn) => this.updateConnectionDirectoryProvisioning(conn.id, conn.directory_provisioning_configuration).catch((err) => {
+                throw new Error(`Failed to update directory provisioning for connection '${conn.id}':\n${err}`);
+            }),
+        })
+            .promise();
+        // Process creates
+        await this.client.pool
+            .addEachTask({
+            data: directoryConnectionsToCreate || [],
+            generator: (conn) => this.createConnectionDirectoryProvisioning(conn.id, conn.directory_provisioning_configuration).catch((err) => {
+                throw new Error(`Failed to create directory provisioning for connection '${conn.id}':\n${err}`);
+            }),
+        })
+            .promise();
+        // Process deletes
+        if (this.config('AUTH0_ALLOW_DELETE') === 'true' ||
+            this.config('AUTH0_ALLOW_DELETE') === true) {
+            await this.client.pool
+                .addEachTask({
+                data: directoryConnectionsToDelete || [],
+                generator: (conn) => this.deleteConnectionDirectoryProvisioning(conn.id).catch((err) => {
+                    throw new Error(`Failed to delete directory provisioning for connection '${conn.id}':\n${err}`);
+                }),
+            })
+                .promise();
+        }
+        else if (directoryConnectionsToDelete.length) {
+            logger_1.default.warn(`Detected directory provisioning configs to delete. Deletes are disabled (set 'AUTH0_ALLOW_DELETE' to true to allow).\n${directoryConnectionsToDelete
+                .map((i) => this.objString(i))
+                .join('\n')}`);
+        }
+    }
     async getType() {
         if (this.existing)
             return this.existing;
@@ -306,10 +488,18 @@ class ConnectionsHandler extends default_1.default {
             if (!con?.id)
                 return con;
             const enabledClients = await (0, exports.getConnectionEnabledClients)(this.client, con.id);
+            // Cast to Asset to allow adding properties
+            let connection = { ...con };
             if (enabledClients && enabledClients?.length) {
-                return { ...con, enabled_clients: enabledClients };
+                connection.enabled_clients = enabledClients;
+            }
+            if (connection.strategy === 'google-apps') {
+                const dirProvConfig = await this.getConnectionDirectoryProvisioning(con.id);
+                if (dirProvConfig) {
+                    connection.directory_provisioning_configuration = dirProvConfig;
+                }
             }
-            return con;
+            return connection;
         }));
         this.existing = connectionsWithEnabledClients;
         // Apply `scim_configuration` to all the relevant `SCIM` connections. This method mutates `this.existing`.
@@ -361,11 +551,16 @@ class ConnectionsHandler extends default_1.default {
         if (!isOptionExists) {
             logger_1.default.warn(`Insufficient scope the update:connections_options scope is required to update ${this.type} options.`);
         }
+        const includedConnections = (assets.include && assets.include.connections) || [];
         const excludedConnections = (assets.exclude && assets.exclude.connections) || [];
-        const changes = await this.calcChanges(assets);
-        await super.processChanges(assets, (0, utils_1.filterExcluded)(changes, excludedConnections));
+        let changes = await this.calcChanges(assets);
+        changes = (0, utils_1.filterExcluded)(changes, excludedConnections);
+        changes = (0, utils_1.filterIncluded)(changes, includedConnections);
+        await super.processChanges(assets, changes);
         // process enabled clients
-        await (0, exports.processConnectionEnabledClients)(this.client, this.type, (0, utils_1.filterExcluded)(changes, excludedConnections));
+        await (0, exports.processConnectionEnabledClients)(this.client, this.type, changes);
+        // process directory provisioning
+        await this.processConnectionDirectoryProvisioning(changes);
     }
 }
 exports.default = ConnectionsHandler;

package/lib/tools/auth0/handlers/index.d.ts

@@ -4,5 +4,6 @@ declare const _default: { [key in AssetTypes]: {
     default: typeof APIHandler;
     excludeSchema?: any;
     schema: any;
+    includeSchema?: any;
 }; };
 export default _default;

package/lib/tools/auth0/handlers/index.js

@@ -60,6 +60,7 @@ const actions = __importStar(require("./actions"));
 const triggers = __importStar(require("./triggers"));
 const organizations = __importStar(require("./organizations"));
 const attackProtection = __importStar(require("./attackProtection"));
+const riskAssessment = __importStar(require("./riskAssessment"));
 const logStreams = __importStar(require("./logStreams"));
 const customDomains = __importStar(require("./customDomains"));
 const themes = __importStar(require("./themes"));
@@ -100,6 +101,7 @@ const auth0ApiHandlers = {
     triggers,
     organizations,
     attackProtection,
+    riskAssessment,
     logStreams,
     customDomains,
     themes,

package/lib/tools/auth0/handlers/riskAssessment.d.ts

@@ -0,0 +1,39 @@
+import DefaultAPIHandler from './default';
+import { Assets } from '../../../types';
+import { Management } from 'auth0';
+export declare const schema: {
+    type: string;
+    properties: {
+        settings: {
+            type: string;
+            properties: {
+                enabled: {
+                    type: string;
+                    description: string;
+                };
+            };
+            required: string[];
+        };
+        new_device: {
+            type: string;
+            properties: {
+                remember_for: {
+                    type: string;
+                    description: string;
+                };
+            };
+            required: string[];
+        };
+    };
+    required: string[];
+};
+export type RiskAssessment = {
+    settings: Management.GetRiskAssessmentsSettingsResponseContent;
+    new_device?: Management.GetRiskAssessmentsSettingsNewDeviceResponseContent;
+};
+export default class RiskAssessmentHandler extends DefaultAPIHandler {
+    existing: RiskAssessment;
+    constructor(config: DefaultAPIHandler);
+    getType(): Promise<RiskAssessment>;
+    processChanges(assets: Assets): Promise<void>;
+}

package/lib/tools/auth0/handlers/riskAssessment.js

@@ -0,0 +1,95 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.schema = void 0;
+const default_1 = __importDefault(require("./default"));
+const auth0_1 = require("auth0");
+exports.schema = {
+    type: 'object',
+    properties: {
+        settings: {
+            type: 'object',
+            properties: {
+                enabled: {
+                    type: 'boolean',
+                    description: 'Whether or not risk assessment is enabled.',
+                },
+            },
+            required: ['enabled'],
+        },
+        new_device: {
+            type: 'object',
+            properties: {
+                remember_for: {
+                    type: 'number',
+                    description: 'Length of time to remember devices for, in days.',
+                },
+            },
+            required: ['remember_for'],
+        },
+    },
+    required: ['settings'],
+};
+class RiskAssessmentHandler extends default_1.default {
+    constructor(config) {
+        super({
+            ...config,
+            type: 'riskAssessment',
+        });
+    }
+    async getType() {
+        if (this.existing) {
+            return this.existing;
+        }
+        try {
+            const [settings, newDeviceSettings] = await Promise.all([
+                this.client.riskAssessments.settings.get(),
+                this.client.riskAssessments.settings.newDevice.get().catch((err) => {
+                    if (err instanceof auth0_1.ManagementError && err?.statusCode === 404) {
+                        return { remember_for: 0 };
+                    }
+                    throw err;
+                }),
+            ]);
+            const riskAssessment = {
+                settings: settings,
+                new_device: newDeviceSettings,
+                ...(newDeviceSettings.remember_for > 0 && {
+                    new_device: newDeviceSettings,
+                }),
+            };
+            this.existing = riskAssessment;
+            return this.existing;
+        }
+        catch (err) {
+            if (err instanceof auth0_1.ManagementError && err.statusCode === 404) {
+                const riskAssessment = {
+                    settings: { enabled: false },
+                };
+                this.existing = riskAssessment;
+                return this.existing;
+            }
+            throw err;
+        }
+    }
+    async processChanges(assets) {
+        const { riskAssessment } = assets;
+        // Non-existing section means it doesn't need to be processed
+        if (!riskAssessment) {
+            return;
+        }
+        const updates = [];
+        // Update main settings (enabled flag)
+        updates.push(this.client.riskAssessments.settings.update(riskAssessment?.settings));
+        // Update new device settings if provided
+        if (riskAssessment.new_device) {
+            updates.push(this.client.riskAssessments.settings.newDevice.update(riskAssessment.new_device));
+        }
+        await Promise.all(updates);
+        this.updated += 1;
+        this.didUpdate(riskAssessment);
+    }
+}
+exports.default = RiskAssessmentHandler;

package/lib/tools/auth0/handlers/scimHandler.js

@@ -190,6 +190,7 @@ class ScimHandler {
         // Remove `scim_configuration` from `bodyParams`, because `connections.update` doesn't accept it.
         const { scim_configuration: scimBodyParams } = bodyParams;
         delete bodyParams.scim_configuration;
+        delete bodyParams.directory_provisioning_configuration;
         // First, update `connections`.
         const updated = await this.connectionsManager.update(requestParams.id, bodyParams);
         const idMapEntry = this.idMap.get(requestParams.id);
@@ -223,6 +224,7 @@ class ScimHandler {
         // Remove `scim_configuration` from `bodyParams`, because `connections.create` doesn't accept it.
         const { scim_configuration: scimBodyParams } = bodyParams;
         delete bodyParams.scim_configuration;
+        delete bodyParams.directory_provisioning_configuration;
         // First, create the new `connection`.
         const data = await this.connectionsManager.create(bodyParams);
         if (data?.id && scimBodyParams && this.scimScopes.create) {

package/lib/tools/auth0/handlers/tokenExchangeProfiles.d.ts

@@ -11,10 +11,6 @@ export declare const schema: {
                 type: string;
                 description: string;
             };
-            id: {
-                type: string;
-                description: string;
-            };
             subject_token_type: {
                 type: string;
                 description: string;
@@ -28,16 +24,6 @@ export declare const schema: {
                 enum: string[];
                 description: string;
             };
-            created_at: {
-                type: string;
-                format: string;
-                description: string;
-            };
-            updated_at: {
-                type: string;
-                format: string;
-                description: string;
-            };
         };
         required: string[];
     };

package/lib/tools/auth0/handlers/tokenExchangeProfiles.js

@@ -55,10 +55,6 @@ exports.schema = {
                 type: 'string',
                 description: 'The name of the token exchange profile',
             },
-            id: {
-                type: 'string',
-                description: 'The unique identifier of the token exchange profile',
-            },
             subject_token_type: {
                 type: 'string',
                 description: 'The URI representing the subject token type',
@@ -72,16 +68,6 @@ exports.schema = {
                 enum: ['custom_authentication'],
                 description: 'The type of token exchange profile',
             },
-            created_at: {
-                type: 'string',
-                format: 'date-time',
-                description: 'The timestamp when the profile was created',
-            },
-            updated_at: {
-                type: 'string',
-                format: 'date-time',
-                description: 'The timestamp when the profile was last updated',
-            },
         },
         required: ['name', 'subject_token_type', 'action', 'type'],
     },
@@ -92,10 +78,10 @@ class TokenExchangeProfilesHandler extends default_1.default {
             ...config,
             type: 'tokenExchangeProfiles',
             id: 'id',
-            identifiers: ['id', 'name'],
+            identifiers: ['id', 'subject_token_type'],
             // Only name and subject_token_type can be updated
-            stripUpdateFields: ['id', 'created_at', 'updated_at', 'action_id', 'type'],
-            stripCreateFields: ['id', 'created_at', 'updated_at'],
+            stripUpdateFields: ['created_at', 'updated_at', 'action_id', 'type'],
+            stripCreateFields: ['created_at', 'updated_at'],
         });
     }
     sanitizeForExport(profile, actions) {
@@ -145,9 +131,9 @@ class TokenExchangeProfilesHandler extends default_1.default {
                 paginate: true,
             });
             // Fetch all actions to map action_id to action name
-            const actions = await this.getActions();
+            this.actions = await this.getActions();
             // Map action_id to action name for each profile
-            this.existing = profiles.map((profile) => this.sanitizeForExport(profile, actions));
+            this.existing = profiles.map((profile) => this.sanitizeForExport(profile, this.actions ?? []));
             return this.existing;
         }
         catch (err) {
@@ -163,31 +149,34 @@ class TokenExchangeProfilesHandler extends default_1.default {
         // Do nothing if not set
         if (!tokenExchangeProfiles)
             return;
-        // Fetch actions to resolve action names to IDs
-        const actions = await this.getActions();
-        // Map action names to action_ids before processing
-        const sanitizedProfiles = tokenExchangeProfiles.map((profile) => this.sanitizeForAPI(profile, actions));
-        // Create modified assets with sanitized profiles
-        const modifiedAssets = {
-            ...assets,
-            tokenExchangeProfiles: sanitizedProfiles,
-        };
         // Calculate changes
-        const { del, update, create, conflicts } = await this.calcChanges(modifiedAssets);
+        const { del, update, create, conflicts } = await this.calcChanges(assets);
         logger_1.default.debug(`Start processChanges for tokenExchangeProfiles [delete:${del.length}] [update:${update.length}], [create:${create.length}], [conflicts:${conflicts.length}]`);
+        // Fetch actions to resolve action names to IDs
+        if (!this.actions || this.actions.length === 0) {
+            this.actions = await this.getActions();
+        }
         // Process changes in order: delete, create, update
         if (del.length > 0) {
-            await this.deleteTokenExchangeProfiles(del);
+            await this.deleteTokenExchangeProfiles(del.map((profile) => this.sanitizeForAPI(profile, this.actions ?? [])));
         }
         if (create.length > 0) {
-            await this.createTokenExchangeProfiles(create);
+            await this.createTokenExchangeProfiles(create.map((profile) => this.sanitizeForAPI(profile, this.actions ?? [])));
         }
         if (update.length > 0) {
-            await this.updateTokenExchangeProfiles(update);
+            await this.updateTokenExchangeProfiles(update.map((profile) => this.sanitizeForAPI(profile, this.actions ?? [])));
         }
     }
     async createTokenExchangeProfile(profile) {
-        const { id, created_at, updated_at, ...createParams } = profile;
+        if (!profile.name || !profile.subject_token_type || !profile.action_id || !profile.type) {
+            throw new Error(`Cannot create token exchange profile missing required fields`);
+        }
+        const createParams = {
+            name: profile.name,
+            subject_token_type: profile.subject_token_type,
+            action_id: profile.action_id,
+            type: profile.type,
+        };
         const created = await this.client.tokenExchangeProfiles.create(createParams);
         return created;
     }
@@ -207,10 +196,14 @@ class TokenExchangeProfilesHandler extends default_1.default {
             .promise();
     }
     async updateTokenExchangeProfile(profile) {
-        const { id, created_at, updated_at, action_id, type, ...updateParams } = profile;
+        const { id, name, subject_token_type } = profile;
         if (!id) {
             throw new Error(`Cannot update token exchange profile "${profile.name}" - missing id`);
         }
+        const updateParams = {
+            name,
+            subject_token_type,
+        };
         await this.client.tokenExchangeProfiles.update(id, updateParams);
     }
     async updateTokenExchangeProfiles(updates) {

package/lib/tools/auth0/schema.d.ts

@@ -9,6 +9,13 @@ declare const _default: {
             };
             default: {};
         };
+        include: {
+            type: string;
+            properties: {
+                [key: string]: Object;
+            };
+            default: {};
+        };
     };
     additionalProperties: boolean;
 };

package/lib/tools/auth0/schema.js

@@ -14,6 +14,12 @@ const excludeSchema = Object.entries(handlers_1.default).reduce((map, [name, obj
     }
     return map;
 }, {});
+const includeSchema = Object.entries(handlers_1.default).reduce((map, [name, obj]) => {
+    if (obj.includeSchema) {
+        map[name] = obj.includeSchema;
+    }
+    return map;
+}, {});
 exports.default = {
     type: 'object',
     $schema: 'http://json-schema.org/draft-07/schema#',
@@ -24,6 +30,11 @@ exports.default = {
             properties: { ...excludeSchema },
             default: {},
         },
+        include: {
+            type: 'object',
+            properties: { ...includeSchema },
+            default: {},
+        },
     },
     additionalProperties: false,
 };

package/lib/tools/constants.d.ts

@@ -57,6 +57,7 @@ declare const constants: {
     CONNECTIONS_ID_NAME: string;
     ROLES_DIRECTORY: string;
     ATTACK_PROTECTION_DIRECTORY: string;
+    RISK_ASSESSMENT_DIRECTORY: string;
     GUARDIAN_FACTORS: string[];
     GUARDIAN_POLICIES: string[];
     GUARDIAN_PHONE_PROVIDERS: string[];

package/lib/tools/constants.js

@@ -103,6 +103,7 @@ const constants = {
     CONNECTIONS_ID_NAME: 'id',
     ROLES_DIRECTORY: 'roles',
     ATTACK_PROTECTION_DIRECTORY: 'attack-protection',
+    RISK_ASSESSMENT_DIRECTORY: 'risk-assessment',
     GUARDIAN_FACTORS: [
         'sms',
         'push-notification',

package/lib/tools/utils.d.ts

@@ -19,6 +19,7 @@ export declare function stripFields(obj: Asset, fields: string[]): Asset;
 export declare function getEnabledClients(assets: Assets, connection: Asset, existing: Asset[], clients: Asset[]): string[] | undefined;
 export declare function duplicateItems(arr: Asset[], key: string): Asset[];
 export declare function filterExcluded(changes: CalculatedChanges, exclude: string[]): CalculatedChanges;
+export declare function filterIncluded(changes: CalculatedChanges, include: string[]): CalculatedChanges;
 export declare function areArraysEquals(x: any[], y: any[]): boolean;
 export declare const obfuscateSensitiveValues: (data: Asset | Asset[] | null, sensitiveFieldsToObfuscate: string[]) => Asset | Asset[] | null;
 export declare const stripObfuscatedFieldsFromPayload: (data: Asset | Asset[] | null, obfuscatedFields: string[]) => Asset | Asset[] | null;

package/lib/tools/utils.js

@@ -50,6 +50,7 @@ exports.stripFields = stripFields;
 exports.getEnabledClients = getEnabledClients;
 exports.duplicateItems = duplicateItems;
 exports.filterExcluded = filterExcluded;
+exports.filterIncluded = filterIncluded;
 exports.areArraysEquals = areArraysEquals;
 exports.sleep = sleep;
 exports.maskSecretAtPath = maskSecretAtPath;
@@ -213,6 +214,19 @@ function filterExcluded(changes, exclude) {
         conflicts: filter(conflicts),
     };
 }
+function filterIncluded(changes, include) {
+    const { del, update, create, conflicts } = changes;
+    if (!include || !include.length) {
+        return changes;
+    }
+    const filter = (list) => list.filter((item) => include.includes(item.name));
+    return {
+        del: filter(del),
+        update: filter(update),
+        create: filter(create),
+        conflicts: filter(conflicts),
+    };
+}
 function areArraysEquals(x, y) {
     return lodash_1.default.isEqual(x && x.sort(), y && y.sort());
 }

package/lib/types.d.ts

@@ -18,6 +18,7 @@ import { NetworkACL } from './tools/auth0/handlers/networkACLs';
 import { UserAttributeProfile } from './tools/auth0/handlers/userAttributeProfiles';
 import { AttackProtection } from './tools/auth0/handlers/attackProtection';
 import { TokenExchangeProfile } from './tools/auth0/handlers/tokenExchangeProfiles';
+import { RiskAssessment } from './tools/auth0/handlers/riskAssessment';
 type SharedPaginationParams = {
     checkpoint?: boolean;
     paginate?: boolean;
@@ -75,6 +76,7 @@ export type Config = {
     INCLUDED_PROPS?: {
         [key: string]: string[];
     };
+    AUTH0_INCLUDED_CONNECTIONS?: string[];
     AUTH0_IGNORE_UNAVAILABLE_MIGRATIONS?: boolean;
     AUTH0_EXCLUDED_RULES?: string[];
     AUTH0_EXCLUDED_CLIENTS?: string[];
@@ -90,6 +92,7 @@ export type Asset = {
 export type Assets = Partial<{
     actions: Action[] | null;
     attackProtection: AttackProtection | null;
+    riskAssessment: RiskAssessment | null;
     branding: (Asset & {
         templates?: {
             template: string;
@@ -129,6 +132,9 @@ export type Assets = Partial<{
     exclude?: {
         [key: string]: string[];
     };
+    include?: {
+        [key: string]: string[];
+    };
     clientsOrig: Asset[] | null;
     themes: Theme[] | null;
     forms: Form[] | null;
@@ -147,7 +153,7 @@ export type CalculatedChanges = {
     conflicts: Asset[];
     create: Asset[];
 };
-export type AssetTypes = 'rules' | 'rulesConfigs' | 'hooks' | 'pages' | 'databases' | 'clientGrants' | 'resourceServers' | 'clients' | 'connections' | 'tenant' | 'emailProvider' | 'emailTemplates' | 'guardianFactors' | 'guardianFactorProviders' | 'guardianFactorTemplates' | 'guardianPhoneFactorMessageTypes' | 'guardianPhoneFactorSelectedProvider' | 'guardianPolicies' | 'roles' | 'actions' | 'organizations' | 'triggers' | 'attackProtection' | 'branding' | 'phoneProviders' | 'phoneTemplates' | 'logStreams' | 'prompts' | 'customDomains' | 'themes' | 'forms' | 'flows' | 'flowVaultConnections' | 'selfServiceProfiles' | 'networkACLs' | 'userAttributeProfiles' | 'connectionProfiles' | 'tokenExchangeProfiles';
+export type AssetTypes = 'rules' | 'rulesConfigs' | 'hooks' | 'pages' | 'databases' | 'clientGrants' | 'resourceServers' | 'clients' | 'connections' | 'tenant' | 'emailProvider' | 'emailTemplates' | 'guardianFactors' | 'guardianFactorProviders' | 'guardianFactorTemplates' | 'guardianPhoneFactorMessageTypes' | 'guardianPhoneFactorSelectedProvider' | 'guardianPolicies' | 'roles' | 'actions' | 'organizations' | 'triggers' | 'attackProtection' | 'riskAssessment' | 'branding' | 'phoneProviders' | 'phoneTemplates' | 'logStreams' | 'prompts' | 'customDomains' | 'themes' | 'forms' | 'flows' | 'flowVaultConnections' | 'selfServiceProfiles' | 'networkACLs' | 'userAttributeProfiles' | 'connectionProfiles' | 'tokenExchangeProfiles';
 export type KeywordMappings = {
     [key: string]: (string | number)[] | string | number;
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "auth0-deploy-cli",
-  "version": "8.23.2",
+  "version": "8.25.0",
   "description": "A command line tool for deploying updates to your Auth0 tenant",
   "main": "lib/index.js",
   "bin": {
@@ -42,7 +42,7 @@
     "nconf": "^0.13.0",
     "promise-pool-executor": "^1.1.1",
     "sanitize-filename": "^1.6.3",
-    "undici": "^7.16.0",
+    "undici": "^7.18.0",
     "winston": "^3.19.0",
     "yargs": "^15.4.1"
   },
@@ -52,8 +52,8 @@
     "@types/mocha": "^10.0.10",
     "@types/nconf": "^0.10.7",
     "@eslint/js": "^9.39.2",
-    "@typescript-eslint/eslint-plugin": "^8.50.0",
-    "@typescript-eslint/parser": "^8.50.0",
+    "@typescript-eslint/eslint-plugin": "^8.52.0",
+    "@typescript-eslint/parser": "^8.52.0",
     "chai": "^4.5.0",
     "chai-as-promised": "^7.1.2",
     "eslint": "^9.39.2",