auth0-deploy-cli 8.24.0 → 8.26.0

package/.github/workflows/claude-code-review.yml

@@ -1,10 +1,7 @@
 name: Claude Code PR Review
 
 on:
-  issue_comment:
-    types: [created]
-  pull_request_review_comment:
-    types: [created]
+  workflow_dispatch:
 
 jobs:
   claude-review:

package/CHANGELOG.md

@@ -7,6 +7,36 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [8.26.0] - 2026-01-30
+
+### Added
+
+- Add support for `use_for_organization_discovery` in organizations `discovery-domains`. [#1283]
+- Add support for passwordless authentication methods (`email_otp` and `phone_otp`) in `databases`. [#1282]
+- Add support for `relying_party_identifier` in `customDomains`. [#1280]
+- Add support for `allow_all_scopes` property in `clientGrants`. [#1278]
+- Add OIDC logout configuration support with session metadata in `clients`. [#1263]
+
+### Changed
+
+- Optimize directory provisioning configuration fetching for `connections`. [#1284]
+
+### Fixed
+
+- Fix exclude read-only `is_default` from `customDomains`. [#1279]
+- Fix pagination skipping last page. [#1277]
+
+## [8.25.0] - 2026-01-08
+
+### Added
+
+- `AUTH0_INCLUDED_CONNECTIONS` config property to include only selected `connection`. [#1242]
+
+### Fixed
+
+- Fix `tokenExchangeProfiles` profiles handling. [#1253]
+- Fix `idle_ephemeral_session_lifetime` and `ephemeral_session_lifetime` handling while importing [#1261]
+
 ## [8.24.0] - 2025-12-22
 
 ### Added
@@ -1591,9 +1621,22 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 [#1232]: https://github.com/auth0/auth0-deploy-cli/issues/1232
 [#1239]: https://github.com/auth0/auth0-deploy-cli/issues/1239
 [#1240]: https://github.com/auth0/auth0-deploy-cli/issues/1240
+[#1242]: https://github.com/auth0/auth0-deploy-cli/issues/1242
 [#1244]: https://github.com/auth0/auth0-deploy-cli/issues/1244
 [#1246]: https://github.com/auth0/auth0-deploy-cli/issues/1246
-[Unreleased]: https://github.com/auth0/auth0-deploy-cli/compare/v8.24.0...HEAD
+[#1253]: https://github.com/auth0/auth0-deploy-cli/issues/1253
+[#1261]: https://github.com/auth0/auth0-deploy-cli/issues/1261
+[#1263]: https://github.com/auth0/auth0-deploy-cli/issues/1263
+[#1277]: https://github.com/auth0/auth0-deploy-cli/issues/1277
+[#1278]: https://github.com/auth0/auth0-deploy-cli/issues/1278
+[#1279]: https://github.com/auth0/auth0-deploy-cli/issues/1279
+[#1280]: https://github.com/auth0/auth0-deploy-cli/issues/1280
+[#1282]: https://github.com/auth0/auth0-deploy-cli/issues/1282
+[#1283]: https://github.com/auth0/auth0-deploy-cli/issues/1283
+[#1284]: https://github.com/auth0/auth0-deploy-cli/issues/1284
+[Unreleased]: https://github.com/auth0/auth0-deploy-cli/compare/v8.26.0...HEAD
+[8.26.0]: https://github.com/auth0/auth0-deploy-cli/compare/v8.25.0...v8.26.0
+[8.25.0]: https://github.com/auth0/auth0-deploy-cli/compare/v8.24.0...v8.25.0
 [8.24.0]: https://github.com/auth0/auth0-deploy-cli/compare/v8.23.2...v8.24.0
 [8.23.2]: https://github.com/auth0/auth0-deploy-cli/compare/v8.23.1...v8.23.2
 [8.23.1]: https://github.com/auth0/auth0-deploy-cli/compare/v8.23.0...v8.23.1

package/lib/context/directory/handlers/tenant.js

@@ -15,12 +15,17 @@ function parse(context) {
         return { tenant: null };
     }
     /* eslint-disable camelcase */
-    const { session_lifetime, idle_session_lifetime, ...tenant } = (0, utils_1.loadJSON)(tenantFile, {
+    const { session_lifetime, idle_session_lifetime, idle_ephemeral_session_lifetime, ephemeral_session_lifetime, ...tenant } = (0, utils_1.loadJSON)(tenantFile, {
         mappings: context.mappings,
         disableKeywordReplacement: context.disableKeywordReplacement,
     });
     (0, utils_1.clearTenantFlags)(tenant);
-    const sessionDurations = (0, sessionDurationsToMinutes_1.sessionDurationsToMinutes)({ session_lifetime, idle_session_lifetime });
+    const sessionDurations = (0, sessionDurationsToMinutes_1.sessionDurationsToMinutes)({
+        session_lifetime,
+        idle_session_lifetime,
+        idle_ephemeral_session_lifetime,
+        ephemeral_session_lifetime,
+    });
     return {
         //@ts-ignore
         tenant: {

package/lib/context/directory/index.js

@@ -63,6 +63,9 @@ class DirectoryContext {
             resourceServers: config.AUTH0_EXCLUDED_RESOURCE_SERVERS || [],
             defaults: config.AUTH0_EXCLUDED_DEFAULTS || [],
         };
+        this.assets.include = {
+            connections: config.AUTH0_INCLUDED_CONNECTIONS || [],
+        };
     }
     loadFile(f, folder) {
         const basePath = path.join(this.filePath, folder);

package/lib/context/index.js

@@ -26,6 +26,7 @@ const nonPrimitiveProps = [
     'AUTH0_INCLUDED_ONLY',
     'EXCLUDED_PROPS',
     'INCLUDED_PROPS',
+    'AUTH0_INCLUDED_CONNECTIONS',
 ];
 const EA_FEATURES = [];
 const setupContext = async (config, command) => {
@@ -97,6 +98,15 @@ const setupContext = async (config, command) => {
             logger_1.default.warn(`Usage of the ${usedDeprecatedParams.join(', ')} exclusion ${usedDeprecatedParams.length > 1 ? 'params are' : 'param is'} deprecated and may be removed from future major versions. See: https://github.com/auth0/auth0-deploy-cli/issues/451#user-content-deprecated-exclusion-props for details.`);
         }
     })(config);
+    ((config) => {
+        const hasIncludedConnections = config.AUTH0_INCLUDED_CONNECTIONS !== undefined &&
+            config.AUTH0_INCLUDED_CONNECTIONS.length > 0;
+        const hasExcludedConnections = config.AUTH0_EXCLUDED_CONNECTIONS !== undefined &&
+            config.AUTH0_EXCLUDED_CONNECTIONS.length > 0;
+        if (hasIncludedConnections && hasExcludedConnections) {
+            throw new Error('Both AUTH0_INCLUDED_CONNECTIONS and AUTH0_EXCLUDED_CONNECTIONS configuration values are defined, only one can be configured at a time.');
+        }
+    })(config);
     ((config) => {
         // Check if experimental early access features are enabled
         if (config.AUTH0_EXPERIMENTAL_EA) {

package/lib/context/yaml/handlers/tenant.js

@@ -6,9 +6,14 @@ async function parse(context) {
     if (!context.assets.tenant)
         return { tenant: null };
     /* eslint-disable camelcase */
-    const { session_lifetime, idle_session_lifetime, ...tenant } = context.assets.tenant;
+    const { session_lifetime, idle_session_lifetime, idle_ephemeral_session_lifetime, ephemeral_session_lifetime, ...tenant } = context.assets.tenant;
     (0, utils_1.clearTenantFlags)(tenant);
-    const sessionDurations = (0, sessionDurationsToMinutes_1.sessionDurationsToMinutes)({ session_lifetime, idle_session_lifetime });
+    const sessionDurations = (0, sessionDurationsToMinutes_1.sessionDurationsToMinutes)({
+        session_lifetime,
+        idle_session_lifetime,
+        idle_ephemeral_session_lifetime,
+        ephemeral_session_lifetime,
+    });
     return {
         tenant: {
             ...tenant,

package/lib/context/yaml/index.js

@@ -32,6 +32,9 @@ class YAMLContext {
             resourceServers: config.AUTH0_EXCLUDED_RESOURCE_SERVERS || [],
             defaults: config.AUTH0_EXCLUDED_DEFAULTS || [],
         };
+        this.assets.include = {
+            connections: config.AUTH0_INCLUDED_CONNECTIONS || [],
+        };
         this.basePath = (() => {
             if (!!config.AUTH0_BASE_PATH)
                 return config.AUTH0_BASE_PATH;
@@ -80,6 +83,7 @@ class YAMLContext {
         }, {});
         const initialAssets = {
             exclude: this.assets.exclude, // Keep the exclude rules in result assets
+            include: this.assets.include, // Keep the include rules in result assets
         };
         this.assets = Object.keys(this.assets).reduce((acc, key) => {
             // Get the list of asset types to include
@@ -173,6 +177,7 @@ class YAMLContext {
         let cleaned = (0, readonly_1.default)(this.assets, this.config);
         // Delete exclude as it's not part of the auth0 tenant config
         delete cleaned.exclude;
+        delete cleaned.include;
         // Optionally Strip identifiers
         if (!this.config.AUTH0_EXPORT_IDENTIFIERS) {
             cleaned = (0, utils_1.stripIdentifiers)(auth0, cleaned);

package/lib/sessionDurationsToMinutes.d.ts

@@ -1,7 +1,11 @@
-export declare const sessionDurationsToMinutes: ({ session_lifetime, idle_session_lifetime, }: {
+export declare const sessionDurationsToMinutes: ({ session_lifetime, idle_session_lifetime, idle_ephemeral_session_lifetime, ephemeral_session_lifetime, }: {
     session_lifetime?: number;
     idle_session_lifetime?: number;
+    idle_ephemeral_session_lifetime?: number;
+    ephemeral_session_lifetime?: number;
 }) => {
     session_lifetime_in_minutes?: number;
     idle_session_lifetime_in_minutes?: number;
+    idle_ephemeral_session_lifetime_in_minutes?: number;
+    ephemeral_session_lifetime_in_minutes?: number;
 };

package/lib/sessionDurationsToMinutes.js

@@ -4,12 +4,16 @@ exports.sessionDurationsToMinutes = void 0;
 function hoursToMinutes(hours) {
     return Math.round(hours * 60);
 }
-const sessionDurationsToMinutes = ({ session_lifetime, idle_session_lifetime, }) => {
+const sessionDurationsToMinutes = ({ session_lifetime, idle_session_lifetime, idle_ephemeral_session_lifetime, ephemeral_session_lifetime, }) => {
     const sessionDurations = {};
     if (!!session_lifetime)
         sessionDurations.session_lifetime_in_minutes = hoursToMinutes(session_lifetime);
     if (!!idle_session_lifetime)
         sessionDurations.idle_session_lifetime_in_minutes = hoursToMinutes(idle_session_lifetime);
+    if (!!idle_ephemeral_session_lifetime)
+        sessionDurations.idle_ephemeral_session_lifetime_in_minutes = hoursToMinutes(idle_ephemeral_session_lifetime);
+    if (!!ephemeral_session_lifetime)
+        sessionDurations.ephemeral_session_lifetime_in_minutes = hoursToMinutes(ephemeral_session_lifetime);
     return sessionDurations;
 };
 exports.sessionDurationsToMinutes = sessionDurationsToMinutes;

package/lib/tools/auth0/handlers/actions.js

@@ -114,7 +114,7 @@ class ActionHandler extends default_1.default {
             type: 'actions',
             functions: {
                 create: (action) => this.createAction(action),
-                update: ({ id }, action) => this.updateAction(id, action),
+                update: (id, action) => this.updateAction(id, action),
                 delete: (actionId) => this.deleteAction(actionId),
             },
             stripUpdateFields: ['deployed', 'status'],

package/lib/tools/auth0/handlers/clientGrants.d.ts

@@ -33,6 +33,10 @@ export declare const schema: {
                 };
                 uniqueItems: boolean;
             };
+            allow_all_scopes: {
+                type: string;
+                description: string;
+            };
         };
         required: string[];
     };
@@ -42,6 +46,7 @@ export default class ClientGrantsHandler extends DefaultHandler {
     existing: ClientGrant[] | null;
     constructor(config: DefaultAPIHandler);
     objString(item: any): string;
+    validate(assets: Assets): Promise<void>;
     getType(): Promise<ClientGrant[]>;
     processChanges(assets: Assets): Promise<void>;
 }

package/lib/tools/auth0/handlers/clientGrants.js

@@ -69,6 +69,10 @@ exports.schema = {
                 },
                 uniqueItems: true,
             },
+            allow_all_scopes: {
+                type: 'boolean',
+                description: 'When enabled, all scopes configured on the resource server are allowed for by this client grant.',
+            },
         },
         required: ['client_id', 'audience'],
     },
@@ -81,15 +85,26 @@ class ClientGrantsHandler extends default_1.default {
             id: 'id',
             // @ts-ignore because not sure why two-dimensional array passed in
             identifiers: ['id', ['client_id', 'audience']],
-            functions: {
-                update: async ({ id }, bodyParams) => this.client.clientGrants.update(id, bodyParams),
-            },
             stripUpdateFields: ['audience', 'client_id', 'subject_type', 'is_system'],
         });
     }
     objString(item) {
         return super.objString({ id: item.id, client_id: item.client_id, audience: item.audience });
     }
+    async validate(assets) {
+        const { clientGrants } = assets;
+        // Do nothing if not set
+        if (!clientGrants)
+            return;
+        // Validate each client grant
+        clientGrants.forEach((grant) => {
+            // When allow_all_scopes is true, scope should not be present
+            if (grant.allow_all_scopes === true && grant.scope && grant.scope.length > 0) {
+                throw new Error(`Client grant for client_id "${grant.client_id}" and audience "${grant.audience}": Cannot specify "scope" when "allow_all_scopes" is set to true. Remove the "scope" property or set "allow_all_scopes" to false.`);
+            }
+        });
+        await super.validate(assets);
+    }
     async getType() {
         if (this.existing) {
             return this.existing;

package/lib/tools/auth0/handlers/clients.d.ts

@@ -263,6 +263,49 @@ export declare const schema: {
                     };
                 };
             };
+            oidc_logout: {
+                type: string[];
+                description: string;
+                properties: {
+                    backchannel_logout_urls: {
+                        type: string;
+                        description: string;
+                        items: {
+                            type: string;
+                        };
+                    };
+                    backchannel_logout_initiators: {
+                        type: string;
+                        description: string;
+                        properties: {
+                            mode: {
+                                type: string;
+                                schemaName: string;
+                                enum: string[];
+                                description: string;
+                            };
+                            selected_initiators: {
+                                type: string;
+                                items: {
+                                    type: string;
+                                    enum: string[];
+                                    description: string;
+                                };
+                            };
+                        };
+                    };
+                    backchannel_logout_session_metadata: {
+                        type: string[];
+                        description: string;
+                        properties: {
+                            include: {
+                                type: string;
+                                description: string;
+                            };
+                        };
+                    };
+                };
+            };
         };
         required: string[];
     };
@@ -273,14 +316,6 @@ export default class ClientHandler extends DefaultAPIHandler {
     constructor(config: DefaultAPIHandler);
     objString(item: any): string;
     processChanges(assets: Assets): Promise<void>;
-    /**
-     * @description
-     * Sanitize the deprecated field `cross_origin_auth` to `cross_origin_authentication`
-     *
-     * @param {Client[]} clients - The client array to sanitize.
-     * @returns {Client[]} The sanitized array of clients.
-     */
-    private sanitizeCrossOriginAuth;
     getType(): Promise<Management.Client[]>;
     sanitizeMapExpressConfiguration(auth0Client: Auth0APIClient, clientList: Client[]): Promise<Client[]>;
 }

package/lib/tools/auth0/handlers/clients.js

@@ -263,10 +263,111 @@ exports.schema = {
                     },
                 },
             },
+            oidc_logout: {
+                type: ['object', 'null'],
+                description: 'Configuration for OIDC backchannel logout',
+                properties: {
+                    backchannel_logout_urls: {
+                        type: 'array',
+                        description: 'Comma-separated list of URLs that are valid to call back from Auth0 for OIDC backchannel logout. Currently only one URL is allowed.',
+                        items: {
+                            type: 'string',
+                        },
+                    },
+                    backchannel_logout_initiators: {
+                        type: 'object',
+                        description: 'Configuration for OIDC backchannel logout initiators',
+                        properties: {
+                            mode: {
+                                type: 'string',
+                                schemaName: 'ClientOIDCBackchannelLogoutInitiatorsModeEnum',
+                                enum: ['custom', 'all'],
+                                description: 'The `mode` property determines the configuration method for enabling initiators. `custom` enables only the initiators listed in the selected_initiators array, `all` enables all current and future initiators.',
+                            },
+                            selected_initiators: {
+                                type: 'array',
+                                items: {
+                                    type: 'string',
+                                    enum: [
+                                        'rp-logout',
+                                        'idp-logout',
+                                        'password-changed',
+                                        'session-expired',
+                                        'session-revoked',
+                                        'account-deleted',
+                                        'email-identifier-changed',
+                                        'mfa-phone-unenrolled',
+                                        'account-deactivated',
+                                    ],
+                                    description: 'The `selected_initiators` property contains the list of initiators to be enabled for the given application.',
+                                },
+                            },
+                        },
+                    },
+                    backchannel_logout_session_metadata: {
+                        type: ['object', 'null'],
+                        description: 'Controls whether session metadata is included in the logout token. Default value is null.',
+                        properties: {
+                            include: {
+                                type: 'boolean',
+                                description: 'The `include` property determines whether session metadata is included in the logout token.',
+                            },
+                        },
+                    },
+                },
+            },
         },
         required: ['name'],
     },
 };
+const createClientSanitizer = (clients) => {
+    let sanitized = clients;
+    return {
+        sanitizeCrossOriginAuth() {
+            const deprecatedClients = [];
+            sanitized = sanitized.map((client) => {
+                let updated = { ...client };
+                if ((0, lodash_1.has)(updated, 'cross_origin_auth')) {
+                    const clientName = client.name || client.client_id || 'unknown client';
+                    deprecatedClients.push(clientName);
+                    if (!(0, lodash_1.has)(updated, 'cross_origin_authentication')) {
+                        updated.cross_origin_authentication = updated.cross_origin_auth;
+                    }
+                    updated = (0, lodash_1.omit)(updated, 'cross_origin_auth');
+                }
+                return updated;
+            });
+            if (deprecatedClients.length > 0) {
+                logger_1.default.warn("The 'cross_origin_auth' parameter is deprecated in clients and scheduled for removal in future releases.\n" +
+                    `Use 'cross_origin_authentication' going forward. Clients using the deprecated setting: [${deprecatedClients.join(', ')}]`);
+            }
+            return this;
+        },
+        sanitizeOidcLogout() {
+            const deprecatedClients = [];
+            sanitized = sanitized.map((client) => {
+                let updated = { ...client };
+                if ((0, lodash_1.has)(updated, 'oidc_backchannel_logout')) {
+                    const clientName = client.name || client.client_id || 'unknown client';
+                    deprecatedClients.push(clientName);
+                    if (!(0, lodash_1.has)(updated, 'oidc_logout')) {
+                        updated.oidc_logout = updated.oidc_backchannel_logout;
+                    }
+                    updated = (0, lodash_1.omit)(updated, 'oidc_backchannel_logout');
+                }
+                return updated;
+            });
+            if (deprecatedClients.length > 0) {
+                logger_1.default.warn("The 'oidc_backchannel_logout' parameter is deprecated in clients and scheduled for removal in future releases.\n" +
+                    `Use 'oidc_logout' going forward. Clients using the deprecated setting: [${deprecatedClients.join(', ')}]`);
+            }
+            return this;
+        },
+        get: () => {
+            return sanitized;
+        },
+    };
+};
 class ClientHandler extends default_1.default {
     constructor(config) {
         super({
@@ -284,11 +385,6 @@ class ClientHandler extends default_1.default {
                 'jwt_configuration.secret_encoded',
                 'resource_server_identifier',
             ],
-            functions: {
-                update: async (
-                // eslint-disable-next-line camelcase
-                { client_id }, bodyParams) => this.client.clients.update(client_id, bodyParams),
-            },
         });
     }
     objString(item) {
@@ -319,7 +415,10 @@ class ClientHandler extends default_1.default {
             (!excludeThirdPartyClients || item.is_first_party));
         // Sanitize client fields
         const sanitizeClientFields = (list) => {
-            const sanitizedClients = this.sanitizeCrossOriginAuth(list);
+            const sanitizedClients = createClientSanitizer(list)
+                .sanitizeCrossOriginAuth()
+                .sanitizeOidcLogout()
+                .get();
             return sanitizedClients.map((item) => {
                 if (item.app_type === 'resource_server') {
                     if ('oidc_backchannel_logout' in item) {
@@ -345,33 +444,6 @@ class ClientHandler extends default_1.default {
             ...changes,
         });
     }
-    /**
-     * @description
-     * Sanitize the deprecated field `cross_origin_auth` to `cross_origin_authentication`
-     *
-     * @param {Client[]} clients - The client array to sanitize.
-     * @returns {Client[]} The sanitized array of clients.
-     */
-    sanitizeCrossOriginAuth(clients) {
-        const deprecatedClients = [];
-        const updatedClients = clients.map((client) => {
-            let updated = { ...client };
-            if ((0, lodash_1.has)(updated, 'cross_origin_auth')) {
-                const clientName = client.name || client.client_id || 'unknown client';
-                deprecatedClients.push(clientName);
-                if (!(0, lodash_1.has)(updated, 'cross_origin_authentication')) {
-                    updated.cross_origin_authentication = updated.cross_origin_auth;
-                }
-                updated = (0, lodash_1.omit)(updated, 'cross_origin_auth');
-            }
-            return updated;
-        });
-        if (deprecatedClients.length > 0) {
-            logger_1.default.warn("The 'cross_origin_auth' parameter is deprecated in clients and scheduled for removal in future releases.\n" +
-                `Use 'cross_origin_authentication' going forward. Clients using the deprecated setting: [${deprecatedClients.join(', ')}]`);
-        }
-        return updatedClients;
-    }
     async getType() {
         if (this.existing)
             return this.existing;
@@ -382,8 +454,7 @@ class ClientHandler extends default_1.default {
             is_global: false,
             ...(excludeThirdPartyClients && { is_first_party: true }),
         });
-        const sanitizedClients = this.sanitizeCrossOriginAuth(clients);
-        this.existing = sanitizedClients;
+        this.existing = createClientSanitizer(clients).sanitizeCrossOriginAuth().get();
         return this.existing;
     }
     // convert names back to IDs for express configuration

package/lib/tools/auth0/handlers/connectionProfiles.js

@@ -206,9 +206,6 @@ class ConnectionProfilesHandler extends default_1.default {
             type: 'connectionProfiles',
             id: 'id',
             identifiers: ['id', 'name'],
-            functions: {
-                update: (args, data) => this.client.connectionProfiles.update(args?.id, data),
-            },
         });
     }
     objString(item) {

package/lib/tools/auth0/handlers/connections.d.ts

@@ -107,10 +107,10 @@ export declare const schema: {
         required: string[];
     };
 };
-type DirectoryProvisioningConfig = Management.GetDirectoryProvisioningResponseContent;
+type DirectoryProvisioningConfig = Management.DirectoryProvisioning;
 export type Connection = Management.ConnectionForList & {
     enabled_clients?: string[];
-    directory_provisioning_configuration?: DirectoryProvisioningConfig;
+    directory_provisioning_configuration?: Pick<DirectoryProvisioningConfig, 'mapping' | 'synchronize_automatically'>;
 };
 export declare const addExcludedConnectionPropertiesToChanges: ({ proposedChanges, existingConnections, config, }: {
     proposedChanges: CalculatedChanges;
@@ -165,11 +165,10 @@ export default class ConnectionsHandler extends DefaultAPIHandler {
         options?: undefined;
     };
     /**
-     * Retrieves directory provisioning configuration for a specific Auth0 connection.
-     * @param connectionId - The unique identifier of the connection
-     * @returns A promise that resolves to the configuration object, or null if not configured/supported
+     * Retrieves all directory provisioning configurations for all connections.
+     * @returns A promise that resolves to the configurations object, or null if not configured/supported
      */
-    getConnectionDirectoryProvisioning(connectionId: string): Promise<DirectoryProvisioningConfig | null>;
+    getConnectionDirectoryProvisionings(): Promise<DirectoryProvisioningConfig[] | null>;
     /**
      * Creates directory provisioning configuration for a connection.
      */