auth0-deploy-cli 8.25.0 → 8.26.0

package/.github/workflows/claude-code-review.yml

@@ -1,10 +1,7 @@
 name: Claude Code PR Review
 
 on:
-  issue_comment:
-    types: [created]
-  pull_request_review_comment:
-    types: [created]
+  workflow_dispatch:
 
 jobs:
   claude-review:

package/CHANGELOG.md

@@ -7,6 +7,25 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [8.26.0] - 2026-01-30
+
+### Added
+
+- Add support for `use_for_organization_discovery` in organizations `discovery-domains`. [#1283]
+- Add support for passwordless authentication methods (`email_otp` and `phone_otp`) in `databases`. [#1282]
+- Add support for `relying_party_identifier` in `customDomains`. [#1280]
+- Add support for `allow_all_scopes` property in `clientGrants`. [#1278]
+- Add OIDC logout configuration support with session metadata in `clients`. [#1263]
+
+### Changed
+
+- Optimize directory provisioning configuration fetching for `connections`. [#1284]
+
+### Fixed
+
+- Fix exclude read-only `is_default` from `customDomains`. [#1279]
+- Fix pagination skipping last page. [#1277]
+
 ## [8.25.0] - 2026-01-08
 
 ### Added
@@ -1606,7 +1625,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 [#1244]: https://github.com/auth0/auth0-deploy-cli/issues/1244
 [#1246]: https://github.com/auth0/auth0-deploy-cli/issues/1246
 [#1253]: https://github.com/auth0/auth0-deploy-cli/issues/1253
-[Unreleased]: https://github.com/auth0/auth0-deploy-cli/compare/v8.25.0...HEAD
+[#1261]: https://github.com/auth0/auth0-deploy-cli/issues/1261
+[#1263]: https://github.com/auth0/auth0-deploy-cli/issues/1263
+[#1277]: https://github.com/auth0/auth0-deploy-cli/issues/1277
+[#1278]: https://github.com/auth0/auth0-deploy-cli/issues/1278
+[#1279]: https://github.com/auth0/auth0-deploy-cli/issues/1279
+[#1280]: https://github.com/auth0/auth0-deploy-cli/issues/1280
+[#1282]: https://github.com/auth0/auth0-deploy-cli/issues/1282
+[#1283]: https://github.com/auth0/auth0-deploy-cli/issues/1283
+[#1284]: https://github.com/auth0/auth0-deploy-cli/issues/1284
+[Unreleased]: https://github.com/auth0/auth0-deploy-cli/compare/v8.26.0...HEAD
+[8.26.0]: https://github.com/auth0/auth0-deploy-cli/compare/v8.25.0...v8.26.0
 [8.25.0]: https://github.com/auth0/auth0-deploy-cli/compare/v8.24.0...v8.25.0
 [8.24.0]: https://github.com/auth0/auth0-deploy-cli/compare/v8.23.2...v8.24.0
 [8.23.2]: https://github.com/auth0/auth0-deploy-cli/compare/v8.23.1...v8.23.2

package/lib/tools/auth0/handlers/actions.js

@@ -114,7 +114,7 @@ class ActionHandler extends default_1.default {
             type: 'actions',
             functions: {
                 create: (action) => this.createAction(action),
-                update: ({ id }, action) => this.updateAction(id, action),
+                update: (id, action) => this.updateAction(id, action),
                 delete: (actionId) => this.deleteAction(actionId),
             },
             stripUpdateFields: ['deployed', 'status'],

package/lib/tools/auth0/handlers/clientGrants.d.ts

@@ -33,6 +33,10 @@ export declare const schema: {
                 };
                 uniqueItems: boolean;
             };
+            allow_all_scopes: {
+                type: string;
+                description: string;
+            };
         };
         required: string[];
     };
@@ -42,6 +46,7 @@ export default class ClientGrantsHandler extends DefaultHandler {
     existing: ClientGrant[] | null;
     constructor(config: DefaultAPIHandler);
     objString(item: any): string;
+    validate(assets: Assets): Promise<void>;
     getType(): Promise<ClientGrant[]>;
     processChanges(assets: Assets): Promise<void>;
 }

package/lib/tools/auth0/handlers/clientGrants.js

@@ -69,6 +69,10 @@ exports.schema = {
                 },
                 uniqueItems: true,
             },
+            allow_all_scopes: {
+                type: 'boolean',
+                description: 'When enabled, all scopes configured on the resource server are allowed for by this client grant.',
+            },
         },
         required: ['client_id', 'audience'],
     },
@@ -81,15 +85,26 @@ class ClientGrantsHandler extends default_1.default {
             id: 'id',
             // @ts-ignore because not sure why two-dimensional array passed in
             identifiers: ['id', ['client_id', 'audience']],
-            functions: {
-                update: async ({ id }, bodyParams) => this.client.clientGrants.update(id, bodyParams),
-            },
             stripUpdateFields: ['audience', 'client_id', 'subject_type', 'is_system'],
         });
     }
     objString(item) {
         return super.objString({ id: item.id, client_id: item.client_id, audience: item.audience });
     }
+    async validate(assets) {
+        const { clientGrants } = assets;
+        // Do nothing if not set
+        if (!clientGrants)
+            return;
+        // Validate each client grant
+        clientGrants.forEach((grant) => {
+            // When allow_all_scopes is true, scope should not be present
+            if (grant.allow_all_scopes === true && grant.scope && grant.scope.length > 0) {
+                throw new Error(`Client grant for client_id "${grant.client_id}" and audience "${grant.audience}": Cannot specify "scope" when "allow_all_scopes" is set to true. Remove the "scope" property or set "allow_all_scopes" to false.`);
+            }
+        });
+        await super.validate(assets);
+    }
     async getType() {
         if (this.existing) {
             return this.existing;

package/lib/tools/auth0/handlers/clients.d.ts

@@ -263,6 +263,49 @@ export declare const schema: {
                     };
                 };
             };
+            oidc_logout: {
+                type: string[];
+                description: string;
+                properties: {
+                    backchannel_logout_urls: {
+                        type: string;
+                        description: string;
+                        items: {
+                            type: string;
+                        };
+                    };
+                    backchannel_logout_initiators: {
+                        type: string;
+                        description: string;
+                        properties: {
+                            mode: {
+                                type: string;
+                                schemaName: string;
+                                enum: string[];
+                                description: string;
+                            };
+                            selected_initiators: {
+                                type: string;
+                                items: {
+                                    type: string;
+                                    enum: string[];
+                                    description: string;
+                                };
+                            };
+                        };
+                    };
+                    backchannel_logout_session_metadata: {
+                        type: string[];
+                        description: string;
+                        properties: {
+                            include: {
+                                type: string;
+                                description: string;
+                            };
+                        };
+                    };
+                };
+            };
         };
         required: string[];
     };
@@ -273,14 +316,6 @@ export default class ClientHandler extends DefaultAPIHandler {
     constructor(config: DefaultAPIHandler);
     objString(item: any): string;
     processChanges(assets: Assets): Promise<void>;
-    /**
-     * @description
-     * Sanitize the deprecated field `cross_origin_auth` to `cross_origin_authentication`
-     *
-     * @param {Client[]} clients - The client array to sanitize.
-     * @returns {Client[]} The sanitized array of clients.
-     */
-    private sanitizeCrossOriginAuth;
     getType(): Promise<Management.Client[]>;
     sanitizeMapExpressConfiguration(auth0Client: Auth0APIClient, clientList: Client[]): Promise<Client[]>;
 }

package/lib/tools/auth0/handlers/clients.js

@@ -263,10 +263,111 @@ exports.schema = {
                     },
                 },
             },
+            oidc_logout: {
+                type: ['object', 'null'],
+                description: 'Configuration for OIDC backchannel logout',
+                properties: {
+                    backchannel_logout_urls: {
+                        type: 'array',
+                        description: 'Comma-separated list of URLs that are valid to call back from Auth0 for OIDC backchannel logout. Currently only one URL is allowed.',
+                        items: {
+                            type: 'string',
+                        },
+                    },
+                    backchannel_logout_initiators: {
+                        type: 'object',
+                        description: 'Configuration for OIDC backchannel logout initiators',
+                        properties: {
+                            mode: {
+                                type: 'string',
+                                schemaName: 'ClientOIDCBackchannelLogoutInitiatorsModeEnum',
+                                enum: ['custom', 'all'],
+                                description: 'The `mode` property determines the configuration method for enabling initiators. `custom` enables only the initiators listed in the selected_initiators array, `all` enables all current and future initiators.',
+                            },
+                            selected_initiators: {
+                                type: 'array',
+                                items: {
+                                    type: 'string',
+                                    enum: [
+                                        'rp-logout',
+                                        'idp-logout',
+                                        'password-changed',
+                                        'session-expired',
+                                        'session-revoked',
+                                        'account-deleted',
+                                        'email-identifier-changed',
+                                        'mfa-phone-unenrolled',
+                                        'account-deactivated',
+                                    ],
+                                    description: 'The `selected_initiators` property contains the list of initiators to be enabled for the given application.',
+                                },
+                            },
+                        },
+                    },
+                    backchannel_logout_session_metadata: {
+                        type: ['object', 'null'],
+                        description: 'Controls whether session metadata is included in the logout token. Default value is null.',
+                        properties: {
+                            include: {
+                                type: 'boolean',
+                                description: 'The `include` property determines whether session metadata is included in the logout token.',
+                            },
+                        },
+                    },
+                },
+            },
         },
         required: ['name'],
     },
 };
+const createClientSanitizer = (clients) => {
+    let sanitized = clients;
+    return {
+        sanitizeCrossOriginAuth() {
+            const deprecatedClients = [];
+            sanitized = sanitized.map((client) => {
+                let updated = { ...client };
+                if ((0, lodash_1.has)(updated, 'cross_origin_auth')) {
+                    const clientName = client.name || client.client_id || 'unknown client';
+                    deprecatedClients.push(clientName);
+                    if (!(0, lodash_1.has)(updated, 'cross_origin_authentication')) {
+                        updated.cross_origin_authentication = updated.cross_origin_auth;
+                    }
+                    updated = (0, lodash_1.omit)(updated, 'cross_origin_auth');
+                }
+                return updated;
+            });
+            if (deprecatedClients.length > 0) {
+                logger_1.default.warn("The 'cross_origin_auth' parameter is deprecated in clients and scheduled for removal in future releases.\n" +
+                    `Use 'cross_origin_authentication' going forward. Clients using the deprecated setting: [${deprecatedClients.join(', ')}]`);
+            }
+            return this;
+        },
+        sanitizeOidcLogout() {
+            const deprecatedClients = [];
+            sanitized = sanitized.map((client) => {
+                let updated = { ...client };
+                if ((0, lodash_1.has)(updated, 'oidc_backchannel_logout')) {
+                    const clientName = client.name || client.client_id || 'unknown client';
+                    deprecatedClients.push(clientName);
+                    if (!(0, lodash_1.has)(updated, 'oidc_logout')) {
+                        updated.oidc_logout = updated.oidc_backchannel_logout;
+                    }
+                    updated = (0, lodash_1.omit)(updated, 'oidc_backchannel_logout');
+                }
+                return updated;
+            });
+            if (deprecatedClients.length > 0) {
+                logger_1.default.warn("The 'oidc_backchannel_logout' parameter is deprecated in clients and scheduled for removal in future releases.\n" +
+                    `Use 'oidc_logout' going forward. Clients using the deprecated setting: [${deprecatedClients.join(', ')}]`);
+            }
+            return this;
+        },
+        get: () => {
+            return sanitized;
+        },
+    };
+};
 class ClientHandler extends default_1.default {
     constructor(config) {
         super({
@@ -284,11 +385,6 @@ class ClientHandler extends default_1.default {
                 'jwt_configuration.secret_encoded',
                 'resource_server_identifier',
             ],
-            functions: {
-                update: async (
-                // eslint-disable-next-line camelcase
-                { client_id }, bodyParams) => this.client.clients.update(client_id, bodyParams),
-            },
         });
     }
     objString(item) {
@@ -319,7 +415,10 @@ class ClientHandler extends default_1.default {
             (!excludeThirdPartyClients || item.is_first_party));
         // Sanitize client fields
         const sanitizeClientFields = (list) => {
-            const sanitizedClients = this.sanitizeCrossOriginAuth(list);
+            const sanitizedClients = createClientSanitizer(list)
+                .sanitizeCrossOriginAuth()
+                .sanitizeOidcLogout()
+                .get();
             return sanitizedClients.map((item) => {
                 if (item.app_type === 'resource_server') {
                     if ('oidc_backchannel_logout' in item) {
@@ -345,33 +444,6 @@ class ClientHandler extends default_1.default {
             ...changes,
         });
     }
-    /**
-     * @description
-     * Sanitize the deprecated field `cross_origin_auth` to `cross_origin_authentication`
-     *
-     * @param {Client[]} clients - The client array to sanitize.
-     * @returns {Client[]} The sanitized array of clients.
-     */
-    sanitizeCrossOriginAuth(clients) {
-        const deprecatedClients = [];
-        const updatedClients = clients.map((client) => {
-            let updated = { ...client };
-            if ((0, lodash_1.has)(updated, 'cross_origin_auth')) {
-                const clientName = client.name || client.client_id || 'unknown client';
-                deprecatedClients.push(clientName);
-                if (!(0, lodash_1.has)(updated, 'cross_origin_authentication')) {
-                    updated.cross_origin_authentication = updated.cross_origin_auth;
-                }
-                updated = (0, lodash_1.omit)(updated, 'cross_origin_auth');
-            }
-            return updated;
-        });
-        if (deprecatedClients.length > 0) {
-            logger_1.default.warn("The 'cross_origin_auth' parameter is deprecated in clients and scheduled for removal in future releases.\n" +
-                `Use 'cross_origin_authentication' going forward. Clients using the deprecated setting: [${deprecatedClients.join(', ')}]`);
-        }
-        return updatedClients;
-    }
     async getType() {
         if (this.existing)
             return this.existing;
@@ -382,8 +454,7 @@ class ClientHandler extends default_1.default {
             is_global: false,
             ...(excludeThirdPartyClients && { is_first_party: true }),
         });
-        const sanitizedClients = this.sanitizeCrossOriginAuth(clients);
-        this.existing = sanitizedClients;
+        this.existing = createClientSanitizer(clients).sanitizeCrossOriginAuth().get();
         return this.existing;
     }
     // convert names back to IDs for express configuration

package/lib/tools/auth0/handlers/connectionProfiles.js

@@ -206,9 +206,6 @@ class ConnectionProfilesHandler extends default_1.default {
             type: 'connectionProfiles',
             id: 'id',
             identifiers: ['id', 'name'],
-            functions: {
-                update: (args, data) => this.client.connectionProfiles.update(args?.id, data),
-            },
         });
     }
     objString(item) {

package/lib/tools/auth0/handlers/connections.d.ts

@@ -107,10 +107,10 @@ export declare const schema: {
         required: string[];
     };
 };
-type DirectoryProvisioningConfig = Management.GetDirectoryProvisioningResponseContent;
+type DirectoryProvisioningConfig = Management.DirectoryProvisioning;
 export type Connection = Management.ConnectionForList & {
     enabled_clients?: string[];
-    directory_provisioning_configuration?: DirectoryProvisioningConfig;
+    directory_provisioning_configuration?: Pick<DirectoryProvisioningConfig, 'mapping' | 'synchronize_automatically'>;
 };
 export declare const addExcludedConnectionPropertiesToChanges: ({ proposedChanges, existingConnections, config, }: {
     proposedChanges: CalculatedChanges;
@@ -165,11 +165,10 @@ export default class ConnectionsHandler extends DefaultAPIHandler {
         options?: undefined;
     };
     /**
-     * Retrieves directory provisioning configuration for a specific Auth0 connection.
-     * @param connectionId - The unique identifier of the connection
-     * @returns A promise that resolves to the configuration object, or null if not configured/supported
+     * Retrieves all directory provisioning configurations for all connections.
+     * @returns A promise that resolves to the configurations object, or null if not configured/supported
      */
-    getConnectionDirectoryProvisioning(connectionId: string): Promise<DirectoryProvisioningConfig | null>;
+    getConnectionDirectoryProvisionings(): Promise<DirectoryProvisioningConfig[] | null>;
     /**
      * Creates directory provisioning configuration for a connection.
      */

package/lib/tools/auth0/handlers/connections.js

@@ -168,16 +168,21 @@ const getConnectionEnabledClients = async (auth0Client, connectionId) => {
     try {
         const enabledClientsFormatted = [];
         let enabledClients = await auth0Client.connections.clients.get(connectionId);
-        do {
-            if (enabledClients && enabledClients.data?.length > 0) {
-                enabledClients.data.forEach((client) => {
-                    if (client?.client_id) {
-                        enabledClientsFormatted.push(client.client_id);
-                    }
-                });
+        // Process first page
+        enabledClients.data?.forEach((client) => {
+            if (client?.client_id) {
+                enabledClientsFormatted.push(client.client_id);
             }
+        });
+        // Fetch remaining pages
+        while (enabledClients.hasNextPage()) {
             enabledClients = await enabledClients.getNextPage();
-        } while (enabledClients.hasNextPage());
+            enabledClients.data?.forEach((client) => {
+                if (client?.client_id) {
+                    enabledClientsFormatted.push(client.client_id);
+                }
+            });
+        }
         return enabledClientsFormatted;
     }
     catch (error) {
@@ -277,7 +282,7 @@ class ConnectionsHandler extends default_1.default {
             functions: {
                 // When `connections` is updated, it can result in `update`,`create` or `delete` action on SCIM.
                 // Because, `scim_configuration` is inside `connections`.
-                update: async (requestParams, bodyParams) => this.scimHandler.updateOverride(requestParams, bodyParams),
+                update: async (connectionId, bodyParams) => this.scimHandler.updateOverride(connectionId, bodyParams),
                 // When a new `connection` is created. We can perform only `create` option on SCIM.
                 // When a connection is `deleted`. `scim_configuration` is also deleted along with it; no action on SCIM is required.
                 create: async (bodyParams) => this.scimHandler.createOverride(bodyParams),
@@ -306,45 +311,19 @@ class ConnectionsHandler extends default_1.default {
         }
     }
     /**
-     * Retrieves directory provisioning configuration for a specific Auth0 connection.
-     * @param connectionId - The unique identifier of the connection
-     * @returns A promise that resolves to the configuration object, or null if not configured/supported
+     * Retrieves all directory provisioning configurations for all connections.
+     * @returns A promise that resolves to the configurations object, or null if not configured/supported
      */
-    async getConnectionDirectoryProvisioning(connectionId) {
-        if (!connectionId)
-            return null;
-        const creates = [connectionId];
-        let config = null;
+    async getConnectionDirectoryProvisionings() {
+        let directoryProvisioningConfigs;
         try {
-            await this.client.pool
-                .addEachTask({
-                data: creates || [],
-                generator: async (id) => this.client.connections.directoryProvisioning
-                    .get(id)
-                    .then((resp) => {
-                    config = resp;
-                })
-                    .catch((err) => {
-                    throw new auth0_1.ManagementError(err);
-                }),
-            })
-                .promise();
-            const stripKeysFromOutput = [
-                'connection_id',
-                'connection_name',
-                'strategy',
-                'created_at',
-                'updated_at',
-            ];
-            stripKeysFromOutput.forEach((key) => {
-                if (config && key in config) {
-                    delete config[key];
-                }
+            directoryProvisioningConfigs = await (0, client_1.paginate)(this.client.connections.directoryProvisioning.list, {
+                checkpoint: true,
             });
-            return config;
+            return directoryProvisioningConfigs;
         }
         catch (error) {
-            const errLog = `Unable to fetch directory provisioning for connection '${connectionId}'. `;
+            const errLog = `Unable to fetch directory provisioning for connections. `;
             if (error instanceof auth0_1.ManagementError) {
                 const bodyMessage = error.body?.message;
                 logger_1.default.warn(errLog + bodyMessage);
@@ -471,9 +450,12 @@ class ConnectionsHandler extends default_1.default {
     async getType() {
         if (this.existing)
             return this.existing;
-        const connections = await (0, client_1.paginate)(this.client.connections.list, {
-            checkpoint: true,
-        });
+        const [connections, directoryProvisioningConfigs] = await Promise.all([
+            (0, client_1.paginate)(this.client.connections.list, {
+                checkpoint: true,
+            }),
+            this.getConnectionDirectoryProvisionings(),
+        ]);
         // Filter out database connections as we have separate handler for it
         const filteredConnections = connections.filter((c) => c.strategy !== 'auth0');
         // If options option is empty for all connection, log the missing options scope.
@@ -493,10 +475,13 @@ class ConnectionsHandler extends default_1.default {
             if (enabledClients && enabledClients?.length) {
                 connection.enabled_clients = enabledClients;
             }
-            if (connection.strategy === 'google-apps') {
-                const dirProvConfig = await this.getConnectionDirectoryProvisioning(con.id);
+            if (connection.strategy === 'google-apps' && directoryProvisioningConfigs) {
+                const dirProvConfig = directoryProvisioningConfigs.find((congigCon) => congigCon.connection_id === con.id);
                 if (dirProvConfig) {
-                    connection.directory_provisioning_configuration = dirProvConfig;
+                    connection.directory_provisioning_configuration = {
+                        mapping: dirProvConfig.mapping,
+                        synchronize_automatically: dirProvConfig.synchronize_automatically,
+                    };
                 }
             }
             return connection;

package/lib/tools/auth0/handlers/customDomains.d.ts

@@ -46,6 +46,10 @@ export declare const schema: {
                 description: string;
                 defaultValue: string;
             };
+            relying_party_identifier: {
+                type: string[];
+                description: string;
+            };
         };
         required: string[];
     };

package/lib/tools/auth0/handlers/customDomains.js

@@ -77,6 +77,10 @@ exports.schema = {
                 description: 'Custom domain verification method. Must be `txt`.',
                 defaultValue: 'txt',
             },
+            relying_party_identifier: {
+                type: ['string'],
+                description: 'Relying Party ID (rpId) to be used for Passkeys on this custom domain. If not provided or set to null, the full domain will be used.',
+            },
         },
         required: ['domain', 'type'],
     },
@@ -95,6 +99,7 @@ class CustomDomainsHadnler extends default_1.default {
                 'certificate',
                 'created_at',
                 'updated_at',
+                'is_default',
             ],
             stripUpdateFields: [
                 'status',
@@ -106,10 +111,8 @@ class CustomDomainsHadnler extends default_1.default {
                 'certificate',
                 'created_at',
                 'updated_at',
+                'is_default',
             ],
-            functions: {
-                update: (args, data) => this.client.customDomains.update(args.custom_domain_id, data),
-            },
         });
     }
     objString(item) {