auth0-deploy-cli 8.25.0 → 8.27.0

package/.github/workflows/claude-code-review.yml

@@ -1,10 +1,7 @@
 name: Claude Code PR Review
 
 on:
-  issue_comment:
-    types: [created]
-  pull_request_review_comment:
-    types: [created]
+  workflow_dispatch:
 
 jobs:
   claude-review:

package/CHANGELOG.md

@@ -7,6 +7,38 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [8.27.0] - 2026-02-13
+
+### Added
+
+- Add support for `custom_password_hash.action_id` in `databases` (Universal Custom Password Hash EA). [#1288]
+- Add support for `allowed_strategies` in `selfServiceProfiles`. [#1298]
+
+### Fixed
+
+- Fix validation handling for `authentication_methods.password.enabled` and `disable_self_service_change_password` in `databases`. [#1297]
+- Fix stripping deprecated `enabled_clients` for `connections` with enhanced client management. [#1294]
+- Fix exclude third-party `clientGrants` when `AUTH0_EXCLUDE_THIRD_PARTY_CLIENTS` is enabled. [#1289]
+
+## [8.26.0] - 2026-01-30
+
+### Added
+
+- Add support for `use_for_organization_discovery` in organizations `discovery-domains`. [#1283]
+- Add support for passwordless authentication methods (`email_otp` and `phone_otp`) in `databases`. [#1282]
+- Add support for `relying_party_identifier` in `customDomains`. [#1280]
+- Add support for `allow_all_scopes` property in `clientGrants`. [#1278]
+- Add OIDC logout configuration support with session metadata in `clients`. [#1263]
+
+### Changed
+
+- Optimize directory provisioning configuration fetching for `connections`. [#1284]
+
+### Fixed
+
+- Fix exclude read-only `is_default` from `customDomains`. [#1279]
+- Fix pagination skipping last page. [#1277]
+
 ## [8.25.0] - 2026-01-08
 
 ### Added
@@ -1606,7 +1638,23 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 [#1244]: https://github.com/auth0/auth0-deploy-cli/issues/1244
 [#1246]: https://github.com/auth0/auth0-deploy-cli/issues/1246
 [#1253]: https://github.com/auth0/auth0-deploy-cli/issues/1253
-[Unreleased]: https://github.com/auth0/auth0-deploy-cli/compare/v8.25.0...HEAD
+[#1261]: https://github.com/auth0/auth0-deploy-cli/issues/1261
+[#1263]: https://github.com/auth0/auth0-deploy-cli/issues/1263
+[#1277]: https://github.com/auth0/auth0-deploy-cli/issues/1277
+[#1278]: https://github.com/auth0/auth0-deploy-cli/issues/1278
+[#1279]: https://github.com/auth0/auth0-deploy-cli/issues/1279
+[#1280]: https://github.com/auth0/auth0-deploy-cli/issues/1280
+[#1282]: https://github.com/auth0/auth0-deploy-cli/issues/1282
+[#1283]: https://github.com/auth0/auth0-deploy-cli/issues/1283
+[#1284]: https://github.com/auth0/auth0-deploy-cli/issues/1284
+[#1288]: https://github.com/auth0/auth0-deploy-cli/issues/1288
+[#1289]: https://github.com/auth0/auth0-deploy-cli/issues/1289
+[#1294]: https://github.com/auth0/auth0-deploy-cli/issues/1294
+[#1297]: https://github.com/auth0/auth0-deploy-cli/issues/1297
+[#1298]: https://github.com/auth0/auth0-deploy-cli/issues/1298
+[Unreleased]: https://github.com/auth0/auth0-deploy-cli/compare/v8.27.0...HEAD
+[8.27.0]: https://github.com/auth0/auth0-deploy-cli/compare/v8.26.0...v8.27.0
+[8.26.0]: https://github.com/auth0/auth0-deploy-cli/compare/v8.25.0...v8.26.0
 [8.25.0]: https://github.com/auth0/auth0-deploy-cli/compare/v8.24.0...v8.25.0
 [8.24.0]: https://github.com/auth0/auth0-deploy-cli/compare/v8.23.2...v8.24.0
 [8.23.2]: https://github.com/auth0/auth0-deploy-cli/compare/v8.23.1...v8.23.2

package/lib/tools/auth0/handlers/actions.js

@@ -114,7 +114,7 @@ class ActionHandler extends default_1.default {
             type: 'actions',
             functions: {
                 create: (action) => this.createAction(action),
-                update: ({ id }, action) => this.updateAction(id, action),
+                update: (id, action) => this.updateAction(id, action),
                 delete: (actionId) => this.deleteAction(actionId),
             },
             stripUpdateFields: ['deployed', 'status'],

package/lib/tools/auth0/handlers/clientGrants.d.ts

@@ -33,6 +33,10 @@ export declare const schema: {
                 };
                 uniqueItems: boolean;
             };
+            allow_all_scopes: {
+                type: string;
+                description: string;
+            };
         };
         required: string[];
     };
@@ -42,6 +46,7 @@ export default class ClientGrantsHandler extends DefaultHandler {
     existing: ClientGrant[] | null;
     constructor(config: DefaultAPIHandler);
     objString(item: any): string;
+    validate(assets: Assets): Promise<void>;
     getType(): Promise<ClientGrant[]>;
     processChanges(assets: Assets): Promise<void>;
 }

package/lib/tools/auth0/handlers/clientGrants.js

@@ -69,6 +69,10 @@ exports.schema = {
                 },
                 uniqueItems: true,
             },
+            allow_all_scopes: {
+                type: 'boolean',
+                description: 'When enabled, all scopes configured on the resource server are allowed for by this client grant.',
+            },
         },
         required: ['client_id', 'audience'],
     },
@@ -81,15 +85,26 @@ class ClientGrantsHandler extends default_1.default {
             id: 'id',
             // @ts-ignore because not sure why two-dimensional array passed in
             identifiers: ['id', ['client_id', 'audience']],
-            functions: {
-                update: async ({ id }, bodyParams) => this.client.clientGrants.update(id, bodyParams),
-            },
             stripUpdateFields: ['audience', 'client_id', 'subject_type', 'is_system'],
         });
     }
     objString(item) {
         return super.objString({ id: item.id, client_id: item.client_id, audience: item.audience });
     }
+    async validate(assets) {
+        const { clientGrants } = assets;
+        // Do nothing if not set
+        if (!clientGrants)
+            return;
+        // Validate each client grant
+        clientGrants.forEach((grant) => {
+            // When allow_all_scopes is true, scope should not be present
+            if (grant.allow_all_scopes === true && grant.scope && grant.scope.length > 0) {
+                throw new Error(`Client grant for client_id "${grant.client_id}" and audience "${grant.audience}": Cannot specify "scope" when "allow_all_scopes" is set to true. Remove the "scope" property or set "allow_all_scopes" to false.`);
+            }
+        });
+        await super.validate(assets);
+    }
     async getType() {
         if (this.existing) {
             return this.existing;
@@ -102,6 +117,15 @@ class ClientGrantsHandler extends default_1.default {
         // As it could cause problems if the grants are deleted or updated etc
         const currentClient = this.config('AUTH0_CLIENT_ID');
         this.existing = this.existing.filter((grant) => grant.client_id !== currentClient);
+        // Filter out third-party client grants when AUTH0_EXCLUDE_THIRD_PARTY_CLIENTS is enabled
+        if ((0, utils_1.shouldExcludeThirdPartyClients)(this.config)) {
+            const clients = await (0, client_1.paginate)(this.client.clients.list, {
+                paginate: true,
+                is_first_party: true,
+            });
+            const firstPartyClientIds = new Set(clients.map((c) => c.client_id));
+            this.existing = this.existing.filter((grant) => firstPartyClientIds.has(grant.client_id));
+        }
         return this.existing;
     }
     // Run after clients are updated so we can convert client_id names to id's
@@ -125,19 +149,28 @@ class ClientGrantsHandler extends default_1.default {
         });
         // Always filter out the client we are using to access Auth0 Management API
         const currentClient = this.config('AUTH0_CLIENT_ID');
+        // Build a set of third-party client IDs for efficient lookup
+        const thirdPartyClientIds = new Set(clients.filter((c) => c.is_first_party === false).map((c) => c.client_id));
         const { del, update, create, conflicts } = await this.calcChanges({
             ...assets,
             clientGrants: formatted,
         });
         const filterGrants = (list) => {
+            let filtered = list;
+            // Filter out the current client (Auth0 Management API client)
+            filtered = filtered.filter((item) => item.client_id !== currentClient);
+            // Filter out excluded clients
             if (excludedClients.length) {
-                return list.filter((item) => item.client_id !== currentClient &&
-                    item.client_id &&
+                filtered = filtered.filter((item) => item.client_id &&
                     ![...excludedClientsByNames, ...excludedClients].includes(item.client_id));
             }
-            return list
-                .filter((item) => item.client_id !== currentClient)
-                .filter((item) => item.is_system !== true);
+            // Filter out system grants
+            filtered = filtered.filter((item) => item.is_system !== true);
+            // Filter out third-party client grants when flag is enabled
+            if ((0, utils_1.shouldExcludeThirdPartyClients)(this.config)) {
+                filtered = filtered.filter((item) => !thirdPartyClientIds.has(item.client_id));
+            }
+            return filtered;
         };
         const changes = {
             // @ts-ignore because this expects `client_id` and that's not yet typed on Asset

package/lib/tools/auth0/handlers/clients.d.ts

@@ -263,6 +263,49 @@ export declare const schema: {
                     };
                 };
             };
+            oidc_logout: {
+                type: string[];
+                description: string;
+                properties: {
+                    backchannel_logout_urls: {
+                        type: string;
+                        description: string;
+                        items: {
+                            type: string;
+                        };
+                    };
+                    backchannel_logout_initiators: {
+                        type: string;
+                        description: string;
+                        properties: {
+                            mode: {
+                                type: string;
+                                schemaName: string;
+                                enum: string[];
+                                description: string;
+                            };
+                            selected_initiators: {
+                                type: string;
+                                items: {
+                                    type: string;
+                                    enum: string[];
+                                    description: string;
+                                };
+                            };
+                        };
+                    };
+                    backchannel_logout_session_metadata: {
+                        type: string[];
+                        description: string;
+                        properties: {
+                            include: {
+                                type: string;
+                                description: string;
+                            };
+                        };
+                    };
+                };
+            };
         };
         required: string[];
     };
@@ -273,14 +316,6 @@ export default class ClientHandler extends DefaultAPIHandler {
     constructor(config: DefaultAPIHandler);
     objString(item: any): string;
     processChanges(assets: Assets): Promise<void>;
-    /**
-     * @description
-     * Sanitize the deprecated field `cross_origin_auth` to `cross_origin_authentication`
-     *
-     * @param {Client[]} clients - The client array to sanitize.
-     * @returns {Client[]} The sanitized array of clients.
-     */
-    private sanitizeCrossOriginAuth;
     getType(): Promise<Management.Client[]>;
     sanitizeMapExpressConfiguration(auth0Client: Auth0APIClient, clientList: Client[]): Promise<Client[]>;
 }

package/lib/tools/auth0/handlers/clients.js

@@ -10,6 +10,7 @@ const default_1 = __importDefault(require("./default"));
 const connectionProfiles_1 = require("./connectionProfiles");
 const userAttributeProfiles_1 = require("./userAttributeProfiles");
 const logger_1 = __importDefault(require("../../../logger"));
+const utils_1 = require("../../utils");
 const multiResourceRefreshTokenPoliciesSchema = {
     type: ['array', 'null'],
     description: 'A collection of policies governing multi-resource refresh token exchange (MRRT), defining how refresh tokens can be used across different resource servers',
@@ -263,10 +264,111 @@ exports.schema = {
                     },
                 },
             },
+            oidc_logout: {
+                type: ['object', 'null'],
+                description: 'Configuration for OIDC backchannel logout',
+                properties: {
+                    backchannel_logout_urls: {
+                        type: 'array',
+                        description: 'Comma-separated list of URLs that are valid to call back from Auth0 for OIDC backchannel logout. Currently only one URL is allowed.',
+                        items: {
+                            type: 'string',
+                        },
+                    },
+                    backchannel_logout_initiators: {
+                        type: 'object',
+                        description: 'Configuration for OIDC backchannel logout initiators',
+                        properties: {
+                            mode: {
+                                type: 'string',
+                                schemaName: 'ClientOIDCBackchannelLogoutInitiatorsModeEnum',
+                                enum: ['custom', 'all'],
+                                description: 'The `mode` property determines the configuration method for enabling initiators. `custom` enables only the initiators listed in the selected_initiators array, `all` enables all current and future initiators.',
+                            },
+                            selected_initiators: {
+                                type: 'array',
+                                items: {
+                                    type: 'string',
+                                    enum: [
+                                        'rp-logout',
+                                        'idp-logout',
+                                        'password-changed',
+                                        'session-expired',
+                                        'session-revoked',
+                                        'account-deleted',
+                                        'email-identifier-changed',
+                                        'mfa-phone-unenrolled',
+                                        'account-deactivated',
+                                    ],
+                                    description: 'The `selected_initiators` property contains the list of initiators to be enabled for the given application.',
+                                },
+                            },
+                        },
+                    },
+                    backchannel_logout_session_metadata: {
+                        type: ['object', 'null'],
+                        description: 'Controls whether session metadata is included in the logout token. Default value is null.',
+                        properties: {
+                            include: {
+                                type: 'boolean',
+                                description: 'The `include` property determines whether session metadata is included in the logout token.',
+                            },
+                        },
+                    },
+                },
+            },
         },
         required: ['name'],
     },
 };
+const createClientSanitizer = (clients) => {
+    let sanitized = clients;
+    return {
+        sanitizeCrossOriginAuth() {
+            const deprecatedClients = [];
+            sanitized = sanitized.map((client) => {
+                let updated = { ...client };
+                if ((0, lodash_1.has)(updated, 'cross_origin_auth')) {
+                    const clientName = client.name || client.client_id || 'unknown client';
+                    deprecatedClients.push(clientName);
+                    if (!(0, lodash_1.has)(updated, 'cross_origin_authentication')) {
+                        updated.cross_origin_authentication = updated.cross_origin_auth;
+                    }
+                    updated = (0, lodash_1.omit)(updated, 'cross_origin_auth');
+                }
+                return updated;
+            });
+            if (deprecatedClients.length > 0) {
+                logger_1.default.warn("The 'cross_origin_auth' parameter is deprecated in clients and scheduled for removal in future releases.\n" +
+                    `Use 'cross_origin_authentication' going forward. Clients using the deprecated setting: [${deprecatedClients.join(', ')}]`);
+            }
+            return this;
+        },
+        sanitizeOidcLogout() {
+            const deprecatedClients = [];
+            sanitized = sanitized.map((client) => {
+                let updated = { ...client };
+                if ((0, lodash_1.has)(updated, 'oidc_backchannel_logout')) {
+                    const clientName = client.name || client.client_id || 'unknown client';
+                    deprecatedClients.push(clientName);
+                    if (!(0, lodash_1.has)(updated, 'oidc_logout')) {
+                        updated.oidc_logout = updated.oidc_backchannel_logout;
+                    }
+                    updated = (0, lodash_1.omit)(updated, 'oidc_backchannel_logout');
+                }
+                return updated;
+            });
+            if (deprecatedClients.length > 0) {
+                logger_1.default.warn("The 'oidc_backchannel_logout' parameter is deprecated in clients and scheduled for removal in future releases.\n" +
+                    `Use 'oidc_logout' going forward. Clients using the deprecated setting: [${deprecatedClients.join(', ')}]`);
+            }
+            return this;
+        },
+        get: () => {
+            return sanitized;
+        },
+    };
+};
 class ClientHandler extends default_1.default {
     constructor(config) {
         super({
@@ -284,11 +386,6 @@ class ClientHandler extends default_1.default {
                 'jwt_configuration.secret_encoded',
                 'resource_server_identifier',
             ],
-            functions: {
-                update: async (
-                // eslint-disable-next-line camelcase
-                { client_id }, bodyParams) => this.client.clients.update(client_id, bodyParams),
-            },
         });
     }
     objString(item) {
@@ -301,8 +398,6 @@ class ClientHandler extends default_1.default {
             return;
         assets.clients = await this.sanitizeMapExpressConfiguration(this.client, clients);
         const excludedClients = (assets.exclude && assets.exclude.clients) || [];
-        const excludeThirdPartyClients = this.config('AUTH0_EXCLUDE_THIRD_PARTY_CLIENTS') === 'true' ||
-            this.config('AUTH0_EXCLUDE_THIRD_PARTY_CLIENTS') === true;
         const { del, update, create, conflicts } = await this.calcChanges(assets);
         // Always filter out the client we are using to access Auth0 Management API
         // As it could cause problems if it gets deleted or updated etc
@@ -316,10 +411,13 @@ class ClientHandler extends default_1.default {
         const filterClients = (list) => list.filter((item) => item.client_id !== currentClient &&
             item.name &&
             !excludedClients.includes(item.name) &&
-            (!excludeThirdPartyClients || item.is_first_party));
+            (!(0, utils_1.shouldExcludeThirdPartyClients)(this.config) || item.is_first_party));
         // Sanitize client fields
         const sanitizeClientFields = (list) => {
-            const sanitizedClients = this.sanitizeCrossOriginAuth(list);
+            const sanitizedClients = createClientSanitizer(list)
+                .sanitizeCrossOriginAuth()
+                .sanitizeOidcLogout()
+                .get();
             return sanitizedClients.map((item) => {
                 if (item.app_type === 'resource_server') {
                     if ('oidc_backchannel_logout' in item) {
@@ -345,45 +443,15 @@ class ClientHandler extends default_1.default {
             ...changes,
         });
     }
-    /**
-     * @description
-     * Sanitize the deprecated field `cross_origin_auth` to `cross_origin_authentication`
-     *
-     * @param {Client[]} clients - The client array to sanitize.
-     * @returns {Client[]} The sanitized array of clients.
-     */
-    sanitizeCrossOriginAuth(clients) {
-        const deprecatedClients = [];
-        const updatedClients = clients.map((client) => {
-            let updated = { ...client };
-            if ((0, lodash_1.has)(updated, 'cross_origin_auth')) {
-                const clientName = client.name || client.client_id || 'unknown client';
-                deprecatedClients.push(clientName);
-                if (!(0, lodash_1.has)(updated, 'cross_origin_authentication')) {
-                    updated.cross_origin_authentication = updated.cross_origin_auth;
-                }
-                updated = (0, lodash_1.omit)(updated, 'cross_origin_auth');
-            }
-            return updated;
-        });
-        if (deprecatedClients.length > 0) {
-            logger_1.default.warn("The 'cross_origin_auth' parameter is deprecated in clients and scheduled for removal in future releases.\n" +
-                `Use 'cross_origin_authentication' going forward. Clients using the deprecated setting: [${deprecatedClients.join(', ')}]`);
-        }
-        return updatedClients;
-    }
     async getType() {
         if (this.existing)
             return this.existing;
-        const excludeThirdPartyClients = this.config('AUTH0_EXCLUDE_THIRD_PARTY_CLIENTS') === 'true' ||
-            this.config('AUTH0_EXCLUDE_THIRD_PARTY_CLIENTS') === true;
         const clients = await (0, client_1.paginate)(this.client.clients.list, {
             paginate: true,
             is_global: false,
-            ...(excludeThirdPartyClients && { is_first_party: true }),
+            ...((0, utils_1.shouldExcludeThirdPartyClients)(this.config) && { is_first_party: true }),
         });
-        const sanitizedClients = this.sanitizeCrossOriginAuth(clients);
-        this.existing = sanitizedClients;
+        this.existing = createClientSanitizer(clients).sanitizeCrossOriginAuth().get();
         return this.existing;
     }
     // convert names back to IDs for express configuration

package/lib/tools/auth0/handlers/connectionProfiles.js

@@ -206,9 +206,6 @@ class ConnectionProfilesHandler extends default_1.default {
             type: 'connectionProfiles',
             id: 'id',
             identifiers: ['id', 'name'],
-            functions: {
-                update: (args, data) => this.client.connectionProfiles.update(args?.id, data),
-            },
         });
     }
     objString(item) {

package/lib/tools/auth0/handlers/connections.d.ts

@@ -107,10 +107,10 @@ export declare const schema: {
         required: string[];
     };
 };
-type DirectoryProvisioningConfig = Management.GetDirectoryProvisioningResponseContent;
+type DirectoryProvisioningConfig = Management.DirectoryProvisioning;
 export type Connection = Management.ConnectionForList & {
     enabled_clients?: string[];
-    directory_provisioning_configuration?: DirectoryProvisioningConfig;
+    directory_provisioning_configuration?: Pick<DirectoryProvisioningConfig, 'mapping' | 'synchronize_automatically'>;
 };
 export declare const addExcludedConnectionPropertiesToChanges: ({ proposedChanges, existingConnections, config, }: {
     proposedChanges: CalculatedChanges;
@@ -141,7 +141,7 @@ export declare const getConnectionEnabledClients: (auth0Client: Auth0APIClient,
  * @returns Promise that resolves to true if the update was successful, false otherwise
  *
  */
-export declare const updateConnectionEnabledClients: (auth0Client: Auth0APIClient, typeName: string, connectionId: string, enabledClientIds: string[]) => Promise<boolean>;
+export declare const updateConnectionEnabledClients: (auth0Client: Auth0APIClient, typeName: string, connectionId: string, enabledClientIds: string[], existingConnections: Asset[] | Asset | null) => Promise<boolean>;
 /**
  * This function processes enabled clients for create, update, and conflict operations.
  * Note: This function mutates the `create` array by adding IDs to the connection objects after creation.
@@ -153,7 +153,7 @@ export declare const updateConnectionEnabledClients: (auth0Client: Auth0APIClien
  *
  * @returns A Promise that resolves when all enabled client updates are complete
  */
-export declare const processConnectionEnabledClients: (auth0Client: Auth0APIClient, typeName: string, changes: CalculatedChanges, delayMs?: number) => Promise<void>;
+export declare const processConnectionEnabledClients: (auth0Client: Auth0APIClient, typeName: string, existingConnections: Asset[] | null, changes: CalculatedChanges, delayMs?: number) => Promise<void>;
 export default class ConnectionsHandler extends DefaultAPIHandler {
     existing: Connection[] | null;
     scimHandler: ScimHandler;
@@ -165,11 +165,10 @@ export default class ConnectionsHandler extends DefaultAPIHandler {
         options?: undefined;
     };
     /**
-     * Retrieves directory provisioning configuration for a specific Auth0 connection.
-     * @param connectionId - The unique identifier of the connection
-     * @returns A promise that resolves to the configuration object, or null if not configured/supported
+     * Retrieves all directory provisioning configurations for all connections.
+     * @returns A promise that resolves to the configurations object, or null if not configured/supported
      */
-    getConnectionDirectoryProvisioning(connectionId: string): Promise<DirectoryProvisioningConfig | null>;
+    getConnectionDirectoryProvisionings(): Promise<DirectoryProvisioningConfig[] | null>;
     /**
      * Creates directory provisioning configuration for a connection.
      */