Keyword preservation fails for client grants #855

Open
6 tasks done
DevinRiley opened this issue Sep 18, 2023 · 5 comments
DevinRiley commented Sep 18, 2023

Checklist

  • I have looked into the README and have not found a suitable solution or answer.
  • I have looked into the documentation and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have upgraded to the latest version of this tool and the issue still persists.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Description

When I dump config to my tenant.yml file, it doesn't preserve keywords for my client grants. This appears to be related to this PR based on the caveat made in that PR description and my own testing between versions 7.18.0 and 7.19.0.

Before:

clientGrants:
  - client_id: API Explorer Application
    audience: https://##TENANT##.us.auth0.com/api/v2/
    scope: '@@API_EXPLORER_APPLICATION_CLIENT_GRANT_SCOPES@@'
  - client_id: M2M Application 1
    audience: '##API_IDENTIFIER##'
    scope: []
  - client_id: M2M Application 2
    audience: https://##TENANT##.us.auth0.com/api/v2/
    scope:
      - create:users

Run a0deploy dump -c=config-dev.json --format=yaml --output_folder=resources

After:

clientGrants:
  - client_id: API Explorer Application
    audience: https://redacted.us.auth0.com/api/v2/
    scope:
      - read:users
      - update:users
      - delete:users
      - create:users
  - client_id: M2M Application 1
    audience: http://localhost:3000
    scope: []
  - client_id: M2M Application 2
    audience: https://redacted.us.auth0.com/api/v2/
    scope:
      - create:users

This is a problem for us because we deploy this tenant yaml to different environments and need the keyword replacements to work for each environment.

Expectation

I'd expect keywords to be preserved in the tenant.yml file.

Reproduction

I have only encountered this on my actual tenant, but I believe you could reproduce by setting up multiple client grants that use the same client_id.

Deploy CLI version

7.19.0

Node version

14.19.3

@willvedd
Contributor

@DevinRiley Thanks for submitting this issue. I'm able to reproduce and I recognize the issue.

The problem here is the ordering in which the client ID and client name exchange happens with respect to keyword preservation. This exchange is what allows the client name to be expressed in the client_id field and maintain tenant-agnostic configuration. Unfortunately, this happens after the keyword preservation step and so the algorithm isn't able to correctly match the remote client grant with your local client grant. So this is not an issue with keyword preservation itself.

I attempted to address this issue by moving the ID-name exchange closer to the root of the process but I'm incurring issues maintaining backwards compatibility. Specifically, I need to be able to preserve the ability to deploy client grants based on their names and IDs and preserve them on export. I'm particularly nervous about modifying these areas of code because we've had a number of issues pertaining to client grants recently and don't want to disturb the stability.

We will need more time to investigate a proper fix for this.

Possible workaround
It's not elegant, but you're able to combine all the client grants data into its own keyword:

tenant.yaml

clientGrants: '@@CLIENT_GRANTS@@'

config.json

{
 ...
  "AUTH0_KEYWORD_REPLACE_MAPPINGS": {
    "CLIENT_GRANTS": [
      {
        "client_id": "API Explorer Application",
        "audience": "https://you-tenant.us.auth0.com/api/v2/",
        "scope": [
          "read:foo",
          "create:foo"
        ]
      }
    ]
  }
}
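
The ordering problem described in the comment above, as an added example that is not part of the thread and not auth0-deploy-cli source code. It is a simplified model: the match key (client_id plus audience), the client IDs, the tenant name and all function names are assumptions made for illustration.

```javascript
// Simplified model of a dump. Assumption: preservation pairs each remote
// grant with a local grant by client_id + audience, after resolving the
// local keywords. All IDs and values below are constructed sample data.
const mappings = { TENANT: 'example-dev', API_IDENTIFIER: 'http://localhost:3000' };
const clients = [ // remote clients: opaque ID -> display name
  { client_id: 'id_m2m_1', name: 'M2M Application 1' },
  { client_id: 'id_m2m_2', name: 'M2M Application 2' },
];
const localGrants = [ // what tenant.yaml holds: names and keywords
  { client_id: 'M2M Application 1', audience: '##API_IDENTIFIER##' },
  { client_id: 'M2M Application 2', audience: 'https://##TENANT##.us.auth0.com/api/v2/' },
];
const remoteGrants = [ // what the API returns: IDs and resolved values
  { client_id: 'id_m2m_1', audience: 'http://localhost:3000' },
  { client_id: 'id_m2m_2', audience: 'https://example-dev.us.auth0.com/api/v2/' },
];

// Replace ##KEY## markers with their configured values.
const resolve = (s) =>
  s.replace(/##([A-Z0-9_]+)##/g, (m, k) => (k in mappings ? mappings[k] : m));
const key = (g) => `${g.client_id}|${g.audience}`;

// Put the local keyworded audience back on every remote grant that matches.
function preserveKeywords(local, remote) {
  const byKey = new Map(
    local.map((g) => [key({ ...g, audience: resolve(g.audience) }), g]));
  return remote.map((r) => {
    const match = byKey.get(key(r));
    return match ? { ...r, audience: match.audience } : r; // no match: value stays resolved
  });
}

// The ID-name exchange: express the client name in the client_id field.
function idsToNames(grants) {
  const names = new Map(clients.map((c) => [c.client_id, c.name]));
  return grants.map((g) => ({ ...g, client_id: names.get(g.client_id) ?? g.client_id }));
}

// Order reported in the issue: preservation runs while client_id is still an ID.
const dumpPreserveThenExchange = () =>
  idsToNames(preserveKeywords(localGrants, remoteGrants));
// Exchange first: the keys line up and the keywords survive.
const dumpExchangeThenPreserve = () =>
  preserveKeywords(localGrants, idsToNames(remoteGrants));

console.log(dumpPreserveThenExchange());
console.log(dumpExchangeThenPreserve());
```

In the first order the dumped grants carry client names but environment-specific audiences, which matches the "After" output in the report.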

@michalica

I have a problem preserving the audience in clientGrant. I think it may be related to this. It is actually a big blocker for us to have smooth tenant deployment among environments.

bensoutendijk commented Jun 13, 2024

I am having this issue as well. I was able to fix it by downgrading to 7.17.7

LeeJW1987 commented Jul 26, 2024

@willvedd, the suggested workaround doesn't appear to work for me?

I've applied it in other areas on the tenant.yaml (thanks!). But when I try to do the same with clientGrants I get an error in the export job: error: Problem exporting clientGrants

This seems to behave differently from most other places where the keyword mapping preservation fails, in that it actually fails the export rather than just ignoring the keyword mapping.

edit: using version 7.23.1

danloiterton commented Sep 20, 2024

@willvedd, I have the same issue. I'm using the directory format. Is there a way to adapt your workaround to fit?

I seem to be at a dead end with the deploy-cli for now as I cannot deploy any grants to the Auth0 Management API - since the "audience" value varies between my dev/staging/production environments. Anyone have any suggestions? I'm not sure how I can implement a code-based multi-environment solution with this limitation?
