Keyword preservation fails for client grants #855

DevinRiley opened this issue Sep 18, 2023 · 3 comments
@DevinRiley
DevinRiley commented Sep 18, 2023

Checklist

  • I have looked into the README and have not found a suitable solution or answer.
  • I have looked into the documentation and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have upgraded to the latest version of this tool and the issue still persists.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Description

When I dump config to my tenant.yml file, it doesn't preserve keywords for my client grants. This appears to be related to this PR, based on the caveat made in that PR description and my own testing between versions 7.18.0 and 7.19.0.

Before:

clientGrants:
  - client_id: API Explorer Application
    audience: https://##TENANT##.us.auth0.com/api/v2/
    scope: '@@API_EXPLORER_APPLICATION_CLIENT_GRANT_SCOPES@@'
  - client_id: M2M Application
    audience: '##API_IDENTIFIER##'
    scope: []
  - client_id: M2M Application
    audience: https://##TENANT##.us.auth0.com/api/v2/
    scope:
      - create:users

Run a0deploy dump -c=config-dev.json --format=yaml --output_folder=resources

After:

clientGrants:
  - client_id: API Explorer Application
    audience: https://redacted.us.auth0.com/api/v2/
    scope:
      - read:users
      - update:users
      - delete:users
      - create:users
  - client_id: M2M application
    audience: http://localhost:3000
    scope: []
  - client_id: Entity Management M2M
    audience: https://redacted.us.auth0.com/api/v2/
    scope:
      - create:users

This is a problem for us because we deploy this tenant yaml to different environments and need the keyword replacements to work for each environment.

Expectation

I'd expect keywords to be preserved in the tenant.yml file.

Reproduction

I have only encountered this on my actual tenant, but I believe you could reproduce it by setting up multiple client grants that use the same client_id.

Deploy CLI version

7.19.0

Node version

14.19.3

@willvedd
Contributor

@DevinRiley Thanks for submitting this issue. I'm able to reproduce and I recognize the issue.

The problem here is the order in which the client ID and client name exchange happens with respect to keyword preservation. This exchange is what allows the client name to be expressed in the client_id field and maintain tenant-agnostic configuration. Unfortunately, this happens after the keyword preservation step, and so the algorithm isn't able to correctly match the remote client grant with your local client grant. So this is not an issue with keyword preservation itself.

I attempted to address this issue by moving the ID-name exchange closer to the root of the process but I'm incurring issues maintaining backwards compatibility. Specifically, I need to be able to preserve the ability to deploy client grants based on their names and IDs and preserve them on export. I'm particularly nervous about modifying these areas of code because we've had a number of issues pertaining to client grants recently and don't want to disturb the stability.

We will need more time to investigate a proper fix for this.

Possible workaround
It's not elegant, but you're able to combine all the client grants data into its own keyword:

tenant.yaml

clientGrants: '@@CLIENT_GRANTS@@'

config.json

{
 ...
  "AUTH0_KEYWORD_REPLACE_MAPPINGS": {
    "CLIENT_GRANTS": [
      {
        "client_id": "API Explorer Application",
        "audience": "https://you-tenant.us.auth0.com/api/v2/",
        "scope": [
          "read:foo",
          "create:foo"
        ]
      }
    ]
  }
}
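
An added example, not part of this thread or of the Deploy CLI's code: a check to run after a dump that reports which keyword markers disappeared from the `clientGrants` section, so a file with one environment's audiences hard-coded is caught before it is deployed elsewhere. The function names are hypothetical, the marker syntax is taken from the YAML in this issue, and the sample input is a shortened copy of the issue's "Before" and "After".

```javascript
// Keyword markers as they appear in the tenant.yml above: ##KEY## and @@KEY@@.
const MARKER = /(##|@@)([A-Za-z0-9_]+)\1/g;

// Text of one top-level YAML key, found by indentation (plain scan, not a YAML parser).
function topLevelSection(yamlText, key) {
  const out = [];
  let inside = false;
  for (const line of yamlText.split(/\r?\n/)) {
    if (/^[^\s#-]/.test(line)) inside = line.startsWith(key + ':');
    if (inside) out.push(line);
  }
  return out.join('\n');
}

function markerCounts(text) {
  const counts = new Map();
  for (const m of text.matchAll(MARKER)) counts.set(m[0], (counts.get(m[0]) || 0) + 1);
  return counts;
}

// Markers that occur fewer times in the dumped section than in the committed one.
function lostMarkers(committedYaml, dumpedYaml, key) {
  const before = markerCounts(topLevelSection(committedYaml, key));
  const after = markerCounts(topLevelSection(dumpedYaml, key));
  const lost = [];
  for (const [marker, n] of before) {
    const missing = n - (after.get(marker) || 0);
    if (missing > 0) lost.push({ marker, missing });
  }
  return lost;
}

// Sample input built from the "Before"/"After" YAML in this issue (shortened).
const COMMITTED = `
clientGrants:
  - client_id: API Explorer Application
    audience: https://##TENANT##.us.auth0.com/api/v2/
    scope: '@@API_EXPLORER_APPLICATION_CLIENT_GRANT_SCOPES@@'
  - client_id: M2M Application
    audience: '##API_IDENTIFIER##'
    scope: []
`;
const DUMPED = `
clientGrants:
  - client_id: API Explorer Application
    audience: https://redacted.us.auth0.com/api/v2/
    scope:
      - read:users
`;
console.log(lostMarkers(COMMITTED, DUMPED, 'clientGrants'));
```

In a CI job, compare the committed tenant.yml with the freshly dumped one and fail when the returned list is non-empty.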

@michalica

I have a problem preserving the audience in clientGrant. I think it may be related to this. It is actually a big blocker for us to have smooth tenant deployment among environments.

@bensoutendijk

bensoutendijk commented Jun 13, 2024

I am having this issue as well. I was able to fix it by downgrading to 7.17.7.
