
Inconsistent connection update behavior, potentially causing client_secret deletion


Description

Deploying config:

a0deploy deploy -c tenant/config.json --input_file tenant/tenant.yaml

results in error:

error: Problem running command deploy during stage processChanges when processing type connections error: Problem updating connections {"name":"###","id":"###"} Bad Request: Before creating Windows Azure Active Directory connections you must configure the client_id and client_secret settings in the dashboard. For more information go to https://docs.auth0.com/waad-clientid

also:

error: Problem running command deploy during stage processChanges when processing type connections error: Problem updating connections {"name":"####","id":"####"} Bad Request: The signing certificate is not valid. Please provide a .pem or .cer certificate base64 encoded public key

Reproduction

  1. Export an existing environment, including one or more AzureAD connections

We are stripping out some sensitive information on export

config.json:

{
...
  "AUTH0_ALLOW_DELETE": false,
  "AUTH0_EXPORT_IDENTIFIERS": false,
  "AUTH0_EXCLUDED_RULES": [ "rule-1-name" ],
  "AUTH0_EXCLUDED_CONNECTIONS": [
    "####",
    "smoke-test"
  ],
  "EXCLUDED_PROPS": {
    "connections": [
      "options.client_secret",
      "options.admin_access_token",
      "options.admin_access_token_expiresin",
      "options.cert",
      "options.signingCert"
    ]
  },
  "INCLUDED_PROPS": {
    "rulesConfigs": [ "key" ]
  }
}

tenant.yaml:

connections:
  - name: ####
    strategy: waad
    enabled_clients:
      - ####
    is_domain_connection: false
    options:
      domain: ####.com
      granted: true
      tenantId: ####
      client_id: ####
      use_wsfed: false
      app_domain: ####.auth0.com
      ext_groups: true
      ext_profile: true
      thumbprints:
        - ####
        - ####
        - ####
        - ####
        - ####
        - ####
      identity_api: azure-active-directory-v1.0
      basic_profile: false
      tenant_domain: ####.com
      waad_protocol: openid-connect
      domain_aliases:
        - ####.com
      api_enable_users: false
      ext_nested_groups: true
      useCommonEndpoint: false
      should_trust_email_verified_connection: ####
    show_as_button: false

Deploy the config: a0deploy deploy -c tenant/config.json --input_file tenant/tenant.yaml

The deployment halts with the given error.

The strange thing is that this worked perfectly in 2 other environments, with almost identical configurations (azuread and samlp connections) just a few days ago. Re-testing those environments they now throw the same errors. It looks like these options are now required instead of optional.

Workaround:

For now, you can add the failing connections to the AUTH0_EXCLUDED_CONNECTIONS list to skip them entirely.

Environment

  • Version of this library used: latest = 7.3.7

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 15 (8 by maintainers)

Top GitHub Comments

2 reactions
willvedd commented, Mar 3, 2022

This was also a big thing for me, I had assumed they were bi-directional and the documentation makes no mention that it will only be adhered to on import.

My understanding is that this only affects properties nested under the options property for connections. This is because most other endpoints adhere to normal PATCH conventions where excluded properties are ignored. However, as we can see in the endpoint docs, the options property does not adhere to that convention. So for most other circumstances it turns out to work bi-directionally.

1 reaction
willvedd commented, Mar 9, 2022

@lundybernard @kanocarra thanks for being patient. We’ve addressed this in our 7.5.0 release, I encourage you folks to update and test out.

The approach taken can be looked at more closely in #430 but in brief, we’ve just added excluded properties back onto the PATCH payload, which makes the bi-directional exclusion more explicit. We did consider the __IGNORE__ syntax, but it would’ve added much more surface area to the problem when this only affects connections. So for the sake of simplicity and backwards compatibility, we decided against it for now.

I appreciate the patience and feedback on this issue; don’t ever want to have the usage of this tool result in destructive changes. Going to close this out but please raise another issue if you’re experiencing any issues with the new release.
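The failure mode and the mitigation discussed in the comments above, as an added example that is not code from the issue or from the deploy CLI. `patchConnection` is a hypothetical stand-in for the connection update endpoint, modelled on the assumption that a supplied `options` object replaces the stored one whole; `restoreExcluded` and all sample values are constructed for illustration.

```javascript
// Added illustration, not the project's implementation.

// Read a dotted path such as "options.client_secret" from an object.
function getPath(obj, path) {
  return path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), obj);
}

// Write a dotted path, creating intermediate objects as needed.
function setPath(obj, path, value) {
  const keys = path.split('.');
  const last = keys.pop();
  let cur = obj;
  for (const k of keys) {
    if (typeof cur[k] !== 'object' || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[last] = value;
}

// Hypothetical server model (assumption): top-level fields merge,
// but a supplied `options` object overwrites the stored one entirely.
function patchConnection(stored, payload) {
  return { ...stored, ...payload };
}

// Copy each excluded property from the live connection onto the outgoing
// payload when the local config omits it, so the update cannot drop it.
function restoreExcluded(payload, remote, excludedProps) {
  const out = JSON.parse(JSON.stringify(payload)); // do not mutate the caller's object
  for (const path of excludedProps) {
    const remoteValue = getPath(remote, path);
    if (getPath(out, path) === undefined && remoteValue !== undefined) {
      setPath(out, path, remoteValue);
    }
  }
  return out;
}

// Constructed sample data; placeholder values only.
const remote = { name: 'example-waad', strategy: 'waad',
  options: { client_id: 'abc', client_secret: 'PLACEHOLDER-SECRET', ext_groups: false } };
const local = { options: { client_id: 'abc', ext_groups: true } }; // secret stripped on export
const excluded = ['options.client_secret', 'options.cert'];

const naive = patchConnection(remote, local);
const safe = patchConnection(remote, restoreExcluded(local, remote, excluded));
console.log('naive update keeps secret:', 'client_secret' in naive.options);
console.log('restored update keeps secret:', 'client_secret' in safe.options);
```

A deployment pipeline can run the same comparison as a pre-flight check: diff the excluded paths between the live connection and the outgoing payload, and fail the job if any stored value would be dropped.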
