* feat(apps): add support for third-party security mode and redirection policy
  - Introduced new flags for third-party applications:
    - `third-party-security-mode` to specify 'strict' or 'permissive'.
    - `redirection-policy` to control Auth0's behavior on authentication errors.
  - Updated `createAppCmd` and `updateAppCmd` functions to handle new inputs.
  - Enhanced `applicationView` to display third-party security mode and redirection policy.
  - Ensured backward compatibility by integrating new features without affecting existing functionality.
* feat(cli): enhance client grant resource fetching with default_for support
  - Updated the FetchData method in clientGrantResourceFetcher to handle
    grants marked as default_for, allowing for more accurate resource naming.
  - Introduced a new test case to validate the handling of default_for grants
    in TestClientGrantResourceFetcher_FetchData, ensuring expected behavior
    when fetching client grants with different audiences.
* feat(docs): update application creation and update examples with new flags
  - Added examples for `auth0 apps create` and `auth0 apps update` commands
    to demonstrate the usage of `--third-party-security-mode` and
    `--redirection-policy` flags.
  - Updated documentation to reflect the new security features for
    third-party applications, enhancing clarity for users.
* test(apps): add test case for creating regular app with third-party security mode
  - Added a new test case to validate the creation of a regular app
    with third-party security mode set to strict and redirection policy
    set to open_redirect_protection.
  - The test ensures that the app is created successfully and outputs
    the expected JSON response.
* chore(terraform): lint fix
* feat(apps): add is-first-party flag for application creation and update
  - Introduced a new flag `--is-first-party` to differentiate between first-party and third-party applications.
  - Updated the command examples in `auth0_apps_create.md` and `auth0_apps_update.md` to reflect the new flag usage.
  - Modified the `createAppCmd` and `updateAppCmd` functions in `apps.go` to handle the new flag.
  - Enhanced the `applicationView` struct in `display/apps.go` to include the `IsFirstParty` field for display purposes.
* chore(terraform_generate): add comment to client grant resource naming for default_for grants
* test(apps): add tests for third-party app creation and management
  - Added integration tests for creating, showing, updating, and deleting a third-party app.
  - Created a new script `get-3p-app-id.sh` to handle the app ID retrieval for testing.
  - Updated existing test cases to reflect the new structure and ensure proper validation of third-party app properties.
* chore(apps): lint fix
* docs(apps): require --is-first-party=false for redirection policy and security mode
  - Updated documentation for `auth0 apps create` and `auth0 apps update` commands to specify that the `--is-first-party=false` flag is required when using the `--redirection-policy` and `--third-party-security-mode` options.
  - Enhanced user clarity on the usage of these flags to prevent misconfiguration.
* fix(cli): update resource naming for client grants
  - Refactored the logic for generating resource names in the FetchData method of clientGrantResourceFetcher.
  - The resource name now uses the client ID or default_for value, ensuring consistency in naming.
  - Updated test cases to reflect the new naming convention for third-party client grants.
-c, --callbacks strings After the user authenticates we will only call back to any of these URLs. You can specify multiple valid URLs by comma-separating them (typically to handle different environments like QA or testing). Make sure to specify the protocol (https://) otherwise the callback may fail in some cases. With the exception of custom URI schemes for native apps, all callbacks should use protocol https://.
43
44
-d, --description string Description of the application. Max character count is 140.
44
45
-g, --grants strings List of grant types supported for this application. Can include code, implicit, refresh-token, credentials, password, password-realm, mfa-oob, mfa-otp, mfa-recovery-code, and device-code.
46
+
-f, --is-first-party Whether the application is a first-party client (true) or third-party client (false). (default true)
45
47
--json Output in json format.
46
48
--json-compact Output in compact json format.
47
49
-l, --logout-urls strings Comma-separated list of URLs that are valid to redirect to after logout from Auth0. Wildcards are allowed for subdomains.
48
50
--metadata stringToString Arbitrary keys-value pairs (max 255 characters each), that can be assigned to each application. More about application metadata: https://auth0.com/docs/get-started/applications/configure-application-metadata (default [])
49
51
-n, --name string Name of the application.
50
52
-o, --origins strings Comma-separated list of URLs allowed to make requests from JavaScript to Auth0 API (typically used with CORS). By default, all your callback URLs will be allowed. This field allows you to enter other origins if necessary. You can also use wildcards at the subdomain level (e.g., https://*.contoso.com). Query strings and hash information are not taken into account when validating these URLs.
53
+
-y, --redirection-policy string Controls whether Auth0 redirects users to the application's callback URL on authentication errors or in email verification flows: 'allow_always' or 'open_redirect_protection'. Require --is-first-party=false
51
54
-z, --refresh-token string Refresh Token Config for the application, formatted as JSON.
52
55
--resource-server-identifier string The identifier of the resource server that this client is associated with. This property can only be sent when app_type=resource_server and cannot be changed once the client is created.
53
56
-r, --reveal-secrets Display the application secrets ('signing_keys', 'client_secret') as part of the command output.
57
+
-s, --third-party-security-mode string Security mode for third-party clients: 'strict' or 'permissive'. Require --is-first-party=false
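Review bot: the new `-y, --redirection-policy` entry lists 'allow_always' and 'open_redirect_protection' but states no default, so a reader cannot tell which behaviour a third-party app gets when the flag is omitted; add the default to the help text, since the choice decides whether error and email-verification flows redirect to the callback URL. The same entry and `-s, --third-party-security-mode` end with "Require --is-first-party=false": this should read "Requires", and it should say what the command does when either flag is passed while `--is-first-party` is left at its documented default of true (rejected with an error, or silently ignored).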
-c, --callbacks strings After the user authenticates we will only call back to any of these URLs. You can specify multiple valid URLs by comma-separating them (typically to handle different environments like QA or testing). Make sure to specify the protocol (https://) otherwise the callback may fail in some cases. With the exception of custom URI schemes for native apps, all callbacks should use protocol https://.
42
43
-d, --description string Description of the application. Max character count is 140.
43
44
-g, --grants strings List of grant types supported for this application. Can include code, implicit, refresh-token, credentials, password, password-realm, mfa-oob, mfa-otp, mfa-recovery-code, and device-code.
45
+
-f, --is-first-party Whether the application is a first-party client (true) or third-party client (false). (default true)
44
46
--json Output in json format.
45
47
--json-compact Output in compact json format.
46
48
-l, --logout-urls strings Comma-separated list of URLs that are valid to redirect to after logout from Auth0. Wildcards are allowed for subdomains.
47
49
--metadata stringToString Arbitrary keys-value pairs (max 255 characters each), that can be assigned to each application. More about application metadata: https://auth0.com/docs/get-started/applications/configure-application-metadata (default [])
48
50
-n, --name string Name of the application.
49
51
-o, --origins strings Comma-separated list of URLs allowed to make requests from JavaScript to Auth0 API (typically used with CORS). By default, all your callback URLs will be allowed. This field allows you to enter other origins if necessary. You can also use wildcards at the subdomain level (e.g., https://*.contoso.com). Query strings and hash information are not taken into account when validating these URLs.
52
+
-y, --redirection-policy string Controls whether Auth0 redirects users to the application's callback URL on authentication errors or in email verification flows: 'allow_always' or 'open_redirect_protection'. Require --is-first-party=false
50
53
-z, --refresh-token string Refresh Token Config for the application, formatted as JSON.
51
54
-r, --reveal-secrets Display the application secrets ('signing_keys', 'client_secret') as part of the command output.
55
+
-s, --third-party-security-mode string Security mode for third-party clients: 'strict' or 'permissive'. Require --is-first-party=false
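Review bot: `-f, --is-first-party` is documented in this flag list with "(default true)", identical to the other list; if this is the `auth0 apps update` page named in the commit message, a default on an update flag reads as though omitting it sets the application back to first-party. Confirm that the update path only sends the value when the flag is passed explicitly, and drop or reword the default here so that a routine update of a third-party app is not read as changing its party type.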
internal/cli/apps.go (79 additions & 21 deletions)
@@ -176,6 +176,24 @@ var (
176
176
ShortForm: "p",
177
177
Help: "Comma-separated list of enabled token exchange types for this client. Possible values: custom_authentication, on_behalf_of_token_exchange.",
178
178
}
179
+
appIsFirstParty=Flag{
180
+
Name: "Is First Party",
181
+
LongForm: "is-first-party",
182
+
ShortForm: "f",
183
+
Help: "Whether the application is a first-party client (true) or third-party client (false).",
184
+
}
185
+
appThirdPartySecurityMode=Flag{
186
+
Name: "Third Party Security Mode",
187
+
LongForm: "third-party-security-mode",
188
+
ShortForm: "s",
189
+
Help: "Security mode for third-party clients: 'strict' or 'permissive'. Require --is-first-party=false",
190
+
}
191
+
appRedirectionPolicy=Flag{
192
+
Name: "Redirection Policy",
193
+
LongForm: "redirection-policy",
194
+
ShortForm: "y",
195
+
Help: "Controls whether Auth0 redirects users to the application's callback URL on authentication errors or in email verification flows: 'allow_always' or 'open_redirect_protection'. Require --is-first-party=false",
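Review bot: the Help strings for `appThirdPartySecurityMode` and `appRedirectionPolicy` enumerate the accepted values and the `--is-first-party=false` requirement, but nothing in the visible lines enforces either. Unless validation lives elsewhere in the change, reject values outside 'strict'/'permissive' and 'allow_always'/'open_redirect_protection' before the request is sent, and return an error when either flag is combined with a first-party application, rather than relying on the help text. "Require" should also read "Requires" in both strings.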