Describe the problem
internal/keyring/keyring.go's StoreAccessToken has a copy-paste error in the loop that is meant to clear previously-stored access-token chunks. Instead of deleting the indexed secretAccessToken chunks, it deletes the secretClientSecret key on every iteration:
// First, clear any existing chunks to prevent concatenation issues.
for i := 0; i < secretAccessTokenMaxChunks; i++ {
	if err := keyring.Delete(secretClientSecret, tenant); err != nil { // <-- wrong key
		...
	}
}
This was introduced in #1358.
Expected behavior
The loop should delete the indexed access-token chunks (fmt.Sprintf("%s %d", secretAccessToken, i)), exactly as DeleteSecretsForTenant already does, and must not touch the client secret.
Impact — two distinct failures
1. Stale chunks → "authentication token is corrupted".
Because old access-token chunks are never cleared, re-storing a token that spans fewer chunks than the previous one leaves trailing chunks behind. GetAccessToken concatenates them into a malformed JWT, CheckAuthenticationStatus fails jwt.ParseInsecure, and commands error with authentication token is corrupted, please run: auth0 logout && auth0 login.
2. Machine (client-credentials) logins can never refresh.
RunLoginAsMachineSecret stores the client secret and then calls StoreAccessToken, which immediately deletes that secret. Once the access token expires, RegenerateAccessToken → GetClientSecret fails with failed to retrieve client secret from keyring, so client-credentials sessions break at the first token expiry (~24h for the Management API) and require a brand-new auth0 login every time. Auto-renewal never works.
Reproduction (machine auth)
auth0 login --domain <tenant> --client-id <id> --client-secret <secret>
# works for ~24h, then on next expiry:
auth0 apps list
# -> failed to fetch access token using client credentials ... please re-authenticate
Environment
- auth0-cli v1.30.0 (also confirmed present on main and at the v1.30.0 tag)
- macOS Keychain via go-keyring, but the bug is OS-independent
Fix
One-line correction + regression tests (deletes the indexed access-token chunks; leaves the client secret intact). PR incoming.
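Both failure modes described above can be reproduced without a real keychain. The following is an added example, not auth0-cli code: it swaps the keyring for an in-memory map, and the key strings, chunk size, chunk limit, sample tokens and the buggy flag are all assumptions made for the demonstration.

```go
package main

import "fmt"

// Names mirror the issue; the values are assumptions for this demo.
const (
	secretClientSecret         = "Client Secret"
	secretAccessToken          = "Access Token"
	secretAccessTokenMaxChunks = 4
	chunkSize                  = 8
)

func chunkKey(i int) string { return fmt.Sprintf("%s %d", secretAccessToken, i) }

// storeAccessToken clears old entries, then writes token in chunks into s, an
// in-memory stand-in for the keyring; buggy (a hypothetical flag) replays the wrong-key delete.
func storeAccessToken(s map[string]string, token string, buggy bool) {
	for i := 0; i < secretAccessTokenMaxChunks; i++ {
		if buggy {
			delete(s, secretClientSecret) // wrong key, as reported
		} else {
			delete(s, chunkKey(i)) // indexed access-token chunk
		}
	}
	for i := 0; len(token) > 0; i++ {
		n := chunkSize
		if n > len(token) {
			n = len(token)
		}
		s[chunkKey(i)], token = token[:n], token[n:]
	}
}

// scenario: a machine login stores the secret, a 3-chunk token, then a 2-chunk
// token, and finally reads the token back by concatenating every chunk.
func scenario(buggy bool) (token string, secretKept bool) {
	s := map[string]string{secretClientSecret: "constructed-secret"}
	storeAccessToken(s, "AAAAAAAABBBBBBBBCCCC", buggy) // constructed token
	storeAccessToken(s, "DDDDDDDDEE", buggy)           // shorter re-store
	for i := 0; i < secretAccessTokenMaxChunks; i++ {
		token += s[chunkKey(i)]
	}
	_, secretKept = s[secretClientSecret]
	return token, secretKept
}

func main() {
	fmt.Println(scenario(true))  // buggy loop
	fmt.Println(scenario(false)) // corrected loop
}
```

With the buggy loop the read-back token carries the stale third chunk and the client secret is gone; with the corrected loop the token is exactly what was stored last and the secret survives.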