chore(deps): In-sync feature capability master

.circleci/config.yml

@@ -93,6 +93,15 @@ jobs:
       - run: npm ci
       - run: npx tsc --noEmit
 
+  does_lint_pass:
+    docker:
+      - image: cimg/node:22.12.0
+    working_directory: ~/repo
+    steps:
+      - checkout
+      - run: npm ci
+      - run: npm run lint
+
 workflows:
   version: 2
 
@@ -110,6 +119,8 @@ workflows:
     jobs:
       - does_typescript_compile:
           name: Does Typescript compile?
+      - does_lint_pass:
+          name: Does lint pass?
       - unit_test:
           name: Unit tests with Node LTS
           v: "lts"

README.md

@@ -48,7 +48,7 @@ This guide will help you to a working implementation of the Deploy CLI tool used
 
 ### Prerequisites
 
-- [Node](https://nodejs.dev/) version 20(v20.18.1) or greater
+- [Node](https://nodejs.dev/) version 20(v20.19.0) or greater
 - [Auth0 Tenant](https://auth0.com/)
 
 ### Install the Deploy CLI

docs/configuring-the-deploy-cli.md

@@ -155,6 +155,10 @@ Provides ability to exclude any unwanted properties from management.
 
 String. Separate value from audience value while retrieving an access token for management API. Useful when default Management API endpoints are not publicly exposed.
 
+### `AUTH0_EXCLUDE_THIRD_PARTY_CLIENTS`
+
+Boolean. When enabled, excludes third-party clients from being managed. Only first-party clients will be included in export and import operations. This is useful when you have Dynamic Client Registration (DCR) enabled and you have a lot of third-party clients in your tenant. Default: `false`.
+
 ### `AUTH0_EXCLUDED_RULES`
 
 Array of strings. Excludes the management of specific rules by ID. **Note:** This configuration may be subject to deprecation in the future. See: [excluding resources from management](excluding-from-management.md).

docs/excluding-from-management.md

@@ -55,6 +55,18 @@ Some resource types support exclusions of individual resource by name. This is p
 
 > ⚠️ **NOTE:** Excluding resources by ID is being considered for deprecation in future major versions. See the [resource exclusion proposal](https://github.com/auth0/auth0-deploy-cli/issues/451) for more details.
 
+### Excluding third-party clients
+
+You can also exclude all third-party clients at once using the `AUTH0_EXCLUDE_THIRD_PARTY_CLIENTS` configuration option. When enabled, only first-party clients will be included in export and import operations. This is useful when you have Dynamic Client Registration (DCR) enabled and you have a lot of third-party clients in your tenant.
+
+```json
+{
+  "AUTH0_DOMAIN": "example-site.us.auth0.com",
+  "AUTH0_CLIENT_ID": "<YOUR_AUTH0_CLIENT_ID>",
+  "AUTH0_EXCLUDE_THIRD_PARTY_CLIENTS": true
+}
+```
+
 ## Omitted vs excluded vs empty
 
 The above sections pertain to exclusion which forcefully ignore configurations bi-directionally. It is worth noting similar but very different concepts: “omissions” and “empty” states.

docs/resource-specific-documentation.md

@@ -628,3 +628,82 @@ Example `phone-templates/otp_verify.json`:
   }
 }
 ```
+
+## Connection Profiles
+
+Application specific configuration for use with the OIN Express Configuration feature
+
+### YAML Example
+
+```yaml
+# Contents of ./tenant.yaml
+connectionProfiles:
+  - name: 'Enterprise SSO Profile'
+    organization:
+      show_as_button: 'required'
+      assign_membership_on_login: 'required'
+    connection_name_prefix_template: 'org-{organization_name}'
+    enabled_features:
+      - scim
+      - universal_logout
+    strategy_overrides:
+      samlp:
+        enabled_features:
+          - universal_logout
+      oidc:
+        enabled_features:
+          - scim
+          - universal_logout
+  - name: 'Basic Connection Profile'
+    organization:
+      show_as_button: 'optional'
+      assign_membership_on_login: 'optional'
+    enabled_features:
+      - scim
+```
+
+### Directory Example
+
+File: `./connection-profiles/Enterprise SSO Profile.json`
+
+```json
+{
+  "name": "Enterprise SSO Profile",
+  "organization": {
+    "show_as_button": "required",
+    "assign_membership_on_login": "required"
+  },
+  "connection_name_prefix_template": "org-{organization_name}",
+  "enabled_features": ["scim", "universal_logout"],
+  "strategy_overrides": {
+    "samlp": {
+      "enabled_features": ["universal_logout"]
+    },
+    "oidc": {
+      "enabled_features": ["scim", "universal_logout"]
+    }
+  }
+}
+```
+
+### Express Configuration on Clients
+
+Connection profiles are used in conjunction with the `express_configuration` property on client applications: (In order to use express_configuration app_type should not be 'express_configuration')
+
+```yaml
+clients:
+  - name: 'My Enterprise App'
+    app_type: 'regular_web'
+    express_configuration:
+      initiate_login_uri_template: 'https://myapp.com/sso/start?org={organization_name}&conn={connection_name}'
+      user_attribute_profile_id: 'My User Attribute Profile'
+      connection_profile_id: 'Enterprise SSO Profile' # Reference to connection profile
+      enable_client: true
+      enable_organization: true
+      okta_oin_client_id: 'My Okta OIN Client'
+      admin_login_domain: 'login.myapp.com'
+      linked_clients:
+        - client_id: 'client_id_of_mobile_app'
+```
+
+For more details, see the [Management API documentation](https://auth0.com/docs/api/management/v2).

eslint.config.js

@@ -91,6 +91,7 @@ module.exports = [
       'no-useless-escape': 'off',
       'no-redeclare': 'off',
       'no-unused-vars': 'off',
+      'no-console': 'warn',
       '@typescript-eslint/no-unused-vars': [
         'error',
         {

examples/directory/clients/My App with Express Config.json

@@ -0,0 +1,13 @@
+{
+  "name": "My App with Express Config",
+  "app_type": "regular_web",
+  "express_configuration": {
+    "initiate_login_uri_template": "https://myapp.com/sso/start?org={organization_name}&conn={connection_name}",
+    "user_attribute_profile_id": "My User Attribute Profile",
+    "connection_profile_id": "Enterprise SSO Profile",
+    "enable_client": true,
+    "enable_organization": true,
+    "okta_oin_client_id": "My Okta OIN Client",
+    "admin_login_domain": "login.myapp.com"
+  }
+}

examples/directory/connection-profiles/Basic Connection Profile.json

@@ -0,0 +1,10 @@
+{
+  "name": "Basic Connection Profile",
+  "organization": {
+    "show_as_button": "optional",
+    "assign_membership_on_login": "optional"
+  },
+  "enabled_features": [
+    "scim"
+  ]
+}

examples/directory/connection-profiles/Enterprise SSO Profile.json

@@ -0,0 +1,27 @@
+{
+  "name": "Enterprise SSO Profile",
+  "organization": {
+    "show_as_button": "required",
+    "assign_membership_on_login": "required"
+  },
+  "connection_name_prefix_template": "org-{org_name}",
+  "enabled_features": [
+    "scim",
+    "universal_logout"
+  ],
+  "strategy_overrides": {
+    "samlp": {
+      "enabled_features": [
+        "universal_logout"
+      ],
+      "connection_config": {}
+    },
+    "oidc": {
+      "enabled_features": [
+        "scim",
+        "universal_logout"
+      ],
+      "connection_config": {}
+    }
+  }
+}

examples/directory/user-attribute-profiles/My User Attribute Profile.json

@@ -0,0 +1,12 @@
+{
+  "name": "My User Attribute Profile",
+  "description": "My User Attribute Profile Description",
+  "user_attributes": [
+    {
+      "name": "email",
+      "description": "Email",
+      "type": "email",
+      "required": true
+    }
+  ]
+}

examples/yaml/tenant.yaml

@@ -42,6 +42,20 @@ clients:
     name: "My Resource Server Client"
     app_type: "resource_server"
     resource_server_identifier: "https://##ENV##.myapp.com/api/v1"
+  -
+    name: "My Okta OIN Client"
+    app_type: "regular_web"
+  -
+    name: "My Express App"
+    app_type: "regular_web"
+    express_configuration:
+      initiate_login_uri_template: "https://myapp.com/sso/start?org={organization_name}&conn={connection_name}"
+      user_attribute_profile_id: "My User Attribute Profile"
+      connection_profile_id: "Enterprise SSO Profile"
+      enable_client: true
+      enable_organization: true
+      okta_oin_client_id: "My Okta OIN Client"
+      admin_login_domain: "login.myapp.com"
   -
     name: "My Token Exchange App"
     app_type: "regular_web"
@@ -404,3 +418,36 @@ attackProtection:
         max_attempts: 50
         rate: 1200
 
+connectionProfiles:
+  - name: "Enterprise SSO Profile"
+    organization:
+      show_as_button: "required"
+      assign_membership_on_login: "required"
+    connection_name_prefix_template: "org-{org_name}"
+    enabled_features:
+      - scim
+      - universal_logout
+    strategy_overrides:
+      samlp:
+        enabled_features:
+          - universal_logout
+      oidc:
+        enabled_features:
+          - scim
+          - universal_logout
+  - name: "Basic Connection Profile"
+    organization:
+      show_as_button: "optional"
+      assign_membership_on_login: "optional"
+    enabled_features:
+      - scim
+
+userAttributeProfiles:
+  - name: "My User Attribute Profile"
+    description: "My User Attribute Profile Description"
+    user_attributes:
+      - name: "email"
+        description: "Email"
+        type: "email"
+        required: true
+