Error importing client with keyword replace mappings #415

Closed
ghost opened this issue Feb 17, 2022 · 9 comments
ghost commented Feb 17, 2022


Description

First of all, I want to make clear that I want to use the directory structure.
I'm trying to set up the auth0 deploy cli to deploy to multiple environments. For one environment I want a list of callbacks configured in my client.json and for another environment a different list with a different number of callbacks.

Reproduction

my dev.json:

{
    "AUTH0_DOMAIN": "obscured.xx.auth0.com",
    "AUTH0_CLIENT_ID": "obscured",
    "EXCLUDED_PROPS": {
        "clients": ["client_secret"],
        "connections": ["options.client_secret"]
    },
    "AUTH0_KEYWORD_REPLACE_MAPPINGS": {
        "AUTH0_TENANT_NAME": "obscured",
        "API_AUDIENCE": "some-audience",
        "ALLOWED_CALLBACKS": ["http://somewhere-obscured.com/callback", "http://localhost:xxxx/callback"],
        "ALLOWED_LOGOUT_URLS": ["http://somewhere-obscured.com/", "http://localhost:xxxx/"]
    },
    "AUTH0_ALLOW_DELETE": true
}

my client config: (My App.json)

{
...
"name": "My App",
  "description": "The application for obscured",
  "callbacks": @@ALLOWED_CALLBACKS@@,
  "allowed_logout_urls": @@ALLOWED_LOGOUT_URLS@@,
....
}

and I get:

Error parsing JSON from metadata file: clients/My App.json, because: Unexpected token @ in JSON at position 140

I have tried enclosing @@ in quotes: "@@ALLOWED_CALLBACKS@@". The error I get then is:

Error parsing JSON from metadata file: clients/My App.json, because: Unexpected token h in JSON at position 140"

I have tried enclosing with ## but then I get:

Bad Request: Payload validation error: 'Expected type array but found type string' on property allowed_logout_urls (URLs that are valid to redirect to after logout from Auth0).

I'm out of ideas what to try. Is this a bug or a feature? idk

Environment

Please provide the following:

  • Version of this library used:
    7.3.7
@willvedd
Contributor

Noticing a couple things at first glance. Firstly, the config.json file needs to be valid JSON no matter what. And for that reason, you'll need to wrap all variable replacement markers with strings. Next, I'm noticing that your configuration has the variable name of CALLBACKS whereas you're using a different name during replacement, "@@ALLOWED_CALLBACKS@@". My suggestion is to wrap with quotes to make it into valid JSON and then use the correct name. Otherwise, we'll need to dig in a bit further.

@ghost
Author

ghost commented Feb 18, 2022

Sorry, might have been an error when I obscured information for posting here. In my configuration there is no difference between the replacement and wrapped variable name.
With wrapped "@@" I get the error:

Error parsing JSON from metadata file: clients/My App.json, because: Unexpected token h in JSON at position 143

So it actually seems to be replacing the value but for some reason the h from "https" is an unexpected token.

Thanks

@willvedd
Contributor

@JHOmega Ah I see, thanks for clarifying that. I agree with your assessment that the h in https is the unexpected token. The variable replacement mechanism is something that needs a bit of work, see: #125 #291. And admittedly, I'll need to familiarize myself with that part of the code before I can make a more informed recommendation. However, one temporary workaround I can think of is wrapping your itemized values with single quotes:

"ALLOWED_CALLBACKS": ["'http://somewhere-obscured.com/callback'", "'http://localhost:xxxx/callback'"]

So something like that is worth a try until we can get a better solution in the coming weeks/months.

@ghost
Author

ghost commented Feb 22, 2022

I'll try "ALLOWED_CALLBACKS": ["'http://somewhere-obscured.com/callback'", "'http://localhost:xxxx/callback'"] with @@-substitution and ##-substitution.
I'll also try with the yaml format to see if that works as a last resort.

Thanks.

@ghost
Author

ghost commented Feb 24, 2022

I tried with @@-replacement without any wrapping "" in the My App.json and for some reason I no longer get the invalid JSON error and it works? The JSON is clearly invalid but I don't get any errors when deploying the CLI and it seems to work. Not sure why this happened, I moved the code to a different repo and used the directory structure.

@ghost ghost closed this as completed Feb 24, 2022
@willvedd
Contributor

@JHOmega I'm actually looking into this as we speak. Do you mind providing a working example?

@ghost
Author

ghost commented Feb 24, 2022

Sure. Here you go:

config.json:

{
    "AUTH0_DOMAIN": "xx.auth0.com",
    "AUTH0_CLIENT_ID": "",
    "EXCLUDED_PROPS": {
        "clients": ["client_secret"],
        "connections": ["options.client_secret"]
    },
    "AUTH0_KEYWORD_REPLACE_MAPPINGS": {
        "AUTH0_TENANT_NAME": "tenant-name",
        "ALLOWED_CALLBACKS": ["https://allowed-callback-domain.com/api/auth/callback"],
        "ALLOWED_LOGOUT_URLS": ["https://allowed-logout.com"],
        "API_AUDIENCE": "https://audience.com/api/",
        "EMAIL_VERIFICATION_RESULT_URL": "https://email-verification.com/email-verification"
    },
    "AUTH0_ALLOW_DELETE": true
}

My App.json:

{
    "is_token_endpoint_ip_header_trusted": false,
    "name": "My App",
    "description": "The Auth0 application for xx",
    "callbacks": @@ALLOWED_CALLBACKS@@,
    "allowed_logout_urls": @@ALLOWED_LOGOUT_URLS@@,
    "is_first_party": true,
    "sso_disabled": false,
    "cross_origin_auth": false,
    "oidc_conformant": true,
    "refresh_token": {
        "expiration_type": "expiring",
        "leeway": 0,
        "infinite_token_lifetime": false,
        "infinite_idle_token_lifetime": false,
        "token_lifetime": 2419200,
        "idle_token_lifetime": 604800,
        "rotation_type": "non-rotating"
    },
    "sso": false,
    "allowed_clients": [],
    "native_social_login": {
        "apple": {
            "enabled": false
        },
        "facebook": {
            "enabled": false
        }
    },
    "jwt_configuration": {
        "alg": "RS256",
        "lifetime_in_seconds": 3600,
        "secret_encoded": false
    },
    "client_aliases": [],
    "token_endpoint_auth_method": "client_secret_post",
    "app_type": "regular_web",
    "grant_types": [
        "authorization_code",
        "refresh_token"
    ],
    "custom_login_page_on": true
}

@willvedd
Contributor

willvedd commented Feb 24, 2022

@JHOmega After looking into this a bit further, what you've discovered is the intended usage of the @@ variable replacement functionality. That is, by creating invalid JSON. I think you'll agree with me that this isn't ideal so I went ahead and modified this behavior to also work when wrapped in quotes, so something like this will now work. See #421 for the specific code change.

{
    "allowed_hosts": "@@ALLOWED_HOSTS@@"
}

This new behavior can be used with v7.4.0.
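
The behaviours reported in this thread can be reproduced with a simplified model of the two marker styles. This is an added example, not the deploy CLI's own code: the function names, the `quotedToo` switch (standing in for the v7.4.0 change described above) and the sample URLs are constructed for illustration.

```javascript
// Simplified model of @@KEY@@ / ##KEY## substitution; names are hypothetical,
// this is not the deploy CLI's source.
const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// @@KEY@@ -> JSON-encoded value. With quotedToo, the quoted form "@@KEY@@"
// (quotes included) is replaced first, so the template can stay valid JSON.
function replaceJsonMarkers(text, mappings, quotedToo) {
  for (const [key, value] of Object.entries(mappings)) {
    const json = JSON.stringify(value);
    if (quotedToo) {
      text = text.replace(new RegExp(escapeRe(`"@@${key}@@"`), "g"), () => json);
    }
    // Replacer function avoids "$" in a URL being read as a replacement pattern.
    text = text.replace(new RegExp(escapeRe(`@@${key}@@`), "g"), () => json);
  }
  return text;
}

// ##KEY## -> raw string form of the value; an array collapses to "a,b".
function replaceStringMarkers(text, mappings) {
  for (const [key, value] of Object.entries(mappings)) {
    text = text.replace(new RegExp(escapeRe(`##${key}##`), "g"), () => String(value));
  }
  return text;
}

// Substitute, parse, and report what type "callbacks" ended up with.
function render(template, mappings, quotedToo) {
  const out = replaceStringMarkers(replaceJsonMarkers(template, mappings, quotedToo), mappings);
  try {
    const { callbacks } = JSON.parse(out);
    return { ok: true, callbacks, isArray: Array.isArray(callbacks) };
  } catch (err) {
    return { ok: false, error: err.message, text: out };
  }
}

// Constructed sample mapping and templates (not from a real tenant).
const mappings = { ALLOWED_CALLBACKS: ["https://app.example.test/callback", "http://localhost:3000/callback"] };
const results = {
  bareLegacy: render('{"callbacks": @@ALLOWED_CALLBACKS@@}', mappings, false),     // parses, array
  quotedLegacy: render('{"callbacks": "@@ALLOWED_CALLBACKS@@"}', mappings, false), // parse error at "h"
  quotedFixed: render('{"callbacks": "@@ALLOWED_CALLBACKS@@"}', mappings, true),   // parses, array
  hashed: render('{"callbacks": "##ALLOWED_CALLBACKS##"}', mappings, false),       // parses, but a string
};
console.log(results);
```

In the `quotedLegacy` case the substituted text begins `"callbacks": "["https://…`, so the parser sees a complete string `"["` followed by a stray `h`, which is the "Unexpected token h" error reported above; the `hashed` case parses but yields a string, which is what the API rejects with "Expected type array but found type string".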

@ghost
Author

ghost commented Feb 28, 2022

> @JHOmega After looking into this a bit further, what you've discovered is the intended usage of the @@ variable replacement functionality. That is, by creating invalid JSON. I think you'll agree with me that this isn't ideal so I went ahead and modified this behavior to also work when wrapped in quotes, so something like this will now work. See #421 for the specific code change.
>
> {
>     "allowed_hosts": "@@ALLOWED_HOSTS@@"
> }
>
> This new behavior can be used with v7.4.0.

Cool! Thanks a lot.
