auth0-deploy-cli

Managed connection inclusion

Open jgustie opened this issue 4 months ago • 3 comments

Describe the problem you'd like to have solved

We are looking to incorporate self-service SSO into our application which means we will have a mix of managed connections (e.g. social connections, our own employee connection, etc.) and self-service connections (e.g. those created via the self-service SSO feature or manually created on behalf of a customer).

We won't necessarily know the names of the self-service connections being created (nor is there a naming convention or attribute of the data we can rely on to differentiate between the two).

Describe the ideal solution

Ideally, we would add "connections" to AUTH0_EXCLUDED, indicating that connections are not managed using a0deploy by default. We would then specify another configuration, e.g. "AUTH0_MANAGED_CONNECTIONS": ["github", "acme-inc"], to indicate that some connections are managed.

Alternatives and current workarounds

Currently we make sure we add the "self-service" connection names to AUTH0_EXCLUDED_CONNECTIONS in Git ahead of time (we do not have "connections" listed in AUTH0_EXCLUDED); however, this requires extra synchronization and has proven to be error-prone.

An alternative might be to implement something like AUTH0_USE_GITIGNORE=true. Because we use a directory layout and export into a Git repository, our .gitignore file also contains the relevant exclusion rules, e.g.:

/connections/*
!/connections/github.json
!/connections/acme-inc.json

Additional context

We use AUTH0_ALLOW_DELETE=true to ensure that the tenant state in Git matches what is running.

jgustie, Sep 15 '25 14:09

Hi @jgustie, thanks for the feature request!

Could you please provide more details or context for this? Your additional input will help us review it more effectively.

  • Are you trying to manage self-service-SSO ref link? If yes, example link
  • Is it possible to use AUTH0_EXCLUDED_CONNECTIONS: [.......] to add connection names, indicating that connections are not managed using a0deploy? (AUTH0_EXCLUDED_CONNECTIONS can be useful for Multi-environment Workflows.)

kushalshit27, Sep 16 '25 03:09

Yes, that is the self-service feature I am referring to, but the issue isn't as much with the profiles themselves as it is the connections created from them. As I mentioned, we are already working around the issue with AUTH0_EXCLUDED_CONNECTIONS, but because we also use AUTH0_ALLOW_DELETE=true, if we forget to add the name to the excluded list when we create the self-service SSO (SSSSO?) ticket, it will end up getting deleted on the next import run after the connection is actually created.

The issue is that we have a small, fixed number of connections we do want managed and a potentially larger, but variable number of connections we want excluded.

I guess a third option would be if AUTH0_ALLOW_DELETE could be disabled just for connections: that way things like the social connections could still be managed and the self-service created connections would just not get deleted.

jgustie, Sep 16 '25 13:09
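
The failure mode in the comment above (a self-service connection missing from AUTH0_EXCLUDED_CONNECTIONS while AUTH0_ALLOW_DELETE=true) can be checked for before an import run. This is an added example, not part of the thread and not auth0-deploy-cli code: planConnections and withDerivedExclusions are hypothetical helpers, the two customer connection names are constructed sample input, and the deletion behaviour is assumed to be as the thread describes.

```javascript
// Added example, not auth0-deploy-cli code. Assumption taken from the thread:
// with AUTH0_ALLOW_DELETE=true, a tenant connection that is neither defined in
// the repository nor named in AUTH0_EXCLUDED_CONNECTIONS is deleted on import.

// Hypothetical helper: classify every tenant connection before an import run.
function planConnections(tenantNames, managedNames, config) {
  const managed = new Set(managedNames);
  const excluded = new Set(config.AUTH0_EXCLUDED_CONNECTIONS || []);
  const allowDelete = config.AUTH0_ALLOW_DELETE === true || config.AUTH0_ALLOW_DELETE === 'true';
  const plan = { managed: [], excluded: [], wouldDelete: [], untouched: [], conflicts: [] };
  for (const name of [...new Set(tenantNames)].sort()) {
    // A name that is both managed and excluded is a configuration conflict.
    if (managed.has(name) && excluded.has(name)) plan.conflicts.push(name);
    else if (managed.has(name)) plan.managed.push(name);
    else if (excluded.has(name)) plan.excluded.push(name);
    else if (allowDelete) plan.wouldDelete.push(name);
    else plan.untouched.push(name);
  }
  return plan;
}

// Hypothetical helper: invert the allow-list into an exclusion list, so that
// only the small, fixed set of managed names is maintained by hand.
function withDerivedExclusions(tenantNames, managedNames, config) {
  const managed = new Set(managedNames);
  const derived = [...new Set(tenantNames)].filter((n) => !managed.has(n)).sort();
  return { ...config, AUTH0_EXCLUDED_CONNECTIONS: derived };
}

// Constructed sample data: "github" and "acme-inc" come from the issue text,
// the two customer connections are invented for this example.
const sampleTenant = ['github', 'acme-inc', 'customer-a-sso', 'customer-b-sso'];
const sampleManaged = ['github', 'acme-inc'];
const sampleConfig = {
  AUTH0_ALLOW_DELETE: true,
  AUTH0_EXCLUDED_CONNECTIONS: ['customer-a-sso'], // customer-b-sso was forgotten
};

function demo() {
  const before = planConnections(sampleTenant, sampleManaged, sampleConfig);
  const fixed = withDerivedExclusions(sampleTenant, sampleManaged, sampleConfig);
  const after = planConnections(sampleTenant, sampleManaged, fixed);
  return { before, fixed, after };
}

const result = demo();
console.log('at risk before:', result.before.wouldDelete);
console.log('at risk after: ', result.after.wouldDelete);
```

Failing the pipeline whenever wouldDelete is non-empty turns a forgotten exclusion into a blocked run instead of a deleted customer connection. The derived list only covers connections that exist when it is computed, so it should be generated immediately before the import.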

Thank you for your input. We'll review it and follow up if we need more details. 🤝

kushalshit27, Sep 17 '25 09:09