4 changes: 4 additions & 0 deletions docs/configuring-the-deploy-cli.md
Expand Up @@ -155,6 +155,10 @@ Provides ability to exclude any unwanted properties from management.

String. Separate value from audience value while retrieving an access token for management API. Useful when default Management API endpoints are not publicly exposed.

### `AUTH0_EXCLUDE_THIRD_PARTY_CLIENTS`

Boolean. When enabled, excludes third-party clients from being managed. Only first-party clients will be included in export and import operations. This is useful when you have Dynamic Client Registration (DCR) enabled and you have a lot of third-party clients in your tenant. Default: `false`.

### `AUTH0_EXCLUDED_RULES`

Array of strings. Excludes the management of specific rules by ID. **Note:** This configuration may be subject to deprecation in the future. See: [excluding resources from management](excluding-from-management.md).
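Review bot: The new `AUTH0_EXCLUDE_THIRD_PARTY_CLIENTS` entry does not say what happens to third-party clients on import when `AUTH0_ALLOW_DELETE` is enabled. Since the option is aimed at tenants with many DCR-registered clients, state explicitly whether those clients are left untouched or treated as missing from the local configuration, and say that "third-party" here means clients that the `is_first_party` filter does not match.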
12 changes: 12 additions & 0 deletions docs/excluding-from-management.md
Expand Up @@ -55,6 +55,18 @@ Some resource types support exclusions of individual resource by name. This is p

> ⚠️ **NOTE:** Excluding resources by ID is being considered for deprecation in future major versions. See the [resource exclusion proposal](https://github.com/auth0/auth0-deploy-cli/issues/451) for more details.

### Excluding third-party clients

You can also exclude all third-party clients at once using the `AUTH0_EXCLUDE_THIRD_PARTY_CLIENTS` configuration option. When enabled, only first-party clients will be included in export and import operations. This is useful when you have Dynamic Client Registration (DCR) enabled and you have a lot of third-party clients in your tenant.

```json
{
"AUTH0_DOMAIN": "example-site.us.auth0.com",
"AUTH0_CLIENT_ID": "<YOUR_AUTH0_CLIENT_ID>",
"AUTH0_EXCLUDE_THIRD_PARTY_CLIENTS": true
}
```

## Omitted vs excluded vs empty

The above sections pertain to exclusion which forcefully ignore configurations bi-directionally. It is worth noting similar but very different concepts: “omissions” and “empty” states.
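Review bot: The paragraph under "Excluding third-party clients" repeats the reference entry in docs/configuring-the-deploy-cli.md almost word for word, so the two descriptions can drift apart. Keep the JSON example here and link to the reference entry for the description; "a lot of third-party clients" would also read better as "many third-party clients".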
5 changes: 5 additions & 0 deletions src/tools/auth0/handlers/clients.ts
Expand Up @@ -367,10 +367,15 @@ export default class ClientHandler extends DefaultAPIHandler {
async getType() {
if (this.existing) return this.existing;

const excludeThirdPartyClients =
this.config('AUTH0_EXCLUDE_THIRD_PARTY_CLIENTS') === 'true' ||
this.config('AUTH0_EXCLUDE_THIRD_PARTY_CLIENTS') === true;

const clients = await paginate<Client>(this.client.clients.getAll, {
paginate: true,
include_totals: true,
is_global: false,
...(excludeThirdPartyClients && { is_first_party: true }),
});

this.existing = clients;
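Review bot: In `getType()` the `is_first_party: true` filter narrows only the remote `clients.getAll` fetch, and nothing in this hunk filters the clients read from the local configuration. With the flag on, a third-party client defined locally will not be found in `this.existing`, so please confirm how import treats it (create attempt, conflict or skip) and either filter the local side as well or document the behaviour. Minor: `this.config('AUTH0_EXCLUDE_THIRD_PARTY_CLIENTS')` is read twice; read it once into a local before comparing.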
2 changes: 2 additions & 0 deletions src/types.ts
Expand Up @@ -26,6 +26,7 @@ type SharedPaginationParams = {
checkpoint?: boolean;
paginate?: boolean;
is_global?: boolean;
is_first_party?: boolean;
include_totals?: boolean;
id?: string;
strategy?: GetConnectionsStrategyEnum[];
Expand Down Expand Up @@ -63,6 +64,7 @@ export type Config = {
AUTH0_INPUT_FILE: string;
AUTH0_ALLOW_DELETE: boolean;
AUTH0_EXCLUDED?: AssetTypes[];
AUTH0_EXCLUDE_THIRD_PARTY_CLIENTS?: boolean;
AUTH0_INCLUDED_ONLY?: AssetTypes[];
AUTH0_PRESERVE_KEYWORDS: boolean;
EXTENSION_SECRET: string;
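Review bot: `AUTH0_EXCLUDE_THIRD_PARTY_CLIENTS?: boolean` in `Config` does not match the handler, which also accepts the string `'true'`. Either widen the type to cover the string form or normalise the value to a boolean where the configuration is loaded, so that handlers compare against a single type.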
34 changes: 34 additions & 0 deletions test/tools/auth0/handlers/clients.tests.js
Expand Up @@ -399,6 +399,40 @@ describe('#clients handler', () => {
]);
});

it('should get clients with is_first_party when AUTH0_EXCLUDE_THIRD_PARTY_CLIENTS is enabled', async () => {
const getAllParams = [];
const auth0 = {
clients: {
getAll: (params) => {
getAllParams.push(params);
return mockPagedData(params, 'clients', [
{ name: 'first party client', client_id: 'first-party-client-id' },
]);
},
},
pool,
};

const testConfig = function (key) {
return testConfig.data && testConfig.data[key];
};
testConfig.data = {
AUTH0_CLIENT_ID: 'client_id',
AUTH0_ALLOW_DELETE: true,
AUTH0_EXCLUDE_THIRD_PARTY_CLIENTS: true,
};

const handler = new clients.default({ client: pageClient(auth0), config: testConfig });
await handler.getType();

expect(getAllParams.length).to.be.greaterThan(0);
const firstCallParams = getAllParams[0];
expect(firstCallParams).to.be.an('object');
expect(firstCallParams.is_first_party).to.equal(true);
expect(firstCallParams.include_totals).to.equal(true);
expect(firstCallParams.is_global).to.equal(false);
});

it('should update client', async () => {
const auth0 = {
clients: {
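Review bot: The new test covers only the boolean `true` case of `AUTH0_EXCLUDE_THIRD_PARTY_CLIENTS`. Add a case for the string `'true'`, which the handler also accepts, and a case with the option unset or `false` that asserts `is_first_party` is absent from the `getAll` params, so a regression that always sends the filter is caught.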