
Deploy CLI re-imports generated connection secret placeholders as literal client_secret values #1344

@bradfloodx

Summary

auth0-deploy-cli can export an enterprise connection client_secret as a generated placeholder like ##CONNECTIONS_OIDC_SECRET##, and then later re-import that same placeholder as the literal live secret value on the tenant.

That breaks enterprise logins with invalid_client and makes a normal export/import round-trip unsafe for Auth0 connections that use client_secret.

Versions

  • Older working workflow on this machine: a0deploy 8.7.1
  • Reproduced broken behavior with: auth0-deploy-cli 8.29.3

Expected behavior

If Deploy CLI generates a masked placeholder on export, import should not write that placeholder back into the live tenant as the actual client_secret value.

Import should do one of these instead:

  • strip that field from the update payload
  • fail fast with a validation error
  • or otherwise treat the generated placeholder as non-deployable

Actual behavior

Import writes the generated placeholder string back into the live Auth0 enterprise connection secret field.

Example resulting live value after import:

"client_secret": "##CONNECTIONS_OIDC_SECRET##"

After that, upstream IdP auth fails with:

invalid_request: server responded with an error in the response body: The client secret supplied for a confidential client is invalid. (invalid_client)

Reproduction

  1. Use a tenant with an enterprise OIDC connection that has a valid working client_secret.
  2. Export the tenant with a newer Deploy CLI version that masks connection secrets.
  3. Confirm the exported connection file contains a generated placeholder, for example:
    "client_secret": "##CONNECTIONS_OIDC_SECRET##"
  4. Re-import that exported directory without providing a replacement environment variable for that placeholder.
  5. Observe that the import updates the connection successfully.
  6. Inspect the live Auth0 connection via the Management API.
  7. Observe that the live client_secret is now the literal placeholder string.
  8. Attempt login through that enterprise connection and observe invalid_client.

Concrete repro observed

We verified this against a live enterprise OIDC connection:

  1. The live Auth0 connection had a real secret value before import.
  2. An import was run using config exported from the same tenant.
  3. The import explicitly updated that OIDC connection during the connections phase.
  4. Immediately after import, the live connection value became:
    "client_secret": "##CONNECTIONS_OIDC_SECRET##"
  5. Login failed again with invalid_client.

Additional context

This seems related to the connection secret masking change introduced in the 8.9.0 release / PR #1103.

From local package inspection:

  • older 8.7.1 workflow did not expose this behavior for us
  • newer versions export masked connection placeholders
  • import-side handling appears to strip only Auth0's _VALUE_NOT_SHOWN_ sentinel, not generated ##...## placeholders

That makes the export/import contract for connection secrets unsafe.

Suggested fix

When importing connections, generated masked placeholder values like ##CONNECTIONS_*_SECRET## should never be written into live client_secret fields.
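As an added example (not auth0-deploy-cli's own code), the kind of pre-import guard described above: it walks a connection object, refuses to deploy when a secret field still holds an unresolved ##...## placeholder, and drops Auth0's _VALUE_NOT_SHOWN_ sentinel so the tenant keeps its stored value. The sample connection, the secret field names and the function names are assumed for illustration.

```javascript
// Added illustration, not auth0-deploy-cli code. Guards a connection payload
// before it is sent to the Management API.
const GENERATED_PLACEHOLDER = /^##[A-Z0-9_]+##$/;   // e.g. ##CONNECTIONS_OIDC_SECRET##
const AUTH0_SENTINEL = '_VALUE_NOT_SHOWN_';          // Auth0's export-side redaction
// Secret-bearing keys; client_secret is from the report, clientSecret is assumed.
const SECRET_FIELDS = ['client_secret', 'clientSecret'];

function isUnresolvedPlaceholder(value) {
  return typeof value === 'string' && GENERATED_PLACEHOLDER.test(value);
}

// Return dotted paths of secret fields that would be written as a literal placeholder.
function findUnresolvedSecrets(obj, path = []) {
  const hits = [];
  if (obj === null || typeof obj !== 'object') return hits;
  for (const [key, value] of Object.entries(obj)) {
    const here = [...path, key];
    if (SECRET_FIELDS.includes(key) && isUnresolvedPlaceholder(value)) {
      hits.push(here.join('.'));
    } else if (value !== null && typeof value === 'object') {
      hits.push(...findUnresolvedSecrets(value, here));
    }
  }
  return hits;
}

// Deep-copy the object, omitting any field whose value is Auth0's sentinel,
// so the update payload leaves the tenant's stored secret untouched.
function stripSentinels(obj) {
  if (obj === null || typeof obj !== 'object') return obj;
  const out = Array.isArray(obj) ? [] : {};
  for (const [key, value] of Object.entries(obj)) {
    if (value === AUTH0_SENTINEL) continue;
    out[key] = stripSentinels(value);
  }
  return out;
}

// Fail fast on unresolved placeholders; otherwise return a safe update payload.
function prepareConnectionForImport(connection) {
  const unresolved = findUnresolvedSecrets(connection);
  if (unresolved.length > 0) {
    throw new Error(`unresolved secret placeholder in: ${unresolved.join(', ')}`);
  }
  return stripSentinels(connection);
}

// Constructed sample modelled on the exported connection file in the report.
const SAMPLE_CONNECTION = {
  name: 'corp-oidc',
  strategy: 'oidc',
  options: { client_id: 'abc123', client_secret: '##CONNECTIONS_OIDC_SECRET##' },
};
```

Running `prepareConnectionForImport(SAMPLE_CONNECTION)` throws instead of updating the tenant, which is the fail-fast behaviour the expected-behaviour section asks for.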
