tokenExchangeProfiles: Promise.all causes race condition between delete and create

[shahvicky]

Checklist

• I have looked into the README and have not found a suitable solution or answer.
• I have looked into the documentation and have not found a suitable solution or answer.
• I have searched the issues and have not found a suitable solution or answer.
• I have upgraded to the latest version of this tool and the issue still persists.
• I have searched the Auth0 Community forums and have not found a suitable solution or answer.
• I agree to the terms within the Auth0 Code of Conduct.

Description

Hi team,

I added tokenExchangeProfiles with name, type, subject_token_type, and action.
This profile already exists in my tenant (previously created via Management API). I want to check the configuration into code.

The CLI detects it should delete the existing profile and create from config (delete:1, create:1), and the create fails with a 409 conflict:

2025-12-18T00:48:08.874Z - debug: Start processChanges for tokenExchangeProfiles [delete:1] [update:0], [create:1], [conflicts:0]
2025-12-18T00:48:08.875Z - warn: Detected the following tokenExchangeProfile should be deleted. Doing so may be destructive.
You can enable deletes by setting 'AUTH0_ALLOW_DELETE' to true in the config

{}      
2025-12-18T00:48:08.961Z - error: Problem running command import during stage processChanges when processing type tokenExchangeProfiles
2025-12-18T00:48:08.961Z - error: Problem creating tokenExchangeProfiles {}
ConflictError: ConflictError
Status code: 409
Body: {
  "statusCode": 409,
  "error": "Conflict",
  "message": "Token exchange profile with the same subject_token_type already exists"
}
2025-12-18T00:48:08.961Z - debug: Error: Problem creating tokenExchangeProfiles {}
ConflictError: ConflictError
Status code: 409
Body: {
  "statusCode": 409,
  "error": "Conflict",
  "message": "Token exchange profile with the same subject_token_type already exists"
}
    at /usr/local/lib/node_modules/auth0-deploy-cli/lib/tools/auth0/handlers/tokenExchangeProfiles.js:212:23
    at process.processTicksAndRejections (node:internal/process/task_queues:105:5)

Even with AUTH0_ALLOW_DELETE=true, the code uses Promise.all which doesn't guarantee execution order. The comment says "Process changes in order: delete, create, update" but Promise.all runs them concurrently, so create could still race ahead of delete.
See: https://github.com/auth0/auth0-deploy-cli/blob/master/src/tools/auth0/handlers/tokenExchangeProfiles.ts#L174-L194

Expectation

Existing token exchange profiles remain as it is, and new profiles to be created

Reproduction

1. Create a custom token exchange profile using the Management API explained here
2. Use the same subject_token_type and the action in the tenant.yaml file in the tokenExchangeProfiles configuration

Deploy CLI version

Latest

Node version

v22.11.0

[kushalshit27]

Hi, @shahvicky,
Thank you for bringing this issue to our attention. The fix is ready and available here: #1240, and it will be merged and released as soon as it completes the review process

[shahvicky]

Hi @kushalshit27 , I tried this again, this time with version 8.24.0, and I see the same error.
I have 3 custom token exchange profiles and actions in my tenant.yaml, of which 1 is already deployed to my test tenant using Management API. After testing here, I want to run this in my sync this with my tenant which has all 3 custom token exchange profiles created with management API.
I don't want to set AUTH0_ALLOW_DELETE to true because of it destructive nature.
I am still getting the following error (changed names and ids):

2025-12-31T19:20:46.123Z - debug: Start processChanges for tokenExchangeProfiles [delete:1] [update:2], [create:1], [conflicts:0]
2025-12-31T19:20:46.123Z - warn: Detected the following tokenExchangeProfile should be deleted. Doing so may be destructive.
You can enable deletes by setting 'AUTH0_ALLOW_DELETE' to true in the config
      
{"id":"...","name":"....","type":"custom_authentication","subject_token_type":"custm-token-type","created_at":"2025-11-27T03:22:36.521Z","updated_at":"2025-12-16T23:04:50.159Z","action":"cusm-actn"}
2025-12-31T19:20:46.270Z - error: Problem running command import during stage processChanges when processing type tokenExchangeProfiles
2025-12-31T19:20:46.271Z - error: Problem creating tokenExchangeProfiles {"name":"cusm-actn-profile","type":"custom_authentication","subject_token_type":"custm-token-type","action_id":"12345"}
ConflictError: ConflictError
Status code: 409
Body: {
  "statusCode": 409,
  "error": "Conflict",
  "message": "Token exchange profile with the same subject_token_type already exists"
}
2025-12-31T19:20:46.272Z - debug: Error: Problem creating tokenExchangeProfiles {"name":"cusm-actn.-profile","type":"custom_authentication","subject_token_type":"custm-token-type","action_id":"12345"}
ConflictError: ConflictError
Status code: 409
Body: {
  "statusCode": 409,
  "error": "Conflict",
  "message": "Token exchange profile with the same subject_token_type already exists"
}
 at /usr/local/lib/node_modules/auth0-deploy-cli/lib/tools/auth0/handlers/tokenExchangeProfiles.js:204:23
 at process.processTicksAndRejections (node:internal/process/task_queues:105:5)

Is there something else I am missing.

[kushalshit27]

Hi, @shahvicky
Thank you for reporting this issue! Our team is currently investigating the issue.

[kushalshit27]

The fix for this issue is merged and will be included in our upcoming release.