Importing `branding` without `colors` resets Authentication Profile to "Identifier + Password"

[anubhav06]

Checklist

• I have looked into the README and have not found a suitable solution or answer.
• I have looked into the documentation and have not found a suitable solution or answer.
• I have searched the issues and have not found a suitable solution or answer.
• I have upgraded to the latest version of this tool and the issue still persists.
• I have searched the Auth0 Community forums and have not found a suitable solution or answer.
• I agree to the terms within the Auth0 Code of Conduct.

Description

Running a0deploy import with a branding section that contains logo_url but no colors silently resets the tenant's Authentication Profile (Dashboard → Authentication → Authentication Profile) from "Identifier First" to "Identifier + Password".

The Authentication Profile is not managed in our tenant.yaml (there is no prompts section), it was configured via the dashboard. The import exits successfully with no warning or error, so the change goes unnoticed until login behavior breaks (in our case, it broke smoke tests that assert on the /u/login/identifier flow).

This reproduces the reset with this branding config:

branding:
  logo_url: https://images.abc.xyz/static/images/my-image.svg
  templates: []

However, the same import with colors present does NOT reset the profile:

branding:
  colors:
    page_background: '#444f5f'
    primary: '#444f5f'
  logo_url: https://images.abc.xyz/static/images/my-image.svg
  templates: []

This appears closely related to:

• Authentication profile is not set correctly #842 (same symptom, v7.x, closed)
• Fix: Universal Login Authentication Profile reverts to Identifier+Password after import  #1333 / the 8.29.3 fix "Fix Universal Login Authentication Profile reverting to Identifier+Password after import when branding is included" — the issue still reproduces on 8.36.0 in the case where prompts is not managed in the yaml
• auth0_branding with only logo_url silently resets authentication profile settings terraform-provider-auth0#1510, which independently demonstrates that a PATCH /api/v2/branding containing only logo_url triggers the profile reset server-side

Given auth0/terraform-provider-auth0#1510, the root cause may be Management API behavior rather than the CLI itself, but the CLI is where users hit it: when prompts.identifier_first is not present in the yaml, nothing restores the profile after the branding call, and the deploy reports success. At minimum the CLI should avoid emitting the branding payload shape that triggers the reset (the colors-present payload evidently does not), or warn that an unmanaged Authentication Profile may be mutated.

cc/ @gdsoumya @kencochrane

Expectation

Importing branding settings should never mutate the Authentication Profile (identifier_first), especially when prompts is not part of the managed configuration. If that is unavoidable, the CLI should emit a warning or error instead of succeeding silently.

Reproduction

1. On a tenant, set Authentication Profile to "Identifier First" via the dashboard.
2. Create a tenant.yaml containing only:

   branding:
     logo_url: https://images.akuity.io/static/images/logo-color.svg
     templates: []

3. Run a0deploy import -i tenant.yaml -c config.json.
4. Check Dashboard → Authentication → Authentication Profile: it is now "Identifier + Password". Login UI at /u/login shows username + password on one screen instead of the identifier-first flow.
5. Repeat steps 1–4 with colors added to the branding block — the profile is left untouched.

Deploy CLI version

8.36.0

Node version

24.16.0

[harshithRai]

Hello @anubhav06, thank you for reporting this and for the detailed information!
I'll investigate this further and come back with an update.