
Fix: client grants incorrectly matched when multiple grants share the same client_id + audience #1341

Merged
kushalshit27 merged 9 commits into master from DXCDT-1579 on Apr 8, 2026

Conversation

@ankita10119
Contributor

@ankita10119 ankita10119 commented Mar 27, 2026

🔧 Changes

Root cause

The identifier set used to match local grants to their remote counterparts was missing subject_type as a distinguishing field:

Before

identifiers: ['id', ['client_id', 'audience']]

When two grants share the same client_id + audience but differ by subject_type, the matching algorithm couldn't tell them apart and paired them based on iteration order, causing the wrong grant to be updated on every deploy.

Fix

After

identifiers: ['id', ['client_id', 'audience', 'subject_type'], ['client_id', 'audience']]
  1. id - unambiguous match when grant ID is present
  2. [client_id, audience, subject_type] - correctly distinguishes grants with same client_id + audience but different subject_type
  3. [client_id, audience] - fallback for grants where subject_type is null, preserving backward compatibility

📚 References

Closes #1329

Backward compatibility

No breaking changes. The ['client_id', 'audience'] fallback preserves existing behavior for tenants not using subject_type. Only tenants with multiple grants sharing the same client_id + audience are affected.

🔬 Testing

Added a unit test reproducing the exact failure scenario - two grants with the same client_id + audience but reversed order relative to the API response.
Without the fix the test fails; with the fix both grants are matched and updated correctly.

📝 Checklist

  • All new/changed/fixed functionality is covered by tests (or N/A)
  • I have added documentation for all new/changed functionality (or N/A)
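The ordered identifier matching the description refers to, as an added example that is not part of this PR or of auth0-deploy-cli's own code: a small matcher that tries each identifier set in order against the still-unmatched remote grants, run over constructed local and remote grants (the client_id, audience, grant ids and subject_type values are made up) so that the old identifier set pairs both grants wrongly and the new one matches them by subject_type.

```typescript
// Added example, not auth0-deploy-cli's own code: a minimal model of ordered identifier matching.
type Grant = { id?: string; client_id: string; audience: string; subject_type?: string | null };
type IdentifierSet = string | string[];

// Candidate key for one identifier set, or null if any of its fields is unset on the grant.
function keyFor(g: Grant, ident: IdentifierSet): string | null {
  const fields = Array.isArray(ident) ? ident : [ident];
  const values = fields.map((f) => g[f as keyof Grant]);
  if (values.some((v) => v === undefined || v === null)) return null;
  return fields.join('+') + '=' + values.join('|');
}

// Pair each local grant with at most one unmatched remote grant, trying the identifier
// sets in order and taking the first remote grant (in API order) whose key agrees.
function matchGrants(local: Grant[], remote: Grant[], identifiers: IdentifierSet[]): Map<number, number> {
  const taken = new Set<number>();
  const matched = new Map<number, number>();
  local.forEach((lg, li) => {
    for (const ident of identifiers) {
      const key = keyFor(lg, ident);
      if (key === null) continue;
      const ri = remote.findIndex((rg, i) => !taken.has(i) && keyFor(rg, ident) === key);
      if (ri !== -1) { taken.add(ri); matched.set(li, ri); break; }
    }
  });
  return matched;
}

// Matched pairs whose subject_type disagrees: each is a grant the deploy would update wrongly.
function wrongPairs(local: Grant[], remote: Grant[], matched: Map<number, number>): number {
  let wrong = 0;
  matched.forEach((ri, li) => {
    if ((local[li].subject_type ?? null) !== (remote[ri].subject_type ?? null)) wrong++;
  });
  return wrong;
}
// Identifier sets before and after the fix, as given in the PR description.
const BEFORE: IdentifierSet[] = ['id', ['client_id', 'audience']];
const AFTER: IdentifierSet[] = ['id', ['client_id', 'audience', 'subject_type'], ['client_id', 'audience']];
// Constructed sample (ids and subject_type values are made up): the local YAML lists the
// two grants in the reverse of the order the API returns them, as in the PR's unit test.
const localGrants: Grant[] = [
  { client_id: 'cli_ABC', audience: 'https://api.example.com/', subject_type: 'user' },
  { client_id: 'cli_ABC', audience: 'https://api.example.com/', subject_type: 'client' },
];
const remoteGrants: Grant[] = [
  { id: 'cgr_1', client_id: 'cli_ABC', audience: 'https://api.example.com/', subject_type: 'client' },
  { id: 'cgr_2', client_id: 'cli_ABC', audience: 'https://api.example.com/', subject_type: 'user' },
];
```

The matcher is a simplification that consumes each remote grant once; it reproduces the effect of the identifier order, not the handler's exact implementation.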

@ankita10119 ankita10119 requested a review from a team as a code owner March 27, 2026 12:21
@codecov-commenter

codecov-commenter commented Mar 27, 2026

Codecov Report

❌ Patch coverage is 85.71429% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 80.06%. Comparing base (c00e852) to head (ed62c21).

Files with missing lines | Patch % | Lines
src/tools/auth0/handlers/clientGrants.ts | 85.71% | 0 Missing and 2 partials ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master    #1341      +/-   ##
==========================================
+ Coverage   80.03%   80.06%   +0.02%     
==========================================
  Files         152      152              
  Lines        6182     6196      +14     
  Branches     1282     1286       +4     
==========================================
+ Hits         4948     4961      +13     
  Misses        701      701              
- Partials      533      534       +1     


@ankita10119 ankita10119 requested a review from kushalshit27 April 2, 2026 06:08
@karlm-v2

karlm-v2 commented Apr 8, 2026

Hi @kushalshit27 - Can you advise when this fix will be merged and in what version?

@kushalshit27 kushalshit27 merged commit 8e4ef6d into master Apr 8, 2026
8 checks passed
@kushalshit27 kushalshit27 deleted the DXCDT-1579 branch April 8, 2026 07:10
@kushalshit27
Contributor

Hi, @karlm-v2,
This is merged and will be included in our upcoming release.


Development

Successfully merging this pull request may close these issues.

[Bug]: clientGrants import is order-sensitive and only succeeds when YAML matches GET /api/v2/client-grants order

4 participants