
Commit fb1655b

authored
fix: allow updating when JWKS URI is set (#3935) (#3946)
The client validator no longer rejects PATCH and PUT updates when `JSONWebKeysURI` is non-empty and `JSONWebKeys` is not nil. Closes #3935
1 parent e24f9a7 commit fb1655b


3 files changed

+26
-4
lines changed


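--- a/client/sdk_test.go
+++ b/client/sdk_test.go
@@ -233,4 +233,20 @@ func TestClientSDK(t *testing.T) {
 // secret hashes shouldn't change between these PUT calls
 require.Equal(t, result1.ClientSecret, result2.ClientSecret)
 })
+
+t.Run("case=patch client that has JSONWebKeysURI", func(t *testing.T) {
+op := "replace"
+path := "/client_name"
+value := "test"
+
+client := createTestClient("")
+client.SetJwksUri("https://example.org/.well-known/jwks.json")
+created, _, err := c.OAuth2API.CreateOAuth2Client(context.Background()).OAuth2Client(client).Execute()
+require.NoError(t, err)
+client.ClientId = created.ClientId
+
+result, _, err := c.OAuth2API.PatchOAuth2Client(context.Background(), *client.ClientId).JsonPatch([]hydra.JsonPatch{{Op: op, Path: path, Value: value}}).Execute()
+require.NoError(t, err)
+require.Equal(t, value, pointerx.Deref(result.ClientName))
+})
 }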
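Review bot: The new sub-test asserts only that `client_name` changed; it never checks that `jwks_uri` is still present on the patched client, so a PATCH that succeeded by silently dropping the key location would still pass. Adding `require.Equal(t, "https://example.org/.well-known/jwks.json", pointerx.Deref(result.JwksUri))` after the name assertion would pin that. The commit message also mentions PUT, but only PATCH is exercised in this hunk; a PUT case may exist in the part of TestClientSDK that lies outside it.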

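--- a/client/validator.go
+++ b/client/validator.go
@@ -54,20 +54,20 @@ func (v *Validator) Validate(ctx context.Context, c *Client) error {
 if c.TokenEndpointAuthMethod == "" {
 c.TokenEndpointAuthMethod = "client_secret_basic"
 } else if c.TokenEndpointAuthMethod == "private_key_jwt" {
-if len(c.JSONWebKeysURI) == 0 && c.JSONWebKeys == nil {
+if len(c.JSONWebKeysURI) == 0 && c.GetJSONWebKeys() == nil {
 return errorsx.WithStack(ErrInvalidClientMetadata.WithHint("When token_endpoint_auth_method is 'private_key_jwt', either jwks or jwks_uri must be set."))
 }
 if c.TokenEndpointAuthSigningAlgorithm != "" && !isSupportedAuthTokenSigningAlg(c.TokenEndpointAuthSigningAlgorithm) {
 return errorsx.WithStack(ErrInvalidClientMetadata.WithHint("Only RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES384 and ES512 are supported as algorithms for private key authentication."))
 }
 }
 
-if len(c.JSONWebKeysURI) > 0 && c.JSONWebKeys != nil {
+if len(c.JSONWebKeysURI) > 0 && c.GetJSONWebKeys() != nil {
 return errorsx.WithStack(ErrInvalidClientMetadata.WithHint("Fields jwks and jwks_uri can not both be set, you must choose one."))
 }
 
-if c.JSONWebKeys != nil && c.JSONWebKeys.JSONWebKeySet != nil {
-for _, k := range c.JSONWebKeys.Keys {
+if jsonWebKeys := c.GetJSONWebKeys(); jsonWebKeys != nil {
+for _, k := range jsonWebKeys.Keys {
 if !k.Valid() {
 return errorsx.WithStack(ErrInvalidClientMetadata.WithHint("Invalid JSON web key in set."))
 }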
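Review bot: All three key checks in this hunk now depend on when `GetJSONWebKeys()` returns nil, and that contract is not visible here, so the `private_key_jwt` requirement and the jwks/jwks_uri exclusivity rule are only as strict as the getter's idea of "unset". Judging by the new validator test an empty wrapper counts as unset, but whether a set holding zero keys does is not shown; if it does not, a `private_key_jwt` client could pass validation with no usable key. I would call the getter once near the top, `jsonWebKeys := c.GetJSONWebKeys() // nil when no inline key set is configured (empty wrapper included)`, and reuse that local in the three conditions so they cannot drift apart. Validate starts before and continues after this hunk.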

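--- a/client/validator_test.go
+++ b/client/validator_test.go
@@ -110,6 +110,12 @@ func TestValidate(t *testing.T) {
 return true
 },
 },
+{
+in: &Client{ID: "foo", JSONWebKeys: new(x.JoseJSONWebKeySet), JSONWebKeysURI: "https://example.org/jwks.json"},
+check: func(t *testing.T, c *Client) {
+assert.Nil(t, c.GetJSONWebKeys())
+},
+},
 {
 in: &Client{ID: "foo", PostLogoutRedirectURIs: []string{"https://bar/"}, RedirectURIs: []string{"https://foo/"}},
 assertErr: assert.Error,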
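Review bot: The added table entry covers only the relaxed path (an empty `JSONWebKeys` wrapper together with `JSONWebKeysURI`), and nothing in this hunk shows the opposite case still being rejected. Since the exclusivity check in validator.go is loosened in the same commit, a sibling entry such as `{in: &Client{ID: "foo", JSONWebKeys: <populated key set>, JSONWebKeysURI: "https://example.org/jwks.json"}, assertErr: assert.Error},` would guard against the check being relaxed too far; `<populated key set>` is a placeholder for a set holding at least one key. Such a case may already exist in the part of TestValidate outside the hunk.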
