fix: allow updating when JWKS URI is set (#3935) (#3946)

The client validator no longer rejects PATCH and PUT updates when `JSONWebKeysURI` is non-empty and `JSONWebKeys` is not nil.

Closes #3935

Author: phooijenga

client/sdk_test.go

@@ -233,4 +233,20 @@ func TestClientSDK(t *testing.T) {
 		// secret hashes shouldn't change between these PUT calls
 		require.Equal(t, result1.ClientSecret, result2.ClientSecret)
 	})
+
+	t.Run("case=patch client that has JSONWebKeysURI", func(t *testing.T) {
+		op := "replace"
+		path := "/client_name"
+		value := "test"
+
+		client := createTestClient("")
+		client.SetJwksUri("https://example.org/.well-known/jwks.json")
+		created, _, err := c.OAuth2API.CreateOAuth2Client(context.Background()).OAuth2Client(client).Execute()
+		require.NoError(t, err)
+		client.ClientId = created.ClientId
+
+		result, _, err := c.OAuth2API.PatchOAuth2Client(context.Background(), *client.ClientId).JsonPatch([]hydra.JsonPatch{{Op: op, Path: path, Value: value}}).Execute()
+		require.NoError(t, err)
+		require.Equal(t, value, pointerx.Deref(result.ClientName))
+	})
 }

client/validator.go

@@ -54,20 +54,20 @@ func (v *Validator) Validate(ctx context.Context, c *Client) error {
 	if c.TokenEndpointAuthMethod == "" {
 		c.TokenEndpointAuthMethod = "client_secret_basic"
 	} else if c.TokenEndpointAuthMethod == "private_key_jwt" {
-		if len(c.JSONWebKeysURI) == 0 && c.JSONWebKeys == nil {
+		if len(c.JSONWebKeysURI) == 0 && c.GetJSONWebKeys() == nil {
 			return errorsx.WithStack(ErrInvalidClientMetadata.WithHint("When token_endpoint_auth_method is 'private_key_jwt', either jwks or jwks_uri must be set."))
 		}
 		if c.TokenEndpointAuthSigningAlgorithm != "" && !isSupportedAuthTokenSigningAlg(c.TokenEndpointAuthSigningAlgorithm) {
 			return errorsx.WithStack(ErrInvalidClientMetadata.WithHint("Only RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES384 and ES512 are supported as algorithms for private key authentication."))
 		}
 	}
 
-	if len(c.JSONWebKeysURI) > 0 && c.JSONWebKeys != nil {
+	if len(c.JSONWebKeysURI) > 0 && c.GetJSONWebKeys() != nil {
 		return errorsx.WithStack(ErrInvalidClientMetadata.WithHint("Fields jwks and jwks_uri can not both be set, you must choose one."))
 	}
 
-	if c.JSONWebKeys != nil && c.JSONWebKeys.JSONWebKeySet != nil {
-		for _, k := range c.JSONWebKeys.Keys {
+	if jsonWebKeys := c.GetJSONWebKeys(); jsonWebKeys != nil {
+		for _, k := range jsonWebKeys.Keys {
 			if !k.Valid() {
 				return errorsx.WithStack(ErrInvalidClientMetadata.WithHint("Invalid JSON web key in set."))
 			}

client/validator_test.go

@@ -110,6 +110,12 @@ func TestValidate(t *testing.T) {
 				return true
 			},
 		},
+		{
+			in: &Client{ID: "foo", JSONWebKeys: new(x.JoseJSONWebKeySet), JSONWebKeysURI: "https://example.org/jwks.json"},
+			check: func(t *testing.T, c *Client) {
+				assert.Nil(t, c.GetJSONWebKeys())
+			},
+		},
 		{
 			in:        &Client{ID: "foo", PostLogoutRedirectURIs: []string{"https://bar/"}, RedirectURIs: []string{"https://foo/"}},
 			assertErr: assert.Error,