Merge pull request #294 from ory/master

[pull] master from ory:master

Author: pull[bot]

CHANGELOG.md

@@ -4,7 +4,7 @@
 <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
 **Table of Contents**
 
-- [0.0.0 (2025-02-21)](#000-2025-02-21)
+- [0.0.0 (2025-02-25)](#000-2025-02-25)
     - [Bug Fixes](#bug-fixes)
     - [Features](#features)
 - [2.3.0 (2025-01-17)](#230-2025-01-17)
@@ -719,11 +719,16 @@
 
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
 
-# [0.0.0](https://github.com/ory/hydra/compare/v2.3.0...v0.0.0) (2025-02-21)
+# [0.0.0](https://github.com/ory/hydra/compare/v2.3.0...v0.0.0) (2025-02-25)
 
 
 ### Bug Fixes
 
+* Allow updating when JWKS URI is set ([#3935](https://github.com/ory/hydra/issues/3935)) ([#3946](https://github.com/ory/hydra/issues/3946)) ([fb1655b](https://github.com/ory/hydra/commit/fb1655ba86077b10141132ed332ba8d6f8c70582)):
+
+    The client validator no longer rejects PATCH and PUT updates when `JSONWebKeysURI` is non-empty and `JSONWebKeys` is not nil.
+
+* CLI usage help examples ([#3943](https://github.com/ory/hydra/issues/3943)) ([e24f9a7](https://github.com/ory/hydra/commit/e24f9a704c22c72690bc20c498439865181d9239))
 * Correct multiple instances of 'stragegy' typo ([#3906](https://github.com/ory/hydra/issues/3906)) ([50eefbc](https://github.com/ory/hydra/commit/50eefbc21c2c43d221b6079bbd78a33ef8c754c4)):
 
     This commit addresses several occurrences where 'strategy' was

client/sdk_test.go

@@ -233,4 +233,20 @@ func TestClientSDK(t *testing.T) {
 		// secret hashes shouldn't change between these PUT calls
 		require.Equal(t, result1.ClientSecret, result2.ClientSecret)
 	})
+
+	t.Run("case=patch client that has JSONWebKeysURI", func(t *testing.T) {
+		op := "replace"
+		path := "/client_name"
+		value := "test"
+
+		client := createTestClient("")
+		client.SetJwksUri("https://example.org/.well-known/jwks.json")
+		created, _, err := c.OAuth2API.CreateOAuth2Client(context.Background()).OAuth2Client(client).Execute()
+		require.NoError(t, err)
+		client.ClientId = created.ClientId
+
+		result, _, err := c.OAuth2API.PatchOAuth2Client(context.Background(), *client.ClientId).JsonPatch([]hydra.JsonPatch{{Op: op, Path: path, Value: value}}).Execute()
+		require.NoError(t, err)
+		require.Equal(t, value, pointerx.Deref(result.ClientName))
+	})
 }

client/validator.go

@@ -54,20 +54,20 @@ func (v *Validator) Validate(ctx context.Context, c *Client) error {
 	if c.TokenEndpointAuthMethod == "" {
 		c.TokenEndpointAuthMethod = "client_secret_basic"
 	} else if c.TokenEndpointAuthMethod == "private_key_jwt" {
-		if len(c.JSONWebKeysURI) == 0 && c.JSONWebKeys == nil {
+		if len(c.JSONWebKeysURI) == 0 && c.GetJSONWebKeys() == nil {
 			return errorsx.WithStack(ErrInvalidClientMetadata.WithHint("When token_endpoint_auth_method is 'private_key_jwt', either jwks or jwks_uri must be set."))
 		}
 		if c.TokenEndpointAuthSigningAlgorithm != "" && !isSupportedAuthTokenSigningAlg(c.TokenEndpointAuthSigningAlgorithm) {
 			return errorsx.WithStack(ErrInvalidClientMetadata.WithHint("Only RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES384 and ES512 are supported as algorithms for private key authentication."))
 		}
 	}
 
-	if len(c.JSONWebKeysURI) > 0 && c.JSONWebKeys != nil {
+	if len(c.JSONWebKeysURI) > 0 && c.GetJSONWebKeys() != nil {
 		return errorsx.WithStack(ErrInvalidClientMetadata.WithHint("Fields jwks and jwks_uri can not both be set, you must choose one."))
 	}
 
-	if c.JSONWebKeys != nil && c.JSONWebKeys.JSONWebKeySet != nil {
-		for _, k := range c.JSONWebKeys.Keys {
+	if jsonWebKeys := c.GetJSONWebKeys(); jsonWebKeys != nil {
+		for _, k := range jsonWebKeys.Keys {
 			if !k.Valid() {
 				return errorsx.WithStack(ErrInvalidClientMetadata.WithHint("Invalid JSON web key in set."))
 			}

client/validator_test.go

@@ -110,6 +110,12 @@ func TestValidate(t *testing.T) {
 				return true
 			},
 		},
+		{
+			in: &Client{ID: "foo", JSONWebKeys: new(x.JoseJSONWebKeySet), JSONWebKeysURI: "https://example.org/jwks.json"},
+			check: func(t *testing.T, c *Client) {
+				assert.Nil(t, c.GetJSONWebKeys())
+			},
+		},
 		{
 			in:        &Client{ID: "foo", PostLogoutRedirectURIs: []string{"https://bar/"}, RedirectURIs: []string{"https://foo/"}},
 			assertErr: assert.Error,

cmd/cmd_create_client.go

@@ -57,7 +57,7 @@ func NewCreateClientsCommand() *cobra.Command {
 		Short:   "Create an OAuth 2.0 Client",
 		Aliases: []string{"client"},
 		Args:    cobra.NoArgs,
-		Example: `{{ .CommandPath }} -n "my app" -c http://localhost/cb -g authorization_code -r code -a core,foobar
+		Example: `{{ .CommandPath }} --name "my app" --redirect-uri http://localhost/cb --grant-type authorization_code --response-type code --scope core,foobar
 
 Use the tool jq (or any other JSON tool) to get the OAuth2 Client ID and Secret:
 
@@ -74,7 +74,7 @@ the Authorize Code, Implicit, Refresh flow. This command allows settings all fie
 
 To encrypt an auto-generated OAuth2 Client Secret, use flags ` + "`--pgp-key`" + `, ` + "`--pgp-key-url`" + ` or ` + "`--keybase`" + ` flag, for example:
 
-  {{ .CommandPath }} -n "my app" -g client_credentials -r token -a core,foobar --keybase keybase_username
+  {{ .CommandPath }} --name "my app" --grant-type client_credentials --response-type token --scope core,foobar --keybase keybase_username
 `,
 		RunE: func(cmd *cobra.Command, args []string) error {
 			m, _, err := cliclient.NewClient(cmd)

cmd/cmd_import_client.go

@@ -47,7 +47,7 @@ Alternatively:
 
 To encrypt an auto-generated OAuth2 Client Secret, use flags ` + "`--pgp-key`" + `, ` + "`--pgp-key-url`" + ` or ` + "`--keybase`" + ` flag, for example:
 
-  {{ .CommandPath }} -n "my app" -g client_credentials -r token -a core,foobar --keybase keybase_username
+  {{ .CommandPath }} --name "my app" --grant-type client_credentials --response-type token --scope core,foobar --keybase keybase_username
 `,
 		Long: `This command reads in each listed JSON file and imports their contents as a list of OAuth 2.0 Clients.
 

cmd/cmd_update_client.go

@@ -22,11 +22,11 @@ func NewUpdateClientCmd() *cobra.Command {
 		Aliases: []string{"client"},
 		Short:   "Update an OAuth 2.0 Client",
 		Args:    cobra.ExactArgs(1),
-		Example: `{{ .CommandPath }} <client-id-here> -c http://localhost/cb -g authorization_code -r code -a core,foobar
+		Example: `{{ .CommandPath }} <client-id-here> --redirect-uri http://localhost/cb --grant-type authorization_code --response-type code --scope core,foobar
 
 To encrypt an auto-generated OAuth2 Client Secret, use flags ` + "`--pgp-key`" + `, ` + "`--pgp-key-url`" + ` or ` + "`--keybase`" + ` flag, for example:
 
-  {{ .CommandPath }} e6e96aa5-9cd2-4a70-bf56-ad6434c8aaa2 -n "my app" -g client_credentials -r token -a core,foobar --keybase keybase_username
+  {{ .CommandPath }} e6e96aa5-9cd2-4a70-bf56-ad6434c8aaa2 --name "my app" --grant-type client_credentials --response-type token --scope core,foobar --keybase keybase_username
 `,
 		Long: `This command replaces an OAuth 2.0 Client by its ID. Please be aware that this command replaces the entire client. If only the name flag (-n "my updated app") is provided, the all other fields are updated to their default values.`,
 		RunE: func(cmd *cobra.Command, args []string) error {