Unable to update client with jwks_uri set #3935
Description
Preflight checklist
- I could not find a solution in the existing issues, docs, nor discussions.
- I agree to follow this project's Code of Conduct.
- I have read and am following this repository's Contribution Guidelines.
- I have joined the Ory Community Slack.
- I am signed up to the Ory Security Patch Newsletter.
Ory Network Project
No response
Describe the bug
After creating a client with token_endpoint_auth_method set to private_key_jwt and a jwks_uri, any attempt to update it results in an invalid_client_metadata error:
The value of one of the Client Metadata fields is invalid and the server has rejected this request. Note that an Authorization Server MAY choose to substitute a valid value for any requested parameter of a Client's Metadata. Fields jwks and jwks_uri can not both be set, you must choose one.
The only way to update it, is by including a replace op for the jwks field without a value.
Reproducing the bug
$ http post http://hydra-admin.auth.svc.cluster.local:4445/admin/clients token_endpoint_auth_method=private_key_jwt jwks_uri=https://example.org/.well-known/jwks.json
HTTP/1.1 201 Created
Cache-Control: private, no-cache, no-store, must-revalidate
Content-Length: 1374
Content-Type: application/json; charset=utf-8
Date: Wed, 05 Feb 2025 12:19:10 GMT
Location: /admin/clients/8025e45b-08fc-44fd-948f-231438bba5c4
Vary: Origin
{
"allowed_cors_origins": [],
"audience": [],
"authorization_code_grant_access_token_lifespan": null,
"authorization_code_grant_id_token_lifespan": null,
"authorization_code_grant_refresh_token_lifespan": null,
"client_credentials_grant_access_token_lifespan": null,
"client_id": "8025e45b-08fc-44fd-948f-231438bba5c4",
"client_name": "",
"client_secret": "G..yLcp2JHB1rjVrlOwfMdiEOA",
"client_secret_expires_at": 0,
"client_uri": "",
"contacts": null,
"created_at": "2025-02-05T12:19:10Z",
"grant_types": null,
"implicit_grant_access_token_lifespan": null,
"implicit_grant_id_token_lifespan": null,
"jwks": {},
"jwks_uri": "https://example.org/.well-known/jwks.json",
"jwt_bearer_grant_access_token_lifespan": null,
"logo_uri": "",
"metadata": {},
"owner": "",
"policy_uri": "",
"redirect_uris": null,
"refresh_token_grant_access_token_lifespan": null,
"refresh_token_grant_id_token_lifespan": null,
"refresh_token_grant_refresh_token_lifespan": null,
"registration_access_token": "ory_at_P3RU_pYBkpPmu3671Yx0VorvKM1w3-vb1gqcQdn-p1A.MM6Nlg-4mG8IKZ8bF3KJe014xBtRdlhQ2bYvnFdSDhE",
"registration_client_uri": "https://auth.local.founda.dev/oauth2/register/",
"response_types": null,
"scope": "offline_access offline openid",
"skip_consent": false,
"skip_logout_consent": null,
"subject_type": "public",
"token_endpoint_auth_method": "private_key_jwt",
"tos_uri": "",
"updated_at": "2025-02-05T12:19:10.158128Z",
"userinfo_signed_response_alg": "none"
}
$ echo '[]' | http patch http://hydra-admin.auth.svc.cluster.local:4445/admin/clients/8025e45b-08fc-44fd-948f-231438bba5c4
HTTP/1.1 400 Bad Request
Cache-Control: private, no-cache, no-store, must-revalidate
Content-Length: 350
Content-Type: application/json
Date: Wed, 05 Feb 2025 12:19:37 GMT
Vary: Origin
{
"error": "invalid_client_metadata",
"error_description": "The value of one of the Client Metadata fields is invalid and the server has rejected this request. Note that an Authorization Server MAY choose to substitute a valid value for any requested parameter of a Client's Metadata. Fields jwks and jwks_uri can not both be set, you must choose one."
}
$ echo '[{"op":"replace","path":"/client_name","value":"Test"}]' | http patch http://hydra-admin.auth.svc.cluster.local:4445/admin/clients/8025e45b-08fc-44fd-948f-231438bba5c4
HTTP/1.1 400 Bad Request
Cache-Control: private, no-cache, no-store, must-revalidate
Content-Length: 350
Content-Type: application/json
Date: Wed, 05 Feb 2025 12:24:21 GMT
Vary: Origin
{
"error": "invalid_client_metadata",
"error_description": "The value of one of the Client Metadata fields is invalid and the server has rejected this request. Note that an Authorization Server MAY choose to substitute a valid value for any requested parameter of a Client's Metadata. Fields jwks and jwks_uri can not both be set, you must choose one."
}
$ echo '[{"op":"replace","path":"/jwks"},{"op":"replace","path":"/client_name","value":"Test"}]' | http patch http://hydra-admin.auth.svc.cluster.local:4445/admin/clients/8025e45b-08fc-44fd-948f-231438bba5c4
HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Content-Length: 1125
Content-Type: application/json; charset=utf-8
Date: Wed, 05 Feb 2025 12:24:12 GMT
Vary: Origin
{
"allowed_cors_origins": [],
"audience": [],
"authorization_code_grant_access_token_lifespan": null,
"authorization_code_grant_id_token_lifespan": null,
"authorization_code_grant_refresh_token_lifespan": null,
"client_credentials_grant_access_token_lifespan": null,
"client_id": "8025e45b-08fc-44fd-948f-231438bba5c4",
"client_name": "Test",
"client_secret_expires_at": 0,
"client_uri": "",
"contacts": [],
"created_at": "2025-02-05T12:19:10Z",
"grant_types": [],
"implicit_grant_access_token_lifespan": null,
"implicit_grant_id_token_lifespan": null,
"jwks": {},
"jwks_uri": "https://example.org/.well-known/jwks.json",
"jwt_bearer_grant_access_token_lifespan": null,
"logo_uri": "",
"metadata": {},
"owner": "",
"policy_uri": "",
"redirect_uris": [],
"refresh_token_grant_access_token_lifespan": null,
"refresh_token_grant_id_token_lifespan": null,
"refresh_token_grant_refresh_token_lifespan": null,
"response_types": [],
"scope": "offline_access offline openid",
"skip_consent": false,
"skip_logout_consent": null,
"subject_type": "public",
"token_endpoint_auth_method": "private_key_jwt",
"tos_uri": "",
"updated_at": "2025-02-05T12:24:12.009971Z",
"userinfo_signed_response_alg": "none"
}
Relevant log output
Relevant configuration
Version
v2.2.0
On which operating system are you observing this issue?
None
In which environment are you deploying?
None
Additional Context
No response