fix:(jans-config) getting error while create openid client

[manojs1978]

Describe the bug
getting error while create openid client

To Reproduce
Steps to reproduce the behavior:

1. download schema /opt/jans/jans-cli/config-cli.py --operation-id post-oauth-openid-clients --data /tmp/Client.json
2. modify Client.json add
   "customAttributes": null,
   "customObjectClasses": null,
   4.run
   /opt/jans/jans-cli/config-cli.py --operation-id post-oauth-openid-clients --data /tmp/Client.json
3. See error

Expected behavior
should able to create openid client

Screenshots

Desktop (please complete the following information):

• OS: [ubuntu
• Browser [e.g. chrome, safari]
• Version 20.0
• DB openDJ

Smartphone (please complete the following information):

• Device: [e.g. iPhone6]
• OS: [e.g. iOS8.1]
• Browser [e.g. stock browser, safari]
• Version [e.g. 22]

Additional context
Add any other context about the problem here.
openidlog.zip

[manojs1978]

Client.json.txt

[yurem]

You need to update your client.json

  "clientName": {
    "values": null,
    "value": null,
    "languageTags": []
  },
  "logoUri": {
    "values": null,
    "value": null,
    "languageTags": []
  },
  "clientUri": {
    "values": null,
    "value": null,
    "languageTags": []
  },
  "policyUri": {
    "values": null,
    "value": null,
    "languageTags": []
  },
  "tosUri": {
    "values": null,
    "value": null,
    "languageTags": []
  },

Now we store in clientName/logoUri/clientUri/policyUri/tosUri values as before in plain text values
While for localized we added additional attributes where we store values in JSON

The localized attributes has same names + Localized at the end

[pujavs]

@manojs1978 were you able to test the fix?

[pujavs]

Assigning to @qbert2k for inputs.
@qbert2k, we are not able to pass LocalizedString in json it is giving error. If we pass it as empty string it gives no error.
Can you please share how LocalizedString can be passed
Details:
DBType: LDAP

Error: com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot deserialize value of type `java.lang.String` from Object value (token `JsonToken.START_OBJECT`) at [Source: (org.eclipse.jetty.server.HttpInput); line: 25, column: 23] (through reference chain: io.jans.as.common.model.registration.Client["logoUriLocalized"])

Screenshot:

Json:

{
  "dn": null,
  "expirationDate": null,
  "deletable": true,
  "clientSecret": "password",
  "frontChannelLogoutUri": null,
  "frontChannelLogoutSessionRequired": true,
  "registrationAccessToken": null,
  "clientIdIssuedAt": null,
  "clientSecretExpiresAt": null,
  "redirectUris": ["http://myserver.com"],
  "claimRedirectUris": [],
  "responseTypes": [],
  "grantTypes": [],
  "applicationType": "native",
  "contacts": [],
  "idTokenTokenBindingCnf": null,
  "clientName": "Puja_Test_1",
  "logoUri": null,
  "clientUri": null,
  "policyUri": null,
  "tosUri": null,
  "clientNameLocalized": "",
  "logoUriLocalized": {  },
  "clientUriLocalized": {  },
  "policyUriLocalized": {  },
  "tosUriLocalized": {
    "values": null,
    "value": null,
    "languageTags": []
  },
  "jwksUri": null,
  "jwks": null,
  "sectorIdentifierUri": null,
  "subjectType": "public",
  "idTokenSignedResponseAlg": null,
  "idTokenEncryptedResponseAlg": null,
  "idTokenEncryptedResponseEnc": null,
  "userInfoSignedResponseAlg": null,
  "userInfoEncryptedResponseAlg": null,
  "userInfoEncryptedResponseEnc": null,
  "requestObjectSigningAlg": null,
  "requestObjectEncryptionAlg": null,
  "requestObjectEncryptionEnc": null,
  "tokenEndpointAuthMethod": null,
  "tokenEndpointAuthSigningAlg": null,
  "defaultMaxAge": null,
  "defaultAcrValues": [],
  "initiateLoginUri": null,
  "postLogoutRedirectUris": [],
  "requestUris": [],
  "scopes": [],
  "claims": [],
  "trustedClient": true,
  "lastAccessTime": null,
  "lastLogonTime": null,
  "persistClientAuthorizations": true,
  "includeClaimsInIdToken": true,
  "refreshTokenLifetime": null,
  "accessTokenLifetime": null,
  "customAttributes":null,
  "customObjectClasses": null,
  "rptAsJwt": true,
  "accessTokenAsJwt": false,
  "accessTokenSigningAlg": null,
  "disabled": true,
  "authorizedOrigins": [],
  "softwareId": null,
  "softwareVersion": null,
  "softwareStatement": null,
  "attributes": {
    "tlsClientAuthSubjectDn": null,
    "runIntrospectionScriptBeforeJwtCreation": true,
    "keepClientAuthorizationAfterExpiration": false,
    "allowSpontaneousScopes": true,
    "spontaneousScopes": [],
    "spontaneousScopeScriptDns": [],
    "updateTokenScriptDns": [],
    "backchannelLogoutUri": [],
    "backchannelLogoutSessionRequired": true,
    "additionalAudience": [],
    "postAuthnScripts": [],
    "consentGatheringScripts": [],
    "introspectionScripts": [],
    "rptClaimsScripts": [],
    "ropcScripts": [],
    "parLifetime": null,
    "requirePar": false,
    "jansAuthSignedRespAlg": null,
    "jansAuthEncRespAlg": null,
    "jansAuthEncRespEnc": null,
    "jansSubAttr": null,
    "redirectUrisRegex": null,
    "jansAuthorizedAcr": [],
    "jansDefaultPromptLogin": false,
    "idTokenLifetime": null
  },
  "backchannelTokenDeliveryMode": "poll",
  "backchannelClientNotificationEndpoint": null,
  "backchannelAuthenticationRequestSigningAlg": "ES384",
  "backchannelUserCodeParameter": false,
  "description": null,
  "organization": null,
  "groups": [],
  "ttl": null,
  "displayName": null,
  "tokenBindingSupported": true,
  "authenticationMethod": "self_signed_tls_client_auth",
  "baseDn": null,
  "inum": null
}```

[qbert2k]

Hi @pujavs

I can see the problem is deserializing the Localized String in Client class:

I can suggest using a ClientDto instead and a mapper.

[qbert2k]

Why jans-config-api-server is not consuming the dynamic client registration endpoint from jans-auth-server?

[pujavs]

@qbert2k ,
1. Client class: config-api has been using Client.class since beginning and was working without any issue.
Which i understand you were aware because when the LocalizedString changes happened and related issues starting cropping up and being reported, you were assigned these issues;

• config-api does not populate displayName if backend MySQL #1482 (comment)
• fix(jans-config-api): OpenID Connect Client displayName update issue #1724
• fix (jans-config-api) : some url fields have object value for oidc clients GET response #1765

Request you to please rectify the issue in https://github.com/JanssenProject/jans/blob/main/jans-auth-server/common/src/main/java/io/jans/as/common/model/registration/Client.java rather than introducing another DTO and Mapper?

2. Why jans-config-api-server is not consuming the dynamic client registration endpoint from jans-auth-server?
Wrt to directly using client registration endpoint it was decided that config-api should have direct access to ensure full control.
AS register API might restrict some fields and feature it in future.

cc @yuriyz for suggestion and advice for both points

[qbert2k]

1. The way LocalizedString is being persisted was changed as requested. Let me explain in more detail why I think we need to introduce a DTO and mapper:

• Let's consider the example in the specs: https://openid.net/specs/openid-connect-registration-1_0.html#RegistrationRequest

{
// ...
"client_name": "My Example",
"client_name#ja-Jpan-JP":  "クライアント名"
// ...
}

• As we can see in the example, the format of the param is special and cannot be deserialized directly, that's why I am purposing to use another mechanism. So instead of trying to receive a Client object directly at the rest controller level, I suggest using a DTO and mapping the values to the Client object.

2. I was just curious about why not use Dynamic Client Registration because it could be another option to solve the problem.

[pujavs]

@qbert2k, we need to close the LocalizedString issue, issues reported wrt to them are still open and consumes lot of time and efforts to keep on analysing and reporting to the user that is LocalizedString issue and WIP

Following are my queries;

1. I am also just as curious that would the DTO and mapper resolved the issue long back rather than waiting for changes to the Client.class
   Was this possible earlier when the issue was first reported?

2. Are you suggesting the config-api endpoints do not take attributes of LocalizedString type at-all in its payload? That means that new DTO will not have any attribute of LocalizedString type and hence never will part of request and response for config-api OpenID Client endpoints...
   Is this confirmed requirement ?
   I would rather have a solution wherein config-api use Client object in request and response rather than restricting something due to deserializing issue.
   Also if we introduce DTO, how do you suggest keeping it always in sync with changes in Client.class
   Thus i think its best that we resolve the problem of deserializing the Localized String in Client class
   Request you to please have a look

3. Once you fix the issue, request you to please share a sample json as to how to pass these in request. I have tried following
   and nothing works...
   3.1 "clientNameLocalized": { }
   3.2 "clientNameLocalized": { "value": "My_name" }
   3.3"clientNameLocalized": { "value": "My_name", "values":{ "Client name 1": "Locale.UK", "Client name 2":"Locale.CANADA" } }

[yuriyz]

@qbert2k @pujavs jans-config-api has access to internal AS structure which is not exposed outside by AS via dynamic registration endpoint. There reason is that jans-config-api must have ability to change any data (e.g. client secret or expiration). We of course can solve Client serialization/deserialization problem by introducing DTO and mapping but it introduce another point of maintaining in code and as result another point of failure.

I'm going to investigate and fix deserialization problem.

Error: com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot deserialize value of type `java.lang.String` from Object value (token `JsonToken.START_OBJECT`) at [Source: (org.eclipse.jetty.server.HttpInput); line: 25, column: 23] (through reference chain: io.jans.as.common.model.registration.Client["logoUriLocalized"])

[yuriyz]

Fixed serialization and deserialization in #3064

Look to ClientSerializationTest.java for sample.

Sample json used by test

{
  "frontChannelLogoutSessionRequired" : false,
  "grantTypes" : [ ],
  "applicationType" : "web",
  "clientName" : "myLocalized",
  "clientNameLocalized" : {
    "values" : {
      "" : "myLocalized",
      "en-CA" : "myLocalized_canada",
      "fr-CA" : "myLocalized_canadaFR"
    }
  },
  "logoUriLocalized" : {
    "values" : { }
  },
  "clientUriLocalized" : {
    "values" : { }
  },
  "policyUriLocalized" : {
    "values" : { }
  },
  "tosUriLocalized" : {
    "values" : { }
  },
  "subjectType" : "public",
  "trustedClient" : false,
  "persistClientAuthorizations" : false,
  "includeClaimsInIdToken" : false,
  "customAttributes" : [ ],
  "rptAsJwt" : false,
  "accessTokenAsJwt" : false,
  "disabled" : false,
  "attributes" : {
    "tlsClientAuthSubjectDn" : null,
    "runIntrospectionScriptBeforeJwtCreation" : false,
    "keepClientAuthorizationAfterExpiration" : false,
    "allowSpontaneousScopes" : false,
    "spontaneousScopes" : [ ],
    "spontaneousScopeScriptDns" : [ ],
    "updateTokenScriptDns" : [ ],
    "backchannelLogoutUri" : [ ],
    "backchannelLogoutSessionRequired" : false,
    "additionalAudience" : [ ],
    "postAuthnScripts" : [ ],
    "consentGatheringScripts" : [ ],
    "introspectionScripts" : [ ],
    "rptClaimsScripts" : [ ],
    "ropcScripts" : [ ],
    "parLifetime" : 600,
    "requirePar" : false,
    "jansAuthSignedRespAlg" : null,
    "jansAuthEncRespAlg" : null,
    "jansAuthEncRespEnc" : null,
    "jansSubAttr" : null,
    "redirectUrisRegex" : null,
    "jansAuthorizedAcr" : [ ],
    "jansDefaultPromptLogin" : false,
    "idTokenLifetime" : null,
    "allowOfflineAccessWithoutConsent" : null
  }
}

@pujavs Re-opening ticket for validation. Please try with newest AS and confirm it works.

[pujavs]

Confirmed the fix is working, @yuriyz thankyou
Testing: tested with json shared by @yuriyz as well as others

[pujavs]

@manojs1978 to test and confirm

[manojs1978]

checking

[manojs1978]

Hi @pujavs ,
please check below error, getting while running post method ,

/opt/jans/jans-cli/config-cli.py --operation-id post-oauth-openid-client --data /tmp/client.json com.fasterxml.jackson.databind.exc.InvalidFormatException: Cannot deserialize value of type `java.util.Date` from String "string": not a valid representation (error: Failed to parse Date value 'string': Unparseable date: "string") at [Source: (org.eclipse.jetty.server.HttpInput); line: 1, column: 36] (through reference chain: io.jans.as.common.model.registration.Client["expirationDate"])

[pujavs]

@manojs1978 i am not getting this error, request you to please re-test and post exact request json in-case of error or else close the issue

[pujavs]

assigning to @manojs1978 for testing and closure

[manojs1978]

with modfied client.json able to create open id client using API