wso2 / product-is

Apache License 2.0

Missing Fields in DCR Rest API #19571

Open senthuran16 opened 9 months ago

senthuran16 commented 9 months ago

Describe the issue: Some fields are missing in the response body of DCR Rest API [1] GET https://localhost:9443/api/identity/oauth2/dcr/v1.1/register/:client_id.

For example,

The following fields (requested in https://github.com/wso2/product-is/issues/14959) are not present.

application_type
ext_display_name
ext_application_token_lifetime
ext_user_token_lifetime
ext_refresh_token_lifetime
ext_id_token_lifetime
ext_public_client

Also observed that PKCE-related info is not available either. Eg:

pkce_mandatory
pkce_support_plain

The response body that is shown now is as follows:

{
    "client_id": "xTyk2usLKfGDSG4J2n9J0apHafYa",
    "client_secret": "LNbnnfl_qo04zQDvGxU97wcY3UQhhY4LpWFtHIcFyX4a",
    "client_secret_expires_at": 0,
    "redirect_uris": [
        "http://localhost:5678"
    ],
    "grant_types": [
        "urn:ietf:params:oauth:grant-type:saml2-bearer",
        "client_credentials",
        "iwa:ntlm",
        "urn:ietf:params:oauth:grant-type:device_code",
        "refresh_token",
        "password",
        "authorization_code",
        "urn:ietf:params:oauth:grant-type:token-exchange",
        "urn:ietf:params:oauth:grant-type:jwt-bearer"
    ],
    "client_name": "ApplicationCreatedFromDCRCall_Mod",
    "jwks_uri": null,
    "token_endpoint_auth_method": null,
    "token_endpoint_auth_signing_alg": null,
    "sector_identifier_uri": null,
    "id_token_signed_response_alg": null,
    "id_token_encrypted_response_alg": "null",
    "id_token_encrypted_response_enc": "null",
    "request_object_signing_alg": null,
    "tls_client_auth_subject_dn": null,
    "require_pushed_authorization_requests": false,
    "require_signed_request_object": false,
    "tls_client_certificate_bound_access_tokens": false,
    "subject_type": "public",
    "request_object_encryption_alg": null,
    "request_object_encryption_enc": null,
    "software_statement": null
}

How to reproduce: Below are the steps I have gone through

  1. Created an application via POST https://localhost:9443/api/identity/oauth2/dcr/v1.1/register, with the following payload:

     {
         "client_name": "ApplicationCreatedFromDCRCall",
         "redirect_uris": [
             "http://localhost:1234"
         ]
     }

  2. Edited the above application via PUT https://localhost:9443/api/identity/oauth2/dcr/v1.1/register/:client_id, with the following payload:

     {
         "redirect_uris": [
             "http://localhost:5678"
         ],
         "client_name": "ApplicationCreatedFromDCRCall_Mod",
         "client_id": "xTyk2usLKfGDSG4J2n9J0apHafYa",
         "client_secret": "LNbnnfl_qo04zQDvGxU97wcY3UQhhY4LpWFtHIcFyX4a",
         "grant_types": [
             "password",
             "client_credentials",
             "refresh_token",
             "urn:ietf:params:oauth:grant-type:saml2-bearer",
             "iwa:ntlm",
             "urn:ietf:params:oauth:grant-type:device_code",
             "authorization_code",
             "urn:ietf:params:oauth:grant-type:jwt-bearer",
             "urn:ietf:params:oauth:grant-type:token-exchange"
         ],
         "ext_application_token_lifetime": "3600",
         "ext_user_token_lifetime": "3600",
         "ext_refresh_token_lifetime": "3600",
         "ext_id_token_lifetime": "3600",
         "ext_pkce_mandatory": "true",
         "ext_pkce_support_plain": "true",
         "ext_public_client": "true"
     }

  3. Performed GET https://localhost:9443/api/identity/oauth2/dcr/v1.1/register/:client_id


[1] https://is.docs.wso2.com/en/next/apis/use-the-openid-connect-dynamic-client-registration-rest-apis/
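A round-trip check for the behaviour reported above, written here as an added example (not WSO2 code): it compares the metadata sent in the PUT with the GET readback, normalizes the string values the report sends ("3600", "true") against the typed values a server may return, and lists fields that were silently dropped or changed. The sample payloads are trimmed from the issue; a client that relies on ext_pkce_mandatory or ext_public_client being stored should run a check like this after registering.

```python
"""Verify that a DCR readback (GET /register/{client_id}) reflects the
metadata sent on registration or update. Added example, not part of
WSO2 Identity Server; sample payloads are trimmed from the issue."""
import json

# Trimmed PUT payload from step 2 of the report (values sent as strings).
SENT = {
    "client_name": "ApplicationCreatedFromDCRCall_Mod",
    "redirect_uris": ["http://localhost:5678"],
    "grant_types": ["authorization_code", "refresh_token", "client_credentials"],
    "ext_application_token_lifetime": "3600",
    "ext_user_token_lifetime": "3600",
    "ext_pkce_mandatory": "true",
    "ext_pkce_support_plain": "true",
    "ext_public_client": "true",
}

# Trimmed GET response from the report: every ext_* field is absent.
GOT = json.loads("""{
    "client_id": "xTyk2usLKfGDSG4J2n9J0apHafYa",
    "client_name": "ApplicationCreatedFromDCRCall_Mod",
    "redirect_uris": ["http://localhost:5678"],
    "grant_types": ["refresh_token", "client_credentials", "authorization_code"],
    "subject_type": "public"
}""")


def _normalize(value):
    """Loose comparison: '3600' == 3600, 'true' == True, lists order-free."""
    if isinstance(value, str):
        low = value.strip().lower()
        if low in ("true", "false"):
            return low == "true"
        if low.lstrip("-").isdigit():
            return int(low)
        return value
    if isinstance(value, list):
        return sorted(_normalize(v) for v in value)
    return value


def readback_diff(sent, got):
    """Return (missing, mismatched): keys absent from the readback, and keys
    present whose normalized value differs from what was sent."""
    missing = sorted(k for k in sent if k not in got)
    mismatched = sorted(k for k in sent if k in got
                        and _normalize(sent[k]) != _normalize(got[k]))
    return missing, mismatched


if __name__ == "__main__":
    miss, bad = readback_diff(SENT, GOT)
    print("missing from GET:", miss)
    print("value mismatch:", bad)
```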

senthuran16 commented 9 months ago

Hi Team,

I checked the same with the RC1 pack, and still noticed that some of the fields are not present. For example:

The following from my original request at this issue's description:

application_type
ext_display_name

Some fields like token_type_extension.

Ideally, all the fields we can send in the payload of the POST /register, should be present in the response payload of the GET as well.

Can we get this fixed please?

DMHP commented 9 months ago

As agreed in the following comment [1], the parameter token_type_extension is not added to either 'POST' or 'GET'. The yaml file contains some stale data and we will add a task to improve the yaml file. If you have a requirement to add those parameters to the IS core (both POST and GET), please initiate a request for it, so we can evaluate.

[1] https://github.com/wso2/product-is/issues/14959#issuecomment-1554456852

senthuran16 commented 9 months ago

@DMHP I could use token_type_extension in POST.

I sent the following body payload to POST https://{{serverUrl}}/api/identity/oauth2/dcr/v1.1/register:

{
  "client_name": "ApplicationCreatedFromDCRCall2",
  "redirect_uris": [
    "http://localhost:1234"
  ],
  "token_type_extension": "JWT"
}

This creates an application, and when I view that application in the console, I can see that JWT has been selected under Access Token -> Token Type.

(Screenshot: 2024-02-20 at 23:52:36)

But when I execute GET https://{{serverUrl}}/api/identity/oauth2/dcr/v1.1/register/:client_id, I get the following payload, in which no information about this token_type_extension is present (although it's available in the UI):

{
    "client_id": "uq_zXhSOHfwdNWrSfb44so0KRTga",
    "client_secret": "e4SF53S6pFSdSoPr8I9b6AZjTWrrO6CI91bDrMRHiUMa",
    "client_secret_expires_at": 0,
    "redirect_uris": [
        "http://localhost:5678"
    ],
    "grant_types": [
        "password",
        "client_credentials",
        "refresh_token",
        "urn:ietf:params:oauth:grant-type:saml2-bearer",
        "iwa:ntlm",
        "urn:ietf:params:oauth:grant-type:device_code",
        "authorization_code",
        "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "urn:ietf:params:oauth:grant-type:token-exchange"
    ],
    "client_name": "ApplicationCreatedFromDCRCall_Mod",
    "ext_application_display_name": null,
    "ext_application_owner": "admin@carbon.super",
    "ext_application_token_lifetime": 3600,
    "ext_user_token_lifetime": 3600,
    "ext_refresh_token_lifetime": 3600,
    "ext_id_token_lifetime": 3600,
    "ext_pkce_mandatory": true,
    "ext_pkce_support_plain": true,
    "ext_public_client": true,
    "jwks_uri": null,
    "token_endpoint_auth_method": null,
    "token_endpoint_auth_signing_alg": null,
    "sector_identifier_uri": null,
    "id_token_signed_response_alg": null,
    "id_token_encrypted_response_alg": "null",
    "id_token_encrypted_response_enc": "null",
    "request_object_signing_alg": null,
    "tls_client_auth_subject_dn": null,
    "require_pushed_authorization_requests": false,
    "require_signed_request_object": false,
    "tls_client_certificate_bound_access_tokens": false,
    "subject_type": "public",
    "request_object_encryption_alg": null,
    "request_object_encryption_enc": null,
    "software_statement": null
}

Basically, all the attributes we already support sending in the POST request payload, should be returned in the GET response payload as well. Is it possible to add the exhaustive list of attributes in the GET response payload?