# ory-network
m
Hi! Trying to use the new APIs published here https://www.ory.sh/docs/reference/api#operation/adminCreateOAuth2Client And with whatever request I give I either get
```json
{
  "error": "error",
  "error_description": "The error is unrecognizable"
}
```
OR
```json
{
  "error": "invalid_client_metadata",
  "error_description": "The value of one of the Client Metadata fields is invalid and the server has rejected this request. Note that an Authorization Server MAY choose to substitute a valid value for any requested parameter of a Client's Metadata. Fields jwks and jwks_uri can not both be set, you must choose one."
}
```
Anyone can help here?
h
What’s the curl you’re using? 🙂
m
```bash
curl --location --request POST 'https://cranky-jang-tvf411zt6j.projects.oryapis.com/admin/clients' \
--header 'Authorization: Bearer ory_pat_REDACTED' \
--header 'Content-Type: application/json' \
--data-raw '{
  "allowed_cors_origins": [
    "*"
  ],
  "audience": [
    "CustomerPBC", "ProductPBC"
  ],
  "client_name": "Frontend App 1",
  "metadata": {},
  "authorization_code_grant_access_token_lifespan": "10h",
  "authorization_code_grant_id_token_lifespan": "10h",
  "authorization_code_grant_refresh_token_lifespan": "10h",
  "client_uri": "http://localhost:8080/",
  "grant_types": ["code"],
  "logo_uri": "http://localhost:8080/",
  "owner": "Ahmed Sabaa",
  "post_logout_redirect_uris": ["http://localhost:8080/"],
  "redirect_uris": ["http://localhost:8080/"],
  "scope": "product:1 product:2 product:3 customer:1 customer:2 customer:3",
  "subject_type": "public",
  "token_endpoint_auth_method": "none",
  "backchannel_logout_session_required": true,
  "backchannel_logout_uri": "http://localhost:8080/",
  "client_credentials_grant_access_token_lifespan": "10h",
  "client_secret_expires_at": 0,
  "contacts": ["Ahmed Saba"],
  "frontchannel_logout_session_required": true,
  "frontchannel_logout_uri": "client_secret_expires_at",
  "implicit_grant_access_token_lifespan": "10h",
  "implicit_grant_id_token_lifespan": "10h",
  "jwks": {
    "keys": [
        {
            "use": "sig",
            "kty": "RSA",
            "kid": "bb7ed735-42f8-45c7-8b50-6c58d7dd402a",
            "alg": "RS256",
            "n": "vNh812ZP6ac0i2GzWE_aSY4A1HAtWgd8OMQfYbP_-4AvCGZQ2va2ayO9B8RDac612CxIk6_x6jrOB6As00re2CcZ1RTqF-B8ZAGy8V_U2p-LAhyn7IJCls7UBPdmoYqU33h2WxI1heh6NWQvA2NOTn0gqyavKhF9ef50wvuw6BWqxC_wyHrpSMXYWJKAM9HstKHtB39TMIuhTEymzqREsc0MI7PSeeXP_CYjR2TRPumEbcjeaFiBs4ZX4-Hbt4V5r91HXpoCHgxlFH9cJmgBSM0TOA9UH3ZDWSTYI9dZj0EZabtjHF973srvHQFPqj5i7J-2YywOWWtuyG9mVC7mSNniF21RiwnOnPLVE3aUvPdzaRmKivEms25Qvh30rfQDCwO1mbdt8Mud54aN4ALYhzQXzEO0XwaKYA69R0zszVUJXmy8-pXknnkB6kxDG66IYct49Q_TvkjJOGkKHMiOS_mk7e-0fbib04x_REXUJAbjrbyWm2HrZPFBTsDQeYmyy9rl-Yp34coEVxsKcNRdAIv8C6N4VJwCtJX6iLojxPX6Q0jECcx8JczCv_BFNJH4j9X0hrccKLGo3rOBDv2ggsXdEjlxi51Hce3XxVprahP2KOX-VdhwkhnjBLhE3hCngWEJtC3kUr6-t2y4wvIdIG_wmdiApVGpIryeEOFz5DM",
            "e": "AQAB"
        }
    ]
  },
  "jwks_uri": "https://cranky-jang-tvf411zt6j.projects.oryapis.com/.well-known/jwks.json",
  "jwt_bearer_grant_access_token_lifespan": "10h",
  "password_grant_access_token_lifespan": "10h",
  "password_grant_refresh_token_lifespan": "10h",
  "policy_uri": "http://localhost:8080/",
  "refresh_token_grant_access_token_lifespan": "10h",
  "refresh_token_grant_id_token_lifespan": "10h",
  "refresh_token_grant_refresh_token_lifespan": "10h",
  "registration_access_token": "12345",
  "registration_client_uri": "http://localhost:8080/",
  "request_object_signing_alg": "RS256",
  "request_uris": [
    "http://localhost:8080/"
  ],
  "response_types": [
    "string"
  ],
  "sector_identifier_uri": "http://localhost:8080/",
  "token_endpoint_auth_signing_alg": "RS256",
  "tos_uri": "http://localhost:8080/",
  "userinfo_signed_response_alg": "RS256"
}'
```
h
The error says:
```json
"error_description": "The value of one of the Client Metadata fields is invalid and the server has rejected this request. Note that an Authorization Server MAY choose to substitute a valid value for any requested parameter of a Client's Metadata. Fields jwks and jwks_uri can not both be set, you must choose one."
```
and in your request you’re setting both jwks and jwks_uri fields, but that is not allowed - so that is the problem 🙂
PS: please delete and recreate your personal access token, as everyone can see it now on Slack 🙂
m
It still does not work after fixing the errors
at some point I keep reaching
```json
{
  "error": "invalid_client_metadata",
  "error_description": "The value of one of the Client Metadata fields is invalid and the server has rejected this request. Note that an Authorization Server MAY choose to substitute a valid value for any requested parameter of a Client's Metadata."
}
```
with no description
h
OK, let me try it
m
```bash
curl --location --request POST 'https://cranky-jang-tvf411zt6j.projects.oryapis.com/admin/clients' \
--header 'Authorization: Bearer ory_pat_REDACTED' \
--header 'Content-Type: application/json' \
--header 'Cookie: __cflb=REDACTED' \
--data-raw '{
  "allowed_cors_origins": [
    "http://localhost:8080/"
  ],
  "audience": [
    "CustomerPBC", "ProductPBC"
  ],
  "client_name": "Frontend App 1",
  "metadata": {},
  "authorization_code_grant_access_token_lifespan": "10h",
  "authorization_code_grant_id_token_lifespan": "10h",
  "authorization_code_grant_refresh_token_lifespan": "10h",
  "client_uri": "http://localhost:8080/",
  "grant_types": ["code"],
  "logo_uri": "http://localhost:8080/",
  "owner": "Ahmed Sabaa",
  "post_logout_redirect_uris": ["http://localhost:8080/"],
  "redirect_uris": ["http://localhost:8080/"],
  "scope": "product:1 product:2 product:3 customer:1 customer:2 customer:3",
  "subject_type": "public",
  "token_endpoint_auth_method": "none",
  "backchannel_logout_session_required": false,
  "client_credentials_grant_access_token_lifespan": "10h",
  "client_secret_expires_at": 0,
  "contacts": ["Ahmed Saba"],
  "frontchannel_logout_session_required": true,
  "frontchannel_logout_uri": "client_secret_expires_at",
  "implicit_grant_access_token_lifespan": "10h",
  "implicit_grant_id_token_lifespan": "10h",
  "jwks_uri": "https://cranky-jang-tvf411zt6j.projects.oryapis.com/.well-known/jwks.json",
  "jwt_bearer_grant_access_token_lifespan": "10h",
  "password_grant_access_token_lifespan": "10h",
  "password_grant_refresh_token_lifespan": "10h",
  "policy_uri": "http://localhost:8080/",
  "refresh_token_grant_access_token_lifespan": "10h",
  "refresh_token_grant_id_token_lifespan": "10h",
  "refresh_token_grant_refresh_token_lifespan": "10h",
  "registration_access_token": "12345",
  "registration_client_uri": "http://localhost:8080/",
  "request_object_signing_alg": "RS256",
  "response_types": [
    "string"
  ],
  "sector_identifier_uri": "http://localhost:8080/",
  "token_endpoint_auth_signing_alg": "RS256",
  "tos_uri": "http://localhost:8080/",
  "userinfo_signed_response_alg": "RS256"
}'
```
New cURL, I’ll also replace the new token
h
OK
I will take a look
did you check all the parameters and set them, or just copy paste them from the api spec?
m
I checked all parameters and set them; the documentation does not explain everything that is required in the API spec
h
Yeah the API spec needs some work
m
Is there anywhere else I can see?
Only data I have is in the API spec 😕
h
so if you remove all of the "default" values that you don't actually want to set, here is a minimal example:
```bash
curl --location --request POST 'https://cranky-jang-tvf411zt6j.projects.oryapis.com/admin/clients' \
--header 'Authorization: Bearer ory_pat_REDACTED' \
--header 'Content-Type: application/json' \
--header 'Cookie: __cflb=REDACTED' \
--data-raw '{
  "allowed_cors_origins": [
    "http://localhost:8080/"
  ],
  "audience": [
    "CustomerPBC", "ProductPBC"
  ],
  "client_name": "Frontend App 1",
  "grant_types": ["code"],
  "owner": "Ahmed Sabaa",
  "scope": "product:1 product:2 product:3 customer:1 customer:2 customer:3",
  "token_endpoint_auth_method": "none",
  "contacts": ["Ahmed Saba"]
}'
```
m
OK, that worked
Where did you get those required data points from? Anywhere else other than the API spec yet?
h
m
Now I am getting
```text
The request could not be executed because a mandatory configuration key is missing or malformed
You are seeing this page because configuration key urls.login is not set.

If you are an administrator, please read the guide to understand what you need to do. If you are a user, please contact the administrator.
```
after getting the correct client setup. This happens when I redirect to
```text
http://localhost:4000/oauth2/auth/?client_id=client-id&response_type=code&scope=product:1 product:2 product:3 customer:1 customer:2 customer:3 openid&state=stateparametervalueplease&redirect_uri=http://localhost:8080/
```
This seems like a cloud setup problem of Hydra, or am I missing something?
h
We currently don't ship a UI / login-consent app for Hydra. We're working on a native integration between Kratos and Hydra; once that is available, this will automatically work. For now, you'll need to set up your own consent app - you can use this example: https://github.com/ory/hydra-login-consent-node
And then set the login & consent URLs to the location where this app is running. In dev mode, localhost should work here
m
so I do need to personally host something in any case to get the code flow to work, correct?