`loginRequest.requested_access_token_audience` is setting to `null` instead of `[]`

Question

`loginRequest.requested_access_token_audience` is setting to `null` instead of `[]`

JoMC98 opened this issue 8 months ago · 2 comments

JoMC98 commented 8 months ago

Preflight checklist

I could not find a solution in the existing issues, docs, nor discussions.
I agree to follow this project's Code of Conduct.
I have read and am following this repository's Contribution Guidelines.
I have joined the Ory Community Slack.
I am signed up to the Ory Security Patch Newsletter.

Ory Network Project

No response

Describe the bug

Hi,

We are using Hydra v2.2.0rc3 that is on Pre-Release and in our login service, we are using Python client library ory-hydra-client==2.2.0rc3.

When we try to obtain the login request with the library function:
hydra_login_request = hydra.get_o_auth2_login_request(login_challenge=login_challenge), we receive the following error:

ory_hydra_client.exceptions.ApiTypeError: Invalid type for variable 'requested_access_token_audience'. Required value type is StringSliceJSONFormat and passed type was NoneType at ['received_data']['requested_access_token_audience']

The problem is that this api call: http://<HYDRA_HOST>:4445/admin/oauth2/auth/requests/login?challenge=<LOGIN_CHALLENGE> is returning "requested_access_token_audience": null as can be seen here:

The python client library expect an Array instead of null, throws an error and the login flow breaks.

I think this can be a bug on the pre-release hydra version and should be fixed before releasing the stable version.

I have read the following issue that is similar: #2039, but we are not using in-memory database, we are using MySQL database.

Thanks in advance

Reproducing the bug

Start hydra with v2.2.0rc3
GET http://<HYDRA_HOST>:4445/admin/oauth2/auth/requests/login?challenge=<CHALLENGE>
You can see that requested_access_token_audience is null instead of empty list

Relevant log output

No response

Relevant configuration

No response

Version

v2.2.0rc3

On which operating system are you observing this issue?

None

In which environment are you deploying?

None

Additional Context

No response

Answer 1 · 2024-02-04T21:43:31.000Z

It seems v2.2 got released on docker hub (and v2 now points to v2.2) without this issue being fixed. So most clients are now broken. (At least hydra-client-rust has the same problem. The API violation seems to be on the hydra server side.)

Answer 2 · 2024-02-05T11:04:24.000Z

@aeneasr this issue should have been a release blocker. Are there any plans on fixing this and creating a new release with the fix?