Payload validation error : date-time ISO 8601 : client_authentication_methods.private_key_jwt.credentials[0].expires_at

The payload validation fails for a variety of ISO 8601 formats:

2024-07-06 00:00:00
2024-07-06T00:00:00
20240706T000000.000000Z

full errors

Auth0Error: 400: Payload validation error: 'Object didn't pass validation for format date-time: 2024-07-06T00:00:00' on property client_authentication_methods.private_key_jwt.credentials[0].expires_at (The ISO 8601 formatted date representing the 
expiration of the credential. If not specified (not recommended), the credential never expires).
Auth0Error: 400: Payload validation error: 'Object didn't pass validation for format date-time: 2024-07-06 00:00:00' on property client_authentication_methods.private_key_jwt.credentials[0].expires_at (The ISO 8601 formatted date representing the 
expiration of the credential. If not specified (not recommended), the credential never expires).
Auth0Error: 400: Payload validation error: 'Object didn't pass validation for format date-time: 20240706T000000.000000Z' on property client_authentication_methods.private_key_jwt.credentials[0].expires_at (The ISO 8601 formatted date representing the 
expiration of the credential. If not specified (not recommended), the credential never expires).

workaround

Removing the `expires_at` line makes the request succeed, but the credential then never expires, which the API's own error text flags as not recommended.

code

    # Reproduction: build the client-creation payload and submit it through the
    # Management API SDK. This is the version that produces the 400 errors
    # quoted above.
    #
    # dateutil.utils.today() is called without a tzinfo, so it yields a naive
    # datetime at midnight. isoformat() on a naive datetime emits
    # "YYYY-MM-DDTHH:MM:SS" with no UTC offset, which is the rejected value
    # "2024-07-06T00:00:00" from the error text. The API reference example for
    # this field has the form "2023-03-15T10:21:35.922Z", i.e. it carries a
    # "Z" designator.
    today = dateutil.utils.today()
    next_year = today + relativedelta(years=1)
    next_year_iso8601_formatted = next_year.isoformat()
    payload = {
        "is_token_endpoint_ip_header_trusted": False,
        "name": name,
        "description": description,
        "app_type": "non_interactive",
        "is_first_party": True,
        "oidc_conformant": False,
        "jwt_configuration": {
            "lifetime_in_seconds": 36000,
            "scopes": {},
            "alg": "RS256",
        },
        "sso": True,
        "cross_origin_authentication": True,
        "sso_disabled": True,
        "custom_login_page_on": True,
        "client_metadata": {},
        "native_social_login": {
            "apple": {
                "enabled": False
            },
            "facebook": {
                "enabled": False
            }
        },
        # NOTE(review): non-rotating, non-expiring refresh tokens are configured
        # here although grant_types below lists only client_credentials --
        # confirm these settings are intended for this client.
        "refresh_token": {
            "rotation_type": "non-rotating",
            "expiration_type": "non-expiring",
            "leeway": 0,
            "token_lifetime": 2592000,
            "infinite_token_lifetime": True,
            "idle_token_lifetime": 1296000,
            "infinite_idle_token_lifetime": True
        },
        "organization_usage": "deny",
        "organization_require_behavior": "no_prompt",
        "client_authentication_methods": {
            "private_key_jwt": {
                "credentials": [
                    {
                        "credential_type": "public_key",
                        "name": f"{name}.pem.pub",
                        "pem": pub_key,
                        "alg": "RS256",
                        # Expiry is supplied explicitly rather than read from a
                        # certificate.
                        "parse_expiry_from_cert": False,
                        # This is the property the validation error points at.
                        # Per the API's error text, leaving it out makes the
                        # credential never expire (not recommended).
                        "expires_at": next_year_iso8601_formatted
                    }
                ]
            }
        },
        "grant_types": [
            "client_credentials"
        ],
    }
    # The Management API token is used exactly as read from the file.
    # NOTE(review): a trailing newline in the file would be passed along with
    # the token -- confirm the file is written without one.
    # The API call runs while the token file is still open.
    with open(mgmt_access_token_file, 'r') as f:
        auth0_management_token = f.read()
        m_auth0 = Auth0(f"{domain}.us.auth0.com", auth0_management_token)
        r = m_auth0.clients.create(payload)
        # NOTE(review): the full creation response is echoed to stdout; check
        # whether it carries fields that should stay out of shared logs.
        print(json.dumps(r, indent=4))

Ask: what is an example of a correct ISO 8601 format that this endpoint will accept?

Hi @tgreenwood,

Welcome to the Auth0 Community!

Can you please share the endpoint uri so I can test it out? Thank you!


Hi Dan,

Thank you!

I’m using the clients create endpoint:

https://auth0.com/docs/api/management/v2#!/Clients/post_clients

It seems the docs have been recently updated and I see that there is now an example of the accepted ISO 8601 timestamp:

         "name": "My credential 1",
          "credential_type": "public_key",
          "alg": "RS256",
          "expires_at": "2023-03-15T10:21:35.922Z",
          "pem": "-----BEGIN PUBLIC KEY-----\r\nMIIBIjANBg...\r\n-----END PUBLIC KEY-----\r\n"
        },

Looking at my test cases, I see that none of them looks quite like this; none combines the extended `YYYY-MM-DDTHH:MM:SS` form with a trailing `Z`:

2023-03-15T10:21:35.922Z

I’ll try that later today and report back :slight_smile:

Code

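@app.command(help="generate auth0 m2m client application")
def create_client(domain: str, name: str, description: str, client_pub_key_file: str,
                  mgmt_access_token_file: str = "mgmt_access_token.token", ) -> typing.Dict[str, typing.Any]:
    """Create an Auth0 machine-to-machine client that authenticates with private_key_jwt.

    Reads the client's PEM public key and a Management API token from disk,
    registers the client through ``clients.create``, then prints and returns
    the API response. The registered public-key credential is given an
    explicit expiry one year from today (UTC).

    Args:
        domain: Tenant name; the API host is built as ``{domain}.us.auth0.com``.
        name: Client name, also used to name the credential ``{name}.pem.pub``.
        description: Free-text client description.
        client_pub_key_file: Path to the PEM public key to register.
        mgmt_access_token_file: Path to a file holding the Management API token.

    Returns:
        The response of ``clients.create`` as returned by the SDK.
    """
    # Function-scope import: the file's import block is not part of this
    # listing, so the new name is brought in locally.
    from datetime import timezone

    with open(client_pub_key_file, 'r') as f:
        pub_key = f.read()

    # The API validates expires_at against the "date-time" format and rejected
    # the offset-less output of a naive datetime's isoformat(). Build a
    # UTC-aware midnight instead and render it in the shape of the API
    # reference example, "2023-03-15T10:21:35.922Z".
    # NOTE(review): the shape is taken from the documented example; the thread
    # does not record a confirmed run -- verify against the tenant.
    today = dateutil.utils.today(tzinfo=timezone.utc)
    next_year = today + relativedelta(years=1)
    next_year_iso8601_formatted = (
        next_year.isoformat(timespec="milliseconds").replace("+00:00", "Z")
    )

    payload = {
        "is_token_endpoint_ip_header_trusted": False,
        "name": name,
        "description": description,
        "app_type": "non_interactive",
        "is_first_party": True,
        "oidc_conformant": False,
        "jwt_configuration": {
            "lifetime_in_seconds": 36000,
            "scopes": {},
            # NOTE(review): RS256 is referenced as a name, not a string
            # literal; presumably a module-level constant -- confirm it is
            # defined.
            "alg": RS256,
        },
        "sso": True,
        "cross_origin_authentication": True,
        "sso_disabled": True,
        "custom_login_page_on": True,
        "client_metadata": {},
        "native_social_login": {
            "apple": {
                "enabled": False
            },
            "facebook": {
                "enabled": False
            }
        },
        # NOTE(review): non-rotating, non-expiring refresh tokens are configured
        # here although grant_types below lists only client_credentials --
        # confirm these settings are intended for this client.
        "refresh_token": {
            "rotation_type": "non-rotating",
            "expiration_type": "non-expiring",
            "leeway": 0,
            "token_lifetime": 2592000,
            "infinite_token_lifetime": True,
            "idle_token_lifetime": 1296000,
            "infinite_idle_token_lifetime": True
        },
        "organization_usage": "deny",
        "organization_require_behavior": "no_prompt",
        "client_authentication_methods": {
            "private_key_jwt": {
                "credentials": [
                    {
                        "credential_type": "public_key",
                        "name": f"{name}.pem.pub",
                        "pem": pub_key,
                        "alg": RS256,
                        "parse_expiry_from_cert": False,
                        # Without this field the credential never expires,
                        # which the API's own error text calls not recommended.
                        "expires_at": next_year_iso8601_formatted,
                    }
                ]
            }
        },
        "grant_types": [
            "client_credentials"
        ],
    }

    with open(mgmt_access_token_file, 'r') as f:
        # Strip surrounding whitespace so a trailing newline in the token file
        # is not sent as part of the bearer token.
        auth0_management_token = f.read().strip()
    m_auth0 = Auth0(f"{domain}.us.auth0.com", auth0_management_token)
    create_response = m_auth0.clients.create(payload)
    # NOTE(review): the full creation response is echoed to stdout; check
    # whether it carries fields that should stay out of shared logs.
    print(json.dumps(create_response, indent=4))
    return create_response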

Sounds good! I’ll hold tight for now. Let us know if that works for you. Thank you!

