We’ve determined that the Okta Java SDK creates malformed API requests when updating an Okta app. We’ve been able to reproduce this issue with the following code:
import java.util.Collections;
import com.okta.sdk.client.Client;
import com.okta.sdk.resource.application.*;

// client is an initialized com.okta.sdk.client.Client;
// appClient and getLabel(...) are our own helpers that supply the label, client_id and client_secret
Application app = OIDCApplicationBuilder.instance()
        .setSignOnMode(ApplicationSignOnMode.OPENID_CONNECT)
        .setLabel(getLabel(appClient.getCompanyName()))
        .setApplicationType(OpenIdConnectApplicationType.SERVICE)
        .setGrantTypes(Collections.singletonList(OAuthGrantType.CLIENT_CREDENTIALS))
        .setResponseTypes(Collections.singletonList(OAuthResponseType.TOKEN))
        .setClientId(appClient.getClientId())
        .setClientSecret(appClient.getClientSecret())
        .setAutoKeyRotation(true)
        .setTokenEndpointAuthMethod(OAuthEndpointAuthenticationMethod.CLIENT_SECRET_BASIC)
        .buildAndCreate(client); // the create call succeeds
app.update();                    // the update call fails with HTTP 400 / E0000003
This causes the following error:
Caused by: com.okta.sdk.resource.ResourceException: HTTP 400, Okta E0000003 (The request body was not well-formed.), ErrorId oae3NJ8vguWR0GwDLhIXanFfw
We observed this failure on SDK versions 5.0.0, 6.0.0, 8.0.0, and 8.1.0.
Observing the API calls made by the SDK, we were able to reproduce this error in Postman as well.
Here’s the body of the update API call that was failing:
{
  "settings": {
    "app": [],
    "notes": {
      "admin": null,
      "enduser": null
    },
    "notifications": {
      "vpn": {
        "network": {
          "connection": "DISABLED"
        },
        "message": null,
        "helpUrl": null
      }
    },
    "oauthClient": {
      "client_uri": null,
      "logo_uri": null,
      "redirect_uris": [],
      "response_types": [
        "token"
      ],
      "grant_types": [
        "client_credentials"
      ],
      "application_type": "service",
      "consent_method": "TRUSTED",
      "issuer_mode": "DYNAMIC",
      "idp_initiated_login": {
        "mode": "DISABLED",
        "default_scope": []
      },
      "wildcard_redirect": "DISABLED"
    }
  },
  "visibility": {
    "hide": {
      "iOS": true,
      "web": true
    },
    "appLinks": {
      "oidc_client_link": true
    },
    "autoSubmitToolbar": false,
    "autoLaunch": false
  },
  "accessibility": {
    "selfService": false,
    "errorRedirectUrl": null,
    "loginRedirectUrl": null
  },
  "credentials": {
    "signing": {
      "kid": "REDACTED"
    },
    "userNameTemplate": {
      "template": "${source.login}",
      "type": "BUILT_IN"
    },
    "oauthClient": {
      "autoKeyRotation": true,
      "client_id": "REDACTED",
      "client_secret": "REDACTED",
      "token_endpoint_auth_method": "client_secret_basic"
    }
  },
  "_links": {
    "uploadLogo": {
      "href": "https://dev-45571687.okta.com/api/v1/apps/0oa40qwna2JDU1ura5d7/logo",
      "hints": {
        "allow": [
          "POST"
        ]
      }
    },
    "appLinks": [
      {
        "name": "oidc_client_link",
        "href": "https://dev-45571687.okta.com/home/oidc_client/0oa40qwna2JDU1ura5d7/aln177a159h7Zf52X0g8",
        "type": "text/html"
      }
    ],
    "groups": {
      "href": "https://dev-45571687.okta.com/api/v1/apps/0oa40qwna2JDU1ura5d7/groups"
    },
    "logo": [
      {
        "name": "medium",
        "href": "https://ok12static.oktacdn.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png",
        "type": "image/png"
      }
    ],
    "users": {
      "href": "https://dev-45571687.okta.com/api/v1/apps/0oa40qwna2JDU1ura5d7/users"
    },
    "deactivate": {
      "href": "https://dev-45571687.okta.com/api/v1/apps/0oa40qwna2JDU1ura5d7/lifecycle/deactivate"
    }
  },
  "created": "2022-03-01T22:23:58.000Z",
  "signOnMode": "OPENID_CONNECT",
  "label": "pb-test-acme-inc",
  "lastUpdated": "2022-03-01T22:23:59.000Z",
  "features": [],
  "name": "oidc_client",
  "id": "0oa40qwna2JDU1ura5d7",
  "status": "ACTIVE"
}
We were able to isolate the issue to the serialized array being used in
"settings": {
  "app": [],
Using "app": [] seemed to be the root cause of the error. Using "app": {} works, as does "app": null.
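The following is an added example, not code from the Okta SDK or from the report above. It takes a captured update request body, flags the malformed `"settings": {"app": []}` value that the report isolates as the cause of E0000003, rewrites it to `{}` (or `null`, the other value the report found to work), and lists every path the rewrite changed so the corrected body can be resent from Postman or curl with confidence that nothing else was touched. The sample body is a constructed, trimmed copy of the failing request; the helper names and the client-side rewrite are this example's own workaround for manual resends, not a fix inside the SDK.

```python
"""Detect and rewrite the malformed settings.app value in an Okta app-update body."""
import copy
import json

# Constructed sample: a trimmed version of the failing request body quoted above.
FAILING_BODY = json.loads("""
{
  "settings": {
    "app": [],
    "notes": {"admin": null, "enduser": null},
    "oauthClient": {
      "response_types": ["token"],
      "grant_types": ["client_credentials"],
      "application_type": "service"
    }
  },
  "signOnMode": "OPENID_CONNECT",
  "label": "pb-test-acme-inc",
  "name": "oidc_client"
}
""")


def settings_app_is_malformed(body):
    """True when settings.app was serialized as an empty JSON array ([]),
    the value Okta rejects with HTTP 400 / E0000003. {} and null pass."""
    settings = body.get("settings")
    if not isinstance(settings, dict):
        return False
    return settings.get("app") == []


def fix_settings_app(body, use_null=False):
    """Return a deep copy of the body with a malformed settings.app rewritten
    to {} (default) or null; the caller's original body is left untouched."""
    fixed = copy.deepcopy(body)
    if settings_app_is_malformed(fixed):
        fixed["settings"]["app"] = None if use_null else {}
    return fixed


def changed_paths(before, after, prefix=""):
    """List dotted paths whose values differ between two bodies, so the
    rewrite can be audited before the request is resent."""
    if isinstance(before, dict) and isinstance(after, dict):
        paths = []
        for key in sorted(set(before) | set(after)):
            paths.extend(changed_paths(before.get(key), after.get(key), f"{prefix}{key}."))
        return paths
    return [] if before == after else [prefix.rstrip(".")]


def corrected_request_json(body):
    """Serialize the corrected body exactly as it would be pasted into Postman
    or passed to `curl -X PUT .../api/v1/apps/{appId}` (hypothetical usage)."""
    return json.dumps(fix_settings_app(body), indent=2)


if __name__ == "__main__":
    print("malformed:", settings_app_is_malformed(FAILING_BODY))
    print("changed paths:", changed_paths(FAILING_BODY, fix_settings_app(FAILING_BODY)))
    print(corrected_request_json(FAILING_BODY))
```

The check is deliberately narrow: it only treats `[]` as malformed, matching the report's finding that `{}` and `null` are accepted, so a body that already carries one of the working values is returned unchanged.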