Add client_secret_expires_at to Dynamic Client Registration response

55728 · 55728 · commit 74642776ece2 · 2026-06-15T21:28:54.000+09:00
RFC 7591 §3.2.1 and OIDC Dynamic Client Registration 1.0 §3.2 require
client_secret_expires_at whenever a client_secret is issued. Doorkeeper
secrets never expire, so emit 0 (no expiration) for confidential clients.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,7 @@
 - [#304] allow handle auth_time per grant
 - [#305] Document the `auth_time_from_access_token` config option in the README (per-grant `auth_time`), clarifying that it only affects the ID Token `auth_time` claim and not `max_age` enforcement
 - [#307] Fix `bundle exec rake server` for the test application
+- [#311] Include the REQUIRED `client_secret_expires_at` member (value `0`, never expires) in the Dynamic Client Registration response whenever a `client_secret` is issued (RFC 7591 §3.2.1 / OpenID Connect Dynamic Client Registration 1.0 §3.2)
 
 ## v1.10.1 (2026-06-03)
 
diff --git a/app/controllers/doorkeeper/openid_connect/dynamic_client_registration_controller.rb b/app/controllers/doorkeeper/openid_connect/dynamic_client_registration_controller.rb
@@ -72,6 +72,10 @@ def registration_response(doorkeeper_application, registration)
         if registration.confidential_client?
           response[:client_secret] =
             doorkeeper_application.plaintext_secret || doorkeeper_application.secret
+          # RFC 7591 §3.2.1 / OIDC Dynamic Client Registration 1.0 §3.2:
+          # client_secret_expires_at is REQUIRED when a client_secret is issued.
+          # Doorkeeper secrets never expire, so the value is 0 (no expiration).
+          response[:client_secret_expires_at] = 0
         end
 
         response
diff --git a/spec/controllers/dynamic_client_registration_controller_spec.rb b/spec/controllers/dynamic_client_registration_controller_spec.rb
@@ -37,6 +37,7 @@
         body = JSON.parse(response.body)
         expect(body).to eq({
           "client_secret" => doorkeeper_application.plaintext_secret || doorkeeper_application.secret,
+          "client_secret_expires_at" => 0,
           "client_id" => doorkeeper_application.uid,
           "client_id_issued_at" => doorkeeper_application.created_at.to_i,
           "redirect_uris" => redirect_uris,
@@ -67,6 +68,7 @@
         body = JSON.parse(response.body)
         expect(body["token_endpoint_auth_method"]).to eq("client_secret_basic")
         expect(body["client_secret"]).to be_present
+        expect(body["client_secret_expires_at"]).to eq(0)
       end
     end
 
@@ -87,6 +89,7 @@
         body = JSON.parse(response.body)
         expect(body["token_endpoint_auth_method"]).to eq("client_secret_post")
         expect(body["client_secret"]).to be_present
+        expect(body["client_secret_expires_at"]).to eq(0)
       end
     end
 
@@ -107,6 +110,7 @@
         body = JSON.parse(response.body)
         expect(body["token_endpoint_auth_method"]).to eq("none")
         expect(body).not_to have_key("client_secret")
+        expect(body).not_to have_key("client_secret_expires_at")
       end
     end
 
