fix(client): add omitempty to optional URI fields in JSON serialization

Optional fields (policy_uri, tos_uri, client_uri, logo_uri, contacts)
were serialized as empty strings or null when not set. This breaks
strict JSON validators like Zod that expect these fields to either
be present with valid values or omitted entirely.

RFC 7591 specifies these fields as optional, so omitting them when
empty is the correct behavior for DCR responses.

Author: panbanda

client/client.go

@@ -110,7 +110,7 @@ type Client struct {
 	// PolicyURI is a URL string that points to a human-readable privacy policy document
 	// that describes how the deployment organization collects, uses,
 	// retains, and discloses personal data.
-	PolicyURI string `json:"policy_uri" db:"policy_uri"`
+	PolicyURI string `json:"policy_uri,omitempty" db:"policy_uri"`
 
 	// OAuth 2.0 Client Allowed CORS Origins
 	//
@@ -126,27 +126,27 @@ type Client struct {
 	// document for the client that describes a contractual relationship
 	// between the end-user and the client that the end-user accepts when
 	// authorizing the client.
-	TermsOfServiceURI string `json:"tos_uri" db:"tos_uri"`
+	TermsOfServiceURI string `json:"tos_uri,omitempty" db:"tos_uri"`
 
 	// OAuth 2.0 Client URI
 	//
 	// ClientURI is a URL string of a web page providing information about the client.
 	// If present, the server SHOULD display this URL to the end-user in
 	// a clickable fashion.
-	ClientURI string `json:"client_uri" db:"client_uri"`
+	ClientURI string `json:"client_uri,omitempty" db:"client_uri"`
 
 	// OAuth 2.0 Client Logo URI
 	//
 	// A URL string referencing the client's logo.
-	LogoURI string `json:"logo_uri" db:"logo_uri"`
+	LogoURI string `json:"logo_uri,omitempty" db:"logo_uri"`
 
 	// OAuth 2.0 Client Contact
 	//
 	// An array of strings representing ways to contact people responsible
 	// for this client, typically email addresses.
 	//
 	// Example: help@example.org
-	Contacts sqlxx.StringSliceJSONFormat `json:"contacts" db:"contacts"`
+	Contacts sqlxx.StringSliceJSONFormat `json:"contacts,omitempty" db:"contacts"`
 
 	// OAuth 2.0 Client Secret Expires At
 	//

client/client_test.go

@@ -4,9 +4,11 @@
 package client
 
 import (
+	"encoding/json"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 
 	"github.com/ory/hydra/v2/fosite"
 )
@@ -31,3 +33,34 @@ func TestClient(t *testing.T) {
 	assert.Len(t, c.GetScopes(), 2)
 	assert.EqualValues(t, c.RedirectURIs, c.GetRedirectURIs())
 }
+
+func TestClientJSONOmitsEmptyOptionalURIFields(t *testing.T) {
+	c := &Client{
+		ID:           "test-client",
+		RedirectURIs: []string{"http://localhost/callback"},
+	}
+
+	data, err := json.Marshal(c)
+	require.NoError(t, err)
+
+	var result map[string]interface{}
+	err = json.Unmarshal(data, &result)
+	require.NoError(t, err)
+
+	// These optional URI fields should be omitted when empty, not serialized as ""
+	_, hasLogoURI := result["logo_uri"]
+	assert.False(t, hasLogoURI, "logo_uri should be omitted when empty")
+
+	_, hasTosURI := result["tos_uri"]
+	assert.False(t, hasTosURI, "tos_uri should be omitted when empty")
+
+	_, hasPolicyURI := result["policy_uri"]
+	assert.False(t, hasPolicyURI, "policy_uri should be omitted when empty")
+
+	_, hasClientURI := result["client_uri"]
+	assert.False(t, hasClientURI, "client_uri should be omitted when empty")
+
+	// contacts should be omitted when nil, not serialized as null
+	_, hasContacts := result["contacts"]
+	assert.False(t, hasContacts, "contacts should be omitted when nil")
+}