By: Sakit Atakishiyev user 22 Apr 2017 at 4:39 a.m. CDT

23 Responses
What is the best place to start UMA with Gluu? Any documentation, examples?

By Aliaksandr Samuseu staff 22 Apr 2017 at 7:28 a.m. CDT

Hi, Sakit. From your other ticket I see you already use our **oxd-server**. It is a UMA-capable solution, and you can refer to the [corresponding doc page's section](https://gluu.org/docs/oxd/protocol/#uma-authorization) for the list of APIs. It seems we don't have examples of how to use oxd with UMA on our doc portals yet, but you can refer to the [UMA specs](https://docs.kantarainitiative.org/uma/rec-uma-core.html) for the general picture, and to our own UMA pages [here](https://gluu.org/docs/ce/latest/api-guide/uma-api/) and [here](https://gluu.org/docs/ce/latest/admin-guide/uma/). [This video](https://www.youtube.com/watch?v=zVdUFcEAwPU) may also be helpful, though please note it's a bit outdated. Feel free to ask questions here if you find this documentation incomplete or misleading.

By Michael Schwartz Account Admin 22 Apr 2017 at 10:09 a.m. CDT

I see you're using oxd with UMA; that's a good idea because UMA 2.0 is about to go final, and using oxd will protect you. If you want to express central policies about which people can get to which web resources, you may want to use UMA. If you don't care about central policy management, then you don't need it.

By Sakit Atakishiyev user 22 Apr 2017 at 10:13 a.m. CDT

Hi again Aliaksandr. We read all of these and watched the video. The problem is that all of this documentation is good in theory, but when you try to apply it in practice there are lots of problems. For example, you gave the [link](https://gluu.org/docs/ce/latest/admin-guide/uma/) for creating resources and scopes, managing scripts, etc. But when we enter the Gluu admin panel we cannot see an 'Add Resources' button when creating a new resource set; there is only an 'Add Scope' button. The API docs say that we can add a condition to a scope, but we also could not find how to do this in the Gluu admin panel. We also tried the oxd library to register our resource. We used the example code snippet from the documentation, but when we send the request, on the oxd-server side we get a 406 error code. Is there anything we did wrong?

By Michael Schwartz Account Admin 22 Apr 2017 at 10:43 a.m. CDT

If you are using oxd, the RS registers the resource. You don't have to do anything in the admin UI except create scopes and map them to policies (custom scripts / authorization policies). If you can provide more background to your use case, perhaps we could be of assistance.

By Sakit Atakishiyev user 22 Apr 2017 at 12:15 p.m. CDT

Hi Michael. Yes, we want to use UMA. First we tried to create protected resources with the admin UI, but we could not, so we decided to use oxd-server. We did the same thing as explained in the documentation. The code which we used:

```java
// Ask oxd whether the RPT presented by the caller grants access to GET /rest/photo
final RsCheckAccessParams params = new RsCheckAccessParams();
params.setOxdId(site.getOxdId());   // oxd_id returned by register_site
params.setHttpMethod("GET");
params.setPath("/rest/photo");
params.setRpt(rpt);                 // RPT taken from the incoming request
final Command command = new Command(CommandType.RS_CHECK_ACCESS).setParamsObject(params);
final RsCheckAccessResponse resp = client.send(command).dataAsResponse(RsCheckAccessResponse.class);
```

When we send the request, on the oxd-server side we get an `http 406` error response. I will provide more information about the errors and example code.

By Michael Schwartz Account Admin 22 Apr 2017 at 1:15 p.m. CDT

The right flow is for the RS to register resources. You don't need to create the resources in the Admin UI. oxd will handle the resource registration for you. In 3.1, we're going to remove the ability to add resources from the admin UI, because there is no use case for it. I added Yuriy Z to this thread in case he has anything to add.

By Michael Schwartz Account Admin 22 Apr 2017 at 2:22 p.m. CDT

See [section 1.4.1](https://docs.kantarainitiative.org/uma/ed/uma-core-2.0-21.html) in the 2.0 draft:

> The resource server is responsible for managing the process and timing of registering resources, maintaining the registration of resources, and deregistering resources at the authorization server.

This is the direction things are going... which is why adding resource registration directly in the AS is being removed.

By Yuriy Zabrovarnyy staff 22 Apr 2017 at 2:32 p.m. CDT

By default the UMA scopes 'uma_protection' and 'uma_authorization' are disabled in standard CE. Please make sure both of these scopes have 'Default Scope' set to true, as described in the documentation [here](https://gluu.org/docs/ce/latest/admin-guide/openid-connect/#scopes), because oxd uses dynamic client registration.

> Specifying a scope as "Default" means that a client can request it during dynamic client registration. The only default scope is openid, which is required by the OpenID Connect specification. You can always explicitly release a scope to a certain client later on, but this will require some manual intervention by the Gluu Server admin.

Also please provide the full `oxd-server.log` (attach it to this ticket), so we can investigate in detail.

By Sakit Atakishiyev user 24 Apr 2017 at 10:29 a.m. CDT

Hello everyone. Today I repeated everything from the beginning, but the result is the same. When I try to protect my resource I get a 406 error from oxd-server. This is the oxd-server.log:

```
2017-04-24 18:25:20,884 DEBUG [org.xdi.oxd.server.service.SocketService] Start new SocketProcessor...
2017-04-24 18:25:20,895 TRACE [org.xdi.oxd.server.SocketProcessor] Socket processor handling...
2017-04-24 18:25:20,896 TRACE [org.xdi.oxd.common.CoreUtils] commandSize: -1, stringStorage:
2017-04-24 18:25:21,916 TRACE [org.xdi.oxd.common.CoreUtils] Parsed sizeString: 0149, commandSize: 149
2017-04-24 18:25:21,916 TRACE [org.xdi.oxd.common.CoreUtils] Read result: ReadResult{m_command='{"command":"get_authorization_url","params":{"prompt":null,"scope":null,"oxd_id":"191b3b1e-2a85-4c62-bf26-743162ae92dc","acr_values":null,"hd":null}}', m_leftString=''}
2017-04-24 18:25:21,916 TRACE [org.xdi.oxd.server.Processor] Command: {"command":"get_authorization_url","params":{"prompt":null,"scope":null,"oxd_id":"191b3b1e-2a85-4c62-bf26-743162ae92dc","acr_values":null,"hd":null}}
2017-04-24 18:25:32,400 TRACE [org.xdi.oxd.server.Processor] Send back response: {"status":"ok","data":{"authorization_url":"https://cyber.gluu.info/oxauth/seam/resource/restv1/oxauth/authorize?response_type=code&client_id=@!6D74.E6E1.4AFB.5F79!0001!CDDF.448A!0008!6BA6.95BD.03BE.9775&redirect_uri=https://google.com&scope=openid+uma_protection+uma_authorization&state=u80jjnaul06r98cgho8scvqc8p&nonce=pmsfab1cu3l4aita6tiiurgl4u"}}
2017-04-24 18:25:32,401 TRACE [org.xdi.oxd.server.SocketProcessor] Socket processor handling...
2017-04-24 18:25:32,401 TRACE [org.xdi.oxd.common.CoreUtils] commandSize: -1, stringStorage:
2017-04-24 18:25:32,579 TRACE [org.xdi.oxd.common.CoreUtils] End of stream. Quit.
2017-04-24 18:25:32,580 TRACE [org.xdi.oxd.server.SocketProcessor] Quit. Read result is null or command string is blank.
2017-04-24 18:32:55,925 DEBUG [org.xdi.oxd.server.service.SocketService] Start new SocketProcessor...
2017-04-24 18:32:55,988 TRACE [org.xdi.oxd.server.SocketProcessor] Socket processor handling...
2017-04-24 18:32:56,000 TRACE [org.xdi.oxd.common.CoreUtils] commandSize: -1, stringStorage:
2017-04-24 18:32:56,370 TRACE [org.xdi.oxd.common.CoreUtils] Parsed sizeString: 0660, commandSize: 660
2017-04-24 18:32:56,415 TRACE [org.xdi.oxd.common.CoreUtils] Read result: ReadResult{m_command='{"command":"register_site","params":{"scope":["openid","uma_protection","uma_authorization"],"contacts":null,"op_host":"https://cyber.gluu.info","authorization_redirect_uri":"https://cyber.oxd.info:8443/GluuServerTest/user/profile/","post_logout_redirect_uri":"https://cyber.oxd.info:8443/GluuServerTest/","redirect_uris":null,"response_types":null,"client_id":null,"client_secret":null,"client_name":null,"client_jwks_uri":null,"client_token_endpoint_auth_method":null,"client_request_uris":null,"client_logout_uris":null,"client_sector_identifier_uri":null,"ui_locales":null,"claims_locales":null,"acr_values":null,"grant_types":null,"trusted_client":false}}', m_leftString=''}
2017-04-24 18:32:56,416 TRACE [org.xdi.oxd.server.Processor] Command: {"command":"register_site","params":{"scope":["openid","uma_protection","uma_authorization"],"contacts":null,"op_host":"https://cyber.gluu.info","authorization_redirect_uri":"https://cyber.oxd.info:8443/GluuServerTest/user/profile/","post_logout_redirect_uri":"https://cyber.oxd.info:8443/GluuServerTest/","redirect_uris":null,"response_types":null,"client_id":null,"client_secret":null,"client_name":null,"client_jwks_uri":null,"client_token_endpoint_auth_method":null,"client_request_uris":null,"client_logout_uris":null,"client_sector_identifier_uri":null,"ui_locales":null,"claims_locales":null,"acr_values":null,"grant_types":null,"trusted_client":false}}
2017-04-24 18:32:56,417 INFO [org.xdi.oxd.server.op.RegisterSiteOperation] Creating site configuration ...
2017-04-24 18:32:56,436 TRACE [org.xdi.oxd.server.service.HttpService] Created TRUST_ALL client.
2017-04-24 18:32:59,561 TRACE [org.xdi.oxd.server.op.RegisterSiteOperation] Registered client for site - client_id: @!6D74.E6E1.4AFB.5F79!0001!CDDF.448A!0008!E11D.2CCB.7853.6F8E
2017-04-24 18:32:59,578 INFO [org.xdi.oxd.server.op.RegisterSiteOperation] Site configuration created: SiteConfiguration{acrValues=[], oxdId='1035f095-1374-4924-a6b6-448af24f7027', opHost='https://cyber.gluu.info', authorizationRedirectUri='https://cyber.oxd.info:8443/GluuServerTest/user/profile/', applicationType='web', sectorIdentifierUri='null', redirectUris=[https://cyber.oxd.info:8443/GluuServerTest/user/profile/], responseTypes=[code], clientId='@!6D74.E6E1.4AFB.5F79!0001!CDDF.448A!0008!E11D.2CCB.7853.6F8E', clientSecret='4ee7c60f-df28-4e10-85d4-578cf529f65b', clientJwksUri='', scope=[openid, uma_protection, uma_authorization], uiLocales=[en], claimsLocales=[en], grantType=[authorization_code], contacts=[], aat=null, aatCreatedAt=null, aatExpiresIn=0, pat=null, patCreatedAt=null, patExpiresIn=0, umaProtectedResources=[], rpt=null, rptCreatedAt=null, rptExpiresIn=null, gat=null, gatCreatedAt=null, gatExpiresIn=null}
2017-04-24 18:32:59,580 TRACE [org.xdi.oxd.server.Processor] Send back response: {"status":"ok","data":{"oxd_id":"1035f095-1374-4924-a6b6-448af24f7027","op_host":"https://cyber.gluu.info"}}
2017-04-24 18:32:59,580 TRACE [org.xdi.oxd.server.SocketProcessor] Socket processor handling...
2017-04-24 18:32:59,581 TRACE [org.xdi.oxd.common.CoreUtils] commandSize: -1, stringStorage:
2017-04-24 18:32:59,660 TRACE [org.xdi.oxd.common.CoreUtils] End of stream. Quit.
2017-04-24 18:32:59,670 TRACE [org.xdi.oxd.server.SocketProcessor] Quit. Read result is null or command string is blank.
2017-04-24 18:36:30,335 DEBUG [org.xdi.oxd.server.service.SocketService] Start new SocketProcessor...
2017-04-24 18:36:30,399 TRACE [org.xdi.oxd.server.SocketProcessor] Socket processor handling...
2017-04-24 18:36:30,407 TRACE [org.xdi.oxd.common.CoreUtils] commandSize: -1, stringStorage:
2017-04-24 18:36:30,878 TRACE [org.xdi.oxd.common.CoreUtils] Parsed sizeString: 0149, commandSize: 149
2017-04-24 18:36:30,890 TRACE [org.xdi.oxd.common.CoreUtils] Read result: ReadResult{m_command='{"command":"get_authorization_url","params":{"prompt":null,"scope":null,"oxd_id":"1035f095-1374-4924-a6b6-448af24f7027","acr_values":null,"hd":null}}', m_leftString=''}
2017-04-24 18:36:30,890 TRACE [org.xdi.oxd.server.Processor] Command: {"command":"get_authorization_url","params":{"prompt":null,"scope":null,"oxd_id":"1035f095-1374-4924-a6b6-448af24f7027","acr_values":null,"hd":null}}
2017-04-24 18:36:30,891 TRACE [org.xdi.oxd.server.Processor] Send back response: {"status":"ok","data":{"authorization_url":"https://cyber.gluu.info/oxauth/seam/resource/restv1/oxauth/authorize?response_type=code&client_id=@!6D74.E6E1.4AFB.5F79!0001!CDDF.448A!0008!E11D.2CCB.7853.6F8E&redirect_uri=https://cyber.oxd.info:8443/GluuServerTest/user/profile/&scope=openid+uma_protection+uma_authorization&state=8ikeco8j5ttkeiafim1vpmc0t&nonce=1s50ggio8as8ojubdn1bjc6f1n"}}
2017-04-24 18:36:30,892 TRACE [org.xdi.oxd.server.SocketProcessor] Socket processor handling...
2017-04-24 18:36:30,912 TRACE [org.xdi.oxd.common.CoreUtils] commandSize: -1, stringStorage:
2017-04-24 18:36:30,955 TRACE [org.xdi.oxd.common.CoreUtils] End of stream. Quit.
2017-04-24 18:36:30,955 TRACE [org.xdi.oxd.server.SocketProcessor] Quit. Read result is null or command string is blank.
2017-04-24 18:37:35,367 DEBUG [org.xdi.oxd.server.service.SocketService] Start new SocketProcessor...
2017-04-24 18:37:35,396 TRACE [org.xdi.oxd.server.SocketProcessor] Socket processor handling...
2017-04-24 18:37:35,396 TRACE [org.xdi.oxd.common.CoreUtils] commandSize: -1, stringStorage:
2017-04-24 18:37:35,397 TRACE [org.xdi.oxd.common.CoreUtils] Parsed sizeString: 0173, commandSize: 173
2017-04-24 18:37:35,397 TRACE [org.xdi.oxd.common.CoreUtils] Read result: ReadResult{m_command='{"command":"get_tokens_by_code","params":{"code":"5b9e464c-962a-44bd-9215-e6108ffd403a","state":"8ikeco8j5ttkeiafim1vpmc0t","oxd_id":"1035f095-1374-4924-a6b6-448af24f7027"}}', m_leftString=''}
2017-04-24 18:37:35,397 TRACE [org.xdi.oxd.server.Processor] Command: {"command":"get_tokens_by_code","params":{"code":"5b9e464c-962a-44bd-9215-e6108ffd403a","state":"8ikeco8j5ttkeiafim1vpmc0t","oxd_id":"1035f095-1374-4924-a6b6-448af24f7027"}}
2017-04-24 18:37:35,481 TRACE [org.xdi.oxd.server.service.HttpService] Created TRUST_ALL client.
2017-04-24 18:37:47,693 TRACE [org.xdi.oxd.server.Processor] Send back response: {"status":"ok","data":{"access_token":"5dde273b-ea47-4f7e-b34b-743304b9cec4","expires_in":299,"id_token":"eyJraWQiOiI0N2Y1NWY4Ni05OTgzLTQ2ZWItODhlNy04MzU4ZjhiMGYwZTYiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2N5YmVyLmdsdXUuaW5mbyIsImF1ZCI6IkAhNkQ3NC5FNkUxLjRBRkIuNUY3OSEwMDAxIUNEREYuNDQ4QSEwMDA4IUUxMUQuMkNDQi43ODUzLjZGOEUiLCJleHAiOjE0OTMwNDgyNTgsImlhdCI6MTQ5MzA0NDY1OCwibm9uY2UiOiIxczUwZ2dpbzhhczhvanViZG4xYmpjNmYxbiIsImF1dGhfdGltZSI6MTQ5MzA0NDYyOCwiYXRfaGFzaCI6IkFTQzdYd3dkeVVLenBkSi1YekpWalEiLCJveFZhbGlkYXRpb25VUkkiOiJodHRwczovL2N5YmVyLmdsdXUuaW5mby9veGF1dGgvb3BpZnJhbWUiLCJveE9wZW5JRENvbm5lY3RWZXJzaW9uIjoib3BlbmlkY29ubmVjdC0xLjAiLCJzdWIiOiJ0VTJVcXctTnA0V2JFUHA3R3FXOENZSWQzOG50OFNpWVMtN0JZcDdOY0RVIn0.OMt1IPUtso6J0tTqEWbRssLOPPqdraKPz4bszfYzOmGs-VyX6j6ZoANbl3vfFJJ57xEzum0KkNfIYV6Ea3oKldA1nyaXyCsnD_rUHuWJ4RxOn8TaoJFjAWIYugf2K2ZV4T11MKZHm8uGGz17GEJLo44Rh8PbS8Iusq-1lBcWAZEyjA04GF3hc13Fl0Fa3zLLLuTPvegp5o7nPJpOl86T9UV5hsBPNYQci49yYdGqAcfcoV2bHHWk4j9sYlGwpoYR6Db-AZPVD2M3GuNlYPjES_lzV13Ah9dw26GfdXXbJz-0e7Kh7YFTBzOd21Q2rceea2RqYF-yfdnY9qmlibaaew","refresh_token":"4f4430dc-62c6-497d-b23a-481048bad227","id_token_claims":{"at_hash":["ASC7XwwdyUKzpdJ-XzJVjQ"],"aud":["@!6D74.E6E1.4AFB.5F79!0001!CDDF.448A!0008!E11D.2CCB.7853.6F8E"],"sub":["tU2Uqw-Np4WbEPp7GqW8CYId38nt8SiYS-7BYp7NcDU"],"auth_time":["1493044628"],"iss":["https://cyber.gluu.info"],"exp":["1493048258"],"iat":["1493044658"],"nonce":["1s50ggio8as8ojubdn1bjc6f1n"],"oxValidationURI":["https://cyber.gluu.info/oxauth/opiframe"],"oxOpenIDConnectVersion":["openidconnect-1.0"]}}}
2017-04-24 18:37:47,694 TRACE [org.xdi.oxd.server.SocketProcessor] Socket processor handling...
2017-04-24 18:37:47,694 TRACE [org.xdi.oxd.common.CoreUtils] commandSize: -1, stringStorage:
2017-04-24 18:37:47,862 TRACE [org.xdi.oxd.common.CoreUtils] End of stream. Quit.
2017-04-24 18:37:47,862 TRACE [org.xdi.oxd.server.SocketProcessor] Quit. Read result is null or command string is blank.
2017-04-24 18:38:00,729 DEBUG [org.xdi.oxd.server.service.SocketService] Start new SocketProcessor...
2017-04-24 18:38:00,752 TRACE [org.xdi.oxd.server.SocketProcessor] Socket processor handling...
2017-04-24 18:38:00,753 TRACE [org.xdi.oxd.common.CoreUtils] commandSize: -1, stringStorage:
2017-04-24 18:38:00,753 TRACE [org.xdi.oxd.common.CoreUtils] Parsed sizeString: 0140, commandSize: 140
2017-04-24 18:38:00,754 TRACE [org.xdi.oxd.common.CoreUtils] Read result: ReadResult{m_command='{"command":"get_user_info","params":{"oxd_id":"1035f095-1374-4924-a6b6-448af24f7027","access_token":"5dde273b-ea47-4f7e-b34b-743304b9cec4"}}', m_leftString=''}
2017-04-24 18:38:00,754 TRACE [org.xdi.oxd.server.Processor] Command: {"command":"get_user_info","params":{"oxd_id":"1035f095-1374-4924-a6b6-448af24f7027","access_token":"5dde273b-ea47-4f7e-b34b-743304b9cec4"}}
2017-04-24 18:38:00,778 TRACE [org.xdi.oxd.server.service.HttpService] Created TRUST_ALL client.
2017-04-24 18:38:03,539 TRACE [org.xdi.oxd.server.Processor] Send back response: {"status":"ok","data":{"claims":{"sub":["tU2Uqw-Np4WbEPp7GqW8CYId38nt8SiYS-7BYp7NcDU"]}}}
2017-04-24 18:38:03,540 TRACE [org.xdi.oxd.server.SocketProcessor] Socket processor handling...
2017-04-24 18:38:03,542 TRACE [org.xdi.oxd.common.CoreUtils] commandSize: -1, stringStorage:
2017-04-24 18:38:03,685 TRACE [org.xdi.oxd.common.CoreUtils] End of stream. Quit.
2017-04-24 18:38:03,686 TRACE [org.xdi.oxd.server.SocketProcessor] Quit. Read result is null or command string is blank.
2017-04-24 18:38:42,141 DEBUG [org.xdi.oxd.server.service.SocketService] Start new SocketProcessor...
2017-04-24 18:38:42,152 TRACE [org.xdi.oxd.server.SocketProcessor] Socket processor handling...
2017-04-24 18:38:42,152 TRACE [org.xdi.oxd.common.CoreUtils] commandSize: -1, stringStorage:
2017-04-24 18:38:42,166 TRACE [org.xdi.oxd.common.CoreUtils] Parsed sizeString: 0292, commandSize: 292
2017-04-24 18:38:42,166 TRACE [org.xdi.oxd.common.CoreUtils] Read result: ReadResult{m_command='{"command":"get_logout_uri","params":{"state":"5e8c3406-6953-4524-acf7-206cc2bb3634","oxd_id":"1035f095-1374-4924-a6b6-448af24f7027","id_token_hint":"4a573b1a-b3cb-453e-be31-bd6324efe5fe","post_logout_redirect_uri":"https://google.com","session_state":"3efe3648-9978-439e-8912-9c2cac5708e0"}}', m_leftString=''}
2017-04-24 18:38:42,166 TRACE [org.xdi.oxd.server.Processor] Command: {"command":"get_logout_uri","params":{"state":"5e8c3406-6953-4524-acf7-206cc2bb3634","oxd_id":"1035f095-1374-4924-a6b6-448af24f7027","id_token_hint":"4a573b1a-b3cb-453e-be31-bd6324efe5fe","post_logout_redirect_uri":"https://google.com","session_state":"3efe3648-9978-439e-8912-9c2cac5708e0"}}
2017-04-24 18:38:42,173 TRACE [org.xdi.oxd.server.Processor] Send back response: {"status":"ok","data":{"uri":"https://cyber.gluu.info/oxauth/seam/resource/restv1/oxauth/end_session?id_token_hint=4a573b1a-b3cb-453e-be31-bd6324efe5fe&post_logout_redirect_uri=https%3A%2F%2Fgoogle.com&state=5e8c3406-6953-4524-acf7-206cc2bb3634&session_state=3efe3648-9978-439e-8912-9c2cac5708e0"}}
2017-04-24 18:38:42,173 TRACE [org.xdi.oxd.server.SocketProcessor] Socket processor handling...
2017-04-24 18:38:42,173 TRACE [org.xdi.oxd.common.CoreUtils] commandSize: -1, stringStorage:
2017-04-24 18:38:42,176 TRACE [org.xdi.oxd.common.CoreUtils] End of stream. Quit.
2017-04-24 18:38:42,176 TRACE [org.xdi.oxd.server.SocketProcessor] Quit. Read result is null or command string is blank.
2017-04-24 19:10:06,339 DEBUG [org.xdi.oxd.server.service.SocketService] Start new SocketProcessor...
2017-04-24 19:10:13,854 TRACE [org.xdi.oxd.server.SocketProcessor] Socket processor handling...
2017-04-24 19:10:14,018 TRACE [org.xdi.oxd.common.CoreUtils] commandSize: -1, stringStorage:
2017-04-24 19:10:16,125 TRACE [org.xdi.oxd.common.CoreUtils] Parsed sizeString: 0149, commandSize: 149
2017-04-24 19:10:16,136 TRACE [org.xdi.oxd.common.CoreUtils] Read result: ReadResult{m_command='{"command":"get_authorization_url","params":{"prompt":null,"scope":null,"oxd_id":"1035f095-1374-4924-a6b6-448af24f7027","acr_values":null,"hd":null}}', m_leftString=''}
2017-04-24 19:10:16,239 TRACE [org.xdi.oxd.server.Processor] Command: {"command":"get_authorization_url","params":{"prompt":null,"scope":null,"oxd_id":"1035f095-1374-4924-a6b6-448af24f7027","acr_values":null,"hd":null}}
2017-04-24 19:10:20,284 TRACE [org.xdi.oxd.server.Processor] Send back response: {"status":"ok","data":{"authorization_url":"https://cyber.gluu.info/oxauth/seam/resource/restv1/oxauth/authorize?response_type=code&client_id=@!6D74.E6E1.4AFB.5F79!0001!CDDF.448A!0008!E11D.2CCB.7853.6F8E&redirect_uri=https://cyber.oxd.info:8443/GluuServerTest/user/profile/&scope=openid+uma_protection+uma_authorization&state=6bceg6j3m5qfc2q8mve24ubnpu&nonce=iu2et07hdl8jojjqfkon7cp54f"}}
2017-04-24 19:10:20,284 TRACE [org.xdi.oxd.server.SocketProcessor] Socket processor handling...
2017-04-24 19:10:20,284 TRACE [org.xdi.oxd.common.CoreUtils] commandSize: -1, stringStorage:
2017-04-24 19:10:20,463 TRACE [org.xdi.oxd.common.CoreUtils] End of stream. Quit.
2017-04-24 19:10:20,464 TRACE [org.xdi.oxd.server.SocketProcessor] Quit. Read result is null or command string is blank.
2017-04-24 19:10:42,988 DEBUG [org.xdi.oxd.server.service.SocketService] Start new SocketProcessor...
2017-04-24 19:10:43,073 TRACE [org.xdi.oxd.server.SocketProcessor] Socket processor handling...
2017-04-24 19:10:43,074 TRACE [org.xdi.oxd.common.CoreUtils] commandSize: -1, stringStorage:
2017-04-24 19:10:43,075 TRACE [org.xdi.oxd.common.CoreUtils] Parsed sizeString: 0174, commandSize: 174
2017-04-24 19:10:43,076 TRACE [org.xdi.oxd.common.CoreUtils] Read result: ReadResult{m_command='{"command":"get_tokens_by_code","params":{"code":"472979bd-9f58-4221-a7e9-2e62f5e52404","state":"6bceg6j3m5qfc2q8mve24ubnpu","oxd_id":"1035f095-1374-4924-a6b6-448af24f7027"}}', m_leftString=''}
2017-04-24 19:10:43,076 TRACE [org.xdi.oxd.server.Processor] Command: {"command":"get_tokens_by_code","params":{"code":"472979bd-9f58-4221-a7e9-2e62f5e52404","state":"6bceg6j3m5qfc2q8mve24ubnpu","oxd_id":"1035f095-1374-4924-a6b6-448af24f7027"}}
2017-04-24 19:10:43,414 TRACE [org.xdi.oxd.server.service.HttpService] Created TRUST_ALL client.
2017-04-24 19:11:01,879 TRACE [org.xdi.oxd.server.Processor] Send back response: {"status":"ok","data":{"access_token":"310471c6-fd3f-4d97-82c9-a313825a3c0a","expires_in":299,"id_token":"eyJraWQiOiI0N2Y1NWY4Ni05OTgzLTQ2ZWItODhlNy04MzU4ZjhiMGYwZTYiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9....WyPUwCfqpcRVbEn1ZqCSYO4yej3eE5lUJ50x_ALP-sRE6fqtDc1yKpQYV2kBG1CO-DpvT2JF9UMwzF5VbdrTluVMaFN6PB6gnveZ3KsclPUjT_mdtCNphDpPF5wAwkVV9xNWYyiPVzK83eRXeQ8fpGCbqv5188j0sYSsJogaJ57XQNKwjkjJxt0fZvodbRIYcAs7MO_Clj6gf6BpaEpzI7bHUEL-0FQOfexAuwpys55y6eL8b9GeAD09-gqNlU2B7zfXtcvA_ayQ8kD-vOdyIQCZJ1JvL0JlVRT1KRPnaKPn2WCFj7sjeXoouobgEUWwkC5iqZfc4K-KHBCtlDzfzw","refresh_token":"aedf4cd1-43d3-47b8-b24c-b51c5e823774","id_token_claims":{"at_hash":["REfv1IhkFj-K8ELdg6RnlQ"],"aud":["@!6D74.E6E1.4AFB.5F79!0001!CDDF.448A!0008!E11D.2CCB.7853.6F8E"],"sub":["tU2Uqw-Np4WbEPp7GqW8CYId38nt8SiYS-7BYp7NcDU"],"auth_time":["1493046686"],"iss":["https://cyber.gluu.info"],"exp":["1493050308"],"iat":["1493046708"],"nonce":["iu2et07hdl8jojjqfkon7cp54f"],"oxValidationURI":["https://cyber.gluu.info/oxauth/opiframe"],"oxOpenIDConnectVersion":["openidconnect-1.0"]}}}
2017-04-24 19:11:01,880 TRACE [org.xdi.oxd.server.SocketProcessor] Socket processor handling...
2017-04-24 19:11:01,880 TRACE [org.xdi.oxd.common.CoreUtils] commandSize: -1, stringStorage:
2017-04-24 19:11:02,126 TRACE [org.xdi.oxd.common.CoreUtils] End of stream. Quit.
2017-04-24 19:11:02,126 TRACE [org.xdi.oxd.server.SocketProcessor] Quit. Read result is null or command string is blank.
2017-04-24 19:11:02,335 DEBUG [org.xdi.oxd.server.service.SocketService] Start new SocketProcessor...
2017-04-24 19:11:02,532 TRACE [org.xdi.oxd.server.SocketProcessor] Socket processor handling...
2017-04-24 19:11:02,532 TRACE [org.xdi.oxd.common.CoreUtils] commandSize: -1, stringStorage:
2017-04-24 19:11:02,533 TRACE [org.xdi.oxd.common.CoreUtils] Parsed sizeString: 0140, commandSize: 140
2017-04-24 19:11:02,533 TRACE [org.xdi.oxd.common.CoreUtils] Read result: ReadResult{m_command='{"command":"get_user_info","params":{"oxd_id":"1035f095-1374-4924-a6b6-448af24f7027","access_token":"310471c6-fd3f-4d97-82c9-a313825a3c0a"}}', m_leftString=''}
2017-04-24 19:11:02,534 TRACE [org.xdi.oxd.server.Processor] Command: {"command":"get_user_info","params":{"oxd_id":"1035f095-1374-4924-a6b6-448af24f7027","access_token":"310471c6-fd3f-4d97-82c9-a313825a3c0a"}}
2017-04-24 19:11:02,830 TRACE [org.xdi.oxd.server.service.HttpService] Created TRUST_ALL client.
2017-04-24 19:11:03,063 TRACE [org.xdi.oxd.server.Processor] Send back response: {"status":"ok","data":{"claims":{"sub":["tU2Uqw-Np4WbEPp7GqW8CYId38nt8SiYS-7BYp7NcDU"]}}}
2017-04-24 19:11:03,063 TRACE [org.xdi.oxd.server.SocketProcessor] Socket processor handling...
2017-04-24 19:11:03,064 TRACE [org.xdi.oxd.common.CoreUtils] commandSize: -1, stringStorage:
2017-04-24 19:11:04,948 TRACE [org.xdi.oxd.common.CoreUtils] End of stream. Quit.
2017-04-24 19:11:04,949 TRACE [org.xdi.oxd.server.SocketProcessor] Quit. Read result is null or command string is blank.
2017-04-24 19:11:24,937 DEBUG [org.xdi.oxd.server.service.SocketService] Start new SocketProcessor...
2017-04-24 19:11:25,130 TRACE [org.xdi.oxd.server.SocketProcessor] Socket processor handling...
2017-04-24 19:11:25,130 TRACE [org.xdi.oxd.common.CoreUtils] commandSize: -1, stringStorage:
2017-04-24 19:11:25,131 TRACE [org.xdi.oxd.common.CoreUtils] Parsed sizeString: 0224, commandSize: 224
2017-04-24 19:11:25,131 TRACE [org.xdi.oxd.common.CoreUtils] Read result: ReadResult{m_command='{"command":"uma_rs_protect","params":{"resources":[{"path":"/movie","conditions":[{"httpMethods":["GET"],"scopes":["https://cyber.oxd.info:8443/GluuServerTest/getAll"],"ticketScopes":["https://cyber.oxd.info:8443/GluuServerTest/getAll"]}]}],"oxd_id":"1035f095-1374-4924-a6b6-448af24f7027"}}', m_leftString=''}
2017-04-24 19:11:25,180 TRACE [org.xdi.oxd.server.Processor] Command: {"command":"uma_rs_protect","params":{"resources":[{"path":"/movie","conditions":[{"httpMethods":["GET"],"scopes":["https://cyber.oxd.info:8443/GluuServerTest/getAll"],"ticketScopes":["https://cyber.oxd.info:8443/GluuServerTest/getAll"]}]}],"oxd_id":"1035f095-1374-4924-a6b6-448af24f7027"}}
2017-04-24 19:11:33,296 WARN [org.apache.http.client.protocol.ResponseProcessCookies] Cookie rejected: "[version: 0][name: JSESSIONID][value: 1nw8da5lvutjnamlagmmy2rc1][domain: cyber.gluu.info][path: /oxauth][expiry: null]". Illegal path attribute "/oxauth". Path of origin: "/.well-known/uma-configuration"
2017-04-24 19:11:36,587 TRACE [org.xdi.oxd.server.service.HttpService] Created TRUST_ALL client.
2017-04-24 19:11:36,924 TRACE [org.xdi.oxd.server.service.UmaTokenService] Obtained token with client authentication: UmaToken{token='a022f142-0a37-4f83-ae36-366fdf539bd6', refreshToken='null', expiresIn=299}
2017-04-24 19:11:38,804 ERROR [org.xdi.oxd.rs.protect.resteasy.ResourceRegistrar] Error status 406 Not Acceptable returned
org.jboss.resteasy.client.ClientResponseFailure: Error status 406 Not Acceptable returned
    at org.jboss.resteasy.client.core.BaseClientResponse.createResponseFailure(BaseClientResponse.java:523)
    at org.jboss.resteasy.client.core.BaseClientResponse.createResponseFailure(BaseClientResponse.java:514)
    at org.jboss.resteasy.client.core.BaseClientResponse.checkFailureStatus(BaseClientResponse.java:508)
    at org.jboss.resteasy.client.core.extractors.BodyEntityExtractor.extractEntity(BodyEntityExtractor.java:38)
    at org.jboss.resteasy.client.core.ClientInvoker.invoke(ClientInvoker.java:126)
    at org.jboss.resteasy.client.core.ClientProxy.invoke(ClientProxy.java:88)
    at com.sun.proxy.$Proxy46.addResourceSet(Unknown Source)
    at org.xdi.oxd.rs.protect.resteasy.ResourceRegistrar.register(ResourceRegistrar.java:89)
    at org.xdi.oxd.rs.protect.resteasy.ResourceRegistrar.register(ResourceRegistrar.java:50)
    at org.xdi.oxd.server.op.RsProtectOperation.execute(RsProtectOperation.java:58)
    at org.xdi.oxd.server.op.RsProtectOperation.execute(RsProtectOperation.java:31)
    at org.xdi.oxd.server.Processor.process(Processor.java:80)
    at org.xdi.oxd.server.Processor.process(Processor.java:55)
    at org.xdi.oxd.server.SocketProcessor.run(SocketProcessor.java:60)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
2017-04-24 19:11:38,832 ERROR [org.xdi.oxd.server.Processor] Error status 406 Not Acceptable returned
org.jboss.resteasy.client.ClientResponseFailure: Error status 406 Not Acceptable returned
    at org.jboss.resteasy.client.core.BaseClientResponse.createResponseFailure(BaseClientResponse.java:523)
    at org.jboss.resteasy.client.core.BaseClientResponse.createResponseFailure(BaseClientResponse.java:514)
    at org.jboss.resteasy.client.core.BaseClientResponse.checkFailureStatus(BaseClientResponse.java:508)
    at org.jboss.resteasy.client.core.extractors.BodyEntityExtractor.extractEntity(BodyEntityExtractor.java:38)
    at org.jboss.resteasy.client.core.ClientInvoker.invoke(ClientInvoker.java:126)
    at org.jboss.resteasy.client.core.ClientProxy.invoke(ClientProxy.java:88)
    at com.sun.proxy.$Proxy46.addResourceSet(Unknown Source)
    at org.xdi.oxd.rs.protect.resteasy.ResourceRegistrar.register(ResourceRegistrar.java:89)
    at org.xdi.oxd.rs.protect.resteasy.ResourceRegistrar.register(ResourceRegistrar.java:50)
    at org.xdi.oxd.server.op.RsProtectOperation.execute(RsProtectOperation.java:58)
    at org.xdi.oxd.server.op.RsProtectOperation.execute(RsProtectOperation.java:31)
    at org.xdi.oxd.server.Processor.process(Processor.java:80)
    at org.xdi.oxd.server.Processor.process(Processor.java:55)
    at org.xdi.oxd.server.SocketProcessor.run(SocketProcessor.java:60)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
2017-04-24 19:11:38,832 TRACE [org.xdi.oxd.server.Processor] Send back response: {"status":"error","data":{"error":"internal_error","error_description":"Unknown internal server error occurs."}}
2017-04-24 19:11:38,857 ERROR [org.xdi.oxd.server.SocketProcessor] Quit. Enable to process command.
```
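The 406 in this log reaches the caller only as a generic `internal_error`, so the useful signal is in the ERROR lines logged between the `uma_rs_protect` command and its response. The following is an added example (not code from the ticket or from Gluu's oxd) that pairs each `Command:` line with the next `Send back response:` line, records any `Error status NNN` seen in between, and carries forward the UMA scopes that the preceding `register_site` asked for. It runs over a constructed, shortened sample in the same format as the log above; the oxd_id, hosts and paths in the sample are placeholders.

```python
import json
import re

# Constructed sample in the oxd-server.log format from this ticket (shortened;
# the oxd_id, hosts and paths are placeholders, not values from a live system).
SAMPLE_LOG = """\
2017-04-24 18:32:56,416 TRACE [org.xdi.oxd.server.Processor] Command: {"command":"register_site","params":{"scope":["openid","uma_protection","uma_authorization"],"op_host":"https://op.example","trusted_client":false}}
2017-04-24 18:32:59,580 TRACE [org.xdi.oxd.server.Processor] Send back response: {"status":"ok","data":{"oxd_id":"00000000-0000-0000-0000-000000000000","op_host":"https://op.example"}}
2017-04-24 19:11:25,180 TRACE [org.xdi.oxd.server.Processor] Command: {"command":"uma_rs_protect","params":{"resources":[{"path":"/movie","conditions":[{"httpMethods":["GET"],"scopes":["https://rs.example/getAll"]}]}],"oxd_id":"00000000-0000-0000-0000-000000000000"}}
2017-04-24 19:11:38,804 ERROR [org.xdi.oxd.rs.protect.resteasy.ResourceRegistrar] Error status 406 Not Acceptable returned
org.jboss.resteasy.client.ClientResponseFailure: Error status 406 Not Acceptable returned
    at com.sun.proxy.$Proxy46.addResourceSet(Unknown Source)
2017-04-24 19:11:38,832 TRACE [org.xdi.oxd.server.Processor] Send back response: {"status":"error","data":{"error":"internal_error","error_description":"Unknown internal server error occurs."}}
2017-04-24 19:11:38,857 ERROR [org.xdi.oxd.server.SocketProcessor] Quit. Enable to process command.
"""

# "<date> <time> LEVEL [logger] message"; stack-trace continuation lines do not match
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (\w+) \[([^\]]+)\] (.*)$")
HTTP_ERR_RE = re.compile(r"Error status (\d{3}) ")
CMD_PREFIX = "Command: "
RESP_PREFIX = "Send back response: "


def parse_log(text):
    """Yield (timestamp, level, logger, message) for each well-formed log line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield m.groups()


def triage(text):
    """Pair every oxd command with its response and with HTTP errors logged in between."""
    exchanges, current = [], None
    for ts, level, logger, msg in parse_log(text):
        if msg.startswith(CMD_PREFIX):
            cmd = json.loads(msg[len(CMD_PREFIX):])
            current = {"at": ts, "command": cmd["command"], "params": cmd.get("params") or {},
                       "http_errors": [], "status": None, "data": None}
            exchanges.append(current)
        elif current is not None and msg.startswith(RESP_PREFIX):
            resp = json.loads(msg[len(RESP_PREFIX):])
            current["status"], current["data"] = resp.get("status"), resp.get("data")
            current = None  # exchange closed; later ERROR lines belong to no command
        elif current is not None and level == "ERROR":
            m = HTTP_ERR_RE.search(msg)
            if m:
                current["http_errors"].append((int(m.group(1)), logger))
    return exchanges


def findings(exchanges):
    """One finding per failed command: the HTTP codes seen under it and the UMA scopes
    the preceding register_site asked for (the thing to verify on the registered client)."""
    requested_uma, out = [], []
    for ex in exchanges:
        if ex["command"] == "register_site":
            requested_uma = [s for s in ex["params"].get("scope") or [] if s.startswith("uma_")]
        if ex["status"] == "error":
            out.append({"at": ex["at"], "command": ex["command"],
                        "http_codes": sorted({code for code, _ in ex["http_errors"]}),
                        "oxd_error": (ex["data"] or {}).get("error"),
                        "requested_uma_scopes": requested_uma})
    return out


if __name__ == "__main__":
    for f in findings(triage(SAMPLE_LOG)):
        print(f)
```

Run against a real `oxd-server.log`, the `register_site` exchange tells you which scopes oxd asked for, and a 406 logged under `ResourceRegistrar` points at the resource-registration call to the AS rather than at the RS's own request; those two facts are what this thread narrowed the cause down to.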

By Yuriy Zabrovarnyy staff 24 Apr 2017 at 10:55 a.m. CDT

Would you please provide:

1. ldif of the `@!6D74.E6E1.4AFB.5F79!0001!CDDF.448A!0008!E11D.2CCB.7853.6F8E` client
2. ldif of the `uma_protection` and `uma_authorization` scopes
3. the `oxauth.log` file.

Thanks, Yuriy

By Sakit Atakishiyev user 24 Apr 2017 at 11:09 a.m. CDT

I checked. In the admin UI there are no `uma_protection` and `uma_authorization` scopes, but I add these scopes when I register my site. I used the code below:

```java
// Register the site with oxd; oxd performs dynamic client registration at the OP
final RegisterSiteParams commandParams = new RegisterSiteParams();
commandParams.setOpHost("https://cyber.gluu.info");
commandParams.setAuthorizationRedirectUri("https://cyber.oxd.info:8443/GluuServerTest/user/profile/");
commandParams.setPostLogoutRedirectUri("https://cyber.oxd.info:8443/GluuServerTest/");
// commandParams.setClientLogoutUri(Lists.newArrayList(logoutUri));
// Scopes requested for the client at dynamic registration
commandParams.setScope(Lists.newArrayList("openid", "uma_protection", "uma_authorization"));
final Command command = new Command(CommandType.REGISTER_SITE);
command.setParamsObject(commandParams);
final RegisterSiteResponse site = executeCommand(command, RegisterSiteResponse.class);
return site;
```

but on the UI side I did not see these scopes. I added them manually and will check again.

By Sakit Atakishiyev user 24 Apr 2017 at 11:23 a.m. CDT

You are right, Yuriy Zabrovarnyy. I got this error because my client did not have `uma_protection` and `uma_authorization`. The reason is that when I register my site, the system registers my client with only the `openid` and `permission` scopes and does not add the scopes which I send with the request. After successful registration I added these two scopes manually, then protected my resource, and everything is OK now. But I don't understand why oxd-server does not return a correct error to me, such as "you have no access" or something like this, instead of returning a 406 error? And most important, why doesn't Gluu consider my scopes?

By Yuriy Zabrovarnyy staff 24 Apr 2017 at 11:47 a.m. CDT

Yuriy Zabrovarnyy gravatar
I agree, we need a clearer message instead of 406. Ticket opened: `https://github.com/GluuFederation/oxd/issues/63`. If by Gluu you mean the OP, then it rejects scopes that are not registered. Once you registered them manually it started to work. Is there anything else we can help you with? Thanks, Yuriy

By Sakit Atakishiyev user 24 Apr 2017 at 11:49 a.m. CDT

Sakit Atakishiyev gravatar
No thanks, everything is OK now. Thank you very much.

By Yuriy Zabrovarnyy staff 24 Apr 2017 at 11:51 a.m. CDT

Yuriy Zabrovarnyy gravatar
Great, closing this ticket then.

By Sakit Atakishiyev user 25 Apr 2017 at 10:33 a.m. CDT

Sakit Atakishiyev gravatar
Hi Michael, you said that:

> You don't have to do anything in the admin UI except create scopes and map them to policies (custom scripts / authorization policies).

Now my question. On the admin UI, when I want to add a new scope I cannot add a reference URL, and I also cannot choose the scope type (internal or external). Is it a bug or something else?

By Yuriy Zabrovarnyy staff 25 Apr 2017 at 11:19 a.m. CDT

Yuriy Zabrovarnyy gravatar
Via the GUI it is possible to add only `internal` scopes (hosted by the OP). More information about UMA scopes (as well as what the type means) can be found here: `https://gluu.org/docs/ce/3.0.1/admin-guide/uma/#scopes`. Note that if auto addition of UMA scopes is enabled you don't need to add them manually; the OP will do it automatically. Thanks, Yuriy

By Sakit Atakishiyev user 26 Apr 2017 at 3 a.m. CDT

Sakit Atakishiyev gravatar
Thanks Yuriy. In this case there are some problems. For example, when I create a scope on the admin UI, the OP creates internal scopes, but I cannot assign these scopes while protecting my resources with oxd, because when I protect my resources with oxd, the server creates these scopes again as external scopes. Is there any way to use existing scopes with oxd when protecting resources?

By Yuriy Zabrovarnyy staff 26 Apr 2017 at 8:46 a.m. CDT

Yuriy Zabrovarnyy gravatar
What is the exact problem with internal scopes? Did you get any error or something? For example, if you register a `view` scope via the GUI, then you should see a URI on the GUI which you have to send via oxd, something like this:

```
https://<host>/oxauth/seam/resource/restv1/uma/scopes/view
```

It means that the OP hosts the `scope_description` at that URI. You can check `scope_endpoint` in the `https://<op>/.well-known/uma-configuration` document. As an alternative you may wish to use scopes declared somewhere else; then simply provide the URI of the scope (e.g. `https://myserver.com/scopes/view`) and the OP will automatically register it. For this, make sure the `umaAddScopesAutomatically` configuration is set to true in the `oxauth` (OP) configuration. If `umaAddScopesAutomatically=false` and the scope is hosted somewhere else, then such a request will fail. Thanks, Yuriy

By Sakit Atakishiyev user 26 Apr 2017 at 9 a.m. CDT

Sakit Atakishiyev gravatar
Hi Yuriy, I have no problem creating scopes. I can create an internal scope via the admin UI and an external scope via oxd-server. My question is how I can use my internal scopes when protecting my resources. Because I cannot protect my resources with the admin UI, I use oxd-server to protect resources, and in this case I cannot use my internal scopes.

By Yuriy Zabrovarnyy staff 26 Apr 2017 at 11:08 a.m. CDT

Yuriy Zabrovarnyy gravatar
It works in the same way as with an external scope: if you send the internal scope URI like I described above, then it should work, e.g.

```
https://<host>/oxauth/seam/resource/restv1/uma/scopes/view
```

Please check the URI of your internal scope. If it does not work then it's a bug; please provide the full `oxd-server.log` and `oxauth.log` files so I can check it. Thanks, Yuriy
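As an added example (not code from the thread, from oxd or from Gluu), here is the kind of pre-flight check a resource server could run before calling oxd's `rs_protect`, covering the two failure modes discussed in this ticket: a client registered without the `uma_protection` / `uma_authorization` scopes (the cause of the 406 above), and scope URIs not hosted under the OP's `scope_endpoint` while `umaAddScopesAutomatically` is false. The `uma-configuration` document and the client's scope list are constructed samples; `op.example.com` and `myserver.example` are placeholders.

```python
import json
from urllib.parse import urlparse

# Constructed sample of an OP's /.well-known/uma-configuration; only the
# fields this check reads are included (a real document has many more).
SAMPLE_UMA_CONFIG = json.loads("""{
  "issuer": "https://op.example.com",
  "scope_endpoint": "https://op.example.com/oxauth/seam/resource/restv1/uma/scopes"
}""")

# Constructed sample of the scopes the OP actually granted to the oxd client.
# In the thread, the registered client came back with only these two.
SAMPLE_CLIENT_SCOPES = ["openid", "permission"]

# The two scopes the thread found missing from the client.
REQUIRED_CLIENT_SCOPES = ("uma_protection", "uma_authorization")

def classify_scope(uma_config, scope_uri):
    """'internal' if the OP hosts the scope description under scope_endpoint,
    'external' for any other absolute http(s) URI, 'invalid' otherwise."""
    parsed = urlparse(scope_uri)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return "invalid"
    base = uma_config["scope_endpoint"].rstrip("/") + "/"
    return "internal" if scope_uri.startswith(base) else "external"

def preflight(uma_config, client_scopes, resource_scope_uris, auto_add_scopes):
    """Return the list of problems that would make rs_protect fail (empty = go)."""
    problems = []
    for required in REQUIRED_CLIENT_SCOPES:
        if required not in client_scopes:
            problems.append(f"client lacks scope '{required}'; add it to the "
                            f"client on the OP before protecting resources")
    for uri in resource_scope_uris:
        kind = classify_scope(uma_config, uri)
        if kind == "invalid":
            problems.append(f"scope '{uri}' is not an absolute URI")
        elif kind == "external" and not auto_add_scopes:
            problems.append(f"scope '{uri}' is external and "
                            f"umaAddScopesAutomatically is false; OP will reject it")
    return problems

if __name__ == "__main__":
    scopes = [
        SAMPLE_UMA_CONFIG["scope_endpoint"] + "/view",  # internal, hosted by OP
        "https://myserver.example/scopes/edit",         # external
    ]
    for p in preflight(SAMPLE_UMA_CONFIG, SAMPLE_CLIENT_SCOPES, scopes, False):
        print("problem:", p)
```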

By Sakit Atakishiyev user 27 Apr 2017 at 1:06 a.m. CDT

Sakit Atakishiyev gravatar
I tried this. I used an internal scope when I protected my resources. After the protecting process I saw that the same scope was created with external type. But there is no error in `oxd-server.log` or `oxauth.log`. I will try again.

By Sakit Atakishiyev user 27 Apr 2017 at 8:09 p.m. CDT

Sakit Atakishiyev gravatar
Hi Yuriy, I checked again. First I created an internal scope via the admin UI. It was created successfully. Then I used this scope when I protected my resources. After sending the command to Gluu, the same resource URI was created as an external scope. These are my [oxd-server.log](https://drive.google.com/open?id=0B0k0w2ZRcqm_NUJFNEF1Qlc5NXc) and [oxauth.log](https://drive.google.com/open?id=0B0k0w2ZRcqm_TE1Ud19lb2NtZEk). I don't know whether this is a bug or not. Maybe I did something wrong in the protect resource phase.