Sakit, Which exactly version of oxauth do you use ? Is it 3.0.2 ? Thanks, Yuriy

No it is 3.0.1. Version 3.0.2 does not exists in repository for ubuntu 16.10

Yuriy, I think that I misunderstood `grant_type`. As I explained my question, for authorization I used `client_credentials` type. If my client(app or site) authorize itself with this `grant_type`, `gluu_server` only validate `client_id` and `client_secret` before generate `access_token`, does not consider `code` in this case even if I send with the request. The `access_token` which is server gives me is for only check my `client` privileges. With this `grant_type` OP does not consider who is signed. I think that because of this when I used this `grant_type` I can not call `user_info` endpoint. So that OP should return me `invalid_grant` instead of `internal_error`. Am I right or?

Right, in this use case we definitely need to have `grant_type` `authorization_code` to make it work. In case of misused `grant_type` in token request it has to return valid error if possible. Does it work for you with `grant_type=authorization_code` ?

Yes it works with `authorization_code`. In my opinion we should check token `grant_type` in which operation we try to do not in `token` request

Indeed, actually we should do it in both places, if OP identifies that grant is misused than error should be returned as soon as possible to avoid wrong workflow.

Yes you are right.

Hi everyone! I using Gluu 4.0.Final ! Please, help me! Thank you so much! I get access_token: Ok! But, i use access_token then Gluu always respone: ``` { "reason": "Missed openid scope.", "error_description": "The request requires higher privileges than provided by the access token.", "error": "insufficient_scope" } ``` **1. Images:** - My Gluu client + scopes configurations: https://drive.google.com/open?id=1Rqomk4zb2cmvdNgz3HrY0MZkLeCqZE9J - requestAccessToken: https://drive.google.com/open?id=1KNV-gVUXVevflL3pRCZ4quIKNoeDy7PD - requestUserInfoPost: https://drive.google.com/open?id=1PUIM2OMfJkNeh7bVTys526Ud-PTkH6ng **2. Demo page:** My domain: https://gluu.agileviet.vn/ user: `admin` pass: `%tE857FwvWO&` **3. Below is PostMan sessions:** 3.1.requestAccessToken ``` POST /oxauth/restv1/token HTTP/1.1 Host: gluu.agileviet.vn Content-Type: application/x-www-form-urlencoded Authorization: Basic NjU3NDIwNjktMzdlOC00YWMzLWI4ZWItNzY1MWE2NWNlNWZhOnJPY21qTlEyMFF2VHRmRDlZcXEzcjVJSg== User-Agent: PostmanRuntime/7.20.1 Accept: */* Cache-Control: no-cache Postman-Token: 7a5e6dfe-aefa-47e2-aa95-d38dbc7c97b8,3c7d616a-6912-4c63-a8e7-968f62318cd4 Host: gluu.agileviet.vn Accept-Encoding: gzip, deflate Content-Length: 60 Connection: keep-alive cache-control: no-cache grant_type=password&username=admin&password=%25tE857FwvWO%26 ``` 3.2. requestUserInfoPost ``` GET /oxauth/restv1/userinfo?access_token=277b866a-af98-4edb-8295-be1136fdbd41 HTTP/1.1 Host: gluu.agileviet.vn Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW User-Agent: PostmanRuntime/7.20.1 Accept: */* Cache-Control: no-cache Postman-Token: b917e6c3-8750-4fed-b024-c0f717fc876a,c20529bd-2670-43c5-997f-009537804870 Host: gluu.agileviet.vn Accept-Encoding: gzip, deflate Content-Length: 0 Connection: keep-alive cache-control: no-cache ```