By: Sakit Atakishiyev user 06 Nov 2017 at 6:43 a.m. CST

18 Responses
Hi. Today I am testing `UMA2` on `gluu server 3.1.1`. First I registered 2 resources with scopes.

**Resource 1**

```
POST /oxauth/restv1/host/rsrc/resource_set HTTP/1.1
Host: login.cybernet.az
Authorization: Bearer d68d8c42-b5f1-47c5-9bf6-7853a2a4e456
Content-Type: application/json
Cache-Control: no-cache

{
  "resource_scopes": [
    "read-public",
    "post-updates",
    "read-private"
  ],
  "icon_uri": "http://www.example.com/icons/sharesocial.png",
  "name": "Resource 1"
}
```

The resource id is `f9a5ddae-dd58-4845-8963-816cb5df9901`. Then I registered my second resource.

**Resource 2**

```
POST /oxauth/restv1/host/rsrc/resource_set HTTP/1.1
Host: login.cybernet.az
Authorization: Bearer d68d8c42-b5f1-47c5-9bf6-7853a2a4e456
Content-Type: application/json
Cache-Control: no-cache

{
  "resource_scopes": [
    "test-public",
    "test-updates",
    "test-private"
  ],
  "icon_uri": "http://www.example.com/icons/sharesocial.png",
  "name": "Resource 2"
}
```

The resource id is `86071ee8-dd21-4620-b466-e578cdcc2995`. I registered the above resources and got a `resource id` for each of them. Now, to get the permission ticket, I called the end point like below:

```
POST /oxauth/restv1/host/rsrc_pr HTTP/1.1
Host: login.cybernet.az
Content-Type: application/json
Authorization: Bearer d68d8c42-b5f1-47c5-9bf6-7853a2a4e456
Cache-Control: no-cache

{"resource_id":"86071ee8-dd21-4620-b466-e578cdcc2995","resource_scopes":["read-private"]}
```

As you can see in the above code, I tried to register `read-private`, which is not `pre-registered` with resource `86071ee8-dd21-4620-b466-e578cdcc2995`, so I got the below error.

```
{
  "error": "invalid_scope",
  "error_description": "At least one of the scopes included in the request was not registered previously by this host."
}
```

Until now everything is normal. Then I tried again to register a permission ticket for my resource with its scopes.

```
POST /oxauth/restv1/host/rsrc_pr HTTP/1.1
Host: login.cybernet.az
Content-Type: application/json
Authorization: Bearer d68d8c42-b5f1-47c5-9bf6-7853a2a4e456
Cache-Control: no-cache

{"resource_id":"86071ee8-dd21-4620-b466-e578cdcc2995","resource_scopes":["test-private"]}
```

And I got my ticket successfully. After getting a ticket I called the `token` end point to get the `RPT`:

```
POST /oxauth/restv1/token HTTP/1.1
Host: login.cybernet.az
Content-Type: application/x-www-form-urlencoded
Authorization: Basic QCExRUQzLkExNjEuREQ0Qy5DQjYzITAwMDEhMzlDNS5EOEIzITAwMDghREM3Mi45RUFFLkJENjIuMzZENTpzZWNyZXQ=
Cache-Control: no-cache

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Auma-ticket&redirect_uri=https%3A%2F%2Fgoogle.com%2F&ticket=af788f59-f250-4172-96ee-9dca342e912d
```

And the result looks like below:

```
{
  "pct": "b4d27cb8-d925-4d13-a058-85fd886960b0_9805.3992.151B.2A5A.54C7.B8E3.34C8.2CB5",
  "upgraded": false,
  "access_token": "1e94fb17-4a96-49c6-811a-5339697f9625_90DA.E100.831C.90DE.0B58.3176.913A.7B87",
  "token_type": "Bearer"
}
```

Then I checked my `RPT` status

```
POST /oxauth/restv1/rpt/status HTTP/1.1
Host: login.cybernet.az
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer d68d8c42-b5f1-47c5-9bf6-7853a2a4e456
Cache-Control: no-cache

token=1e94fb17-4a96-49c6-811a-5339697f9625_90DA.E100.831C.90DE.0B58.3176.913A.7B87
```

and got the below response:

```
{
  "active": true,
  "exp": 1509973534714,
  "iat": 1509970534714,
  "nbf": null,
  "permissions": [
    {
      "resource_id": "86071ee8-dd21-4620-b466-e578cdcc2995",
      "resource_scopes": [
        "test-private"
      ],
      "exp": 1509972410290
    }
  ],
  "client_id": null,
  "sub": null,
  "aud": null,
  "iss": null,
  "jti": null
}
```

After this I called the `token` end point again with my `rpt` and `pct` and with the `test-public` scope:

```
POST /oxauth/restv1/token HTTP/1.1
Host: login.cybernet.az
Content-Type: application/x-www-form-urlencoded
Authorization: Basic QCExRUQzLkExNjEuREQ0Qy5DQjYzITAwMDEhMzlDNS5EOEIzITAwMDghREM3Mi45RUFFLkJENjIuMzZENTpzZWNyZXQ=
Cache-Control: no-cache

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Auma-ticket&redirect_uri=https%3A%2F%2Fgoogle.com%2F&ticket=af788f59-f250-4172-96ee-9dca342e912d&pct=b4d27cb8-d925-4d13-a058-85fd886960b0_9805.3992.151B.2A5A.54C7.B8E3.34C8.2CB5&scope=test-public&rpt=1e94fb17-4a96-49c6-811a-5339697f9625_90DA.E100.831C.90DE.0B58.3176.913A.7B87
```

When I called this endpoint my `AS` executed my policy to check whether the user has access or not for scope `test-public`. My policy granted the requested resources with `test-public`. Now I checked my token status again and got the below response:

```
{
  "active": true,
  "exp": 1509973534714,
  "iat": 1509970534714,
  "nbf": null,
  "permissions": [
    {
      "resource_id": "86071ee8-dd21-4620-b466-e578cdcc2995",
      "resource_scopes": [
        "test-private"
      ],
      "exp": 1509972410290
    }
  ],
  "client_id": null,
  "sub": null,
  "aud": null,
  "iss": null,
  "jti": null
}
```

My question is: until here I checked my 2 scopes `test-private` and `test-public`, but as you can see from the above response my `rpt` token shows me only `test-private`. Is it normal? Should I not see both scopes in the `permissions` section?

**And second question**

For testing I called the `token` end point again, but this time I passed scope `read-public`, which is not `pre-registered` with resource `86071ee8-dd21-4620-b466-e578cdcc2995`. `read-public` is `pre-registered` with resource `f9a5ddae-dd58-4845-8963-816cb5df9901`.

My request:

```
POST /oxauth/restv1/token HTTP/1.1
Host: login.cybernet.az
Content-Type: application/x-www-form-urlencoded
Authorization: Basic QCExRUQzLkExNjEuREQ0Qy5DQjYzITAwMDEhMzlDNS5EOEIzITAwMDghREM3Mi45RUFFLkJENjIuMzZENTpzZWNyZXQ=
Cache-Control: no-cache

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Auma-ticket&redirect_uri=https%3A%2F%2Fgoogle.com%2F&ticket=af788f59-f250-4172-96ee-9dca342e912d&pct=b4d27cb8-d925-4d13-a058-85fd886960b0_9805.3992.151B.2A5A.54C7.B8E3.34C8.2CB5&scope=read-public&rpt=1e94fb17-4a96-49c6-811a-5339697f9625_90DA.E100.831C.90DE.0B58.3176.913A.7B87
```

And my response:

```
{
  "pct": "b4d27cb8-d925-4d13-a058-85fd886960b0_9805.3992.151B.2A5A.54C7.B8E3.34C8.2CB5",
  "upgraded": true,
  "access_token": "1e94fb17-4a96-49c6-811a-5339697f9625_90DA.E100.831C.90DE.0B58.3176.913A.7B87",
  "token_type": "Bearer"
}
```

And I checked the `oxauth.log` and `oxauth_script.log` and saw that my AS executed the policy which I set to scope `read-public`. Is it normal? Should the `AS` not return me an `invalid_scope` error? Or do I misunderstand the whole concept?

By Yuriy Zabrovarnyy staff 09 Nov 2017 at 12:33 p.m. CST

I created tickets for both cases:

```
https://github.com/GluuFederation/oxAuth/issues/689
https://github.com/GluuFederation/oxAuth/issues/690
```

It will be fixed in the next release.
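The two behaviours reported above matter most at the resource server, which decides access from the RPT status response. The following is an added example, not code from the thread or from Gluu: a local check that grants access only when the introspected permissions name the exact resource and scope, and that independently rejects a scope the resource was never registered with. The function names, the local `REGISTERED` map and the treatment of 13-digit timestamps as epoch milliseconds are assumptions.

```python
# Added example: resource-server-side enforcement of an RPT status response.
R1 = "f9a5ddae-dd58-4845-8963-816cb5df9901"
R2 = "86071ee8-dd21-4620-b466-e578cdcc2995"

# Scopes the RS registered per resource (from the two registration requests above).
REGISTERED = {
    R1: {"read-public", "post-updates", "read-private"},
    R2: {"test-public", "test-updates", "test-private"},
}

# RPT status body as posted in the thread (null-valued fields left out).
RPT_STATUS = {
    "active": True,
    "exp": 1509973534714,
    "iat": 1509970534714,
    "permissions": [
        {"resource_id": R2, "resource_scopes": ["test-private"], "exp": 1509972410290}
    ],
}


def to_seconds(ts):
    """Assumption: 13-digit values like those in the thread are epoch milliseconds."""
    if ts is None:
        return None
    return ts / 1000.0 if ts > 10**11 else float(ts)


def expired(ts, now):
    """True when a timestamp is present and `now` (epoch seconds) has reached it."""
    secs = to_seconds(ts)
    return secs is not None and now >= secs


def rpt_allows(status, resource_id, scope, now, registered=REGISTERED):
    """Return (allowed, reason) for one resource/scope pair at time `now` (epoch s)."""
    if status.get("active") is not True:
        return False, "inactive"
    if expired(status.get("exp"), now):
        return False, "rpt_expired"
    # Independent of what the AS returned: the scope must belong to this resource.
    if scope not in registered.get(resource_id, set()):
        return False, "scope_not_registered_for_resource"
    for perm in status.get("permissions") or []:
        if perm.get("resource_id") != resource_id or expired(perm.get("exp"), now):
            continue
        if scope in (perm.get("resource_scopes") or []):
            return True, "granted"
    return False, "no_matching_permission"


if __name__ == "__main__":
    now = 1509971000  # constructed: a moment between iat and the permission's exp
    for scope in ("test-private", "test-public", "read-public"):
        print(scope, rpt_allows(RPT_STATUS, R2, scope, now))
```

With the status body from the thread, only `test-private` is granted: `test-public` is denied because the permissions list was never updated, and `read-public` is denied because it belongs to the other resource.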

By Sakit Atakishiyev user 09 Nov 2017 at 11:28 p.m. CST

Thanks, Yuriy, for your information. So we just need to wait for version `3.2.0` or try to help you fix the issues.

By Master Kumar user 05 Oct 2018 at 8:44 a.m. CDT

Do we need to register the SCIM API using this API oxauth/restv1/host/rsrc/resource_set ? If yes how do we get the Authorization header value which needs to be passed for creating a resource in gluu 3.1.3? How do we get the Authorization header value which needs to be passed to the permission registration API /oxauth/restv1/host/rsrc_pr?

By Master Kumar user 05 Oct 2018 at 1 p.m. CDT

Can someone provide information on the above queries?

By Sakit Atakishiyev user 08 Oct 2018 at 10:04 a.m. CDT

Hi Kumar, no, you don't need to register the SCIM API; it is already registered.

By Master Kumar user 10 Oct 2018 at 12:42 p.m. CDT

Sakit, thank you for confirming that SCIM is registered by default. For getting the SCIM resource information using the API /oxauth/restv1/host/rsrc/resource_set, what value should be given in the authorization header? How do I get the RPT for the registered resources using this API /oxauth/restv1/host/rsrc_pr, and what is passed as the authorization header? For getting the PCT and access_token using the API /oxauth/restv1/token, I need to pass the ticket parameter and authorization header. How do we get these values? Looking forward to the required information.

By Master Kumar user 20 Oct 2018 at 9:55 a.m. CDT

Hi Sakit, can you please provide info on the steps including configuration.

By Sakit Atakishiyev user 22 Oct 2018 at 12:56 a.m. CDT

Hi Kumar, the API documentation is enough to start. You can read the whole process. The header input depends on which end point you call. The first time, you can use basic authentication. Just add your OpenID client inum as the username and your secret as the password. When you get a token, you can continue the other steps using that access token with the Bearer type.

By Master Kumar user 25 Oct 2018 at 8:09 p.m. CDT

Hi Sakit, I did follow the documentation and sent a request to the token URL with grant_type as client credentials with scope as token

```
curl -X POST \
  https://mygluserv.com/oxauth/restv1/token \
  -H 'authorization: Basic QCFGMTU3LjBBNUIuOUE3Ni42QTdEITAwMDEhMjA2My44MjQ5ITAwMDghQkQ2MS40ODczLkJCRjcuMEUyQzpwYXNzd29yZA==' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/x-www-form-urlencoded' \
  -H 'postman-token: d91e2f5e-c092-0a6d-4c6f-7a5e4cf2fa64' \
  -d 'grant_type=client_credentials&nonce=123456789'
```

and tried the below:

1. Called the /oxauth/restv1/host/rsrc/resource_set API with the GET method, passing the access token in the header, to get the list of all protected resources. This is giving the below response:

   ```
   {
     "error": "invalid_client_scope",
     "error_description": "The requested scope is invalid, unknown, or malformed."
   }
   ```

2. Called the /oxauth/restv1/host/rsrc/resource_set API with the POST method, passing the access token in the header, to register a resource. This is giving:

   ```
   2018-10-25 22:31:58,081 ERROR [qtp1007309018-22] [org.xdi.oxauth.exception.UncaughtException] (UncaughtException.java:41) - Jersey error.
   javax.ws.rs.NotSupportedException: RESTEASY003065: Cannot consume content type
       at org.jboss.resteasy.core.registry.SegmentNode.match(SegmentNode.java:387)
   ```

As I see in this ticket, you were able to do all this, so I need your help. Can you please provide the steps to register a resource, get registered resources, get a permission ticket,...

By Sakit Atakishiyev user 26 Oct 2018 at 12:35 a.m. CDT

Hi Kumar. Just check that your client can use the `client_credentials` grant_type. If not, just add this grant type to your OpenID client.

By Master Kumar user 26 Oct 2018 at 11:51 a.m. CDT

Yes in the openid client details the grant_type client_credentials is added

By Sakit Atakishiyev user 29 Oct 2018 at 12:14 a.m. CDT

If the grant_type is allowed and you got an error, then please share the oxauth.log, and then I can say something.

By Master Kumar user 30 Oct 2018 at 12:58 a.m. CDT

Hi Sakit, thanks for looking into my issue and responding. Here is the error that I see in oxauth.log when trying to get the resources (oxauth/restv1/host/rsrc/resource_set) using the HTTP method GET:

```
2018-10-30 03:21:28,087 ERROR [qtp1007309018-72] [xdi.oxauth.uma.ws.rs.UmaResourceRegistrationWS] (UmaResourceRegistrationWS.java:239) - Exception happened on getResourceList()
javax.ws.rs.WebApplicationException: HTTP 406 Not Acceptable
    at org.xdi.oxauth.model.error.ErrorResponseFactory.throwUmaWebApplicationException(ErrorResponseFactory.java:112) ~[classes/:?]
    at org.xdi.oxauth.model.error.ErrorResponseFactory$Proxy$_$$_WeldClientProxy.throwUmaWebApplicationException(Unknown Source) ~[classes/:?]
    at org.xdi.oxauth.uma.service.UmaValidationService.validateAuthorization(UmaValidationService.java:130) ~[classes/:?]
    at org.xdi.oxauth.uma.service.UmaValidationService.assertHasProtectionScope(UmaValidationService.java:104) ~[classes/:?]
    at org.xdi.oxauth.uma.ws.rs.UmaResourceRegistrationWS.getResourceList(UmaResourceRegistrationWS.java:216) [classes/:?]
    at org.xdi.oxauth.uma.ws.rs.UmaResourceRegistrationWS$Proxy$_$$_WeldClientProxy.getResourceList(Unknown Source) [classes/:?]
```

By Master Kumar user 06 Nov 2018 at 7:34 a.m. CST

Sakit, by any chance if you got time to look into this please do let me know how to proceed as things are not moving forward at my end.

By Sakit Atakishiyev user 06 Nov 2018 at 7:48 a.m. CST

oxauth/restv1/host/rsrc/resource_set is a POST method, not GET.

By Master Kumar user 11 Nov 2018 at 8:18 a.m. CST

I did try with POST and it was still failing. It looks like the steps used are wrong, so please let me know the steps in detail.

1. I have created a new client as per the documentation and set testmode=true for SCIM.
2. Used the SCIM-Client (Java Library) and tried to run the sample given in that, and it's not working.
3. Later I tried invoking the SCIM APIs with testmode=true by passing the access_token obtained from the token URL using grant_type=client_credentials and scope=openid.
4. Now changed to testmode=false and tried to call the API oxauth/restv1/host/rsrc_pr as you did, with this value in the body:

   ```
   {
     "resource_id": "0f13ae5a-135e-4b01-a290-7bbe62e7d40f",
     "resource_scopes": [ "SCIM Access" ]
   }
   ```

5. The response status is 406 Not Acceptable and

   ```
   {"error":"invalid_client_scope","error_description":"The requested scope is invalid, unknown, or malformed."}
   ```

I would appreciate any help.

By Sakit Atakishiyev user 12 Nov 2018 at 12:02 a.m. CST

Kumar, I could not say why you got this error. But I think that you missed some instruction from the documentation.

1. First you need to get an access token with `grant_type=client_credentials`.
2. After you get your access token, you should call the `https://mygluserv.com/oxauth/restv1/token` end point with this access token on `authorization_header` and must use `grant_type=urn:ietf:params:oauth:grant-type:uma-ticket`.
3. After step 2 you get the RPT token; then you should use this token to access the resource you want.

By Master Kumar user 13 Nov 2018 at 10:02 a.m. CST

Thank you, Sakit, for the reply. I did try the same thing as you said also, but it was failing at step 2. It's giving 401 Unauthorized with the below response:

```
{
  "error": "invalid_client",
  "error_description": "Client authentication failed (e.g. unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the Authorization request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code, and include the WWW-Authenticate response header field matching the authentication scheme used by the client."
}
```

FYI, here are the curl requests sent in step 1 and step 2.

Step 1:

```
curl -X POST \
  https://mygluserv.com/oxauth/restv1/token \
  -H 'authorization: Basic QCFGMTU3LjBBNUIuOUE3Ni42QTdEITAwMDEhMjA2My44MjQ5ITAwMDghQkQ2MS40ODczLkJCRjcuMEUyQzpwYXNzd29yZA==' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/x-www-form-urlencoded' \
  -H 'postman-token: aae243ac-dd05-ebb2-d260-e72e6e0e5392' \
  -d grant_type=client_credentials
```

Step 2:

```
curl -X POST \
  https://mygluserv.com/oxauth/restv1/token \
  -H 'authorization: Bearer 8e81ef9a-b017-4b11-bb95-02e1b6af4626' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/x-www-form-urlencoded' \
  -H 'postman-token: bf9a564b-dcbe-ea7c-094b-32cdf3e2eb0c' \
  -d grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Auma-ticket
```