Hello, I am experimenting with SCIM on Gluu 3.1.4 and implementing a client in Python. Going by your documentation at https://gluu.org/docs/ce/user-management/scim2/, I have looked at your Java implementation of SCIM to try to glean some knowledge from it. I have tried using the test mode for SCIM which worked as intended, but as Gluu recommends not using that in production I started looking at UMA. However, my Java is a bit rusty and I have some trouble following what happens at various parts of the implementation and was hoping you could give some insights. I'm having some trouble understanding how to correctly obtain the RPT/access token (is there a difference between RPT and access token, or is it two names for the same thing?). I'll step through *my* understanding of how it works below. ## Settings In Gluu, I have enabled the ``SCIM Support`` setting under ``Configuration -> Organization Configuration -> System Configuration`` and the ``scim_access_policy`` script under ``Configuration -> Manage Custom Scripts -> UMA RPT Policies``. ## Get a ticket Initially, we are unauthorized, so get a ticket through requesting an SCIM endpoint, e.g. ``/identity/restv1/scim/v2/Users``, which returns a ticket and the UMA metadata URI in the ``WWW-Authenticate`` header. ## Get a token With the ticket in hand we need to get an access token. This is where I believe I get stuck on some of the values. So, to my understanding, we need to create a request that looks like the following ``` POST /oxauth/restv1/token <No headers> grant_type=client_credentials &client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer &client_assertion=<JWT as described below> &client_id=<SCIM Requesting Party Client OIDC client inum> &ticket=<UUID Ticket from the response above> ``` Where the client_assertion parameter is a JWT that looks like the following ``` 'iss': <SCIM Requesting Party Client OIDC client inum>, 'sub': <SCIM Requesting Party Client OIDC client inum>, 'aud': https://example.com/oxauth/restv1/token, 'jti': <Generated UUID4>, 'exp': now + datetime.timedelta(minutes=5), 'iat': now ``` And headers on the JWT like the following ``` 'kid': <Alias of a key from scim-rp.jks>, 'alg': 'HS256' ``` This should return a token that can be used for sending requests to the SCIM endpoints, right? I see that you sign the JWT and I'm not sure I follow what is used to sign it. I signed it with the key that the alias above points to. Performing the request above I receive a 401 Unauthorized HTTP response back from the Gluu server with the following message ``` { "error": "invalid_client", "error_description": "Client authentication failed (e.g. unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the Authorization request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code, and include the WWW-Authenticate response header field matching the authentication scheme used by the client." } ``` I'm wondering if I am mixing together some concepts in this issue. I hope it's possible for you to share some knowledge/help in this regard.