By: Eckhard Lehmann user 16 Oct 2019 at 4:56 a.m. CDT

12 Responses
#### Expected behaviour

When I register a client **dynamically** via a POST request to https://<my_gluu_address>/oxauth/restv1/register, I want to set the scope field to a string list with scopes that my client should support. Furthermore I want to set the grant_types and include "password". The corresponding JSON request body includes something like

```
{
  ...
  "grant_types": [ ..., "password" ],
  "scope": "openid profile user_name",
  ...
}
```

The resulting client should have the scope values set to the list "openid", "profile", "user_name" (all are predefined). The Grant Types section should include the "password" item.

#### Actual behaviour

The resulting client has its scope set to the list of the following items: "openid", "permission", "oxd", "uma_protection". The Grant Types section does not include the "password" item. This is reflected in the response like:

```
{
  ...
  "grant_types": [ ..., (no "password") ],
  "scope": "openid permission oxd uma_protection",
  ...
}
```

By Mohib Zico staff 18 Oct 2019 at 9:28 a.m. CDT

I will test it as soon as I can manage some time. Thanks for your report!

By Eckhard Lehmann user 21 Oct 2019 at 3:09 a.m. CDT

Thanks. Here is a JSON that I used, for your convenience:

```
{
  "redirect_uris": ["http://localhost:8080/login/oauth2/code/gluu"],
  "post_logout_redirect_uris": ["http://localhost:8080/logout"],
  "rpt_as_jwt": false,
  "access_token_as_jwt": true,
  "access_token_signing_alg": "RS256",
  "response_types": ["code", "token", "id_token"],
  "grant_types": ["authorization_code", "refresh_token", "client_credentials", "password"],
  "application_type": "web",
  "client_name": "Dynamically registered test client",
  "subject_type": "public",
  "token_endpoint_auth_method": "client_secret_basic",
  "id_token_signed_response_alg": "none",
  "default_max_age": "300",
  "require_auth_time": false,
  "frontchannel_logout_session_required": "false",
  "scope": "openid user_name profile email"
}
```

I used curl to perform the request, like so:

```
curl -v -X POST https://gluu-local/oxauth/restv1/register \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -d @/path/to/the/above/data.json
```

By Dzouato Djeumen Rolain Bonaventure staff 30 Oct 2019 at 2:37 p.m. CDT

Hello Eckhard,

Please go to `Configuration` > `JSON Configuration` > `oxAuth Configuration` and make sure that the option `dynamicGrantTypeDefault` has `password` selected. By default, the `password` grant type is disabled for dynamic client registration.

Thanks.

By Eckhard Lehmann user 06 Nov 2019 at 2:22 a.m. CST

Hello,

> Please go to Configuration > JSON Configuration > oxAuth Configuration and make sure that the option dynamicGrantTypeDefault has password selected. By default, the password grant type is disabled for dynamic client registration.

Thanks, that worked :). But the other issue with the scope is still open... or is it possible to configure that as well?

By Dzouato Djeumen Rolain Bonaventure staff 06 Nov 2019 at 5:25 a.m. CST

Hello,

Let me look into the scope issue.

By Dzouato Djeumen Rolain Bonaventure staff 06 Nov 2019 at 10:02 a.m. CST

I have looked into the scope issue. Let's start with the why. Scopes in Gluu Server have a flag which indicates if they are a default scope. Default scopes are added (by default) during dynamic client creation. Right now, we do not have an option on the oxTrust UI to change that, but I'll surely ask around. That said, the flag can be turned off.

1. Use an LDAP client of your choice (I use jXplorer) and connect to the LDAP server on your Gluu Server instance.
2. Identify the `scopes` leaf under the `gluu` leaf.
3. Search for scopes with `defaultScope` set to `true` and then change the `defaultScope` to `false`.

Thanks for your patience.

By Dzouato Djeumen Rolain Bonaventure staff 15 Nov 2019 at 7:50 a.m. CST

Hello Eckhard,

I will now mark this ticket as closed. Please feel free to re-open it if you face any issues.

Thanks.

By Eckhard Lehmann user 15 Nov 2019 at 1 p.m. CST

Hello Djeumen,

Ok. Sorry for not getting back to you sooner, I had it on my list but was busy.

So if I understand correctly, there is no way to assign the scopes during client registration at the moment... the only way would be to mark the scopes that I want to assign as `defaultScope` in the LDAP, which results in them being always set during dynamic client registration. This works for some time, but it is not really satisfactory.

A better solution would be if it was possible to allow (select) which scopes *can* be assigned during dynamic client registration, so that it can be controlled. And clients can register dynamically with the scopes that they want to use, as long as they are allowed. Could this be something on your roadmap?

By Dzouato Djeumen Rolain Bonaventure staff 15 Nov 2019 at 11:14 p.m. CST

Hello Eckhard,

I think I may not have been explaining it well.

1. You can assign **any** scopes during client registration with Gluu Server.
2. The problem you were facing is that scopes such as `oxd` and `uma_protection` were **always** added during dynamic client registration. These scopes have a `defaultScope` flag in LDAP set to `true`. You need to set the flag to `false` **only** for these scopes. I have a team member adding a way to change this from the oxTrust UI. Also, you need to perform this step only *once*.
3. For any scope except the scopes I just mentioned in point #2, you can actually add them during dynamic registration, as long as in the scope configuration it is marked as allowed for use during dynamic registration.

I hope this clears it up for you. Please, if you have questions on this, or other questions, feel free to ask.
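
As an added example (not from the ticket and not Gluu's own code), the following Python script sends the same kind of registration request as the curl command earlier in the thread and then diffs the response against what was requested. That makes the two effects discussed above visible as an explicit report: scopes that arrived without being asked for (the `defaultScope` behaviour) and grant types that were silently dropped (the `dynamicGrantTypeDefault` setting). The endpoint URL is taken from the thread; the sample response is constructed to reproduce the reported behaviour and the client_id in it is a placeholder.

```python
"""Dynamic client registration against oxAuth plus a check that the
registered client really got the scopes and grant types we asked for.

Added example, not Gluu code. REGISTER_URL follows the curl command in the
ticket; SAMPLE_RESPONSE is constructed to mirror the behaviour reported there.
"""
import json
import ssl
import urllib.request

REGISTER_URL = "https://gluu-local/oxauth/restv1/register"  # from the ticket's curl call


def build_registration_request(redirect_uris, scopes, grant_types):
    """Build an RFC 7591 registration body. `scope` is one space-separated
    string (as in the ticket), `grant_types` a JSON list."""
    return {
        "redirect_uris": list(redirect_uris),
        "response_types": ["code"],
        "grant_types": list(grant_types),
        "application_type": "web",
        "client_name": "Dynamically registered test client",
        "token_endpoint_auth_method": "client_secret_basic",
        "scope": " ".join(scopes),
    }


def register(body, url=REGISTER_URL, verify_tls=True):
    """POST the registration request and return the parsed JSON response.
    This is the only network call; it is not exercised offline."""
    data = json.dumps(body).encode()
    req = urllib.request.Request(
        url, data=data, method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json"},
    )
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for a lab instance with a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.loads(resp.read())


def check_registration(requested, response):
    """Compare the request with what oxAuth actually registered.
    Every list is empty when the server honoured the request exactly."""
    want_scopes = set(requested["scope"].split())
    got_scopes = set(response.get("scope", "").split())
    want_grants = set(requested["grant_types"])
    got_grants = set(response.get("grant_types", []))
    return {
        # requested but not granted: scope not allowed for dynamic registration
        "missing_scopes": sorted(want_scopes - got_scopes),
        # granted without being asked for: defaultScope=true scopes
        "unrequested_scopes": sorted(got_scopes - want_scopes),
        # requested but dropped: not in dynamicGrantTypeDefault
        "dropped_grant_types": sorted(want_grants - got_grants),
        "unrequested_grant_types": sorted(got_grants - want_grants),
    }


def registration_is_exact(requested, response):
    """True only if scopes and grant types match the request one to one."""
    return not any(check_registration(requested, response).values())


# Constructed sample response reproducing what the ticket reports:
# default scopes added, "password" dropped, requested scopes missing.
SAMPLE_RESPONSE = {
    "client_id": "constructed-client-id",
    "grant_types": ["authorization_code", "refresh_token", "client_credentials"],
    "scope": "openid permission oxd uma_protection",
}

SAMPLE_REQUEST = build_registration_request(
    ["http://localhost:8080/login/oauth2/code/gluu"],
    ["openid", "user_name", "profile", "email"],
    ["authorization_code", "refresh_token", "client_credentials", "password"],
)

if __name__ == "__main__":
    # Replace SAMPLE_RESPONSE with register(SAMPLE_REQUEST, verify_tls=False)
    # to run the check against a real lab instance.
    print(json.dumps(check_registration(SAMPLE_REQUEST, SAMPLE_RESPONSE), indent=2))
```

Run the check after every automated deployment: an unexpected entry in `unrequested_scopes` means a scope is flagged `defaultScope` in LDAP, and an entry in `dropped_grant_types` means it is missing from `dynamicGrantTypeDefault`. Treating either as a deployment failure keeps a client from silently ending up with `uma_protection` or without the grant type the application needs.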

By Eckhard Lehmann user 18 Nov 2019 at 2:11 a.m. CST

Hello Djeumen,

Ok, I had a look into the LDAP scopes leaf and figured out some things about the `defaultScope` flag. My findings:

* In jXplorer I was not able to change the value of that flag. This is of course not Gluu related...
* In the oxTrust UI I can mark a scope as "allowed for dynamic registration", by clicking on "OpenID Connect" -> "Scopes", then selecting the scope and setting the corresponding dropdown in the middle right to "true".
* When I do that, the value of `defaultScope` in the LDAP changes to true for that scope. That means, by setting the "allowed for dynamic registration" flag, I effectively set the scope as `defaultScope`.
* Then, when I perform a dynamic client registration, the scope is *always* added to my client, no matter if I set it in the "scopes" parameter of my request or not. This is not exactly the behaviour I would expect. Seems we are back to old Kent Road ;-). My initial report was about the fact that scopes cannot be assigned through the request parameter "scopes" (see the JSON above), which would be my expectation. But at least I learned a way to work around that bug by enabling the scopes that I want to have assigned to dynamically created clients as `defaultScope`. Thanks for that.
* The whole purpose of dynamic client registration *for me* is to do a fully automated deployment of a Gluu instance and an application that uses it. As part of that I create a client with certain scopes dynamically, just to avoid the manual "click-around-and-copy-paste" that would otherwise be involved. So I can change the defaultScope parameters of the templates/scopes.ldif file accordingly and deploy the Gluu instance with a setup that has the scopes marked as defaultScope which I later want to use for dynamic client registration for my application. This is not very flexible, but would work for me so far... nevertheless I hope the above mentioned bug may be fixed.
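
Both the staff instruction earlier in the thread (clear `defaultScope` on `oxd` and `uma_protection` in the live LDAP) and the workaround just described (pre-set `defaultScope` in `templates/scopes.ldif` before deployment) come down to editing one attribute on scope entries. Here is an added Python helper for that, not part of Gluu or of the ticket: it reads LDIF text, lists which scopes carry `defaultScope: true`, rewrites the template for the named scopes, or emits change records for `ldapmodify` against a running server. The entry layout and inum values in the sample are constructed; the attribute names `defaultScope` and `oxId` follow the thread and are an assumption about your instance, so check them against your own `scopes.ldif` first.

```python
"""Inspect and rewrite the `defaultScope` flag on Gluu scope entries in LDIF.

Added example, not Gluu tooling. Works on the deployment template
(templates/scopes.ldif) or, through modify_ldif(), on a live directory via
`ldapmodify`. SAMPLE_SCOPES is constructed; attribute names are assumptions
taken from the support thread.
"""


def parse_ldif(text):
    """Minimal LDIF reader: returns a list of entries, each an ordered list of
    (attribute, value) pairs. Handles folded lines; no base64 or change records."""
    entries, current = [], []
    for raw in text.splitlines():
        if raw.startswith(" ") and current:  # folded continuation line
            attr, val = current[-1]
            current[-1] = (attr, val + raw[1:])
            continue
        if not raw.strip():  # blank line ends an entry
            if current:
                entries.append(current)
                current = []
            continue
        if raw.startswith("#"):
            continue
        attr, _, val = raw.partition(":")
        current.append((attr.strip(), val.strip()))
    if current:
        entries.append(current)
    return entries


def dump_ldif(entries):
    """Serialise entries back to LDIF text."""
    return "\n\n".join("\n".join(f"{a}: {v}" for a, v in e) for e in entries) + "\n"


def _first(entry, attr):
    """First value of `attr` in an entry (attribute names are case-insensitive)."""
    return next((v for a, v in entry if a.lower() == attr.lower()), None)


def default_scopes(text):
    """Names (oxId) of the scopes whose defaultScope flag is true, sorted."""
    return sorted(
        _first(e, "oxId") for e in parse_ldif(text)
        if _first(e, "oxId") and (_first(e, "defaultScope") or "").lower() == "true"
    )


def set_default_scope(text, scope_names, value):
    """Rewrite the template so the named scopes carry defaultScope=value.
    Adds the attribute if an entry lacks it; other entries are untouched."""
    flag = "true" if value else "false"
    out = []
    for e in parse_ldif(text):
        if _first(e, "oxId") in scope_names:
            e = [(a, flag if a.lower() == "defaultscope" else v) for a, v in e]
            if _first(e, "defaultScope") is None:
                e.append(("defaultScope", flag))
        out.append(e)
    return dump_ldif(out)


def modify_ldif(text, scope_names, value):
    """Emit one `changetype: modify` record per named scope, suitable for
    `ldapmodify -f` against the running LDAP server (the staff procedure)."""
    flag = "true" if value else "false"
    records = []
    for e in parse_ldif(text):
        if _first(e, "oxId") in scope_names:
            records.append(
                f"dn: {_first(e, 'dn')}\nchangetype: modify\n"
                f"replace: defaultScope\ndefaultScope: {flag}\n-"
            )
    return "\n\n".join(records) + "\n"


# Constructed scope entries in the shape of a scopes.ldif template (inums made up).
SAMPLE_SCOPES = """\
dn: inum=F0C4,ou=scopes,o=gluu
objectClass: top
objectClass: oxAuthCustomScope
defaultScope: true
displayName: openid
oxId: openid

dn: inum=43F1,ou=scopes,o=gluu
objectClass: top
objectClass: oxAuthCustomScope
defaultScope: false
displayName: profile
oxId: profile

dn: inum=C4F5,ou=scopes,o=gluu
objectClass: top
objectClass: oxAuthCustomScope
defaultScope: true
displayName: oxd
oxId: oxd

dn: inum=6D99,ou=scopes,o=gluu
objectClass: top
objectClass: oxAuthCustomScope
defaultScope: true
displayName: uma_protection
oxId: uma_protection

dn: inum=A1B2,ou=scopes,o=gluu
objectClass: top
objectClass: oxAuthCustomScope
displayName: user_name
oxId: user_name
"""

if __name__ == "__main__":
    print("default scopes before:", default_scopes(SAMPLE_SCOPES))
    print(modify_ldif(SAMPLE_SCOPES, {"oxd", "uma_protection"}, False))
```

For the live-server route, write the output of `modify_ldif()` to a file and feed it to `ldapmodify` with your Gluu LDAP bind credentials; for the deployment route, run `set_default_scope()` over the template before `setup.py` consumes it. In both cases re-run the registration check from the earlier example afterwards, since a scope left at `defaultScope: true` keeps being attached to every dynamically registered client.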

By Dzouato Djeumen Rolain Bonaventure staff 18 Nov 2019 at 9:28 a.m. CST

Hello Eckhard,

Thanks for your thorough report. The issue you reported in your third bullet is actually a bug if it's true. defaultScope should **not** be set to `true` after setting a scope for dynamic registration. I'll have someone look into it. Once the bug(s) are fixed, would you be interested in using the new fix?

Thanks again once more for your patience.

By Eckhard Lehmann user 19 Nov 2019 at 8:37 a.m. CST

Hello Djeumen,

> Once the bug(s) are fixed, would you be interested in using the new fix?

Yes definitely :). But I think we have time to wait for that fix to be in an official Gluu release, since we will probably update Gluu a few more times until we release to production.