By: Dustin Bagwell user 30 Sep 2017 at 3:13 p.m. CDT

3 Responses
So we're trying to exchange a code for an access token, and then passing that on to a resource server, where it will use introspection to find out if it is valid and what the user name is. After adding uma_protection to the response_type=code request, introspection started working, which is great. Except the username is always 'null'. I'm pretty sure this is because of this message:

```
2017-09-30 19:53:29,139 TRACE [qtp2008017533-12] [org.xdi.oxauth.model.common.AuthorizationGrantList] (AuthorizationGrantList.java:85) - Put authorization grant in cache, code: 0dbf6b28-cd89-4dee-bc52-3262c947c485, clientId: @!CC3F.9FB4.BC39.CBDE!0001!7276.CD1D!0008!AE2A.62E9.CA14.95D6
```

That clientId is the id of the 'client' configured in Gluu, not the id of the user 'test123'. I can't figure out where I'm going wrong. The idea is that the user initiates the authorize bits, gets 302'd to an app on a phone, that gets the token and then forwards it to the Resource Server on the back. The Resource Server then checks to see if it's a valid token using introspection, and what the user name is. If I send username and password with a grant_type of password, it totally gets a token associated with that user. But I thought the whole idea was that I wasn't sending the user/pass, that after we auth, get the code, and exchange it for a token, etc. We've been banging our heads on this for a bit, and thought we had it figured out, but now I'm back to square one.

By Aliaksandr Samuseu staff 04 Oct 2017 at 12:34 p.m. CDT

Hi, Dustin. Could you clarify it a bit? Do you try to employ UMA, or try to adapt OIDC to your needs? Perhaps, providing a more detailed and complete sequences of all involved flows would be helpful to us to understand what you are aiming at.

By Dustin Bagwell user 04 Oct 2017 at 12:40 p.m. CDT

Hi. Thanks for the response. I figured it out. I was not sending session_id/state/session_state to the token endpoint with my authorization_code grant request. So we'd get an access_token, but it wasn't associated to any user. It totally works now. Sorry if I missed that in the documentation somewhere.
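As an added illustration of the fix described in this reply and of the resource-server side from the opening post (example code, not Gluu's or the poster's own): the first function builds the authorization_code token request including the session_id/state/session_state fields this thread found necessary, and the second is the gate a resource server can apply to an RFC 7662 introspection response so that a live token with no bound user (the 'null' username symptom above) is rejected. The introspection responses, client id and scope values are constructed placeholders.

```python
import time
from urllib.parse import urlencode

# Constructed sample introspection responses in RFC 7662 shape (not captured from Gluu).
USER_TOKEN = {"active": True, "username": "test123", "client_id": "@!CLIENT-ID-PLACEHOLDER",
              "scope": "openid uma_protection", "exp": 4102444800}
CLIENT_ONLY_TOKEN = {"active": True, "username": None, "client_id": "@!CLIENT-ID-PLACEHOLDER",
                     "scope": "openid uma_protection", "exp": 4102444800}


def build_token_request(code, redirect_uri, session_id, state, session_state):
    """Form body for the authorization_code grant sent to the token endpoint.
    Besides the standard fields, the thread found that session_id, state and
    session_state from the authorization response must be forwarded, otherwise
    the resulting token is not associated with the authenticated user.
    Client authentication (e.g. HTTP Basic) is sent as a header, not shown here."""
    params = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "session_id": session_id,
        "state": state,
        "session_state": session_state,
    }
    missing = [k for k, v in params.items() if not v]
    if missing:
        raise ValueError("missing token request fields: " + ", ".join(missing))
    return urlencode(params)


def check_introspection(resp, required_scope, now=None):
    """Resource-server gate over an introspection response.
    Accepts only an active, unexpired token that carries an end-user identity
    and the required scope. Returns (accepted, username_or_reason)."""
    now = time.time() if now is None else now
    if resp.get("active") is not True:
        return False, "token inactive"
    exp = resp.get("exp")
    if exp is not None and exp <= now:
        return False, "token expired"
    username = resp.get("username")
    if not username:
        # Exactly the symptom in the thread: a live token bound only to the client.
        return False, "no end-user bound to token"
    if required_scope not in resp.get("scope", "").split():
        return False, "missing scope " + required_scope
    return True, username
```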

By Aliaksandr Samuseu staff 04 Oct 2017 at 12:43 p.m. CDT

No problem, that may help others to do it right now. Closing the ticket.