By: Eric Sans user 05 Dec 2017 at 4:37 a.m. CST

29 Responses

Hi I'm trying to integrate a Guest web portal from Extreme Networks with a gluu server OP using OpenID. In have register my Web application but it seems that the client never receive the ID Token. I elevated the logs for Oxauth.log to debug and found this java error. I tried a lot of configuration without any success 2017-12-05 10:28:37,236 INFO [qtp2008017533-11] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:152) - Authentication failed for 'admin' 2017-12-05 10:28:37,249 DEBUG [qtp2008017533-11] [org.xdi.oxauth.service.ClientService] (ClientService.java:137) - Found 1 entries for client id = @!78FE.F41A.51C9.4B96!0001!2051.CA02!0008! F1EA.F032.E587.BDF2 2017-12-05 10:28:37,250 DEBUG [qtp2008017533-11] [org.xdi.oxauth.service.ClientService] (ClientService.java:137) - Found 1 entries for client id = @!78FE.F41A.51C9.4B96!0001!2051.CA02!0008! F1EA.F032.E587.BDF2 2017-12-05 10:28:37,250 DEBUG [qtp2008017533-11] [org.xdi.oxauth.service.ClientService] (ClientService.java:137) - Found 1 entries for client id = @!78FE.F41A.51C9.4B96!0001!2051.CA02!0008! F1EA.F032.E587.BDF2 2017-12-05 10:28:37,250 DEBUG [qtp2008017533-11] [org.xdi.oxauth.service.ClientService] (ClientService.java:137) - Found 1 entries for client id = @!78FE.F41A.51C9.4B96!0001!2051.CA02!0008! F1EA.F032.E587.BDF2 2017-12-05 10:28:37,251 DEBUG [qtp2008017533-11] [org.xdi.oxauth.service.ClientService] (ClientService.java:137) - Found 1 entries for client id = @!78FE.F41A.51C9.4B96!0001!2051.CA02!0008! F1EA.F032.E587.BDF2 2017-12-05 10:28:37,251 DEBUG [qtp2008017533-11] [org.xdi.oxauth.service.ClientService] (ClientService.java:137) - Found 1 entries for client id = @!78FE.F41A.51C9.4B96!0001!2051.CA02!0008! F1EA.F032.E587.BDF2 2017-12-05 10:28:37,252 DEBUG [qtp2008017533-11] [org.xdi.oxauth.service.ClientService] (ClientService.java:137) - Found 1 entries for client id = @!78FE.F41A.51C9.4B96!0001!2051.CA02!0008! F1EA.F032.E587.BDF2 2017-12-05 10:28:37,253 DEBUG [qtp2008017533-11] [org.xdi.oxauth.service.ClientService] (ClientService.java:137) - Found 1 entries for client id = @!78FE.F41A.51C9.4B96!0001!2051.CA02!0008! F1EA.F032.E587.BDF2 2017-12-05 10:28:37,256 DEBUG [qtp2008017533-11] [org.xdi.oxauth.service.ClientService] (ClientService.java:137) - Found 1 entries for client id = @!78FE.F41A.51C9.4B96!0001!2051.CA02!0008! F1EA.F032.E587.BDF2 2017-12-05 10:28:37,256 DEBUG [qtp2008017533-11] [org.xdi.oxauth.service.ClientService] (ClientService.java:137) - Found 1 entries for client id = @!78FE.F41A.51C9.4B96!0001!2051.CA02!0008! F1EA.F032.E587.BDF2 2017-12-05 10:28:57,614 DEBUG [oxAuthScheduler_Worker-5] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:52) - Bound request started 2017-12-05 10:28:57,615 DEBUG [oxAuthScheduler_Worker-5] [org.xdi.service.timer.TimerJob] (TimerJob.java:34) - Fire timer event [org.xdi.service.cdi.event.ConfigurationEvent] with qualifier s [@org.xdi.service.cdi.event.Scheduled()] 2017-12-05 10:28:57,616 DEBUG [oxAuthScheduler_Worker-5] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:62) - Bound request ended 2017-12-05 10:28:57,765 DEBUG [oxAuthScheduler_Worker-4] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:52) - Bound request started 2017-12-05 10:28:57,766 DEBUG [oxAuthScheduler_Worker-4] [org.xdi.service.timer.TimerJob] (TimerJob.java:34) - Fire timer event [org.xdi.oxauth.service.cdi.event.AuthConfigurationEvent] wit h qualifiers [@org.xdi.service.cdi.event.Scheduled()] 2017-12-05 10:28:57,767 DEBUG [oxAuthScheduler_Worker-4] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:62) - Bound request ended 2017-12-05 10:28:58,041 DEBUG [oxAuthScheduler_Worker-3] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:52) - Bound request started 2017-12-05 10:28:58,041 DEBUG [oxAuthScheduler_Worker-3] [org.xdi.service.timer.TimerJob] (TimerJob.java:34) - Fire timer event [org.xdi.service.cdi.event.UpdateScriptEvent] with qualifiers [@org.xdi.service.cdi.event.Scheduled()] 2017-12-05 10:28:58,064 DEBUG [oxAuthScheduler_Worker-3] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:62) - Bound request ended 2017-12-05 10:29:02,120 DEBUG [qtp2008017533-12] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:137) - Authenticating user with LDAP: username: 'admin', credenti als: '1812265913' 2017-12-05 10:29:02,121 DEBUG [qtp2008017533-12] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:261) - Attempting to find userDN by primary key: 'uid' and key va lue: 'admin', credentials: '1812265913' 2017-12-05 10:29:02,121 DEBUG [qtp2008017533-12] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:350) - Getting user information from LDAP: attributeName = 'uid', attributeValue = 'admin' 2017-12-05 10:29:02,121 DEBUG [qtp2008017533-12] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:364) - Searching user by attributes: '[Attribute [name=uid, value s=[admin]]]', baseDn: 'o=gluu' 2017-12-05 10:29:02,130 DEBUG [qtp2008017533-12] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:366) - Found '1' entries 2017-12-05 10:29:02,137 DEBUG [qtp2008017533-12] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:283) - Attempting to authenticate userDN: inum=@!78FE.F41A.51C9.4 B96!0001!2051.CA02!0000!A8F2.DE1E.D7FB,ou=people,o=@!78FE.F41A.51C9.4B96!0001!2051.CA02,o=gluu 2017-12-05 10:29:02,139 DEBUG [qtp2008017533-12] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:285) - User authenticated: inum=@!78FE.F41A.51C9.4B96!0001!2051.C A02!0000!A8F2.DE1E.D7FB,ou=people,o=@!78FE.F41A.51C9.4B96!0001!2051.CA02,o=gluu 2017-12-05 10:29:02,140 DEBUG [qtp2008017533-12] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:287) - Attempting to find userDN by local primary key: uid 2017-12-05 10:29:02,140 DEBUG [qtp2008017533-12] [org.xdi.oxauth.service.UserService] (UserService.java:182) - Getting user information from LDAP: attributeName = 'uid', attributeValue = 'a dmin' 2017-12-05 10:29:02,149 DEBUG [qtp2008017533-12] [org.xdi.oxauth.service.UserService] (UserService.java:193) - Found '1' entries 2017-12-05 10:29:02,152 ERROR [qtp2008017533-12] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:409) - Failed to update oxLastLogonTime of user 'admin' 2017-12-05 10:29:02,153 DEBUG [qtp2008017533-12] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:250) - Authentication result for user 'admin'. auth_step: '1', result: 'true', crede ntials: '1812265913' 2017-12-05 10:29:02,154 DEBUG [qtp2008017533-12] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:339) - Sending event to trigger user redirection: 'admin' 2017-12-05 10:29:02,154 INFO [qtp2008017533-12] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:514) - Attempting to redirect user: SessionUser: SessionState {dn ='oxAuthSessionId=3e8c80ca-ecf8-4629-9336-bc744bbabefb,ou=session,o=@!78FE.F41A.51C9.4B96!0001!2051.CA02,o=gluu', id='3e8c80ca-ecf8-4629-9336-bc744bbabefb', lastUsedAt=Tue Dec 05 10:29:02 U TC 2017, userDn='inum=@!78FE.F41A.51C9.4B96!0001!2051.CA02!0000!A8F2.DE1E.D7FB,ou=people,o=@!78FE.F41A.51C9.4B96!0001!2051.CA02,o=gluu', authenticationTime=Tue Dec 05 10:29:02 UTC 2017, sta te=authenticated, sessionState='ed0f1aa2-3e78-4215-801f-58ef7c30d932', permissionGranted=null, isJwt=false, jwt=null, permissionGrantedMap=org.xdi.oxauth.model.common.SessionIdAccessMap@6ef eff4c, involvedClients=null, sessionAttributes={auth_step=1, acr=auth_ldap_server, remote_ip=192.168.30.32, scope=openid, response_type=code, redirect_uri=https://engine1.showroom.fr/genpro vider_oauth1, nonce=[B@60416727, client_id=@!78FE.F41A.51C9.4B96!0001!2051.CA02!0008!F1EA.F032.E587.BDF2}, persisted=true} 2017-12-05 10:29:02,171 INFO [qtp2008017533-12] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:522) - Attempting to redirect user: User: org.xdi.oxauth.model.co mmon.User@2b62335c 2017-12-05 10:29:02,174 INFO [qtp2008017533-12] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:342) - Authentication success for User: 'admin' 2017-12-05 10:29:02,216 DEBUG [qtp2008017533-11] [org.xdi.oxauth.service.ClientService] (ClientService.java:137) - Found 1 entries for client id = @!78FE.F41A.51C9.4B96!0001!2051.CA02!0008! F1EA.F032.E587.BDF2 2017-12-05 10:29:02,225 DEBUG [qtp2008017533-11] [org.xdi.oxauth.service.ClientService] (ClientService.java:137) - Found 1 entries for client id = @!78FE.F41A.51C9.4B96!0001!2051.CA02!0008! F1EA.F032.E587.BDF2 2017-12-05 10:29:02,225 DEBUG [qtp2008017533-11] [org.xdi.oxauth.service.RedirectionUriService] (RedirectionUriService.java:76) - Validating redirection URI: clientIdentifier = @!78FE.F41A. 51C9.4B96!0001!2051.CA02!0008!F1EA.F032.E587.BDF2, redirectionUri = https://engine1.showroom.fr/genprovider_oauth1, found = 1 2017-12-05 10:29:02,225 DEBUG [qtp2008017533-11] [org.xdi.oxauth.service.RedirectionUriService] (RedirectionUriService.java:82) - Comparing https://engine1.showroom.fr/genprovider_oauth1 == https://engine1.showroom.fr/genprovider_oauth1 2017-12-05 10:29:02,242 DEBUG [qtp2008017533-11] [org.xdi.oxauth.service.ClientService] (ClientService.java:137) - Found 1 entries for client id = @!78FE.F41A.51C9.4B96!0001!2051.CA02!0008! F1EA.F032.E587.BDF2 2017-12-05 10:29:02,291 DEBUG [qtp2008017533-16] [xdi.oxauth.authorize.ws.rs.AuthorizeRestWebServiceImpl] (AuthorizeRestWebServiceImpl.java:159) - Attempting to request authorization: respo nseType = code, clientId = @!78FE.F41A.51C9.4B96!0001!2051.CA02!0008!F1EA.F032.E587.BDF2, scope = openid, redirectUri = https://engine1.showroom.fr/genprovider_oauth1, nonce = [B@60416727, state = null, request = null, isSecure = true, requestSessionId = null, sessionId = 3e8c80ca-ecf8-4629-9336-bc744bbabefb 2017-12-05 10:29:02,292 DEBUG [qtp2008017533-16] [xdi.oxauth.authorize.ws.rs.AuthorizeRestWebServiceImpl] (AuthorizeRestWebServiceImpl.java:165) - Attempting to request authorization: acrVa lues = null, amrValues = null, originHeaders = null, codeChallenge = null, codeChallengeMethod = null, customRespHeaders = null, claims = null 2017-12-05 10:29:02,298 DEBUG [qtp2008017533-16] [org.xdi.oxauth.service.ClientService] (ClientService.java:137) - Found 1 entries for client id = @!78FE.F41A.51C9.4B96!0001!2051.CA02!0008! F1EA.F032.E587.BDF2 2017-12-05 10:29:02,299 DEBUG [qtp2008017533-16] [org.xdi.oxauth.model.authorize.ScopeChecker] (ScopeChecker.java:39) - Checking scopes policy for: openid 2017-12-05 10:29:02,301 DEBUG [qtp2008017533-16] [org.xdi.oxauth.model.authorize.ScopeChecker] (ScopeChecker.java:59) - Granted scopes: [openid] 2017-12-05 10:29:02,301 DEBUG [qtp2008017533-16] [org.xdi.oxauth.service.ClientService] (ClientService.java:137) - Found 1 entries for client id = @!78FE.F41A.51C9.4B96!0001!2051.CA02!0008! F1EA.F032.E587.BDF2 2017-12-05 10:29:02,301 DEBUG [qtp2008017533-16] [org.xdi.oxauth.service.RedirectionUriService] (RedirectionUriService.java:76) - Validating redirection URI: clientIdentifier = @!78FE.F41A. 51C9.4B96!0001!2051.CA02!0008!F1EA.F032.E587.BDF2, redirectionUri = https://engine1.showroom.fr/genprovider_oauth1, found = 1 2017-12-05 10:29:02,301 DEBUG [qtp2008017533-16] [org.xdi.oxauth.service.RedirectionUriService] (RedirectionUriService.java:82) - Comparing https://engine1.showroom.fr/genprovider_oauth1 == https://engine1.showroom.fr/genprovider_oauth1 2017-12-05 10:29:02,305 DEBUG [qtp2008017533-16] [org.xdi.oxauth.model.authorize.ScopeChecker] (ScopeChecker.java:39) - Checking scopes policy for: openid 2017-12-05 10:29:02,305 DEBUG [qtp2008017533-16] [org.xdi.oxauth.model.authorize.ScopeChecker] (ScopeChecker.java:59) - Granted scopes: [openid] 2017-12-05 10:29:02,962 DEBUG [qtp2008017533-12] [org.xdi.oxauth.auth.AuthenticationFilter] (AuthenticationFilter.java:94) - Starting token endpoint authentication 2017-12-05 10:29:02,963 DEBUG [qtp2008017533-12] [org.xdi.oxauth.auth.AuthenticationFilter] (AuthenticationFilter.java:104) - Starting POST Auth token endpoint authentication 2017-12-05 10:29:02,964 DEBUG [qtp2008017533-12] [org.xdi.oxauth.auth.AuthenticationFilter] (AuthenticationFilter.java:270) - requireAuth: 'true' 2017-12-05 10:29:02,971 DEBUG [qtp2008017533-12] [org.xdi.oxauth.service.ClientService] (ClientService.java:137) - Found 1 entries for client id = @!78FE.F41A.51C9.4B96!0001!2051.CA02!0008! F1EA.F032.E587.BDF2 2017-12-05 10:29:02,972 DEBUG [qtp2008017533-12] [org.xdi.oxauth.service.ClientService] (ClientService.java:100) - Authenticating Client with LDAP: clientId = @!78FE.F41A.51C9.4B96!0001!205 1.CA02!0008!F1EA.F032.E587.BDF2 2017-12-05 10:29:02,972 DEBUG [qtp2008017533-12] [org.xdi.oxauth.service.ClientService] (ClientService.java:137) - Found 1 entries for client id = @!78FE.F41A.51C9.4B96!0001!2051.CA02!0008! F1EA.F032.E587.BDF2 2017-12-05 10:29:02,973 DEBUG [qtp2008017533-12] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:496) - ConfigureSessionClient: username: '@!78FE.F41A.51C9.4B96!0 001!2051.CA02!0008!F1EA.F032.E587.BDF2', credentials: '1812265913' 2017-12-05 10:29:02,973 DEBUG [qtp2008017533-12] [org.xdi.oxauth.service.ClientService] (ClientService.java:137) - Found 1 entries for client id = @!78FE.F41A.51C9.4B96!0001!2051.CA02!0008! F1EA.F032.E587.BDF2 2017-12-05 10:29:02,983 INFO [qtp2008017533-12] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:205) - Authentication success for Client: '@!78FE.F41A.51C9.4B96!0001!2051.CA02!0008 !F1EA.F032.E587.BDF2' 2017-12-05 10:29:02,989 DEBUG [qtp2008017533-12] [xdi.oxauth.token.ws.rs.TokenRestWebServiceImpl] (TokenRestWebServiceImpl.java:98) - Attempting to request access token: grantType = authori zation_code, code = 064f6a10-5099-44e2-ad22-5523922d3869, redirectUri = https://engine1.showroom.fr/genprovider_oauth1, username = null, refreshToken = null, clientId = @!78FE.F41A.51C9.4B9 6!0001!2051.CA02!0008!F1EA.F032.E587.BDF2, ExtraParams = {code=[064f6a10-5099-44e2-ad22-5523922d3869], redirect_uri=[https://engine1.showroom.fr/genprovider_oauth1], client_secret=[bf955545 -dcd3-41b9-b23d-06c24bbdca00], grant_type=[authorization_code], client_id=[@!78FE.F41A.51C9.4B96!0001!2051.CA02!0008!F1EA.F032.E587.BDF2]}, isSecure = true, codeVerifier = null, ticket = nu ll 2017-12-05 10:29:02,990 DEBUG [qtp2008017533-12] [xdi.oxauth.token.ws.rs.TokenRestWebServiceImpl] (TokenRestWebServiceImpl.java:118) - Starting to validate request parameters 2017-12-05 10:29:02,990 DEBUG [qtp2008017533-12] [xdi.oxauth.token.ws.rs.TokenRestWebServiceImpl] (TokenRestWebServiceImpl.java:126) - Grant type: 'authorization_code' 2017-12-05 10:29:02,990 DEBUG [qtp2008017533-12] [xdi.oxauth.token.ws.rs.TokenRestWebServiceImpl] (TokenRestWebServiceImpl.java:132) - Get sessionClient: 'org.xdi.oxauth.model.session.Sessi onClient@71ae81b6' 2017-12-05 10:29:02,991 DEBUG [qtp2008017533-12] [xdi.oxauth.token.ws.rs.TokenRestWebServiceImpl] (TokenRestWebServiceImpl.java:136) - Get client from session: '@!78FE.F41A.51C9.4B96!0001!2 051.CA02!0008!F1EA.F032.E587.BDF2' 2017-12-05 10:29:02,991 DEBUG [qtp2008017533-12] [xdi.oxauth.token.ws.rs.TokenRestWebServiceImpl] (TokenRestWebServiceImpl.java:149) - Attempting to find authorizationCodeGrant by clinetId: '@!78FE.F41A.51C9.4B96!0001!2051.CA02!0008!F1EA.F032.E587.BDF2', code: '064f6a10-5099-44e2-ad22-5523922d3869' 2017-12-05 10:29:03,000 DEBUG [qtp2008017533-12] [xdi.oxauth.token.ws.rs.TokenRestWebServiceImpl] (TokenRestWebServiceImpl.java:160) - Issuing access token: 360bdcbb-17f5-4caf-bb93-041a519c b66c 2017-12-05 10:29:03,024 DEBUG [qtp2008017533-12] [**org.xdi.oxauth.model.util.JwtUtil] (JwtUtil.java:204) - Retrieving jwks... 2017-12-05 10:29:03,025 ERROR [qtp2008017533-12] [org.xdi.oxauth.model.common.AuthorizationGrant] (AuthorizationGrant.java:174) - null java.lang.NullPointerException: null at org.xdi.oxauth.model.jwk.JSONWebKeySet.fromJSONObject(JSONWebKeySet.java:104) ~[oxauth-model-3.1.1.Final.jar:?] at org.xdi.oxauth.model.token.IdTokenFactory.generateEncryptedIdToken(IdTokenFactory.java:428) ~[classes/:?] at org.xdi.oxauth.model.token.IdTokenFactory.createJwr(IdTokenFactory.java:462) ~[classes/:?] at org.xdi.oxauth.model.common.AuthorizationGrant.createIdToken(AuthorizationGrant.java:67) ~[classes/:?] at org.xdi.oxauth.model.common.AuthorizationGrant.createIdToken(AuthorizationGrant.java:157) [classes/:?] at org.xdi.oxauth.token.ws.rs.TokenRestWebServiceImpl.requestAccessToken(TokenRestWebServiceImpl.java:178) [classes/:?] at org.xdi.oxauth.token.ws.rs.TokenRestWebServiceImpl$Proxy$_$$_WeldClientProxy.requestAccessToken(Unknown Source) [classes/:?] at sun.reflect.GeneratedMethodAccessor367.invoke(Unknown Source) ~[?:?] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_112] at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_112] at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) [resteasy-jaxrs-3.0.21.Final.jar:3.0.21.Final] at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) [resteasy-jaxrs-3.0.21.Final.jar:3.0.21.Final] at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) [resteasy-jaxrs-3.0.21.Final.jar:3.0.21.Final] at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236) [resteasy-jaxrs-3.0.21.Final.jar:3.0.21.Final] at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:402) [resteasy-jaxrs-3.0.21.Final.jar:3.0.21.Final] at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:209) [resteasy-jaxrs-3.0.21.Final.jar:3.0.21.Final] at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228) [resteasy-jaxrs-3.0.21.Final.jar:3.0.21.Final] at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) [resteasy-jaxrs-3.0.21.Final.jar:3.0.21.Final] at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) [resteasy-jaxrs-3.0.21.Final.jar:3.0.21.Final] at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [servlet-api-3.1.jar:3.1.0] at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:845) [jetty-servlet-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1772) [jetty-servlet-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.websocket.server.WebSocketUpgradeFilter.doFilter(WebSocketUpgradeFilter.java:193) [websocket-server-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1759) [jetty-servlet-9.3.15.v20161220.jar:9.3.15.v20161220] at org.ocpsoft.rewrite.servlet.RewriteFilter.doFilter(RewriteFilter.java:226) [rewrite-servlet-3.4.1.Final.jar:3.4.1.Final] at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1759) [jetty-servlet-9.3.15.v20161220.jar:9.3.15.v20161220] at org.gluu.oxserver.filters.AbstractCorsFilter.handleNonCORS(AbstractCorsFilter.java:343) [oxcore-server-3.1.1.Final.jar:?] at org.gluu.oxserver.filters.AbstractCorsFilter.doFilter(AbstractCorsFilter.java:120) [oxcore-server-3.1.1.Final.jar:?] at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1759) [jetty-servlet-9.3.15.v20161220.jar:9.3.15.v20161220] at org.xdi.oxauth.audit.debug.ServletLoggingFilter.doFilter(ServletLoggingFilter.java:55) [classes/:?] at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1751) [jetty-servlet-9.3.15.v20161220.jar:9.3.15.v20161220] at org.xdi.oxauth.auth.AuthenticationFilter.processPostAuth(AuthenticationFilter.java:316) [classes/:?] at org.xdi.oxauth.auth.AuthenticationFilter.doFilter(AuthenticationFilter.java:105) [classes/:?] at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1759) [jetty-servlet-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:582) [jetty-servlet-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548) [jetty-security-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:226) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1180) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:512) [jetty-servlet-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1112) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:213) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:119) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:134) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.server.Server.handle(Server.java:534) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:320) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:283) [jetty-io-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:110) [jetty-io-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:93) [jetty-io-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.executeProduceConsume(ExecuteProduceConsume.java:303) [jetty-util-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceConsume(ExecuteProduceConsume.java:148) [jetty-util-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:136) [jetty-util-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:671) [jetty-util-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:589) [jetty-util-9.3.15.v20161220.jar:9.3.15.v20161220] at java.lang.Thread.run(Thread.java:745) [?:1.8.0_112] 2017-12-05 10:29:27,613 DEBUG [oxAuthScheduler_Worker-1] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:52) - Bound request started 2017-12-05 10:29:27,614 DEBUG [oxAuthScheduler_Worker-1] [org.xdi.service.timer.TimerJob] (TimerJob.java:34) - Fire timer event [org.xdi.service.cdi.event.ConfigurationEvent] with qualifier s [@org.xdi.service.cdi.event.Scheduled()] 2017-12-05 10:29:27,614 DEBUG [oxAuthScheduler_Worker-1] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:62) - Bound request ended 2017-12-05 10:29:27,643 DEBUG [oxAuthScheduler_Worker-2] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:52) - Bound request started 2017-12-05 10:29:27,643 DEBUG [oxAuthScheduler_Worker-2] [org.xdi.service.timer.TimerJob] (TimerJob.java:34) - Fire timer event [org.xdi.service.cdi.event.LdapStatusEvent] with qualifiers [ @org.xdi.service.cdi.event.Scheduled()] 2017-12-05 10:29:27,644 DEBUG [oxAuthScheduler_Worker-2] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:62) - Bound request ended 2017-12-05 10:29:27,765 DEBUG [oxAuthScheduler_Worker-5] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:52) - Bound request started 2017-12-05 10:29:27,766 DEBUG [oxAuthScheduler_Worker-5] [org.xdi.service.timer.TimerJob] (TimerJob.java:34) - Fire timer event [org.xdi.oxauth.service.cdi.event.AuthConfigurationEvent] wit h qualifiers [@org.xdi.service.cdi.event.Scheduled()] 2017-12-05 10:29:27,766 DEBUG [oxAuthScheduler_Worker-5] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:62) - Bound request ended 2017-12-05 10:29:28,041 DEBUG [oxAuthScheduler_Worker-4] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:52) - Bound request started 2017-12-05 10:29:28,041 DEBUG [oxAuthScheduler_Worker-4] [org.xdi.service.timer.TimerJob] (TimerJob.java:34) - Fire timer event [org.xdi.service.cdi.event.UpdateScriptEvent] with qualifiers [@org.xdi.service.cdi.event.Scheduled()] 2017-12-05 10:29:28,064 DEBUG [oxAuthScheduler_Worker-4] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:62) - Bound request ended 2017-12-05 10:29:57,613 DEBUG [oxAuthScheduler_Worker-3] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:52) - Bound request started 2017-12-05 10:29:57,614 DEBUG [oxAuthScheduler_Worker-3] [org.xdi.service.timer.TimerJob] (TimerJob.java:34) - Fire timer event [org.xdi.service.cdi.event.ConfigurationEvent] with qualifier s [@org.xdi.service.cdi.event.Scheduled()] 2017-12-05 10:29:57,615 DEBUG [oxAuthScheduler_Worker-3] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:62) - Bound request ended 2017-12-05 10:29:57,765 DEBUG [oxAuthScheduler_Worker-1] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:52) - Bound request started 2017-12-05 10:29:57,766 DEBUG [oxAuthScheduler_Worker-1] [org.xdi.service.timer.TimerJob] (TimerJob.java:34) - Fire timer event [org.xdi.oxauth.service.cdi.event.AuthConfigurationEvent] wit h qualifiers [@org.xdi.service.cdi.event.Scheduled()] 2017-12-05 10:29:57,766 DEBUG [oxAuthScheduler_Worker-1] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:62) - Bound request ended 2017-12-05 10:29:58,041 DEBUG [oxAuthScheduler_Worker-2] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:52) - Bound request started 2017-12-05 10:29:58,041 DEBUG [oxAuthScheduler_Worker-2] [org.xdi.service.timer.TimerJob] (TimerJob.java:34) - Fire timer event [org.xdi.service.cdi.event.UpdateScriptEvent] with qualifiers [@org.xdi.service.cdi.event.Scheduled()] 2017-12-05 10:29:58,064 DEBUG [oxAuthScheduler_Worker-2] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:62) - Bound request ended ubuntu@gluuserver:/opt/gluu-server-3.1.1/opt/gluu/jetty/oxauth/logs$**

Ubuntu 14.04

closed

By Michael Schwartz Account Admin 05 Dec 2017 at 11:17 a.m. CST

Copy

What openid connect client software are you using? Can you show your code, and also show the request and response?

By Aliaksandr Samuseu staff 05 Dec 2017 at 12:43 p.m. CST

Copy

Hi, Sans. As Michael already has said, we need more data on this particular context. If you try to follow some guide from Gluu docs portal, please provide a link to it. Otherwise, please describe your setup in more details. You also need to create and share a HTTP traffic capture for the whole failing flow. I would suggest using Chrome dev console to create a HAR file of all requests. Check [this page](https://help.salesforce.com/articleView?id=000187144&language=en_US&type=1) for more details.

By Eric Sans user 06 Dec 2017 at 4:23 a.m. CST

Copy

Hi The context : We test our captive Portal integrated with our NAC solution with Gluu solution. The captive portal is Extreme Networks development and does not use any integrated code from other party. Our implementation works with google , Facebook , Yahoo , Salesforce Okta but unfortunately not with Gluu. I had information from Extreme Engineering regarding the token request and got this I am sending an http post request with 5 query string parameters sent in the message body: 1. • code=<access code returned from prior authorization request> 1. • client_id=<client application id configured at the provider> 1. • redirect_uri=<FQDN of NAC>/genprovider_oauthX) 1. • client_secret=<client application secret configured at the provider> 1. • grant_type=authorization_code **I got a trace request/response on the gluu server :** ``` gluuserver:443 192.168.20.84 - - [06/Dec/2017:10:02:50 +0000] "GET /index.html HTTP/1.1" 200 13425 "-" "Java/1.8.0_112" gluuserver:443 192.168.20.84 - - [06/Dec/2017:10:03:49 +0000] "GET /index.html HTTP/1.1" 200 13425 "-" "Java/1.8.0_112" gluuserver:443 192.168.20.154 - - [06/Dec/2017:10:04:48 +0000] "GET /.well-known/openid-configuration HTTP/1.1" 200 7554 "-" "Java/1.8.0_144" gluuserver:443 192.168.20.84 - - [06/Dec/2017:10:04:49 +0000] "GET /index.html HTTP/1.1" 200 13425 "-" "Java/1.8.0_112" gluuserver:443 192.168.30.32 - - [06/Dec/2017:10:05:03 +0000] "GET /oxauth/restv1/authorize?response_type=code&client_id=%40%2178FE.F41A.51C9.4B96%210001%212051.CA02%210008%217356.E502.A6D1.EA4A&redirect_uri=https%3A%2F%2Fengine1.showroom.fr%2Fgenprovider_oauth1&scope=openid&https%3A%2F%2Fengine1.showroom.fr%2Fgenprovider_oauth1=6ftyJfSr%3BDFF67D8C9E41CB62F18ECD7295960DD2&nonce=%5BB@a06bdcc HTTP/1.1" 302 2166 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.0 Mobile/14G60 Safari/602.1" gluuserver:443 192.168.30.32 - - [06/Dec/2017:10:05:04 +0000] "GET /oxauth/authorize?scope=openid&response_type=code&redirect_uri=https%3A%2F%2Fengine1.showroom.fr%2Fgenprovider_oauth1&nonce=%5BB%40a06bdcc&client_id=%40%2178FE.F41A.51C9.4B96%210001%212051.CA02%210008%217356.E502.A6D1.EA4A HTTP/1.1" 302 759 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.0 Mobile/14G60 Safari/602.1" gluuserver:443 192.168.30.32 - - [06/Dec/2017:10:05:04 +0000] "GET /oxauth/login HTTP/1.1" 200 2066 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.0 Mobile/14G60 Safari/602.1" gluuserver:443 192.168.30.32 - - [06/Dec/2017:10:05:46 +0000] "POST /oxauth/login HTTP/1.1" 302 846 "https://gluuserver/oxauth/login" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.0 Mobile/14G60 Safari/602.1" gluuserver:443 192.168.30.32 - - [06/Dec/2017:10:05:46 +0000] "GET /oxauth/authorize?scope=openid&response_type=code&redirect_uri=https%3A%2F%2Fengine1.showroom.fr%2Fgenprovider_oauth1&nonce=%5BB%40a06bdcc&client_id=%40%2178FE.F41A.51C9.4B96%210001%212051.CA02%210008%217356.E502.A6D1.EA4A HTTP/1.1" 302 1023 "https://gluuserver/oxauth/login" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.0 Mobile/14G60 Safari/602.1" gluuserver:443 192.168.30.32 - - [06/Dec/2017:10:05:46 +0000] "GET /oxauth/restv1/authorize?scope=openid&response_type=code&session_id=af7c6cf3-50a8-4566-b56e-b3c6e34e6fd4&redirect_uri=https%3A%2F%2Fengine1.showroom.fr%2Fgenprovider_oauth1&nonce=%5BB%40a06bdcc&client_id=%40%2178FE.F41A.51C9.4B96%210001%212051.CA02%210008%217356.E502.A6D1.EA4A HTTP/1.1" 302 632 "https://gluuserver/oxauth/login" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.0 Mobile/14G60 Safari/602.1" gluuserver:443 192.168.20.154 - - [06/Dec/2017:10:05:46 +0000] "GET /.well-known/openid-configuration HTTP/1.1" 200 6246 "-" "Java/1.8.0_144" gluuserver:443 192.168.20.154 - - [06/Dec/2017:10:05:46 +0000] "POST /oxauth/restv1/token HTTP/1.1" 200 659 "-" "Java/1.8.0_144" gluuserver:443 192.168.20.84 - - [06/Dec/2017:10:05:49 +0000] "GET /index.html HTTP/1.1" 200 13425 "-" "Java/1.8.0_112" ``` **Here is what we are seeing on the RP ** ``` 2017-12-06 11:05:56,872 DEBUG [GenProviderOauth] Raw data from getUserData: { "issuer": "https://gluuserver", "authorization_endpoint": "https://gluuserver/oxauth/restv1/authorize", "token_endpoint": "https://gluuserver/oxauth/restv1/token", "userinfo_endpoint": "https://gluuserver/oxauth/restv1/userinfo", "clientinfo_endpoint": "https://gluuserver/oxauth/restv1/clientinfo", "check_session_iframe": "https://gluuserver/oxauth/opiframe", "end_session_endpoint": "https://gluuserver/oxauth/restv1/end_session", "jwks_uri": "https://gluuserver/oxauth/restv1/jwks", "registration_endpoint": "https://gluuserver/oxauth/restv1/register", "id_generation_endpoint": "https://gluuserver/oxauth/restv1/id", "introspection_endpoint": "https://gluuserver/oxauth/restv1/introspection", "scopes_supported": [ "clientinfo", "user_name", "permission", "profile", "mobile_phone", "address", "phone", "Extreme Control Engine", "email", "openid" ], "response_types_supported": [ "code token", "code", "token", "code token id_token", "code id_token", "id_token", "token id_token" ], "grant_types_supported": [ "authorization_code", "client_credentials", "refresh_token", "implicit", "password", "urn:ietf:params:oauth:grant-type:uma-ticket" ], "acr_values_supported": [ "u2f", "auth_ldap_server" ], "auth_level_mapping": { "-1": ["auth_ldap_server"], "10": ["u2f"] }, "subject_types_supported": [ "public", "pairwise" ], "userinfo_signing_alg_values_supported": [ "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512" ], "userinfo_encryption_alg_values_supported": [ "RSA1_5", "RSA-OAEP", "A128KW", "A256KW" ], "userinfo_encryption_enc_values_supported": [ "RSA1_5", "RSA-OAEP", "A128KW", "A256KW" ], "id_token_signing_alg_values_supported": [ "none", "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512" ], "id_token_encryption_alg_values_supported": [ "RSA1_5", "RSA-OAEP", "A128KW", "A256KW" ], "id_token_encryption_enc_values_supported": [ "A128CBC+HS256", "A256CBC+HS512", "A128GCM", "A256GCM" ], "request_object_signing_alg_values_supported": [ "none", "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512" ], "request_object_encryption_alg_values_supported": [ "RSA1_5", "RSA-OAEP", "A128KW", "A256KW" ], "request_object_encryption_enc_values_supported": [ "A128CBC+HS256", "A256CBC+HS512", "A128GCM", "A256GCM" ], "token_endpoint_auth_methods_supported": [ "client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt" ], "token_endpoint_auth_signing_alg_values_supported": [ "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512" ], "display_values_supported": [ "page", "popup" ], "claim_types_supported": ["normal"], "claims_supported": [ "birthdate", "country", "name", "email", "email_verified", "given_name", "gender", "inum", "family_name", "updated_at", "locale", "middle_name", "nickname", "phone_number_verified", "picture", "preferred_username", "profile", "zoneinfo", "user_name", "website" ], "service_documentation": "http://gluu.org/docs", "claims_locales_supported": ["en"], "ui_locales_supported": [ "en", "es" ], "scope_to_claims_mapping": [ {"clientinfo": [ "name", "inum" ]}, {"user_name": ["user_name"]}, {"permission": []}, {"profile": [ "name", "family_name", "given_name", "middle_name", "nickname", "preferred_username", "profile", "picture", "website", "gender", "birthdate", "zoneinfo", "locale", "updated_at" ]}, {"mobile_phone": ["phone_mobile_number"]}, {"address": [ "formatted", "postal_code", "street_address", "locality", "country", "region" ]}, {"phone": [ "phone_number_verified", "phone_number" ]}, {"Extreme Control Engine": ["user_name"]}, {"email": [ "email_verified", "email" ]}, {"openid": []}, {"uma_protection": []} ], "claims_parameter_supported": true, "request_parameter_supported": true, "request_uri_parameter_supported": true, "require_request_uri_registration": false, "op_policy_uri": "http://ox.gluu.org/doku.php?id=oxauth:policy", "op_tos_uri": "http://ox.gluu.org/doku.php?id=oxauth:tos", "frontchannel_logout_supported": "true", "frontchannel_logout_session_supported": true} 2017-12-06 11:05:56,873 DEBUG [GenProviderOauth] JSON: {"request_parameter_supported":true,"introspection_endpoint":"https://gluuserver/oxauth/restv1/introspection","claims_parameter_supported":true,"check_session_iframe":"https://gluuserver/oxauth/opiframe","scopes_supported":["clientinfo","user_name","permission","profile","mobile_phone","address","phone","Extreme Control Engine","email","openid"],"issuer":"https://gluuserver","acr_values_supported":["u2f","auth_ldap_server"],"userinfo_encryption_enc_values_supported":["RSA1_5","RSA-OAEP","A128KW","A256KW"],"id_token_encryption_enc_values_supported":["A128CBC+HS256","A256CBC+HS512","A128GCM","A256GCM"],"authorization_endpoint":"https://gluuserver/oxauth/restv1/authorize","service_documentation":"http://gluu.org/docs","request_object_encryption_enc_values_supported":["A128CBC+HS256","A256CBC+HS512","A128GCM","A256GCM"],"display_values_supported":["page","popup"],"id_generation_endpoint":"https://gluuserver/oxauth/restv1/id","userinfo_signing_alg_values_supported":["HS256","HS384","HS512","RS256","RS384","RS512","ES256","ES384","ES512"],"claims_supported":["birthdate","country","name","email","email_verified","given_name","gender","inum","family_name","updated_at","locale","middle_name","nickname","phone_number_verified","picture","preferred_username","profile","zoneinfo","user_name","website"],"scope_to_claims_mapping":[{"clientinfo":["name","inum"]},{"user_name":["user_name"]},{"permission":[]},{"profile":["name","family_name","given_name","middle_name","nickname","preferred_username","profile","picture","website","gender","birthdate","zoneinfo","locale","updated_at"]},{"mobile_phone":["phone_mobile_number"]},{"address":["formatted","postal_code","street_address","locality","country","region"]},{"phone":["phone_number_verified","phone_number"]},{"Extreme Control Engine":["user_name"]},{"email":["email_verified","email"]},{"openid":[]},{"uma_protection":[]}],"claim_types_supported":["normal"],"op_policy_uri":"http://ox.gluu.org/doku.php?id=oxauth:policy","token_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post","client_secret_jwt","private_key_jwt"],"token_endpoint":"https://gluuserver/oxauth/restv1/token","response_types_supported":["code token","code","token","code token id_token","code id_token","id_token","token id_token"],"request_uri_parameter_supported":true,"userinfo_encryption_alg_values_supported":["RSA1_5","RSA-OAEP","A128KW","A256KW"],"grant_types_supported":["authorization_code","client_credentials","refresh_token","implicit","password","urn:ietf:params:oauth:grant-type:uma-ticket"],"end_session_endpoint":"https://gluuserver/oxauth/restv1/end_session","ui_locales_supported":["en","es"],"userinfo_endpoint":"https://gluuserver/oxauth/restv1/userinfo","token_endpoint_auth_signing_alg_values_supported":["HS256","HS384","HS512","RS256","RS384","RS512","ES256","ES384","ES512"],"op_tos_uri":"http://ox.gluu.org/doku.php?id=oxauth:tos","frontchannel_logout_supported":"true","auth_level_mapping":{"-1":["auth_ldap_server"],"10":["u2f"]},"require_request_uri_registration":false,"id_token_encryption_alg_values_supported":["RSA1_5","RSA-OAEP","A128KW","A256KW"],"jwks_uri":"https://gluuserver/oxauth/restv1/jwks","frontchannel_logout_session_supported":true,"subject_types_supported":["public","pairwise"],"id_token_signing_alg_values_supported":["none","HS256","HS384","HS512","RS256","RS384","RS512","ES256","ES384","ES512"],"registration_endpoint":"https://gluuserver/oxauth/restv1/register","claims_locales_supported":["en"],"clientinfo_endpoint":"https://gluuserver/oxauth/restv1/clientinfo","request_object_signing_alg_values_supported":["none","HS256","HS384","HS512","RS256","RS384","RS512","ES256","ES384","ES512"],"request_object_encryption_alg_values_supported":["RSA1_5","RSA-OAEP","A128KW","A256KW"]} 2017-12-06 11:05:56,874 DEBUG [GenProviderOauth] authorization_endpoint: https://gluuserver/oxauth/restv1/authorize 2017-12-06 11:05:56,874 DEBUG [GenProviderOauth] token_endpoint: https://gluuserver/oxauth/restv1/token 2017-12-06 11:05:56,874 DEBUG [GenProviderOauth] userinfo_endpoint: https://gluuserver/oxauth/restv1/userinfo 2017-12-06 11:05:56,874 DEBUG [GenProviderOauth] jwks_uri: https://gluuserver/oxauth/restv1/jwks 2017-12-06 11:05:56,874 DEBUG [GenProviderOauth] getting access token with Url=https://gluuserver/oxauth/restv1/token 2017-12-06 11:05:57,187 DEBUG [GenProviderOauth] Raw data from getAccessToken: {"access_token":"ad037e3b-19a6-422b-b00b-58c2b9292e70","token_type":"bearer","expires_in":299} 2017-12-06 11:05:57,188 DEBUG [GenProviderOauth] JSON: {"access_token":"ad037e3b-19a6-422b-b00b-58c2b9292e70","token_type":"bearer","expires_in":299} 2017-12-06 11:05:57,188 DEBUG [GenProviderOauth] access_token: ad037e3b-19a6-422b-b00b-58c2b9292e70 2017-12-06 11:05:57,188 DEBUG [GenProviderOauth] expires_in: 299 2017-12-06 11:05:57,188 ERROR [NacCaptivePortalGenProviderOauthRegAction] Unable to verify id_token []., for MAC: 98-10-E8-5E-E5-40 IP: 192.168.30.32 ``` As you can see id_token is null: **2017-12-06 11:05:57,188 ERROR [NacCaptivePortalGenProviderOauthRegAction] Unable to verify id_token []., for MAC: 98-10-E8-5E-E5-40 IP: 192.168.30.32** Please note that the captive portal ip address 192.168.20.154 Browser : 192.168.30.32 Gluu server : 192.168.20.84 Nerxt post i will add trace from Web app and Gluu server

By Eric Sans user 06 Dec 2017 at 8:40 a.m. CST

Copy

Attached HAR capture

Video or screenshot link

By Michael Schwartz Account Admin 06 Dec 2017 at 11:04 a.m. CST

Copy

Please paste the ldif for the client (i.e. the entry under `ou=clients,o=(org-inum),o=gluu`)

By Aliaksandr Samuseu staff 06 Dec 2017 at 9:40 p.m. CST

Copy

From what I see in logs and in capture you provided, the flow does seem to proceed as expected, until, perhaps the very end when response from token endpoint is received by RP. This is the tricky part as the full request/response for this type of flow don't end in any of logs provided so far, as it's done via back-channel (though from Apache(?) trace you provided, it can be seen that attempt to contact it was made, and from RP logs it's obvious that at least access token is received). In addition to what Michael requested above, I also would propose to create a dump of that final phase with `mod_dumpio` module for Apache so we could see the full conversation. Here are steps to enable `mod_dumpio` in Ubuntu 14's container: 1) Check whether module is already enabled: `# apachectl -M 2>1 | grep dumpio`. If grep won't return a string with its name, it isn't. In such case enable it by running `# a2enmod dump_io` 2) Now in the `/etc/apache2/sites-enabled/https_gluu.conf`, in section defining Gluu instance's virtual host, find place where logging is configured (should be a single string `LogLevel warn`) and add next directives right below of it: ``` DumpIOInput On DumpIOOutput On LogLevel dumpio:trace7 ``` 3) Restart Apache More about `dumpio` [here](https://httpd.apache.org/docs/2.4/mod/mod_dumpio.html). After these changes Apache should start to dump all HTTP traffic to `/var/log/apache2/error.log` file. You will need to run your failing OIDC flow again, and provide us a full dump it will generate in the file (will be too big to post, please share via other means) Don't forget to disable it after that, it tends to consume disk space quickly.

By Eric Sans user 08 Dec 2017 at 3:34 a.m. CST

Copy

Could you plaese let me know how can do that ? i did not find in the UI Please paste the ldif for the client (i.e. the entry under ou=clients,o=(org-inum),o=gluu) Eric

By Eric Sans user 08 Dec 2017 at 4:07 a.m. CST

Copy

Hi I'm unable to load the dump_io module. i have this message root@gluuserver:/opt/gluu-server-3.1.1/usr/lib/apache2/modules# /opt/gluu-server-3.1.1/usr/sbin/a2enmod dump_io ERROR: Module dump_io does not exist! However the module is present in root@gluuserver:/opt/gluu-server-3.1.1/usr/lib/apache2/modules# mod_dumpio.so i'm running as root access

By Eric Sans user 08 Dec 2017 at 5:12 a.m. CST

Copy

Fianally i was able to get the trace from apache2

Video or screenshot link

By Aliaksandr Samuseu staff 08 Dec 2017 at 5:26 a.m. CST

Copy

Hi, Eric. Thanks, but please also provide client's metadata requested by Michael.

By Eric Sans user 08 Dec 2017 at 6:59 a.m. CST

Copy

Hi I would like but i have no idea how can i export these data. Eric

By Mohib Zico Account Admin 13 Dec 2017 at 6:53 a.m. CST

Copy

>> I would like but i have no idea how can i export these data. You can either use ldap browser to grab 'ou=clients' DN or by using ldapsearch to do that. [Here](https://gluu.org/docs/ce/3.1.1/user-management/local-user-management/) is an example how you can connect to your Gluu Server's LDAP by using ldap browser from your computer.

By Eric Sans user 13 Dec 2017 at 8:13 a.m. CST

Copy

Hi I'm sorry but iu followed the documentation form the link attached but unfortunately nothing works **ldapsearch is unable to execute. i have this message **Please set OPENDJ_JAVA_HOME to the root of a Java 7 (or higher) installation or edit the java.properties file and then run the dsjavaproperties script to specify the Java version to be used I tried to use a ldap browser. i have created the tunnel ssh -L 5901:localhost:1636 root@192.168.20.84 i created a profile with jxeplorer and i tried to connect. The server refused the conenction request: TCP RST I have no idea how can i extract these informations from this server. Please if you have suggestion Eric

By Aliaksandr Samuseu staff 13 Dec 2017 at 8:17 a.m. CST

Copy

Hi, Eric. Please use the full path to the tool: `/opt/opendj/bin/ldapsearch`

By Eric Sans user 13 Dec 2017 at 8:22 a.m. CST

Copy

Got the same issue root@gluuserver:/# /opt/gluu-server-3.1.1/opt/opendj/bin/ldapsearch Please set OPENDJ_JAVA_HOME to the root of a Java 7 (or higher) installation or edit the java.properties file and then run the dsjavaproperties script to specify the Java version to be used

By Aliaksandr Samuseu staff 13 Dec 2017 at 8:49 a.m. CST

Copy

Got it. Please note that for all Gluu-related configuration actions, you must enter its chroot container, unless explicitly instructed otherwise. You are trying to run it from outside of container, you need `# service gluu-server-3.1.1 login` first

By Eric Sans user 13 Dec 2017 at 9:17 a.m. CST

Copy

This is what i used but i'm not sure this is what you want ``` GLUU.root@gluuserver:~# ldapsearch -p 1636 -Z -X -D 'cn=directory manager,o=gluu' -w 'XXXXXX' -b o=gluu ou=clients o=org-inum 1.1 dn: ou=clients,o=@!78FE.F41A.51C9.4B96!0001!2051.CA02,o=gluu ``` Please provide the exact ldapsearch command , it will be usefull

By Aliaksandr Samuseu staff 13 Dec 2017 at 10:08 a.m. CST

Copy

First, you need to check corresponding client's metadata page in admin web UI and find out its "inum" attribute (line like "@!XXX..."). Then, issue next command using inum you found out: `# ldapsearch -p 1636 -Z -X -D 'cn=directory manager,o=gluu' -w 'XXXXXX' -b 'ou=clients,o=@!78FE.F41A.51C9.4B96!0001!2051.CA02,o=gluu' '&(inum=@!XXX.XXX..XXX)'`

By Eric Sans user 13 Dec 2017 at 10:19 a.m. CST

Copy

Thanks not easy to find ourself ``` GLUU.root@gluuserver:~# ldapsearch -p 1636 -Z -X -D 'cn=directory manager,o=gluu' -w 'XXXXXXX' -b 'ou=clients,o=@!78FE.F41A.51C9.4B96!0001!2051.CA02,o=gluu' '&(inum=@!78FE.F41A.51C9.4B96!0001!2051.CA02!0008!7356.E502.A6D1.EA4A)' dn: inum=@!78FE.F41A.51C9.4B96!0001!2051.CA02!0008!7356.E502.A6D1.EA4A,ou=client s,o=@!78FE.F41A.51C9.4B96!0001!2051.CA02,o=gluu oxAuthDefaultMaxAge: 300 oxDisabled: false displayName: engine.showroom.fr oxAuthClientSecret: XXXXXXXXXXXXXXXXXXXXXXXX oxAuthGrantType: authorization_code oxAuthIdTokenEncryptedResponseAlg: RSA1_5 oxAuthIdTokenEncryptedResponseEnc: A128CBC+HS256 oxAuthIdTokenSignedResponseAlg: HS256 inum: @!78FE.F41A.51C9.4B96!0001!2051.CA02!0008!7356.E502.A6D1.EA4A oxAuthLogoutSessionRequired: false oxAuthAppType: web oxPersistClientAuthorizations: true oxAuthScope: inum=@!78FE.F41A.51C9.4B96!0001!2051.CA02!0009!F0C4,ou=scopes,o=@!7 8FE.F41A.51C9.4B96!0001!2051.CA02,o=gluu oxAuthTrustedClient: false oxIncludeClaimsInIdToken: false oxAuthRequestObjectEncryptionAlg: RSA1_5 oxAuthRequestObjectEncryptionEnc: A128CBC+HS256 oxAuthRequestObjectSigningAlg: none oxAuthRequireAuthTime: true oxAuthSubjectType: public oxAuthTokenEndpointAuthSigningAlg: none oxAuthUserInfoEncryptedResponseAlg: RSA1_5 oxAuthUserInfoEncryptedResponseEnc: A128CBC+HS256 oxAuthSignedResponseAlg: none objectClass: oxAuthClient objectClass: top oxAuthResponseType: code oxAuthTokenEndpointAuthMethod: client_secret_post oxAuthRedirectURI: https://engine1.showroom.fr/genprovider_oauth1 oxLastLogonTime: 20171208131132.271Z oxLastAccessTime: 20171208131132.271Z ```

By Aliaksandr Samuseu staff 13 Dec 2017 at 8:55 p.m. CST

Copy

Hi, Eric. From your client's dump, I see you're trying to set encryption for both `id_token` and userinfo endpoint's response. You also seem to use asymmetric encryption algorithms for both. It's most likely the cause of issue you observe. In case you insist on using those algorithms, you at least must set either "JWKS URI" or "JWKS" metadata properties as well (the former is url to JWKS containing your client's public keys, the later is JWKS with those keys itself). The other options are to either disable all encryption features you've set so far (perhaps it will be better to just remove the registration and create a new one, to ensure all your changes are flushed), or try to employ symmetric encryption algorithms (starting with "HS") which should work without additional administration overhead of generating/publishing your keys.

By Aliaksandr Samuseu staff 14 Dec 2017 at 10:50 a.m. CST

Copy

Must correct myself: the symmetric algorithms used for key encryption seems to be "A128KW" and "A256KW", so that's what you should try to use for "JWE alg Algorithm for encrypting the ID Token" and "JWE alg Algorithm for encrypting the UserInfo Responses". "HS" family is symmetric algorithms for signing those items, not encrypting them (you already have them selected for that, so no change is required for signing). I would suggest to start with a new, clean and default, client registration, make sure it works, then try adding/changing signing and encryption for items you need to use different algorithms, step by step, testing it after each iteration.

By Eric Sans user 15 Dec 2017 at 6:57 a.m. CST

Copy

Hi I have destroyed my client config and recreated from scratch a new client. Here is the parameters i used ``` GLUU.root@gluuserver:~# ldapsearch -p 1636 -Z -X -D 'cn=directory manager,o=gluu' -w '@120CdG#' -b 'ou=clients,o=@!78FE.F41A.51C9.4B96!0001!2051.CA02,o=gluu' '&(inum=@!78FE.F41A.51C9.4B96!0001!2051.CA02!0008!E596.97A8.EF2F.B938)' dn: inum=@!78FE.F41A.51C9.4B96!0001!2051.CA02!0008!E596.97A8.EF2F.B938,ou=client s,o=@!78FE.F41A.51C9.4B96!0001!2051.CA02,o=gluu oxDisabled: false oxAuthClientSecret: XXXXXXXXXXXXXXXX inum: @!78FE.F41A.51C9.4B96!0001!2051.CA02!0008!E596.97A8.EF2F.B938 oxAuthLogoutSessionRequired: false oxAuthAppType: web oxPersistClientAuthorizations: true oxAuthTrustedClient: false oxIncludeClaimsInIdToken: false oxAuthSubjectType: pairwise oxAuthTokenEndpointAuthMethod: client_secret_post objectClass: oxAuthClient objectClass: top oxAuthGrantType: authorization_code oxAuthRedirectURI: https://engine1.showroom.fr/genprovider_oauth1 oxAuthResponseType: code oxAuthScope: inum=@!78FE.F41A.51C9.4B96!0001!2051.CA02!0009!F0C4,ou=scopes,o=@!7 8FE.F41A.51C9.4B96!0001!2051.CA02,o=gluu oxLastLogonTime: 20171215105546.889Z oxLastAccessTime: 20171215105546.889Z displayName: engine1.showroom.fr ``` This config works with my RP client but it looks like that on the RP side i do not decrypt the userinfo. May be i have to specify something for my RP de decrypt it **Here is the logs from my RP (ID_TOKEN and UserInfo )** ``` Raw data from getUserData: {"keys": [ { "kid": "a169b748-abca-40a4-b2d6-06238693132c", "kty": "RSA", "use": "sig", "alg": "RS256", "exp": 1543498143119, "n": "mhgxP0TPtHCyzGD5kW47nXQPdEqyhWMJNMrAq2SFMqdCMB9PVH4irZ_Mj5LGUzlStm2WQCkXM1zhLSNx_8jUy0jU_fXnq6mryzlwKoFNcR9dp_75Sm6HjX0-U7Ba0lCfPYAmptiFZPCIke68b2rO-d1m7zAq6EWFrGjuIe7sARPAW-Xpd1dw0odXcUGD4WfV2mxWt71hxMUrf5KwRzXdDpPufJskAna-XMF8YB7byBa9e2wLM_R22Y693nOosO7g47BMa2p3amnf3edSpge8g11FVc6UDdhoDNype1f58HU71KnOaQ2ufmwnKr7-5uRbmO7J1Jgirg6JyCbdudm_GQ", "e": "AQAB", "x5c": ["MIIDBDCCAeygAwIBAgIhAJc3aFEqB/Nt+p1YHG0NMkYfx4f2VdqQz4PaTGrKCR5GMA0GCSqGSIb3DQEBCwUAMCExHzAdBgNVBAMMFm94QXV0aCBDQSBDZXJ0aWZpY2F0ZXMwHhcNMTcxMTI5MTMyODU0WhcNMTgxMTI5MTMyOTAzWjAhMR8wHQYDVQQDDBZveEF1dGggQ0EgQ2VydGlmaWNhdGVzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmhgxP0TPtHCyzGD5kW47nXQPdEqyhWMJNMrAq2SFMqdCMB9PVH4irZ/Mj5LGUzlStm2WQCkXM1zhLSNx/8jUy0jU/fXnq6mryzlwKoFNcR9dp/75Sm6HjX0+U7Ba0lCfPYAmptiFZPCIke68b2rO+d1m7zAq6EWFrGjuIe7sARPAW+Xpd1dw0odXcUGD4WfV2mxWt71hxMUrf5KwRzXdDpPufJskAna+XMF8YB7byBa9e2wLM/R22Y693nOosO7g47BMa2p3amnf3edSpge8g11FVc6UDdhoDNype1f58HU71KnOaQ2ufmwnKr7+5uRbmO7J1Jgirg6JyCbdudm/GQIDAQABoycwJTAjBgNVHSUEHDAaBggrBgEFBQcDAQYIKwYBBQUHAwIGBFUdJQAwDQYJKoZIhvcNAQELBQADggEBAEUnli69t8UyVKs69U9peDnkvGV9DemGivCjp7No9Rw+N0eIniMX1JTtJNKqpuETSg2t4vPV2ntyLBtyDEDCUL8gLajWpAoS9vns0m2msXvgoO8fW7oYLXt+rmWgzAOrQl0HSr9NW3p7GeHy6mNLc+G2sWorCrEdlZV7tnsmpugpoV/6X2HYpLiiZmm/TwFva9btqCA4IJqv3NmNAr18EedjXLPW2lqc/ZbwgZOBBp+eLWMY62Y2pMuXH+MWunSW4QUcbLrmXiut7XIU9BCHtK6e16aRO0llyO83EDS4Q2s3aUQHoyLPbU2OmeukO9BfzHhqCN/0GQMBhIepB0f4qe0="] }, { "kid": "1c5a2430-921d-4776-9753-9740d6f6eeea", "kty": "RSA", "use": "sig", "alg": "RS384", "exp": 1543498143119, "n": "loT4QpfuDgjfBZ6riZGOkS3L11JRJgUEJLlkqNMIrshGX-Klq5SAt_VRqOGSyyDkP0yw9mDT-Qflg0gyULFdlcRzgw_viR84eKKlgpeCu7w5-eiz-hi9RxIKrDAaSEWPBSvRHM5XfO1W6rOt-3sSHqz2r_9jKytaVHTHkek4d2ePuUZ1V0sKJGGJwttGVdYhogZfyAkklDLsTh-4ew97bKujUuPSOZjcaJljLAOj285_6MNeHguzTWtpOftaluItPHOaLs6NzCNeo_tNvPgzGIoR1DWUVGm1OCrQBdVPGVLVuS5mLw7pdWxxOiMarS7cUYHYoACP-iOj1mRw3-QVoQ", "e": "AQAB", "x5c": ["MIIDAzCCAeugAwIBAgIgdnYNM0YLnqUBOa6d67uFEUdY0N657iJQnf6BadSUbnkwDQYJKoZIhvcNAQEMBQAwITEfMB0GA1UEAwwWb3hBdXRoIENBIENlcnRpZmljYXRlczAeFw0xNzExMjkxMzI4NTRaFw0xODExMjkxMzI5MDNaMCExHzAdBgNVBAMMFm94QXV0aCBDQSBDZXJ0aWZpY2F0ZXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCWhPhCl+4OCN8FnquJkY6RLcvXUlEmBQQkuWSo0wiuyEZf4qWrlIC39VGo4ZLLIOQ/TLD2YNP5B+WDSDJQsV2VxHODD++JHzh4oqWCl4K7vDn56LP6GL1HEgqsMBpIRY8FK9Eczld87Vbqs637exIerPav/2MrK1pUdMeR6Th3Z4+5RnVXSwokYYnC20ZV1iGiBl/ICSSUMuxOH7h7D3tsq6NS49I5mNxomWMsA6Pbzn/ow14eC7NNa2k5+1qW4i08c5ouzo3MI16j+028+DMYihHUNZRUabU4KtAF1U8ZUtW5LmYvDul1bHE6IxqtLtxRgdigAI/6I6PWZHDf5BWhAgMBAAGjJzAlMCMGA1UdJQQcMBoGCCsGAQUFBwMBBggrBgEFBQcDAgYEVR0lADANBgkqhkiG9w0BAQwFAAOCAQEATBafKviRaQoVBprmIzK1jzwVEfU0tLAACF2DukvTruYPF6dOHEYWFLcqR+8ViH+7tZsSoJBAuIFiOaOBfDCoFzLGqs6uGSPjpMUMN5rC98Xv3NWZy3OJTShhBmOt9LbQQU0pefj19UfxaGU6jn+DPeOCUYs5thb8y9CA3g7lRT6N8007jm0OXIRzOzYaNwoOPHYJ7vWwODYh8yTjWwM5VMNIUFlL3G/unlsNppyXU3sZ7rk/f8EZeaDOUrcogRpRkDWin47YGTw5IDkqjTIAbOlXQxlb+rNuvdH9g5cuyI46Mw4DmCS/82dyNAjZjfQQS7Eg01AIGDCG223g/aGDzg=="] }, { "kid": "b2295b3e-96e2-470d-a502-a4ae3bd84bd0", "kty": "RSA", "use": "sig", "alg": "RS512", "exp": 1543498143119, "n": "v5JQk8SyLv8mIWCxhk1dNRe00LQQTMPCoDbRIawLoIS5oEvBDcCEGIDqMa1rkMp3PrFNd7GkE86-Sc_FZnkwwbboYNjiYeHXx3kxriF0a1XNLFxJzIKVxakv4MJlppogY1TzvrdLkrsuLw8XoRS31wgWRw8lnZQXhM9pOqlGbMAirmgNR7nz4ZG3eQLea-qXo7gVllGpdH7_15OAgEcq3o9v8-EPTx-JetbiqYPmFAcWPpIXcEAKRIURaeijJKw15uM30m-hHxm8jFapt-bSiWoAzGUyEHUEWHMn_lZJEszebN-6WIFp5mQIbRbUErMNpVGMLhqQRGV4vvkZmxY--Q", "e": "AQAB", "x5c": ["MIIDAzCCAeugAwIBAgIgVNP7HV6UXKd9Bn6k8cww0g4HeLlcXRQcryfKNw1iCaUwDQYJKoZIhvcNAQENBQAwITEfMB0GA1UEAwwWb3hBdXRoIENBIENlcnRpZmljYXRlczAeFw0xNzExMjkxMzI4NTVaFw0xODExMjkxMzI5MDNaMCExHzAdBgNVBAMMFm94QXV0aCBDQSBDZXJ0aWZpY2F0ZXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/klCTxLIu/yYhYLGGTV01F7TQtBBMw8KgNtEhrAughLmgS8ENwIQYgOoxrWuQync+sU13saQTzr5Jz8VmeTDBtuhg2OJh4dfHeTGuIXRrVc0sXEnMgpXFqS/gwmWmmiBjVPO+t0uSuy4vDxehFLfXCBZHDyWdlBeEz2k6qUZswCKuaA1HufPhkbd5At5r6pejuBWWUal0fv/Xk4CARyrej2/z4Q9PH4l61uKpg+YUBxY+khdwQApEhRFp6KMkrDXm4zfSb6EfGbyMVqm35tKJagDMZTIQdQRYcyf+VkkSzN5s37pYgWnmZAhtFtQSsw2lUYwuGpBEZXi++RmbFj75AgMBAAGjJzAlMCMGA1UdJQQcMBoGCCsGAQUFBwMBBggrBgEFBQcDAgYEVR0lADANBgkqhkiG9w0BAQ0FAAOCAQEAIBxPGlSpyTUzX8Hi/to21uROeZZx8cLOoOpejkU55c3ph47HGdB8ZnkUXz6h1zecrWDoelLOXyNNwhGyvUY+kIVFLThlUTbisb7LJ03fxvk/18qe/+S3b+Hb+NrOXeBuOUBTJvPxIQLFjvIvSleM7ve1FgCsbB1MdLi/zn2G1qx9HUk0adIZwlqPrBMfFo1kk6cWqXzSKGLj37aP1Zbk0f75M16XzFS4JQgdPBDFzjY/eFVE6+Wro9C+/Qlwq5FRE9dBHGNz2nQpHv7n8MSQA4IuHrhbdbbhp6tUzXxmaL+b54aO7yMpT1euiWyBrNhOhfNN5Aun4x0TkBABuXa3Nw=="] }, { "kid": "7f454bd5-1ace-4bf5-a5bc-e7907b3b6ff1", "kty": "EC", "use": "sig", "alg": "ES256", "exp": 1543498143119, "crv": "P-256", "x": "1fu2P-3JzN8coZIZiEUex9a07ut21whk9BtWAIZ1lHU", "y": "npx-DyNCw65B9MuSZPRP3p9gOD3tHa4EBX1p9XZ0KmI", "x5c": ["MIIBdzCCAR2gAwIBAgIgPNodLAZ4xN48HydAgonrZaJCl7NS2XgSAQWX/t7sRNowCgYIKoZIzj0EAwIwITEfMB0GA1UEAwwWb3hBdXRoIENBIENlcnRpZmljYXRlczAeFw0xNzExMjkxMzI4NTVaFw0xODExMjkxMzI5MDNaMCExHzAdBgNVBAMMFm94QXV0aCBDQSBDZXJ0aWZpY2F0ZXMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATV+7Y/7cnM3xyhkhmIRR7H1rTu63bXCGT0G1YAhnWUdZ6cfg8jQsOuQfTLkmT0T96fYDg97R2uBAV9afV2dCpioycwJTAjBgNVHSUEHDAaBggrBgEFBQcDAQYIKwYBBQUHAwIGBFUdJQAwCgYIKoZIzj0EAwIDSAAwRQIgbzk+4xRMFB1isJd8GfAyaGv+cx9PcveUbfjo0vmvHaYCIQCAT8Z9CRaKvAMpHbPhABYAU+krbeTuUhg+m3yk6qG2vw=="] }, { "kid": "e3a7710b-38f0-498c-8c64-58606401f603", "kty": "EC", "use": "sig", "alg": "ES384", "exp": 1543498143119, "crv": "P-384", "x": "kzjmcUsHaSE6OGePIcJazaTwoxl3FInQMQaF6sWasF-p9B6gBZtY-7CjwUd6pmgY", "y": "ZfQrQBuMxG2vLBEUNBC6CJeSpc6Uu383UVzfjSSgBjPnYIVj1bWtPeHHDV1041P6", "x5c": ["MIIBtDCCATugAwIBAgIhAMRu+dDU63pBP++oINut+5Y0TGK7ceCamgnPpwZt7+/CMAoGCCqGSM49BAMDMCExHzAdBgNVBAMMFm94QXV0aCBDQSBDZXJ0aWZpY2F0ZXMwHhcNMTcxMTI5MTMyODU1WhcNMTgxMTI5MTMyOTAzWjAhMR8wHQYDVQQDDBZveEF1dGggQ0EgQ2VydGlmaWNhdGVzMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEkzjmcUsHaSE6OGePIcJazaTwoxl3FInQMQaF6sWasF+p9B6gBZtY+7CjwUd6pmgYZfQrQBuMxG2vLBEUNBC6CJeSpc6Uu383UVzfjSSgBjPnYIVj1bWtPeHHDV1041P6oycwJTAjBgNVHSUEHDAaBggrBgEFBQcDAQYIKwYBBQUHAwIGBFUdJQAwCgYIKoZIzj0EAwMDZwAwZAIwZHBK7ijnXE3outTc0igWwdlgrneGnMd049XKSg3NtwsVTfRsnt5qCbIJYvmPYghvAjAzp2zcbbLTWQ818XHO1eKloLBMXVnxMYOK5kzYGes+dYEDRf8n//3oQRqnWcBfets="] }, { "kid": "9a3aa395-4e16-4ae6-ad29-4799686037dc", "kty": "EC", "use": "sig", "alg": "ES512", "exp": 1543498143119, "crv": "P-521", "x": "MeNorxxf_NW00prpGk564_h3AnXzNuMhKhJc65g9R65IbaEx8bO_uH6ozRiscE1pBx-eSgIS2ezrMitQG0fouHw", "y": "Ad_OiVB3-upgpTqF4BN695pYRtSbnnV5J68qbjB6UCd1s24wRJaUs2F4EmqKNJd5Z-HTEhPM_j2OCX18B66SuiX9", "x5c": ["MIICADCCAWGgAwIBAgIhAIQVm+KpUiKSy/+Z8jEUwSuA9lAHf7eWGKSchmYOBb4CMAoGCCqGSM49BAMEMCExHzAdBgNVBAMMFm94QXV0aCBDQSBDZXJ0aWZpY2F0ZXMwHhcNMTcxMTI5MTMyODU1WhcNMTgxMTI5MTMyOTAzWjAhMR8wHQYDVQQDDBZveEF1dGggQ0EgQ2VydGlmaWNhdGVzMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAMeNorxxf/NW00prpGk564/h3AnXzNuMhKhJc65g9R65IbaEx8bO/uH6ozRiscE1pBx+eSgIS2ezrMitQG0fouHwB386JUHf66mClOoXgE3r3mlhG1JuedXknrypuMHpQJ3WzbjBElpSzYXgSaoo0l3ln4dMSE8z+PY4JfXwHrpK6Jf2jJzAlMCMGA1UdJQQcMBoGCCsGAQUFBwMBBggrBgEFBQcDAgYEVR0lADAKBggqhkjOPQQDBAOBjAAwgYgCQgGZ5ZRg/mhtWxwamVgG8hKTOo0Q3L8fnIOedD3jY0hObXeoXzJLJMyJm5+IvvOlCHI8X+dQzRNLFlxzVfz24dXL4gJCAUhM7bSpTuvSUIwlMLLGn/gw90Ca1QgoUwN/sPhj+ziRFfqywlVdv6T1VlojqOFHHAtLfF8DRQDXorEk8x6EwqvJ"] }]} 2017-12-15 11:22:43,336 DEBUG [GenProviderOauth] JSON: {"keys":[{"kty":"RSA","e":"AQAB","use":"sig","kid":"a169b748-abca-40a4-b2d6-06238693132c","x5c":["MIIDBDCCAeygAwIBAgIhAJc3aFEqB/Nt+p1YHG0NMkYfx4f2VdqQz4PaTGrKCR5GMA0GCSqGSIb3DQEBCwUAMCExHzAdBgNVBAMMFm94QXV0aCBDQSBDZXJ0aWZpY2F0ZXMwHhcNMTcxMTI5MTMyODU0WhcNMTgxMTI5MTMyOTAzWjAhMR8wHQYDVQQDDBZveEF1dGggQ0EgQ2VydGlmaWNhdGVzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmhgxP0TPtHCyzGD5kW47nXQPdEqyhWMJNMrAq2SFMqdCMB9PVH4irZ/Mj5LGUzlStm2WQCkXM1zhLSNx/8jUy0jU/fXnq6mryzlwKoFNcR9dp/75Sm6HjX0+U7Ba0lCfPYAmptiFZPCIke68b2rO+d1m7zAq6EWFrGjuIe7sARPAW+Xpd1dw0odXcUGD4WfV2mxWt71hxMUrf5KwRzXdDpPufJskAna+XMF8YB7byBa9e2wLM/R22Y693nOosO7g47BMa2p3amnf3edSpge8g11FVc6UDdhoDNype1f58HU71KnOaQ2ufmwnKr7+5uRbmO7J1Jgirg6JyCbdudm/GQIDAQABoycwJTAjBgNVHSUEHDAaBggrBgEFBQcDAQYIKwYBBQUHAwIGBFUdJQAwDQYJKoZIhvcNAQELBQADggEBAEUnli69t8UyVKs69U9peDnkvGV9DemGivCjp7No9Rw+N0eIniMX1JTtJNKqpuETSg2t4vPV2ntyLBtyDEDCUL8gLajWpAoS9vns0m2msXvgoO8fW7oYLXt+rmWgzAOrQl0HSr9NW3p7GeHy6mNLc+G2sWorCrEdlZV7tnsmpugpoV/6X2HYpLiiZmm/TwFva9btqCA4IJqv3NmNAr18EedjXLPW2lqc/ZbwgZOBBp+eLWMY62Y2pMuXH+MWunSW4QUcbLrmXiut7XIU9BCHtK6e16aRO0llyO83EDS4Q2s3aUQHoyLPbU2OmeukO9BfzHhqCN/0GQMBhIepB0f4qe0="],"exp":1543498143119,"alg":"RS256","n":"mhgxP0TPtHCyzGD5kW47nXQPdEqyhWMJNMrAq2SFMqdCMB9PVH4irZ_Mj5LGUzlStm2WQCkXM1zhLSNx_8jUy0jU_fXnq6mryzlwKoFNcR9dp_75Sm6HjX0-U7Ba0lCfPYAmptiFZPCIke68b2rO-d1m7zAq6EWFrGjuIe7sARPAW-Xpd1dw0odXcUGD4WfV2mxWt71hxMUrf5KwRzXdDpPufJskAna-XMF8YB7byBa9e2wLM_R22Y693nOosO7g47BMa2p3amnf3edSpge8g11FVc6UDdhoDNype1f58HU71KnOaQ2ufmwnKr7-5uRbmO7J1Jgirg6JyCbdudm_GQ"},{"kty":"RSA","e":"AQAB","use":"sig","kid":"1c5a2430-921d-4776-9753-9740d6f6eeea","x5c":["MIIDAzCCAeugAwIBAgIgdnYNM0YLnqUBOa6d67uFEUdY0N657iJQnf6BadSUbnkwDQYJKoZIhvcNAQEMBQAwITEfMB0GA1UEAwwWb3hBdXRoIENBIENlcnRpZmljYXRlczAeFw0xNzExMjkxMzI4NTRaFw0xODExMjkxMzI5MDNaMCExHzAdBgNVBAMMFm94QXV0aCBDQSBDZXJ0aWZpY2F0ZXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCWhPhCl+4OCN8FnquJkY6RLcvXUlEmBQQkuWSo0wiuyEZf4qWrlIC39VGo4ZLLIOQ/TLD2YNP5B+WDSDJQsV2VxHODD++JHzh4oqWCl4K7vDn56LP6GL1HEgqsMBpIRY8FK9Eczld87Vbqs637exIerPav/2MrK1pUdMeR6Th3Z4+5RnVXSwokYYnC20ZV1iGiBl/ICSSUMuxOH7h7D3tsq6NS49I5mNxomWMsA6Pbzn/ow14eC7NNa2k5+1qW4i08c5ouzo3MI16j+028+DMYihHUNZRUabU4KtAF1U8ZUtW5LmYvDul1bHE6IxqtLtxRgdigAI/6I6PWZHDf5BWhAgMBAAGjJzAlMCMGA1UdJQQcMBoGCCsGAQUFBwMBBggrBgEFBQcDAgYEVR0lADANBgkqhkiG9w0BAQwFAAOCAQEATBafKviRaQoVBprmIzK1jzwVEfU0tLAACF2DukvTruYPF6dOHEYWFLcqR+8ViH+7tZsSoJBAuIFiOaOBfDCoFzLGqs6uGSPjpMUMN5rC98Xv3NWZy3OJTShhBmOt9LbQQU0pefj19UfxaGU6jn+DPeOCUYs5thb8y9CA3g7lRT6N8007jm0OXIRzOzYaNwoOPHYJ7vWwODYh8yTjWwM5VMNIUFlL3G/unlsNppyXU3sZ7rk/f8EZeaDOUrcogRpRkDWin47YGTw5IDkqjTIAbOlXQxlb+rNuvdH9g5cuyI46Mw4DmCS/82dyNAjZjfQQS7Eg01AIGDCG223g/aGDzg=="],"exp":1543498143119,"alg":"RS384","n":"loT4QpfuDgjfBZ6riZGOkS3L11JRJgUEJLlkqNMIrshGX-Klq5SAt_VRqOGSyyDkP0yw9mDT-Qflg0gyULFdlcRzgw_viR84eKKlgpeCu7w5-eiz-hi9RxIKrDAaSEWPBSvRHM5XfO1W6rOt-3sSHqz2r_9jKytaVHTHkek4d2ePuUZ1V0sKJGGJwttGVdYhogZfyAkklDLsTh-4ew97bKujUuPSOZjcaJljLAOj285_6MNeHguzTWtpOftaluItPHOaLs6NzCNeo_tNvPgzGIoR1DWUVGm1OCrQBdVPGVLVuS5mLw7pdWxxOiMarS7cUYHYoACP-iOj1mRw3-QVoQ"},{"kty":"RSA","e":"AQAB","use":"sig","kid":"b2295b3e-96e2-470d-a502-a4ae3bd84bd0","x5c":["MIIDAzCCAeugAwIBAgIgVNP7HV6UXKd9Bn6k8cww0g4HeLlcXRQcryfKNw1iCaUwDQYJKoZIhvcNAQENBQAwITEfMB0GA1UEAwwWb3hBdXRoIENBIENlcnRpZmljYXRlczAeFw0xNzExMjkxMzI4NTVaFw0xODExMjkxMzI5MDNaMCExHzAdBgNVBAMMFm94QXV0aCBDQSBDZXJ0aWZpY2F0ZXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/klCTxLIu/yYhYLGGTV01F7TQtBBMw8KgNtEhrAughLmgS8ENwIQYgOoxrWuQync+sU13saQTzr5Jz8VmeTDBtuhg2OJh4dfHeTGuIXRrVc0sXEnMgpXFqS/gwmWmmiBjVPO+t0uSuy4vDxehFLfXCBZHDyWdlBeEz2k6qUZswCKuaA1HufPhkbd5At5r6pejuBWWUal0fv/Xk4CARyrej2/z4Q9PH4l61uKpg+YUBxY+khdwQApEhRFp6KMkrDXm4zfSb6EfGbyMVqm35tKJagDMZTIQdQRYcyf+VkkSzN5s37pYgWnmZAhtFtQSsw2lUYwuGpBEZXi++RmbFj75AgMBAAGjJzAlMCMGA1UdJQQcMBoGCCsGAQUFBwMBBggrBgEFBQcDAgYEVR0lADANBgkqhkiG9w0BAQ0FAAOCAQEAIBxPGlSpyTUzX8Hi/to21uROeZZx8cLOoOpejkU55c3ph47HGdB8ZnkUXz6h1zecrWDoelLOXyNNwhGyvUY+kIVFLThlUTbisb7LJ03fxvk/18qe/+S3b+Hb+NrOXeBuOUBTJvPxIQLFjvIvSleM7ve1FgCsbB1MdLi/zn2G1qx9HUk0adIZwlqPrBMfFo1kk6cWqXzSKGLj37aP1Zbk0f75M16XzFS4JQgdPBDFzjY/eFVE6+Wro9C+/Qlwq5FRE9dBHGNz2nQpHv7n8MSQA4IuHrhbdbbhp6tUzXxmaL+b54aO7yMpT1euiWyBrNhOhfNN5Aun4x0TkBABuXa3Nw=="],"exp":1543498143119,"alg":"RS512","n":"v5JQk8SyLv8mIWCxhk1dNRe00LQQTMPCoDbRIawLoIS5oEvBDcCEGIDqMa1rkMp3PrFNd7GkE86-Sc_FZnkwwbboYNjiYeHXx3kxriF0a1XNLFxJzIKVxakv4MJlppogY1TzvrdLkrsuLw8XoRS31wgWRw8lnZQXhM9pOqlGbMAirmgNR7nz4ZG3eQLea-qXo7gVllGpdH7_15OAgEcq3o9v8-EPTx-JetbiqYPmFAcWPpIXcEAKRIURaeijJKw15uM30m-hHxm8jFapt-bSiWoAzGUyEHUEWHMn_lZJEszebN-6WIFp5mQIbRbUErMNpVGMLhqQRGV4vvkZmxY--Q"},{"kty":"EC","use":"sig","crv":"P-256","kid":"7f454bd5-1ace-4bf5-a5bc-e7907b3b6ff1","x5c":["MIIBdzCCAR2gAwIBAgIgPNodLAZ4xN48HydAgonrZaJCl7NS2XgSAQWX/t7sRNowCgYIKoZIzj0EAwIwITEfMB0GA1UEAwwWb3hBdXRoIENBIENlcnRpZmljYXRlczAeFw0xNzExMjkxMzI4NTVaFw0xODExMjkxMzI5MDNaMCExHzAdBgNVBAMMFm94QXV0aCBDQSBDZXJ0aWZpY2F0ZXMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATV+7Y/7cnM3xyhkhmIRR7H1rTu63bXCGT0G1YAhnWUdZ6cfg8jQsOuQfTLkmT0T96fYDg97R2uBAV9afV2dCpioycwJTAjBgNVHSUEHDAaBggrBgEFBQcDAQYIKwYBBQUHAwIGBFUdJQAwCgYIKoZIzj0EAwIDSAAwRQIgbzk+4xRMFB1isJd8GfAyaGv+cx9PcveUbfjo0vmvHaYCIQCAT8Z9CRaKvAMpHbPhABYAU+krbeTuUhg+m3yk6qG2vw=="],"x":"1fu2P-3JzN8coZIZiEUex9a07ut21whk9BtWAIZ1lHU","y":"npx-DyNCw65B9MuSZPRP3p9gOD3tHa4EBX1p9XZ0KmI","exp":1543498143119,"alg":"ES256"},{"kty":"EC","use":"sig","crv":"P-384","kid":"e3a7710b-38f0-498c-8c64-58606401f603","x5c":["MIIBtDCCATugAwIBAgIhAMRu+dDU63pBP++oINut+5Y0TGK7ceCamgnPpwZt7+/CMAoGCCqGSM49BAMDMCExHzAdBgNVBAMMFm94QXV0aCBDQSBDZXJ0aWZpY2F0ZXMwHhcNMTcxMTI5MTMyODU1WhcNMTgxMTI5MTMyOTAzWjAhMR8wHQYDVQQDDBZveEF1dGggQ0EgQ2VydGlmaWNhdGVzMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEkzjmcUsHaSE6OGePIcJazaTwoxl3FInQMQaF6sWasF+p9B6gBZtY+7CjwUd6pmgYZfQrQBuMxG2vLBEUNBC6CJeSpc6Uu383UVzfjSSgBjPnYIVj1bWtPeHHDV1041P6oycwJTAjBgNVHSUEHDAaBggrBgEFBQcDAQYIKwYBBQUHAwIGBFUdJQAwCgYIKoZIzj0EAwMDZwAwZAIwZHBK7ijnXE3outTc0igWwdlgrneGnMd049XKSg3NtwsVTfRsnt5qCbIJYvmPYghvAjAzp2zcbbLTWQ818XHO1eKloLBMXVnxMYOK5kzYGes+dYEDRf8n//3oQRqnWcBfets="],"x":"kzjmcUsHaSE6OGePIcJazaTwoxl3FInQMQaF6sWasF-p9B6gBZtY-7CjwUd6pmgY","y":"ZfQrQBuMxG2vLBEUNBC6CJeSpc6Uu383UVzfjSSgBjPnYIVj1bWtPeHHDV1041P6","exp":1543498143119,"alg":"ES384"},{"kty":"EC","use":"sig","crv":"P-521","kid":"9a3aa395-4e16-4ae6-ad29-4799686037dc","x5c":["MIICADCCAWGgAwIBAgIhAIQVm+KpUiKSy/+Z8jEUwSuA9lAHf7eWGKSchmYOBb4CMAoGCCqGSM49BAMEMCExHzAdBgNVBAMMFm94QXV0aCBDQSBDZXJ0aWZpY2F0ZXMwHhcNMTcxMTI5MTMyODU1WhcNMTgxMTI5MTMyOTAzWjAhMR8wHQYDVQQDDBZveEF1dGggQ0EgQ2VydGlmaWNhdGVzMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAMeNorxxf/NW00prpGk564/h3AnXzNuMhKhJc65g9R65IbaEx8bO/uH6ozRiscE1pBx+eSgIS2ezrMitQG0fouHwB386JUHf66mClOoXgE3r3mlhG1JuedXknrypuMHpQJ3WzbjBElpSzYXgSaoo0l3ln4dMSE8z+PY4JfXwHrpK6Jf2jJzAlMCMGA1UdJQQcMBoGCCsGAQUFBwMBBggrBgEFBQcDAgYEVR0lADAKBggqhkjOPQQDBAOBjAAwgYgCQgGZ5ZRg/mhtWxwamVgG8hKTOo0Q3L8fnIOedD3jY0hObXeoXzJLJMyJm5+IvvOlCHI8X+dQzRNLFlxzVfz24dXL4gJCAUhM7bSpTuvSUIwlMLLGn/gw90Ca1QgoUwN/sPhj+ziRFfqywlVdv6T1VlojqOFHHAtLfF8DRQDXorEk8x6EwqvJ"],"x":"MeNorxxf_NW00prpGk564_h3AnXzNuMhKhJc65g9R65IbaEx8bO_uH6ozRiscE1pBx-eSgIS2ezrMitQG0fouHw","y":"Ad_OiVB3-upgpTqF4BN695pYRtSbnnV5J68qbjB6UCd1s24wRJaUs2F4EmqKNJd5Z-HTEhPM_j2OCX18B66SuiX9","exp":1543498143119,"alg":"ES512"}]} ``` **This what my application extract from the userinfo. Username is not human readable. So i think it miss something** ``` 2017-12-15 11:22:43,338 DEBUG [NacCaptivePortalGenProviderOauthRegAction] ESDMAC:4A-38-44,ESDIP:192.168.30.30 Created GenProvidere RegisteredUser: RegisteredUser - id = null firstName = middleName = null lastName = userName = Guest-Generic Provider1-..**mxeMWnGfbIfNkcIDqZjGk7Hz6Gr7bQMkLTB-4nvYozA** sponsor = null portal = Default location = null 2017-12-15 11:22:43,338 DEBUG [NacCaptivePortalGenProviderOauthRegAction] ESDMAC:4A-38-44,ESDIP:192.168.30.30 Created GenProvidere RegisteredDevice: RegisteredDevice - id = null ipAddress = 192.168.30.30 macAddress = 00-24-D7-4A-38-44 userName = Guest-Generic Provider1-..mxeMWnGfbIfNkcIDqZjGk7Hz6Gr7bQMkLTB-4nvYozA state = null sponsor = null ``` If you have an idea ? Eric

By Aliaksandr Samuseu staff 15 Dec 2017 at 7:34 p.m. CST

Copy

Hi, Eric. >it looks like that on the RP side i do not decrypt the userinfo. May be i have to specify something for my RP de decrypt it You don't seem to set encryption or signing for userinfo response (judging from your current dump), so it shouldn't be the case. Btw you also don't seem to set signing for `id_token` as well now, and you actually should as it's strongly recommended by the spec; there shouldn't be any issues with signing (at least at oxAuth's side), regardless of actual algorithm used. >Username is not human readable. So i think it miss something I believe what you see is pretty normal look of oxAuth's default `sub` value :) There are 2 type of subject identifier oxAuth uses, "public" and "pairwise", with the latter being default. [Here is](http://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg) how pairwise type is devised, it's a product of a cryptographic function, what explains its look. So if you need a more "user-friendly" id, you have 2 options: 1. Use "sub" of type "public" (can be set in client's properties); by default it will draw its value from `uid` attribute 2. Just release whatever claim you need to represent your user to this RP, then configure RP to use this claim as user's id. You know better whether it's possible with your RP software, perhaps.

By Eric Sans user 19 Dec 2017 at 8:02 a.m. CST

Copy

Hi I have modified my clients at the OP side. I changed the sub type from pairwise to public. Now we receive something readable but this is not what i expect. I receive as sub value the INUM of the client (Client_ID). I would like a information that identify the username. So i added claims to the Open ID scope but it did not change anything. AZny suggestion will be appreciated to improve that Here is what we receive at the RP side 2017-12-19 14:53:21,634 DEBUG [GenProviderOauth] Raw data from getUserData: { "issuer": "https://gluuserver", "authorization_endpoint": "https://gluuserver/oxauth/restv1/authorize", "token_endpoint": "https://gluuserver/oxauth/restv1/token", "userinfo_endpoint": "https://gluuserver/oxauth/restv1/userinfo", "clientinfo_endpoint": "https://gluuserver/oxauth/restv1/clientinfo", "check_session_iframe": "https://gluuserver/oxauth/opiframe", "end_session_endpoint": "https://gluuserver/oxauth/restv1/end_session", "jwks_uri": "https://gluuserver/oxauth/restv1/jwks", "registration_endpoint": "https://gluuserver/oxauth/restv1/register", "id_generation_endpoint": "https://gluuserver/oxauth/restv1/id", "introspection_endpoint": "https://gluuserver/oxauth/restv1/introspection", "scopes_supported": [ "clientinfo", "user_name", "permission", "profile", "mobile_phone", "address", "phone", "Extreme Control Engine", "email", "openid" ], "response_types_supported": [ "id_token", "id_token token code", "token", "code", "token code", "id_token code", "id_token token" ], "grant_types_supported": [ "password", "authorization_code", "client_credentials", "implicit", "refresh_token", "urn:ietf:params:oauth:grant-type:uma-ticket" ], "acr_values_supported": [ "u2f", "auth_ldap_server" ], "auth_level_mapping": { "-1": ["auth_ldap_server"], "10": ["u2f"] }, "subject_types_supported": [ "public", "pairwise" ], "userinfo_signing_alg_values_supported": [ "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512" ], "userinfo_encryption_alg_values_supported": [ "RSA1_5", "RSA-OAEP", "A128KW", "A256KW" ], "userinfo_encryption_enc_values_supported": [ "RSA1_5", "RSA-OAEP", "A128KW", "A256KW" ], "id_token_signing_alg_values_supported": [ "none", "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512" ], "id_token_encryption_alg_values_supported": [ "RSA1_5", "RSA-OAEP", "A128KW", "A256KW" ], "id_token_encryption_enc_values_supported": [ "A128CBC+HS256", "A256CBC+HS512", "A128GCM", "A256GCM" ], "request_object_signing_alg_values_supported": [ "none", "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512" ], "request_object_encryption_alg_values_supported": [ "RSA1_5", "RSA-OAEP", "A128KW", "A256KW" ], "request_object_encryption_enc_values_supported": [ "A128CBC+HS256", "A256CBC+HS512", "A128GCM", "A256GCM" ], "token_endpoint_auth_methods_supported": [ "client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt" ], "token_endpoint_auth_signing_alg_values_supported": [ "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512" ], "display_values_supported": [ "page", "popup" ], "claim_types_supported": ["normal"], "claims_supported": [ "birthdate", "country", "name", "email", "email_verified", "given_name", "gender", "inum", "family_name", "updated_at", "locale", "middle_name", "nickname", "phone_number_verified", "picture", "preferred_username", "profile", "zoneinfo", "user_name", "website" ], "service_documentation": "http://gluu.org/docs", "claims_locales_supported": ["en"], "ui_locales_supported": [ "en", "es" ], "scope_to_claims_mapping": [ {"clientinfo": [ "name", "inum" ]}, {"user_name": ["user_name"]}, {"permission": []}, {"profile": [ "name", "family_name", "given_name", "middle_name", "nickname", "preferred_username", "profile", "picture", "website", "gender", "birthdate", "zoneinfo", "locale", "updated_at" ]}, {"mobile_phone": ["phone_mobile_number"]}, {"address": [ "formatted", "postal_code", "street_address", "locality", "country", "region" ]}, {"phone": [ "phone_number_verified", "phone_number" ]}, {"Extreme Control Engine": ["user_name"]}, {"email": [ "email_verified", "email" ]}, {"openid": []}, {"uma_protection": []} ], "claims_parameter_supported": true, "request_parameter_supported": true, "request_uri_parameter_supported": true, "require_request_uri_registration": false, "op_policy_uri": "http://ox.gluu.org/doku.php?id=oxauth:policy", "op_tos_uri": "http://ox.gluu.org/doku.php?id=oxauth:tos", "frontchannel_logout_supported": "true", "frontchannel_logout_session_supported": true} 2017-12-19 14:53:21,637 DEBUG [GenProviderOauth] JSON: {"request_parameter_supported":true,"introspection_endpoint":"https://gluuserver/oxauth/restv1/introspection","claims_parameter_supported":true,"check_session_iframe":"https://gluuserver/oxauth/opiframe","scopes_supported":["clientinfo","user_name","permission","profile","mobile_phone","address","phone","Extreme Control Engine","email","openid"],"issuer":"https://gluuserver","acr_values_supported":["u2f","auth_ldap_server"],"userinfo_encryption_enc_values_supported":["RSA1_5","RSA-OAEP","A128KW","A256KW"],"id_token_encryption_enc_values_supported":["A128CBC+HS256","A256CBC+HS512","A128GCM","A256GCM"],"authorization_endpoint":"https://gluuserver/oxauth/restv1/authorize","service_documentation":"http://gluu.org/docs","request_object_encryption_enc_values_supported":["A128CBC+HS256","A256CBC+HS512","A128GCM","A256GCM"],"display_values_supported":["page","popup"],"id_generation_endpoint":"https://gluuserver/oxauth/restv1/id","userinfo_signing_alg_values_supported":["HS256","HS384","HS512","RS256","RS384","RS512","ES256","ES384","ES512"],"claims_supported":["birthdate","country","name","email","email_verified","given_name","gender","inum","family_name","updated_at","locale","middle_name","nickname","phone_number_verified","picture","preferred_username","profile","zoneinfo","user_name","website"],"scope_to_claims_mapping":[{"clientinfo":["name","inum"]},{"user_name":["user_name"]},{"permission":[]},{"profile":["name","family_name","given_name","middle_name","nickname","preferred_username","profile","picture","website","gender","birthdate","zoneinfo","locale","updated_at"]},{"mobile_phone":["phone_mobile_number"]},{"address":["formatted","postal_code","street_address","locality","country","region"]},{"phone":["phone_number_verified","phone_number"]},{"Extreme Control Engine":["user_name"]},{"email":["email_verified","email"]},{"openid":[]},{"uma_protection":[]}],"claim_types_supported":["normal"],"op_policy_uri":"http://ox.gluu.org/doku.php?id=oxauth:policy","token_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post","client_secret_jwt","private_key_jwt"],"token_endpoint":"https://gluuserver/oxauth/restv1/token","response_types_supported":["id_token","id_token token code","token","code","token code","id_token code","id_token token"],"request_uri_parameter_supported":true,"userinfo_encryption_alg_values_supported":["RSA1_5","RSA-OAEP","A128KW","A256KW"],"grant_types_supported":["password","authorization_code","client_credentials","implicit","refresh_token","urn:ietf:params:oauth:grant-type:uma-ticket"],"end_session_endpoint":"https://gluuserver/oxauth/restv1/end_session","ui_locales_supported":["en","es"],"userinfo_endpoint":"https://gluuserver/oxauth/restv1/userinfo","token_endpoint_auth_signing_alg_values_supported":["HS256","HS384","HS512","RS256","RS384","RS512","ES256","ES384","ES512"],"op_tos_uri":"http://ox.gluu.org/doku.php?id=oxauth:tos","frontchannel_logout_supported":"true","auth_level_mapping":{"-1":["auth_ldap_server"],"10":["u2f"]},"require_request_uri_registration":false,"id_token_encryption_alg_values_supported":["RSA1_5","RSA-OAEP","A128KW","A256KW"],"jwks_uri":"https://gluuserver/oxauth/restv1/jwks","frontchannel_logout_session_supported":true,"subject_types_supported":["public","pairwise"],"id_token_signing_alg_values_supported":["none","HS256","HS384","HS512","RS256","RS384","RS512","ES256","ES384","ES512"],"registration_endpoint":"https://gluuserver/oxauth/restv1/register","claims_locales_supported":["en"],"clientinfo_endpoint":"https://gluuserver/oxauth/restv1/clientinfo","request_object_signing_alg_values_supported":["none","HS256","HS384","HS512","RS256","RS384","RS512","ES256","ES384","ES512"],"request_object_encryption_alg_values_supported":["RSA1_5","RSA-OAEP","A128KW","A256KW"]} 2017-12-19 14:53:21,637 DEBUG [GenProviderOauth] authorization_endpoint: https://gluuserver/oxauth/restv1/authorize 2017-12-19 14:53:21,637 DEBUG [GenProviderOauth] token_endpoint: https://gluuserver/oxauth/restv1/token 2017-12-19 14:53:21,637 DEBUG [GenProviderOauth] userinfo_endpoint: https://gluuserver/oxauth/restv1/userinfo 2017-12-19 14:53:21,637 DEBUG [GenProviderOauth] jwks_uri: https://gluuserver/oxauth/restv1/jwks 2017-12-19 14:53:21,637 DEBUG [GenProviderOauth] getting access token with Url=https://gluuserver/oxauth/restv1/token 2017-12-19 14:53:21,755 DEBUG [GenProviderOauth] Raw data from getAccessToken: {"access_token":"1c544779-a0c2-4d92-a093-251bfd12ac6f","token_type":"bearer","expires_in":299,"id_token":"eyJraWQiOiJhMTY5Yjc0OC1hYmNhLTQwYTQtYjJkNi0wNjIzODY5MzEzMmMiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2dsdXVzZXJ2ZXIiLCJhdWQiOiJAITc4RkUuRjQxQS41MUM5LjRCOTYhMDAwMSEyMDUxLkNBMDIhMDAwOCE3ODA1LkU4NjkuMzlBMC40M0Q2IiwiZXhwIjoxNTEzNjk1MTcyLCJpYXQiOjE1MTM2OTE1NzIsIm5vbmNlIjoiW0JANGE3MTRmOCIsImF1dGhfdGltZSI6MTUxMzY4NTAyOCwiYXRfaGFzaCI6IkZ5MjNMaXlXS292eERUbC1zTmJha3ciLCJveE9wZW5JRENvbm5lY3RWZXJzaW9uIjoib3BlbmlkY29ubmVjdC0xLjAiLCJzdWIiOiJAITc4RkUuRjQxQS41MUM5LjRCOTYhMDAwMSEyMDUxLkNBMDIhMDAwMCFBOEYyLkRFMUUuRDdGQiJ9.kXGRctsuzhbCI5OM1ZWGwjeT93EcVrTY6xT3U4sJFmz6JlAlvk-qW5930gjfWlLuuml_J19hMsIhLgPn0mIsKOVGYiW8Cw17pbErrqTbqtv675dXJb21sB6EBmPFlTRlRhP0UTFW60XelHVr139qk-gtmT07itK67Aje3mcP5TzHWgME3ppAxwge665V_LZ1wxyplm_i3_Z3KSibjc6qTn-k70ByKwTXIRWGggCJ-i6TEgC-OYqFin1YgK1MRlj6q02amPuNIpKkWu9uBOYHqdkak4q4ZrE_scbZuyJRkBS1wujBtH6VedolfiyyyylIsQWiNpNsFnKE7nAGqsv-bw"} 2017-12-19 14:53:21,759 DEBUG [GenProviderOauth] Token JSON: {"access_token":"1c544779-a0c2-4d92-a093-251bfd12ac6f","id_token":"eyJraWQiOiJhMTY5Yjc0OC1hYmNhLTQwYTQtYjJkNi0wNjIzODY5MzEzMmMiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2dsdXVzZXJ2ZXIiLCJhdWQiOiJAITc4RkUuRjQxQS41MUM5LjRCOTYhMDAwMSEyMDUxLkNBMDIhMDAwOCE3ODA1LkU4NjkuMzlBMC40M0Q2IiwiZXhwIjoxNTEzNjk1MTcyLCJpYXQiOjE1MTM2OTE1NzIsIm5vbmNlIjoiW0JANGE3MTRmOCIsImF1dGhfdGltZSI6MTUxMzY4NTAyOCwiYXRfaGFzaCI6IkZ5MjNMaXlXS292eERUbC1zTmJha3ciLCJveE9wZW5JRENvbm5lY3RWZXJzaW9uIjoib3BlbmlkY29ubmVjdC0xLjAiLCJzdWIiOiJAITc4RkUuRjQxQS41MUM5LjRCOTYhMDAwMSEyMDUxLkNBMDIhMDAwMCFBOEYyLkRFMUUuRDdGQiJ9.kXGRctsuzhbCI5OM1ZWGwjeT93EcVrTY6xT3U4sJFmz6JlAlvk-qW5930gjfWlLuuml_J19hMsIhLgPn0mIsKOVGYiW8Cw17pbErrqTbqtv675dXJb21sB6EBmPFlTRlRhP0UTFW60XelHVr139qk-gtmT07itK67Aje3mcP5TzHWgME3ppAxwge665V_LZ1wxyplm_i3_Z3KSibjc6qTn-k70ByKwTXIRWGggCJ-i6TEgC-OYqFin1YgK1MRlj6q02amPuNIpKkWu9uBOYHqdkak4q4ZrE_scbZuyJRkBS1wujBtH6VedolfiyyyylIsQWiNpNsFnKE7nAGqsv-bw","token_type":"bearer","expires_in":299} 2017-12-19 14:53:21,767 DEBUG [GenProviderOauth] access_token: 1c544779-a0c2-4d92-a093-251bfd12ac6f 2017-12-19 14:53:21,767 DEBUG [GenProviderOauth] expires_in: 299 2017-12-19 14:53:21,783 DEBUG [GenProviderOauth] Raw data from getUserData: {"keys": [ { "kid": "a169b748-abca-40a4-b2d6-06238693132c", "kty": "RSA", "use": "sig", "alg": "RS256", "exp": 1543498143119, "n": "mhgxP0TPtHCyzGD5kW47nXQPdEqyhWMJNMrAq2SFMqdCMB9PVH4irZ_Mj5LGUzlStm2WQCkXM1zhLSNx_8jUy0jU_fXnq6mryzlwKoFNcR9dp_75Sm6HjX0-U7Ba0lCfPYAmptiFZPCIke68b2rO-d1m7zAq6EWFrGjuIe7sARPAW-Xpd1dw0odXcUGD4WfV2mxWt71hxMUrf5KwRzXdDpPufJskAna-XMF8YB7byBa9e2wLM_R22Y693nOosO7g47BMa2p3amnf3edSpge8g11FVc6UDdhoDNype1f58HU71KnOaQ2ufmwnKr7-5uRbmO7J1Jgirg6JyCbdudm_GQ", "e": "AQAB", "x5c": ["MIIDBDCCAeygAwIBAgIhAJc3aFEqB/Nt+p1YHG0NMkYfx4f2VdqQz4PaTGrKCR5GMA0GCSqGSIb3DQEBCwUAMCExHzAdBgNVBAMMFm94QXV0aCBDQSBDZXJ0aWZpY2F0ZXMwHhcNMTcxMTI5MTMyODU0WhcNMTgxMTI5MTMyOTAzWjAhMR8wHQYDVQQDDBZveEF1dGggQ0EgQ2VydGlmaWNhdGVzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmhgxP0TPtHCyzGD5kW47nXQPdEqyhWMJNMrAq2SFMqdCMB9PVH4irZ/Mj5LGUzlStm2WQCkXM1zhLSNx/8jUy0jU/fXnq6mryzlwKoFNcR9dp/75Sm6HjX0+U7Ba0lCfPYAmptiFZPCIke68b2rO+d1m7zAq6EWFrGjuIe7sARPAW+Xpd1dw0odXcUGD4WfV2mxWt71hxMUrf5KwRzXdDpPufJskAna+XMF8YB7byBa9e2wLM/R22Y693nOosO7g47BMa2p3amnf3edSpge8g11FVc6UDdhoDNype1f58HU71KnOaQ2ufmwnKr7+5uRbmO7J1Jgirg6JyCbdudm/GQIDAQABoycwJTAjBgNVHSUEHDAaBggrBgEFBQcDAQYIKwYBBQUHAwIGBFUdJQAwDQYJKoZIhvcNAQELBQADggEBAEUnli69t8UyVKs69U9peDnkvGV9DemGivCjp7No9Rw+N0eIniMX1JTtJNKqpuETSg2t4vPV2ntyLBtyDEDCUL8gLajWpAoS9vns0m2msXvgoO8fW7oYLXt+rmWgzAOrQl0HSr9NW3p7GeHy6mNLc+G2sWorCrEdlZV7tnsmpugpoV/6X2HYpLiiZmm/TwFva9btqCA4IJqv3NmNAr18EedjXLPW2lqc/ZbwgZOBBp+eLWMY62Y2pMuXH+MWunSW4QUcbLrmXiut7XIU9BCHtK6e16aRO0llyO83EDS4Q2s3aUQHoyLPbU2OmeukO9BfzHhqCN/0GQMBhIepB0f4qe0="] }, { "kid": "1c5a2430-921d-4776-9753-9740d6f6eeea", "kty": "RSA", "use": "sig", "alg": "RS384", "exp": 1543498143119, "n": "loT4QpfuDgjfBZ6riZGOkS3L11JRJgUEJLlkqNMIrshGX-Klq5SAt_VRqOGSyyDkP0yw9mDT-Qflg0gyULFdlcRzgw_viR84eKKlgpeCu7w5-eiz-hi9RxIKrDAaSEWPBSvRHM5XfO1W6rOt-3sSHqz2r_9jKytaVHTHkek4d2ePuUZ1V0sKJGGJwttGVdYhogZfyAkklDLsTh-4ew97bKujUuPSOZjcaJljLAOj285_6MNeHguzTWtpOftaluItPHOaLs6NzCNeo_tNvPgzGIoR1DWUVGm1OCrQBdVPGVLVuS5mLw7pdWxxOiMarS7cUYHYoACP-iOj1mRw3-QVoQ", "e": "AQAB", "x5c": ["MIIDAzCCAeugAwIBAgIgdnYNM0YLnqUBOa6d67uFEUdY0N657iJQnf6BadSUbnkwDQYJKoZIhvcNAQEMBQAwITEfMB0GA1UEAwwWb3hBdXRoIENBIENlcnRpZmljYXRlczAeFw0xNzExMjkxMzI4NTRaFw0xODExMjkxMzI5MDNaMCExHzAdBgNVBAMMFm94QXV0aCBDQSBDZXJ0aWZpY2F0ZXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCWhPhCl+4OCN8FnquJkY6RLcvXUlEmBQQkuWSo0wiuyEZf4qWrlIC39VGo4ZLLIOQ/TLD2YNP5B+WDSDJQsV2VxHODD++JHzh4oqWCl4K7vDn56LP6GL1HEgqsMBpIRY8FK9Eczld87Vbqs637exIerPav/2MrK1pUdMeR6Th3Z4+5RnVXSwokYYnC20ZV1iGiBl/ICSSUMuxOH7h7D3tsq6NS49I5mNxomWMsA6Pbzn/ow14eC7NNa2k5+1qW4i08c5ouzo3MI16j+028+DMYihHUNZRUabU4KtAF1U8ZUtW5LmYvDul1bHE6IxqtLtxRgdigAI/6I6PWZHDf5BWhAgMBAAGjJzAlMCMGA1UdJQQcMBoGCCsGAQUFBwMBBggrBgEFBQcDAgYEVR0lADANBgkqhkiG9w0BAQwFAAOCAQEATBafKviRaQoVBprmIzK1jzwVEfU0tLAACF2DukvTruYPF6dOHEYWFLcqR+8ViH+7tZsSoJBAuIFiOaOBfDCoFzLGqs6uGSPjpMUMN5rC98Xv3NWZy3OJTShhBmOt9LbQQU0pefj19UfxaGU6jn+DPeOCUYs5thb8y9CA3g7lRT6N8007jm0OXIRzOzYaNwoOPHYJ7vWwODYh8yTjWwM5VMNIUFlL3G/unlsNppyXU3sZ7rk/f8EZeaDOUrcogRpRkDWin47YGTw5IDkqjTIAbOlXQxlb+rNuvdH9g5cuyI46Mw4DmCS/82dyNAjZjfQQS7Eg01AIGDCG223g/aGDzg=="] }, { "kid": "b2295b3e-96e2-470d-a502-a4ae3bd84bd0", "kty": "RSA", "use": "sig", "alg": "RS512", "exp": 1543498143119, "n": "v5JQk8SyLv8mIWCxhk1dNRe00LQQTMPCoDbRIawLoIS5oEvBDcCEGIDqMa1rkMp3PrFNd7GkE86-Sc_FZnkwwbboYNjiYeHXx3kxriF0a1XNLFxJzIKVxakv4MJlppogY1TzvrdLkrsuLw8XoRS31wgWRw8lnZQXhM9pOqlGbMAirmgNR7nz4ZG3eQLea-qXo7gVllGpdH7_15OAgEcq3o9v8-EPTx-JetbiqYPmFAcWPpIXcEAKRIURaeijJKw15uM30m-hHxm8jFapt-bSiWoAzGUyEHUEWHMn_lZJEszebN-6WIFp5mQIbRbUErMNpVGMLhqQRGV4vvkZmxY--Q", "e": "AQAB", "x5c": ["MIIDAzCCAeugAwIBAgIgVNP7HV6UXKd9Bn6k8cww0g4HeLlcXRQcryfKNw1iCaUwDQYJKoZIhvcNAQENBQAwITEfMB0GA1UEAwwWb3hBdXRoIENBIENlcnRpZmljYXRlczAeFw0xNzExMjkxMzI4NTVaFw0xODExMjkxMzI5MDNaMCExHzAdBgNVBAMMFm94QXV0aCBDQSBDZXJ0aWZpY2F0ZXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/klCTxLIu/yYhYLGGTV01F7TQtBBMw8KgNtEhrAughLmgS8ENwIQYgOoxrWuQync+sU13saQTzr5Jz8VmeTDBtuhg2OJh4dfHeTGuIXRrVc0sXEnMgpXFqS/gwmWmmiBjVPO+t0uSuy4vDxehFLfXCBZHDyWdlBeEz2k6qUZswCKuaA1HufPhkbd5At5r6pejuBWWUal0fv/Xk4CARyrej2/z4Q9PH4l61uKpg+YUBxY+khdwQApEhRFp6KMkrDXm4zfSb6EfGbyMVqm35tKJagDMZTIQdQRYcyf+VkkSzN5s37pYgWnmZAhtFtQSsw2lUYwuGpBEZXi++RmbFj75AgMBAAGjJzAlMCMGA1UdJQQcMBoGCCsGAQUFBwMBBggrBgEFBQcDAgYEVR0lADANBgkqhkiG9w0BAQ0FAAOCAQEAIBxPGlSpyTUzX8Hi/to21uROeZZx8cLOoOpejkU55c3ph47HGdB8ZnkUXz6h1zecrWDoelLOXyNNwhGyvUY+kIVFLThlUTbisb7LJ03fxvk/18qe/+S3b+Hb+NrOXeBuOUBTJvPxIQLFjvIvSleM7ve1FgCsbB1MdLi/zn2G1qx9HUk0adIZwlqPrBMfFo1kk6cWqXzSKGLj37aP1Zbk0f75M16XzFS4JQgdPBDFzjY/eFVE6+Wro9C+/Qlwq5FRE9dBHGNz2nQpHv7n8MSQA4IuHrhbdbbhp6tUzXxmaL+b54aO7yMpT1euiWyBrNhOhfNN5Aun4x0TkBABuXa3Nw=="] }, { "kid": "7f454bd5-1ace-4bf5-a5bc-e7907b3b6ff1", "kty": "EC", "use": "sig", "alg": "ES256", "exp": 1543498143119, "crv": "P-256", "x": "1fu2P-3JzN8coZIZiEUex9a07ut21whk9BtWAIZ1lHU", "y": "npx-DyNCw65B9MuSZPRP3p9gOD3tHa4EBX1p9XZ0KmI", "x5c": ["MIIBdzCCAR2gAwIBAgIgPNodLAZ4xN48HydAgonrZaJCl7NS2XgSAQWX/t7sRNowCgYIKoZIzj0EAwIwITEfMB0GA1UEAwwWb3hBdXRoIENBIENlcnRpZmljYXRlczAeFw0xNzExMjkxMzI4NTVaFw0xODExMjkxMzI5MDNaMCExHzAdBgNVBAMMFm94QXV0aCBDQSBDZXJ0aWZpY2F0ZXMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATV+7Y/7cnM3xyhkhmIRR7H1rTu63bXCGT0G1YAhnWUdZ6cfg8jQsOuQfTLkmT0T96fYDg97R2uBAV9afV2dCpioycwJTAjBgNVHSUEHDAaBggrBgEFBQcDAQYIKwYBBQUHAwIGBFUdJQAwCgYIKoZIzj0EAwIDSAAwRQIgbzk+4xRMFB1isJd8GfAyaGv+cx9PcveUbfjo0vmvHaYCIQCAT8Z9CRaKvAMpHbPhABYAU+krbeTuUhg+m3yk6qG2vw=="] }, { "kid": "e3a7710b-38f0-498c-8c64-58606401f603", "kty": "EC", "use": "sig", "alg": "ES384", "exp": 1543498143119, "crv": "P-384", "x": "kzjmcUsHaSE6OGePIcJazaTwoxl3FInQMQaF6sWasF-p9B6gBZtY-7CjwUd6pmgY", "y": "ZfQrQBuMxG2vLBEUNBC6CJeSpc6Uu383UVzfjSSgBjPnYIVj1bWtPeHHDV1041P6", "x5c": ["MIIBtDCCATugAwIBAgIhAMRu+dDU63pBP++oINut+5Y0TGK7ceCamgnPpwZt7+/CMAoGCCqGSM49BAMDMCExHzAdBgNVBAMMFm94QXV0aCBDQSBDZXJ0aWZpY2F0ZXMwHhcNMTcxMTI5MTMyODU1WhcNMTgxMTI5MTMyOTAzWjAhMR8wHQYDVQQDDBZveEF1dGggQ0EgQ2VydGlmaWNhdGVzMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEkzjmcUsHaSE6OGePIcJazaTwoxl3FInQMQaF6sWasF+p9B6gBZtY+7CjwUd6pmgYZfQrQBuMxG2vLBEUNBC6CJeSpc6Uu383UVzfjSSgBjPnYIVj1bWtPeHHDV1041P6oycwJTAjBgNVHSUEHDAaBggrBgEFBQcDAQYIKwYBBQUHAwIGBFUdJQAwCgYIKoZIzj0EAwMDZwAwZAIwZHBK7ijnXE3outTc0igWwdlgrneGnMd049XKSg3NtwsVTfRsnt5qCbIJYvmPYghvAjAzp2zcbbLTWQ818XHO1eKloLBMXVnxMYOK5kzYGes+dYEDRf8n//3oQRqnWcBfets="] }, { "kid": "9a3aa395-4e16-4ae6-ad29-4799686037dc", "kty": "EC", "use": "sig", "alg": "ES512", "exp": 1543498143119, "crv": "P-521", "x": "MeNorxxf_NW00prpGk564_h3AnXzNuMhKhJc65g9R65IbaEx8bO_uH6ozRiscE1pBx-eSgIS2ezrMitQG0fouHw", "y": "Ad_OiVB3-upgpTqF4BN695pYRtSbnnV5J68qbjB6UCd1s24wRJaUs2F4EmqKNJd5Z-HTEhPM_j2OCX18B66SuiX9", "x5c": ["MIICADCCAWGgAwIBAgIhAIQVm+KpUiKSy/+Z8jEUwSuA9lAHf7eWGKSchmYOBb4CMAoGCCqGSM49BAMEMCExHzAdBgNVBAMMFm94QXV0aCBDQSBDZXJ0aWZpY2F0ZXMwHhcNMTcxMTI5MTMyODU1WhcNMTgxMTI5MTMyOTAzWjAhMR8wHQYDVQQDDBZveEF1dGggQ0EgQ2VydGlmaWNhdGVzMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAMeNorxxf/NW00prpGk564/h3AnXzNuMhKhJc65g9R65IbaEx8bO/uH6ozRiscE1pBx+eSgIS2ezrMitQG0fouHwB386JUHf66mClOoXgE3r3mlhG1JuedXknrypuMHpQJ3WzbjBElpSzYXgSaoo0l3ln4dMSE8z+PY4JfXwHrpK6Jf2jJzAlMCMGA1UdJQQcMBoGCCsGAQUFBwMBBggrBgEFBQcDAgYEVR0lADAKBggqhkjOPQQDBAOBjAAwgYgCQgGZ5ZRg/mhtWxwamVgG8hKTOo0Q3L8fnIOedD3jY0hObXeoXzJLJMyJm5+IvvOlCHI8X+dQzRNLFlxzVfz24dXL4gJCAUhM7bSpTuvSUIwlMLLGn/gw90Ca1QgoUwN/sPhj+ziRFfqywlVdv6T1VlojqOFHHAtLfF8DRQDXorEk8x6EwqvJ"] }]} 2017-12-19 14:53:21,788 DEBUG [GenProviderOauth] JSON: {"keys":[{"kty":"RSA","e":"AQAB","use":"sig","kid":"a169b748-abca-40a4-b2d6-06238693132c","x5c":["MIIDBDCCAeygAwIBAgIhAJc3aFEqB/Nt+p1YHG0NMkYfx4f2VdqQz4PaTGrKCR5GMA0GCSqGSIb3DQEBCwUAMCExHzAdBgNVBAMMFm94QXV0aCBDQSBDZXJ0aWZpY2F0ZXMwHhcNMTcxMTI5MTMyODU0WhcNMTgxMTI5MTMyOTAzWjAhMR8wHQYDVQQDDBZveEF1dGggQ0EgQ2VydGlmaWNhdGVzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmhgxP0TPtHCyzGD5kW47nXQPdEqyhWMJNMrAq2SFMqdCMB9PVH4irZ/Mj5LGUzlStm2WQCkXM1zhLSNx/8jUy0jU/fXnq6mryzlwKoFNcR9dp/75Sm6HjX0+U7Ba0lCfPYAmptiFZPCIke68b2rO+d1m7zAq6EWFrGjuIe7sARPAW+Xpd1dw0odXcUGD4WfV2mxWt71hxMUrf5KwRzXdDpPufJskAna+XMF8YB7byBa9e2wLM/R22Y693nOosO7g47BMa2p3amnf3edSpge8g11FVc6UDdhoDNype1f58HU71KnOaQ2ufmwnKr7+5uRbmO7J1Jgirg6JyCbdudm/GQIDAQABoycwJTAjBgNVHSUEHDAaBggrBgEFBQcDAQYIKwYBBQUHAwIGBFUdJQAwDQYJKoZIhvcNAQELBQADggEBAEUnli69t8UyVKs69U9peDnkvGV9DemGivCjp7No9Rw+N0eIniMX1JTtJNKqpuETSg2t4vPV2ntyLBtyDEDCUL8gLajWpAoS9vns0m2msXvgoO8fW7oYLXt+rmWgzAOrQl0HSr9NW3p7GeHy6mNLc+G2sWorCrEdlZV7tnsmpugpoV/6X2HYpLiiZmm/TwFva9btqCA4IJqv3NmNAr18EedjXLPW2lqc/ZbwgZOBBp+eLWMY62Y2pMuXH+MWunSW4QUcbLrmXiut7XIU9BCHtK6e16aRO0llyO83EDS4Q2s3aUQHoyLPbU2OmeukO9BfzHhqCN/0GQMBhIepB0f4qe0="],"exp":1543498143119,"alg":"RS256","n":"mhgxP0TPtHCyzGD5kW47nXQPdEqyhWMJNMrAq2SFMqdCMB9PVH4irZ_Mj5LGUzlStm2WQCkXM1zhLSNx_8jUy0jU_fXnq6mryzlwKoFNcR9dp_75Sm6HjX0-U7Ba0lCfPYAmptiFZPCIke68b2rO-d1m7zAq6EWFrGjuIe7sARPAW-Xpd1dw0odXcUGD4WfV2mxWt71hxMUrf5KwRzXdDpPufJskAna-XMF8YB7byBa9e2wLM_R22Y693nOosO7g47BMa2p3amnf3edSpge8g11FVc6UDdhoDNype1f58HU71KnOaQ2ufmwnKr7-5uRbmO7J1Jgirg6JyCbdudm_GQ"},{"kty":"RSA","e":"AQAB","use":"sig","kid":"1c5a2430-921d-4776-9753-9740d6f6eeea","x5c":["MIIDAzCCAeugAwIBAgIgdnYNM0YLnqUBOa6d67uFEUdY0N657iJQnf6BadSUbnkwDQYJKoZIhvcNAQEMBQAwITEfMB0GA1UEAwwWb3hBdXRoIENBIENlcnRpZmljYXRlczAeFw0xNzExMjkxMzI4NTRaFw0xODExMjkxMzI5MDNaMCExHzAdBgNVBAMMFm94QXV0aCBDQSBDZXJ0aWZpY2F0ZXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCWhPhCl+4OCN8FnquJkY6RLcvXUlEmBQQkuWSo0wiuyEZf4qWrlIC39VGo4ZLLIOQ/TLD2YNP5B+WDSDJQsV2VxHODD++JHzh4oqWCl4K7vDn56LP6GL1HEgqsMBpIRY8FK9Eczld87Vbqs637exIerPav/2MrK1pUdMeR6Th3Z4+5RnVXSwokYYnC20ZV1iGiBl/ICSSUMuxOH7h7D3tsq6NS49I5mNxomWMsA6Pbzn/ow14eC7NNa2k5+1qW4i08c5ouzo3MI16j+028+DMYihHUNZRUabU4KtAF1U8ZUtW5LmYvDul1bHE6IxqtLtxRgdigAI/6I6PWZHDf5BWhAgMBAAGjJzAlMCMGA1UdJQQcMBoGCCsGAQUFBwMBBggrBgEFBQcDAgYEVR0lADANBgkqhkiG9w0BAQwFAAOCAQEATBafKviRaQoVBprmIzK1jzwVEfU0tLAACF2DukvTruYPF6dOHEYWFLcqR+8ViH+7tZsSoJBAuIFiOaOBfDCoFzLGqs6uGSPjpMUMN5rC98Xv3NWZy3OJTShhBmOt9LbQQU0pefj19UfxaGU6jn+DPeOCUYs5thb8y9CA3g7lRT6N8007jm0OXIRzOzYaNwoOPHYJ7vWwODYh8yTjWwM5VMNIUFlL3G/unlsNppyXU3sZ7rk/f8EZeaDOUrcogRpRkDWin47YGTw5IDkqjTIAbOlXQxlb+rNuvdH9g5cuyI46Mw4DmCS/82dyNAjZjfQQS7Eg01AIGDCG223g/aGDzg=="],"exp":1543498143119,"alg":"RS384","n":"loT4QpfuDgjfBZ6riZGOkS3L11JRJgUEJLlkqNMIrshGX-Klq5SAt_VRqOGSyyDkP0yw9mDT-Qflg0gyULFdlcRzgw_viR84eKKlgpeCu7w5-eiz-hi9RxIKrDAaSEWPBSvRHM5XfO1W6rOt-3sSHqz2r_9jKytaVHTHkek4d2ePuUZ1V0sKJGGJwttGVdYhogZfyAkklDLsTh-4ew97bKujUuPSOZjcaJljLAOj285_6MNeHguzTWtpOftaluItPHOaLs6NzCNeo_tNvPgzGIoR1DWUVGm1OCrQBdVPGVLVuS5mLw7pdWxxOiMarS7cUYHYoACP-iOj1mRw3-QVoQ"},{"kty":"RSA","e":"AQAB","use":"sig","kid":"b2295b3e-96e2-470d-a502-a4ae3bd84bd0","x5c":["MIIDAzCCAeugAwIBAgIgVNP7HV6UXKd9Bn6k8cww0g4HeLlcXRQcryfKNw1iCaUwDQYJKoZIhvcNAQENBQAwITEfMB0GA1UEAwwWb3hBdXRoIENBIENlcnRpZmljYXRlczAeFw0xNzExMjkxMzI4NTVaFw0xODExMjkxMzI5MDNaMCExHzAdBgNVBAMMFm94QXV0aCBDQSBDZXJ0aWZpY2F0ZXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/klCTxLIu/yYhYLGGTV01F7TQtBBMw8KgNtEhrAughLmgS8ENwIQYgOoxrWuQync+sU13saQTzr5Jz8VmeTDBtuhg2OJh4dfHeTGuIXRrVc0sXEnMgpXFqS/gwmWmmiBjVPO+t0uSuy4vDxehFLfXCBZHDyWdlBeEz2k6qUZswCKuaA1HufPhkbd5At5r6pejuBWWUal0fv/Xk4CARyrej2/z4Q9PH4l61uKpg+YUBxY+khdwQApEhRFp6KMkrDXm4zfSb6EfGbyMVqm35tKJagDMZTIQdQRYcyf+VkkSzN5s37pYgWnmZAhtFtQSsw2lUYwuGpBEZXi++RmbFj75AgMBAAGjJzAlMCMGA1UdJQQcMBoGCCsGAQUFBwMBBggrBgEFBQcDAgYEVR0lADANBgkqhkiG9w0BAQ0FAAOCAQEAIBxPGlSpyTUzX8Hi/to21uROeZZx8cLOoOpejkU55c3ph47HGdB8ZnkUXz6h1zecrWDoelLOXyNNwhGyvUY+kIVFLThlUTbisb7LJ03fxvk/18qe/+S3b+Hb+NrOXeBuOUBTJvPxIQLFjvIvSleM7ve1FgCsbB1MdLi/zn2G1qx9HUk0adIZwlqPrBMfFo1kk6cWqXzSKGLj37aP1Zbk0f75M16XzFS4JQgdPBDFzjY/eFVE6+Wro9C+/Qlwq5FRE9dBHGNz2nQpHv7n8MSQA4IuHrhbdbbhp6tUzXxmaL+b54aO7yMpT1euiWyBrNhOhfNN5Aun4x0TkBABuXa3Nw=="],"exp":1543498143119,"alg":"RS512","n":"v5JQk8SyLv8mIWCxhk1dNRe00LQQTMPCoDbRIawLoIS5oEvBDcCEGIDqMa1rkMp3PrFNd7GkE86-Sc_FZnkwwbboYNjiYeHXx3kxriF0a1XNLFxJzIKVxakv4MJlppogY1TzvrdLkrsuLw8XoRS31wgWRw8lnZQXhM9pOqlGbMAirmgNR7nz4ZG3eQLea-qXo7gVllGpdH7_15OAgEcq3o9v8-EPTx-JetbiqYPmFAcWPpIXcEAKRIURaeijJKw15uM30m-hHxm8jFapt-bSiWoAzGUyEHUEWHMn_lZJEszebN-6WIFp5mQIbRbUErMNpVGMLhqQRGV4vvkZmxY--Q"},{"kty":"EC","use":"sig","crv":"P-256","kid":"7f454bd5-1ace-4bf5-a5bc-e7907b3b6ff1","x5c":["MIIBdzCCAR2gAwIBAgIgPNodLAZ4xN48HydAgonrZaJCl7NS2XgSAQWX/t7sRNowCgYIKoZIzj0EAwIwITEfMB0GA1UEAwwWb3hBdXRoIENBIENlcnRpZmljYXRlczAeFw0xNzExMjkxMzI4NTVaFw0xODExMjkxMzI5MDNaMCExHzAdBgNVBAMMFm94QXV0aCBDQSBDZXJ0aWZpY2F0ZXMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATV+7Y/7cnM3xyhkhmIRR7H1rTu63bXCGT0G1YAhnWUdZ6cfg8jQsOuQfTLkmT0T96fYDg97R2uBAV9afV2dCpioycwJTAjBgNVHSUEHDAaBggrBgEFBQcDAQYIKwYBBQUHAwIGBFUdJQAwCgYIKoZIzj0EAwIDSAAwRQIgbzk+4xRMFB1isJd8GfAyaGv+cx9PcveUbfjo0vmvHaYCIQCAT8Z9CRaKvAMpHbPhABYAU+krbeTuUhg+m3yk6qG2vw=="],"x":"1fu2P-3JzN8coZIZiEUex9a07ut21whk9BtWAIZ1lHU","y":"npx-DyNCw65B9MuSZPRP3p9gOD3tHa4EBX1p9XZ0KmI","exp":1543498143119,"alg":"ES256"},{"kty":"EC","use":"sig","crv":"P-384","kid":"e3a7710b-38f0-498c-8c64-58606401f603","x5c":["MIIBtDCCATugAwIBAgIhAMRu+dDU63pBP++oINut+5Y0TGK7ceCamgnPpwZt7+/CMAoGCCqGSM49BAMDMCExHzAdBgNVBAMMFm94QXV0aCBDQSBDZXJ0aWZpY2F0ZXMwHhcNMTcxMTI5MTMyODU1WhcNMTgxMTI5MTMyOTAzWjAhMR8wHQYDVQQDDBZveEF1dGggQ0EgQ2VydGlmaWNhdGVzMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEkzjmcUsHaSE6OGePIcJazaTwoxl3FInQMQaF6sWasF+p9B6gBZtY+7CjwUd6pmgYZfQrQBuMxG2vLBEUNBC6CJeSpc6Uu383UVzfjSSgBjPnYIVj1bWtPeHHDV1041P6oycwJTAjBgNVHSUEHDAaBggrBgEFBQcDAQYIKwYBBQUHAwIGBFUdJQAwCgYIKoZIzj0EAwMDZwAwZAIwZHBK7ijnXE3outTc0igWwdlgrneGnMd049XKSg3NtwsVTfRsnt5qCbIJYvmPYghvAjAzp2zcbbLTWQ818XHO1eKloLBMXVnxMYOK5kzYGes+dYEDRf8n//3oQRqnWcBfets="],"x":"kzjmcUsHaSE6OGePIcJazaTwoxl3FInQMQaF6sWasF-p9B6gBZtY-7CjwUd6pmgY","y":"ZfQrQBuMxG2vLBEUNBC6CJeSpc6Uu383UVzfjSSgBjPnYIVj1bWtPeHHDV1041P6","exp":1543498143119,"alg":"ES384"},{"kty":"EC","use":"sig","crv":"P-521","kid":"9a3aa395-4e16-4ae6-ad29-4799686037dc","x5c":["MIICADCCAWGgAwIBAgIhAIQVm+KpUiKSy/+Z8jEUwSuA9lAHf7eWGKSchmYOBb4CMAoGCCqGSM49BAMEMCExHzAdBgNVBAMMFm94QXV0aCBDQSBDZXJ0aWZpY2F0ZXMwHhcNMTcxMTI5MTMyODU1WhcNMTgxMTI5MTMyOTAzWjAhMR8wHQYDVQQDDBZveEF1dGggQ0EgQ2VydGlmaWNhdGVzMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAMeNorxxf/NW00prpGk564/h3AnXzNuMhKhJc65g9R65IbaEx8bO/uH6ozRiscE1pBx+eSgIS2ezrMitQG0fouHwB386JUHf66mClOoXgE3r3mlhG1JuedXknrypuMHpQJ3WzbjBElpSzYXgSaoo0l3ln4dMSE8z+PY4JfXwHrpK6Jf2jJzAlMCMGA1UdJQQcMBoGCCsGAQUFBwMBBggrBgEFBQcDAgYEVR0lADAKBggqhkjOPQQDBAOBjAAwgYgCQgGZ5ZRg/mhtWxwamVgG8hKTOo0Q3L8fnIOedD3jY0hObXeoXzJLJMyJm5+IvvOlCHI8X+dQzRNLFlxzVfz24dXL4gJCAUhM7bSpTuvSUIwlMLLGn/gw90Ca1QgoUwN/sPhj+ziRFfqywlVdv6T1VlojqOFHHAtLfF8DRQDXorEk8x6EwqvJ"],"x":"MeNorxxf_NW00prpGk564_h3AnXzNuMhKhJc65g9R65IbaEx8bO_uH6ozRiscE1pBx-eSgIS2ezrMitQG0fouHw","y":"Ad_OiVB3-upgpTqF4BN695pYRtSbnnV5J68qbjB6UCd1s24wRJaUs2F4EmqKNJd5Z-HTEhPM_j2OCX18B66SuiX9","exp":1543498143119,"alg":"ES512"}]} 2017-12-19 14:53:21,797 DEBUG [GenProviderOauth] JSON: {"at_hash":"Fy23LiyWKovxDTl-sNbakw","aud":"@!78FE.F41A.51C9.4B96!0001!2051.CA02!0008!7805.E869.39A0.43D6","sub":"@!78FE.F41A.51C9.4B96!0001!2051.CA02!0000!A8F2.DE1E.D7FB","auth_time":1513685028,"iss":"https://gluuserver","exp":1513695172,"iat":1513691572,"nonce":"[B@4a714f8","oxOpenIDConnectVersion":"openidconnect-1.0"} 2017-12-19 14:53:21,797 DEBUG [GenProviderOauth] sub: **@!78FE.F41A.51C9.4B96!0001!2051.CA02!0000!A8F2.DE1E.D7FB** Regards Eric

By Aliaksandr Samuseu staff 19 Dec 2017 at 1:13 p.m. CST

Copy

Hi, Eric. You can set source attribute for "sub" at "JSON Configuration -> oxAuth" by editing "openidSubAttribute" property.

By Eric Sans user 20 Dec 2017 at 7:45 a.m. CST

Copy

Hi I have modified the sub attribute and now i have the expected value i can use to map the user to the network registration (NAC) Do we have anoither way to pass the RP other info for the user (not the client). I had a look at the userinfo but i guess the RP has to make a request to the OP to get more information. If you can make suggestion. However i can consider the issue resolved. We have successfully implemented this interperabilty between Extreme Control and Gluu server. I will write a tech note internally in case some customers are interested by using a Provider other than Facebook Google .... I would like to tell you many thanks for you help and your avalibility to find the root cause of this issue. This was my first expirience with Open ID and in general with this kind of solution. I'm a Network specialist not in authentication but it was a very interesting expirience. If you can have a look at my last question Regards Eric

By Aliaksandr Samuseu staff 20 Dec 2017 at 8:33 a.m. CST

Copy

Hi, Eric. One of main selling features of Gluu is extensive and thorough support of [OIDC Core](http://openid.net/specs/openid-connect-core-1_0.html) (and auxillary) spec(s). You should be able to use all of the flows defined there. > Do we have anoither way to pass the RP other info for the user (not the client). Could you elaborate? What RP receives in most cases will be user's personal data. The amount of disclosed data is defined by scopes you request from OP (not all of them may be allowed to be sent to this client/RP by OP or user, though). If you need more data to be disclosed, your need to define more claims/scopes, assign them to client, and request them. More details are [here](https://gluu.org/docs/ce/3.1.1/admin-guide/openid-connect/) >I had a look at the userinfo but i guess the RP has to make a request to the OP to get more information. In most of flows most of user's claims are requested from userinfo. Not much suggestions here, aside from checking some materials on OIDC, in general. We have [some guides](https://gluu.org/docs/ce/3.1.1/admin-guide/openid-connect/) if you interested, and our paid product [oxd server](https://gluu.org/docs/oxd/3.1.1/) may save you from dealing with some low-level mechanics. You may consider purchasing a support contract from Gluu if you believe you may need a more timely and in-depth consulting.

By Eric Sans user 20 Dec 2017 at 10:30 a.m. CST

Copy

Hi This is the list of claims we receive on the RP side from the ID TOKEN JSON: {"at_hash":"4s31Gtobpckxro9HAJbyqQ","aud":"@!78FE.F41A.51C9.4B96!0001!2051.CA02!0008!7805.E869.39A0.43D6","sub":"admin","auth_time":1513782745,"iss":"https://gluuserver","exp":1513786346,"iat":1513782746,"nonce":"[B@51f2cb9","oxOpenIDConnectVersion":"openidconnect-1.0"} it is specified in open ID you can return standard claims in the user info or the id_token i added more scopes in the clients configuration (openid , profile, email) but the attributes are not passed. I guess i have misconfigured something. I found an option in the JSON OXauth configuration :legacyIdTokenClaims But not sure it will fix this problem I had the confirmation that we do not request userinfo from the RP. For the contract purchasing , i'm not an end user so the server is not in a production environment. I just verify the interoperability et make recommendation if the solution works well. Eric

By Eric Sans user 20 Dec 2017 at 10:36 a.m. CST

Copy

Hi Finally it was the good parameter. All the claims expected are returned to the RP JSON: {"at_hash":"6ma-ddGRFV6KOa8ZsZT4cQ","sub":"admin","website":"https://www.gluu.org/","zoneinfo":"America/Los_Angeles","birthdate":"20170907123010.485Z","email_verified":"true","gender":"male","profile":"https://www.facebook.com/gluufederation/","iss":"https://gluuserver","preferred_username":"admin","given_name":"Admin","middle_name":"Admin","nonce":"[B@1547ff0","picture":"https://www.gluu.org/wp-content/themes/gluu/images/gl.png","oxOpenIDConnectVersion":"openidconnect-1.0","aud":"@!78FE.F41A.51C9.4B96!0001!2051.CA02!0008!7805.E869.39A0.43D6","auth_time":1513787550,"name":"Default Admin User","nickname":"Admin","exp":1513791150,"iat":1513787550,"family_name":"User","email":"admin@gluuserver"} Thanks You can close the case Eric

You need to Login in order to post an answer

Unable to get ID token

By: Eric Sans user 05 Dec 2017 at 4:37 a.m. CST

Answers

By Michael Schwartz Account Admin 05 Dec 2017 at 11:17 a.m. CST

By Aliaksandr Samuseu staff 05 Dec 2017 at 12:43 p.m. CST

By Eric Sans user 06 Dec 2017 at 4:23 a.m. CST

By Eric Sans user 06 Dec 2017 at 8:40 a.m. CST

By Michael Schwartz Account Admin 06 Dec 2017 at 11:04 a.m. CST

By Aliaksandr Samuseu staff 06 Dec 2017 at 9:40 p.m. CST

By Eric Sans user 08 Dec 2017 at 3:34 a.m. CST

By Eric Sans user 08 Dec 2017 at 4:07 a.m. CST

By Eric Sans user 08 Dec 2017 at 5:12 a.m. CST

By Aliaksandr Samuseu staff 08 Dec 2017 at 5:26 a.m. CST

By Eric Sans user 08 Dec 2017 at 6:59 a.m. CST

By Mohib Zico Account Admin 13 Dec 2017 at 6:53 a.m. CST

By Eric Sans user 13 Dec 2017 at 8:13 a.m. CST

By Aliaksandr Samuseu staff 13 Dec 2017 at 8:17 a.m. CST

By Eric Sans user 13 Dec 2017 at 8:22 a.m. CST

By Aliaksandr Samuseu staff 13 Dec 2017 at 8:49 a.m. CST

By Eric Sans user 13 Dec 2017 at 9:17 a.m. CST

By Aliaksandr Samuseu staff 13 Dec 2017 at 10:08 a.m. CST

By Eric Sans user 13 Dec 2017 at 10:19 a.m. CST

By Aliaksandr Samuseu staff 13 Dec 2017 at 8:55 p.m. CST

By Aliaksandr Samuseu staff 14 Dec 2017 at 10:50 a.m. CST

By Eric Sans user 15 Dec 2017 at 6:57 a.m. CST

By Aliaksandr Samuseu staff 15 Dec 2017 at 7:34 p.m. CST

By Eric Sans user 19 Dec 2017 at 8:02 a.m. CST

By Aliaksandr Samuseu staff 19 Dec 2017 at 1:13 p.m. CST

By Eric Sans user 20 Dec 2017 at 7:45 a.m. CST

By Aliaksandr Samuseu staff 20 Dec 2017 at 8:33 a.m. CST

By Eric Sans user 20 Dec 2017 at 10:30 a.m. CST

By Eric Sans user 20 Dec 2017 at 10:36 a.m. CST

Post an answer