By: Patrik Pilisi user 26 Jul 2018 at 8:36 a.m. CDT

3 Responses
Hi, I am using Gluu version 3.1.1 and SugarCRM 6.5.20. I have a problem configuring OpenID Connect on SugarCRM. I have configured the oxd server according to https://gluu.org/docs/oxd/configuration/

After configuring the oxd server on SugarCRM according to https://gluu.org/docs/oxd/plugin/sugarcrm/ I have a problem logging in to SugarCRM with the OpenID provider. When I click on "Login by OpenID Provider", I see this message: "Missing claims : Please talk to your organizational system administrator or try again"

I have found in opt/gluu/jetty/oxauth/logs/oxauth.log:

```
2018-07-25 08:39:05,744 DEBUG [qtp2008017533-17] [org.xdi.oxauth.service.ClientService] (ClientService.java:192) - Failed to find entry: inum=%40%211A3E.605C.0877.D01C%210001%214B62.CEC6%210008%21906C.AAB0.0DE9.E3E2,ou=clients,o=@!1A3E.605C.0877.D01C!0001!4B62.CEC6,o=gluu
2018-07-25 08:39:05,744 DEBUG [qtp2008017533-17] [org.xdi.oxauth.service.ClientService] (ClientService.java:137) - Found 0 entries for client id = %40%211A3E.605C.0877.D01C%210001%214B62.CEC6%210008%21906C.AAB0.0DE9.E3E2
```

The only difference I noticed is that client_id goes as a converted string (! as %21, @ as %40). We did some exploration and we are experiencing strange behavior: when the Gluu server gets a request to https://my.Gluu.hostname/oxauth/restv1/authorize it didn't convert client_id to string, but when it gets a request to https://my.Gluu.hostname/oxauth/restv1/token it converts client_id to string.

Log snippet of the requests with and without conversion:

```
2018-07-25 08:39:05,578 DEBUG [qtp2008017533-11] [xdi.oxauth.authorize.ws.rs.AuthorizeRestWebServiceImpl] (AuthorizeRestWebServiceImpl.java:165) - Attempting to request authorization: acrValues = basic, amrValues = null, originHeaders = null, codeChallenge = null, codeChallengeMethod = null, customRespHeaders = null, claims = null
2018-07-25 08:39:05,590 DEBUG [qtp2008017533-11] [org.xdi.oxauth.service.ClientService] (ClientService.java:137) - Found 1 entries for client id = @!1A3E.605C.0877.D01C!0001!4B62.CEC6!0008!906C.AAB0.0DE9.E3E2
2018-07-25 08:39:05,590 DEBUG [qtp2008017533-11] [org.xdi.oxauth.model.authorize.ScopeChecker] (ScopeChecker.java:39) - Checking scopes policy for: openid profile email
2018-07-25 08:39:05,596 DEBUG [qtp2008017533-11] [org.xdi.oxauth.model.authorize.ScopeChecker] (ScopeChecker.java:59) - Granted scopes: [openid, profile, email]
2018-07-25 08:39:05,597 TRACE [qtp2008017533-11] [org.xdi.oxauth.service.ClientService] (ClientService.java:195) - Get client from cache by Dn 'inum=@!1A3E.605C.0877.D01C!0001!4B62.CEC6!0008!906C.AAB0.0DE9.E3E2,ou=clients,o=@!1A3E.605C.0877.D01C!0001!4B62.CEC6,o=gluu'
2018-07-25 08:39:05,597 DEBUG [qtp2008017533-11] [org.xdi.oxauth.service.ClientService] (ClientService.java:137) - Found 1 entries for client id = @!1A3E.605C.0877.D01C!0001!4B62.CEC6!0008!906C.AAB0.0DE9.E3E2 ** -------> not converted**
2018-07-25 08:39:05,597 DEBUG [qtp2008017533-11] [org.xdi.oxauth.service.RedirectionUriService] (RedirectionUriService.java:76) - Validating redirection URI: clientIdentifier = @!1A3E.605C.0877.D01C!0001!4B62.CEC6!0008!906C.AAB0.0DE9.E3E2, redirectionUri = https://my-sugarcrm//gluu.php?gluu_login=Gluussos, found = 1
2018-07-25 08:39:05,597 DEBUG [qtp2008017533-11] [org.xdi.oxauth.service.RedirectionUriService] (RedirectionUriService.java:82) - Comparing https://my-sugarcrm//gluu.php?gluu_login=Gluussos == https://my-sugarcrm//gluu.php?gluu_login=Gluussos
2018-07-25 08:39:05,601 TRACE [qtp2008017533-11] [org.xdi.oxauth.model.common.AuthorizationGrantList] (AuthorizationGrantList.java:89) - Put authorization grant in cache, code: ffa9c5d0-f993-420d-bd6c-c1cf6614efbc, clientId: @!1A3E.605C.0877.D01C!0001!4B62.CEC6!0008!906C.AAB0.0DE9.E3E2
2018-07-25 08:39:05,601 DEBUG [qtp2008017533-11] [org.xdi.oxauth.model.authorize.ScopeChecker] (ScopeChecker.java:39) - Checking scopes policy for: openid profile email
2018-07-25 08:39:05,602 DEBUG [qtp2008017533-11] [org.xdi.oxauth.model.authorize.ScopeChecker] (ScopeChecker.java:59) - Granted scopes: [openid, profile, email]
2018-07-25 08:39:05,741 TRACE [qtp2008017533-17] [org.xdi.oxauth.auth.AuthenticationFilter] (AuthenticationFilter.java:88) - Get request to: 'https://my.Gluu.hostname/oxauth/restv1/token'
2018-07-25 08:39:05,741 DEBUG [qtp2008017533-17] [org.xdi.oxauth.auth.AuthenticationFilter] (AuthenticationFilter.java:94) - Starting token endpoint authentication
2018-07-25 08:39:05,742 DEBUG [qtp2008017533-17] [org.xdi.oxauth.auth.AuthenticationFilter] (AuthenticationFilter.java:101) - Starting Basic Auth token endpoint authentication
2018-07-25 08:39:05,744 DEBUG [qtp2008017533-17] [org.xdi.oxauth.service.ClientService] (ClientService.java:192) - Failed to find entry: inum=%40%211A3E.605C.0877.D01C%210001%214B62.CEC6%210008%21906C.AAB0.0DE9.E3E2,ou=clients,o=@!1A3E.605C.0877.D01C!0001!4B62.CEC6,o=gluu
2018-07-25 08:39:05,744 DEBUG [qtp2008017533-17] [org.xdi.oxauth.service.ClientService] (ClientService.java:137) - Found 0 entries for client id = %40%211A3E.605C.0877.D01C%210001%214B62.CEC6%210008%21906C.AAB0.0DE9.E3E2 ** ------------> converted**
2018-07-25 08:39:05,744 INFO [qtp2008017533-17] [org.xdi.oxauth.auth.AuthenticationFilter] (AuthenticationFilter.java:222) - Basic authentication failed
java.lang.Exception: The Token Authentication Method is not valid.
    at org.xdi.oxauth.auth.AuthenticationFilter.processBasicAuth(AuthenticationFilter.java:199) [classes/:?]
    at org.xdi.oxauth.auth.AuthenticationFilter.doFilter(AuthenticationFilter.java:102) [classes/:?]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1759) [jetty-servlet-9.3.15.v20161220.jar:9.3.15.v20161220]
    at org.gluu.oxserver.filters.AbstractCorsFilter.handleNonCORS(AbstractCorsFilter.java:343) [oxcore-server-3.1.1.Final.jar:?]
    at org.gluu.oxserver.filters.AbstractCorsFilter.doFilter(AbstractCorsFilter.java:120) [oxcore-server-3.1.1.Final.jar:?]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1759) [jetty-servlet-9.3.15.v20161220.jar:9.3.15.v20161220]
    at org.xdi.oxauth.audit.debug.ServletLoggingFilter.doFilter(ServletLoggingFilter.java:55) [classes/:?]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1751) [jetty-servlet-9.3.15.v20161220.jar:9.3.15.v20161220]
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:582) [jetty-servlet-9.3.15.v20161220.jar:9.3.15.v20161220]
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220]
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548) [jetty-security-9.3.15.v20161220.jar:9.3.15.v20161220]
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:226) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220]
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1180) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220]
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:512) [jetty-servlet-9.3.15.v20161220.jar:9.3.15.v20161220]
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220]
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1112) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220]
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220]
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:213) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220]
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:119) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:134) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220]
    at org.eclipse.jetty.server.Server.handle(Server.java:534) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220]
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:320) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220]
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220]
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:283) [jetty-io-9.3.15.v20161220.jar:9.3.15.v20161220]
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:110) [jetty-io-9.3.15.v20161220.jar:9.3.15.v20161220]
    at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:93) [jetty-io-9.3.15.v20161220.jar:9.3.15.v20161220]
    at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.executeProduceConsume(ExecuteProduceConsume.java:303) [jetty-util-9.3.15.v20161220.jar:9.3.15.v20161220]
    at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceConsume(ExecuteProduceConsume.java:148) [jetty-util-9.3.15.v20161220.jar:9.3.15.v20161220]
    at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:136) [jetty-util-9.3.15.v20161220.jar:9.3.15.v20161220]
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:671) [jetty-util-9.3.15.v20161220.jar:9.3.15.v20161220]
    at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:589) [jetty-util-9.3.15.v20161220.jar:9.3.15.v20161220]
    at java.lang.Thread.run(Thread.java:745) [?:1.8.0_112]
2018-07-25 08:39:05,745 DEBUG [qtp2008017533-17] [org.xdi.oxauth.model.error.ErrorResponseFactory] (ErrorResponseFactory.java:70) - Looking for the error with id: invalid_client
2018-07-25 08:39:05,746 DEBUG [qtp2008017533-17] [org.xdi.oxauth.model.error.ErrorResponseFactory] (ErrorResponseFactory.java:75) - Found error, id: invalid_client
```
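
The lookup mismatch shown in the log above, reproduced as an added diagnostic example (not part of the original post and not Gluu or oxd code). RFC 6749 section 2.3.1 has the client form-urlencode `client_id` before placing it in the Basic header, so a server that only base64-decodes sees `%40%21...` as the username. The function names, the `s3cret` value and the sample log lines with a placeholder client id are constructed for illustration.

```python
import base64
import re
from urllib.parse import quote_plus, unquote_plus

# Constructed sample in the oxauth.log format quoted above; the client id is a placeholder.
CID = "@!AAAA.BBBB!0001!CCCC.DDDD!0008!EEEE.FFFF"
SAMPLE_LOG = (
    "2018-07-25 08:39:05,590 DEBUG [qtp-11] [org.xdi.oxauth.service.ClientService] "
    "(ClientService.java:137) - Found 1 entries for client id = " + CID + "\n"
    "2018-07-25 08:39:05,744 DEBUG [qtp-17] [org.xdi.oxauth.service.ClientService] "
    "(ClientService.java:137) - Found 0 entries for client id = " + quote_plus(CID) + "\n"
)

LOOKUP = re.compile(r"Found (\d+) entries for client id = (\S+)")
PCT = re.compile(r"%[0-9A-Fa-f]{2}")


def basic_header(client_id, secret, form_encode):
    """Build a token-endpoint Basic header, optionally form-encoding both parts first."""
    if form_encode:
        client_id, secret = quote_plus(client_id), quote_plus(secret)
    token = base64.b64encode(f"{client_id}:{secret}".encode()).decode()
    return "Basic " + token


def basic_username(header):
    """Return the username as seen after base64 decoding only (no form decoding)."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    return raw.split(":", 1)[0]


def find_encoded_misses(log_text):
    """Pair each failed lookup of a percent-encoded id with the known client it decodes to."""
    lookups = [(int(m.group(1)), m.group(2)) for m in LOOKUP.finditer(log_text)]
    known = {cid for count, cid in lookups if count > 0}
    return [
        (cid, unquote_plus(cid))
        for count, cid in lookups
        if count == 0 and PCT.search(cid) and unquote_plus(cid) in known
    ]


if __name__ == "__main__":
    print(basic_username(basic_header(CID, "s3cret", form_encode=True)))
    for encoded, decoded in find_encoded_misses(SAMPLE_LOG):
        print(f"lookup failed for {encoded}; decodes to known client {decoded}")
```

Running `find_encoded_misses` over a real `oxauth.log` separates this encoding mismatch from a client that is genuinely absent from LDAP.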

By Mohib Zico staff 26 Jul 2018 at 9:57 a.m. CDT

Hi Patrik, Can you please try to release email_address in this client configuration? Also... we have a video tutorial available for SugarCRM: https://www.youtube.com/watch?v=hKjIZ-h1_dY

By Patrik Pilisi user 30 Jul 2018 at 6:11 a.m. CDT

Hi Mohib, I set it according to the video but it still gives me the same error.

By Mohib Zico staff 31 Jul 2018 at 8:55 a.m. CDT

Can you please try with 3.1.3?