By: Steve Sirag user 17 Oct 2018 at 3:34 p.m. CDT

42 Responses
## Expected Behavior

I've set up a Wordpress site with Gluu's OpenID plugin, according to these docs: https://gluu.org/docs/oxd/3.1.2/plugin/wordpress/#requirements

The settings were accepted and the configuration appears to be working: "If you are using a Gluu server as your OpenID Provider, you can make sure everything is configured properly by logging into to your Gluu Server, navigate to the OpenID Connect > Clients page. Search for your oxd id. If it's present in the OP, everything worked." -- I can see the Client ID in the Clients page (see screenshot).

![](https://photos.app.goo.gl/WpTQBVLkxgEq3d3UA)

As in the https://www.youtube.com/watch?v=RfDrhGQ185M&feature=youtu.be video, I expect to be routed to the /oxauth/login page on the Gluu server when I click "Login by OpenID Provider" button.

## Actual Behavior

Nothing at all happens when I click the "Login by OpenID Provider" button on the wp-admin login page. I can still log into the site by clicking "show login form" and using my usual login. I also cannot browse /oxauth/login directly: I get a 404.

By Steve Sirag user 17 Oct 2018 at 3:34 p.m. CDT

Screenshot:

By William Lowe user 18 Oct 2018 at 10:45 a.m. CDT

Hi Steve, Can you also send a screenshot of your oxd settings in WordPress? Thanks! Will

By William Lowe user 18 Oct 2018 at 10:49 a.m. CDT

Oh.. I think I see the issue in your previous screenshot. Your site login setting field in the WP plugin should have `.../wp-admin` included at the end. So it should be like: `https://example.com/wp-admin`

Sorry, docs weren't clear enough on this. I just updated them.

By Steve Sirag user 18 Oct 2018 at 10:58 a.m. CDT

Yeah... I tried that as well... same result... Here are the full settings... [cid:image001.png@01D466D9.E82FCC50]

By William Lowe user 18 Oct 2018 at 11:06 a.m. CDT

Looks like it didn't come through properly.

By Steve Sirag user 18 Oct 2018 at 11:09 a.m. CDT

Screenshot of oxd https extension settings in OpenID plugin

By William Lowe user 18 Oct 2018 at 11:15 a.m. CDT

Can you try dropping the `.php` from the end of the wp-admin?

By Steve Sirag user 18 Oct 2018 at 11:17 a.m. CDT

Same result.

By William Lowe user 18 Oct 2018 at 11:29 a.m. CDT

Hmm, looks like everything is set up properly. Can you confirm that when you made the above changes to the WP admin URL, you re-registered the client? That is, did you simply edit and update or did you delete and re-register? If you did the former, perhaps you can try the latter?

By Jajati Badu Account Admin 18 Oct 2018 at 12:46 p.m. CDT

Hi Steve, Could you please share the updated oxd settings you have in WordPress? Also you can try again by deleting the settings and do a new setup client by entering valid values.

By Steve Sirag user 18 Oct 2018 at 12:52 p.m. CDT

Same result...

By Jajati Badu Account Admin 18 Oct 2018 at 12:54 p.m. CDT

Please share the oxd settings screenshot

By Steve Sirag user 18 Oct 2018 at 1:04 p.m. CDT

I've also tried wp-login and wp-login.php at the end of the login string, as WP forwards wp-admin to wp-login... Oxd config json in screenshot:

By William Lowe user 18 Oct 2018 at 1:20 p.m. CDT

oxd doesn't seem to be the issue. Your WP client is being registered in the OP, so that indicates oxd is working as expected. I'm wondering if maybe the structure of your domain is confusing the WP plugin.

I have an idea for you to test though.. in the `OpenID Connect Configuration` tab in the plugin, navigate down to Authentication settings and check the box for `Bypass the local WordPress login page and send users straight to the OP for authentication`

When you navigate to `mywordpress.com/wp-admin` the new setting should kick you directly to your Gluu server. Try it in an incognito browser..

By Steve Sirag user 18 Oct 2018 at 1:48 p.m. CDT

Interesting: when I do the bypass, I see this at the top of the plugin screen: "Can not connect to the oxd server. Please check the oxd-config.json file to make sure you have entered the correct port and the oxd server is operational." The checkbox stays checked, however. In incognito browser, I just get a blank page now...still on cdn-poc.wp.eresources.com site, not redirected. I checked both oxd-server and oxd-https-extension after that, and also deleted and re-registered (successfully) the plugin, and tried again... same result... with the new ClientID also showing in the Gluu server...see screenshots

By Steve Sirag user 18 Oct 2018 at 1:48 p.m. CDT

blank...

By Steve Sirag user 18 Oct 2018 at 1:48 p.m. CDT

service status

By William Lowe user 18 Oct 2018 at 1:55 p.m. CDT

Which version of oxd are you using?

By Steve Sirag user 18 Oct 2018 at 1:56 p.m. CDT

3.1.3-8~xenial+Ub16.04

By Steve Sirag user 18 Oct 2018 at 1:58 p.m. CDT

That was the version that installed when I executed the following:

```
echo "deb https://repo.gluu.org/ubuntu/ xenial main" > /etc/apt/sources.list.d/gluu-repo.list
curl https://repo.gluu.org/ubuntu/gluu-apt.key | apt-key add -
apt-get update
apt-get install oxd-server
```

By William Lowe user 18 Oct 2018 at 2 p.m. CDT

Right, OK. There could be a compatibility issue between oxd 3.1.3 and Gluu 3.1.4. We're going to check internally. We're also finishing QA on oxd 3.1.4 now. It should be released next week. Sorry for the trouble. Keeping all the different versions of software compatible can be tricky!

By Steve Sirag user 18 Oct 2018 at 2:03 p.m. CDT

I am seeing this in the oxd-server.log file:

```
2018-10-18 15:00:25,499 TRACE [org.xdi.oxd.server.service.IntrospectionService] Trying to handle compatibility issue ...
2018-10-18 15:00:25,499 TRACE [org.xdi.oxd.server.service.HttpService] Created TRUST_ALL client.
2018-10-18 15:00:25,500 DEBUG [org.xdi.oxd.server.service.UmaTokenService] PAT from site configuration, PAT: dbcd4e2c-c51b-41d5-8508-23f786757188
2018-10-18 15:00:25,508 ERROR [org.xdi.oxd.server.Processor] org.codehaus.jackson.map.exc.UnrecognizedPropertyException: Unrecognized field "scope" (Class org.xdi.oxd.server.introspection.BackCompatibleIntrospectionResponse), not marked as ignorable
 at [Source: org.jboss.resteasy.client.core.BaseClientResponse$InputStreamWrapper@416e16d2; line: 1, column: 344] (through reference chain: org.xdi.oxd.server.introspection.BackCompatibleIntrospectionResponse["scope"])
org.jboss.resteasy.spi.ReaderException: org.codehaus.jackson.map.exc.UnrecognizedPropertyException: Unrecognized field "scope" (Class org.xdi.oxd.server.introspection.BackCompatibleIntrospectionResponse), not marked as ignorable
 at [Source: org.jboss.resteasy.client.core.BaseClientResponse$InputStreamWrapper@416e16d2; line: 1, column: 344] (through reference chain: org.xdi.oxd.server.introspection.BackCompatibleIntrospectionResponse["scope"])
    at org.jboss.resteasy.client.core.BaseClientResponse.readFrom(BaseClientResponse.java:477)
    at org.jboss.resteasy.client.core.BaseClientResponse.getEntity(BaseClientResponse.java:390)
    at org.jboss.resteasy.client.core.BaseClientResponse.getEntity(BaseClientResponse.java:361)
    at org.jboss.resteasy.client.core.extractors.BodyEntityExtractor.extractEntity(BodyEntityExtractor.java:64)
    at org.jboss.resteasy.client.core.ClientInvoker.invoke(ClientInvoker.java:128)
    at org.jboss.resteasy.client.core.ClientProxy.invoke(ClientProxy.java:89)
    at com.sun.proxy.$Proxy37.introspectToken(Unknown Source)
    at org.xdi.oxd.server.service.IntrospectionService.introspectToken(IntrospectionService.java:64)
    at org.xdi.oxd.server.service.IntrospectionService.introspectToken(IntrospectionService.java:38)
    at org.xdi.oxd.server.service.ValidationService.introspect(ValidationService.java:144)
    at org.xdi.oxd.server.service.ValidationService.validate(ValidationService.java:117)
    at org.xdi.oxd.server.service.ValidationService.validate(ValidationService.java:49)
    at org.xdi.oxd.server.Processor.process(Processor.java:74)
    at org.xdi.oxd.server.Processor.process(Processor.java:51)
    at org.xdi.oxd.server.SocketProcessor.run(SocketProcessor.java:55)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: org.codehaus.jackson.map.exc.UnrecognizedPropertyException: Unrecognized field "scope" (Class org.xdi.oxd.server.introspection.BackCompatibleIntrospectionResponse), not marked as ignorable
 at [Source: org.jboss.resteasy.client.core.BaseClientResponse$InputStreamWrapper@416e16d2; line: 1, column: 344] (through reference chain: org.xdi.oxd.server.introspection.BackCompatibleIntrospectionResponse["scope"])
    at org.codehaus.jackson.map.exc.UnrecognizedPropertyException.from(UnrecognizedPropertyException.java:53)
    at org.codehaus.jackson.map.deser.StdDeserializationContext.unknownFieldException(StdDeserializationContext.java:267)
    at org.codehaus.jackson.map.deser.std.StdDeserializer.reportUnknownProperty(StdDeserializer.java:673)
    at org.codehaus.jackson.map.deser.std.StdDeserializer.handleUnknownProperty(StdDeserializer.java:659)
    at org.codehaus.jackson.map.deser.BeanDeserializer.handleUnknownProperty(BeanDeserializer.java:1365)
    at org.codehaus.jackson.map.deser.BeanDeserializer._handleUnknown(BeanDeserializer.java:725)
    at org.codehaus.jackson.map.deser.BeanDeserializer.deserializeFromObject(BeanDeserializer.java:703)
    at org.codehaus.jackson.map.deser.BeanDeserializer.deserialize(BeanDeserializer.java:580)
    at org.codehaus.jackson.map.ObjectMapper._readValue(ObjectMapper.java:2704)
    at org.codehaus.jackson.map.ObjectMapper.readValue(ObjectMapper.java:1315)
    at org.codehaus.jackson.jaxrs.JacksonJsonProvider.readFrom(JacksonJsonProvider.java:419)
    at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.readFrom(AbstractReaderInterceptorContext.java:66)
    at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:56)
    at org.jboss.resteasy.client.core.BaseClientResponse.readFrom(BaseClientResponse.java:442)
    ... 17 more
2018-10-18 15:00:25,508 TRACE [org.xdi.oxd.server.Processor] Send back response: {"status":"error","data":{"error":"internal_error","details":null,"error_description":"Unknown internal server error occurs."}}
2018-10-18 15:00:25,508 ERROR [org.xdi.oxd.server.SocketProcessor] Quit. Enable to process command.
```

By Steve Sirag user 18 Oct 2018 at 2:08 p.m. CDT

Also: seeing "missing claim" when browsing to the Login Redirect URI (gleaned from the client details in Gluu): https://cdn-poc.wp.eresources.com/index.php?option=oxdOpenId

By Steve Sirag user 18 Oct 2018 at 2:12 p.m. CDT

Full oxd-server.log: https://drive.google.com/open?id=1YFSJBq_-U5JEQj5VdsBVjzVfJ9TLdA7r

By William Lowe user 18 Oct 2018 at 2:15 p.m. CDT

> Also: seeing "missing claim" when browsing to the Login Redirect URI (gleaned from the client details in Gluu):

Is the `email` scope being released to this Client in Gluu?

By Steve Sirag user 18 Oct 2018 at 2:51 p.m. CDT

I haven't configured anything besides defaults... not even sure where to look...

By William Lowe user 18 Oct 2018 at 3 p.m. CDT

Go into Gluu admin UI, open the specific OpenID Connect Client, and add the email scope. See my screenshot below. https://trello-attachments.s3.amazonaws.com/4fedf4163db720c7341e4449/5bc8e6198713690a3a6eeff0/df702f5e25e8802d64cb9f0f6f904b14/image.png

By Steve Sirag user 18 Oct 2018 at 3:06 p.m. CDT

Scope added... no improvement.

By Ganesh Dutt Sharma Account Admin 19 Oct 2018 at 2:07 p.m. CDT

My two cents. Steve, can you tell us which user name you are using for logging in? Is it failing for all users or just admin user?

By Steve Sirag user 19 Oct 2018 at 2:15 p.m. CDT

I never get to the point of logging in at all... the login form never appears. I just get loaded directly back to the wp-admin page with no intermediary activity.

By Ganesh Dutt Sharma Account Admin 19 Oct 2018 at 2:37 p.m. CDT

Also, can you please send us wordpress specific apache error logs as well?

By Steve Sirag user 19 Oct 2018 at 2:50 p.m. CDT

Apache access log:

```
10.0.15.118 - - [19/Oct/2018:15:49:08 -0400] "GET /wp-login.php?redirect_to=https%3A%2F%2Fcdn-poc.wp.eresources.com%2Fwp-admin%2F&reauth=1 HTTP/1.1" 200 3842 "https://cdn-poc.wp.eresources.com/wp-login.php?redirect_to=https%3A%2F%2Fcdn-poc.wp.eresources.com%2Fwp-admin%2F&reauth=1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 OPR/56.0.3051.52"
127.0.0.1 - - [19/Oct/2018:15:49:09 -0400] "GET /favicon.ico HTTP/1.1" 200 131 "https://cdn-poc.wp.eresources.com/wp-login.php?redirect_to=https%3A%2F%2Fcdn-poc.wp.eresources.com%2Fwp-admin%2F&reauth=1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 OPR/56.0.3051.52"
^C
```

Apache error log:

```
[Fri Oct 19 15:47:26.060262 2018] [proxy_fcgi:error] [pid 12202] [client 173.73.33.49:50522] AH01071: Got error 'PHP message: PHP Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; WP_User_Search has a deprecated constructor in /var/www/vhosts/cdn-poc.eresources.com/public_html/wp-admin/includes/deprecated.php on line 326\n', referer: https://cdn-poc.wp.eresources.com/wp-admin/admin.php?page=oxd_openid_settings&tab=register
[Fri Oct 19 15:47:50.538018 2018] [proxy_fcgi:error] [pid 11449] (70007)The timeout specified has expired: [client 173.73.33.49:50472] AH01075: Error dispatching request to : (polling), referer: https://cdn-poc.wp.eresources.com/wp-login.php?redirect_to=https%3A%2F%2Fcdn-poc.wp.eresources.com%2Fwp-admin%2F&reauth=1
```

By Steve Sirag user 22 Oct 2018 at 2:20 p.m. CDT

Any update?

By Jajati Badu Account Admin 26 Oct 2018 at 5:16 a.m. CDT

Hi Steve,

We tested oxd 3.1.3 with Gluu server 3.1.4 and it is confirmed that there is a compatibility issue between both. So I would suggest you try with oxd 3.1.4, and the WordPress plugin will work fine with oxd/Gluu 3.1.4. If you face any problem please let us know.

oxd 3.1.4 is not officially released yet. But you can try this from the following URL: https://github.com/GluuFederation/docs-oxd-prod/blob/3.1.4/3.1.4/sources/install/index.md

Jajati

By Steve Sirag user 26 Oct 2018 at 4:36 p.m. CDT

I purged oxd-server and then followed the instructions from https://github.com/GluuFederation/docs-oxd-prod/blob/3.1.4/3.1.4/sources/install/index.md

For Ubuntu 16.04:

```
echo "deb https://repo.gluu.org/ubuntu/ xenial main" > /etc/apt/sources.list.d/gluu-repo.list
curl https://repo.gluu.org/ubuntu/gluu-apt.key | apt-key add -
apt-get update
apt-get install oxd-server
```

It installed version 3.1.3 again:

```
dpkg -l | grep oxd
ii oxd-server 3.1.3.1-16~xenial+Ub16.04 all plugins for OpenID and UMA
```

Please advise

By Steve Sirag user 30 Oct 2018 at 3:05 p.m. CDT

OK... now oxd-server is upgraded to 3.1.4... getting a new error:

In the browser, after configuration Wordpress plugin:

```
Error: call to URL https://vva-er-gluu.eresources.com:8443/setup-client failed with status 500, response Command response is null, please check oxd-server.log file of oxd-server application., curl_error , curl_errno 0
```

From oxd-server.log:

```
2018-10-30 15:55:08,496 TRACE [org.xdi.oxd.server.Processor] Command: {"command":"get_client_token","params":{"scope":null,"algorithm":null,"client_id":"@!BD71.78A2.3E61.821D!0001!51D5.A9C9!0008!1BBD.DBF4.F286.A646","":"ca56d277-bd3e-4be1-af0c-282c827d2d85","op_host":"https://vva-er-gluu.eresources.com","op_discovery_path":null,"authentication_method":null,"key_id":null}}
2018-10-30 15:55:08,499 TRACE [org.xdi.oxd.server.service.HttpService] Created TRUST_ALL client.
2018-10-30 15:55:08,522 ERROR [org.xdi.oxd.server.op.GetClientTokenOperation] access_token is blank in response, params: GetClientTokenParams{clientId='@!BD71.78A2.3E61.821D!0001!51D5.A9C9!0008!1BBD.DBF4.F286.A646', opHost='https://vva-er-gluu.eresources.com', opDiscoveryPath='null', scope=null, authenticationMethod='null', algorithm='null', keyId='null'}, response: org.xdi.oxauth.client.TokenResponse@5b2f83b4
```

By Yuriy Zabrovarnyy staff 31 Oct 2018 at 6:13 a.m. CDT

First thing to make sure is that during `setup_client` or `register_site` grant_type `client_credentials` value is present. If it is present then there must be some mis-configuration which has to be investigated since in this particular request AS (oxauth) didn't return `access_token`.

* please give full `oxd-server.log` file (with TRACE log level)
* full `oxauth.log` (with TRACE log level)

Thanks,
Yuriy Z
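Added example (not part of the thread, and not Gluu's code): a small triage script for `oxd-server.log` that groups stack-trace lines with their entry, labels the two ERROR signatures seen in this ticket, and masks UUID-shaped token values before an excerpt is shared. The sample log is constructed and abridged from the excerpts above; the function names and the diagnosis wording are assumptions.

```python
import re

# Constructed sample, abridged from the oxd-server.log excerpts in this thread.
# The PAT value and OP host are placeholders, not values from the ticket.
SAMPLE_LOG = '''\
2018-10-18 15:00:25,500 DEBUG [org.xdi.oxd.server.service.UmaTokenService] PAT from site configuration, PAT: 00000000-1111-2222-3333-444444444444
2018-10-18 15:00:25,508 ERROR [org.xdi.oxd.server.Processor] org.codehaus.jackson.map.exc.UnrecognizedPropertyException: Unrecognized field "scope" (Class org.xdi.oxd.server.introspection.BackCompatibleIntrospectionResponse), not marked as ignorable
    at org.jboss.resteasy.client.core.BaseClientResponse.readFrom(BaseClientResponse.java:477)
2018-10-18 15:00:25,508 ERROR [org.xdi.oxd.server.SocketProcessor] Quit. Enable to process command.
2018-10-30 15:55:08,522 ERROR [org.xdi.oxd.server.op.GetClientTokenOperation] access_token is blank in response, params: GetClientTokenParams{opHost='https://op.example.test', scope=null}
'''

ENTRY_START = re.compile(
    r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (\w+)\s+\[([^\]]+)\] (.*)$')
UNKNOWN_FIELD = re.compile(
    r'UnrecognizedPropertyException: Unrecognized field "([^"]+)" \(Class ([\w.$]+)\)')
UUID = re.compile(r'\b[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\b')


def redact(text):
    """Mask UUID-shaped values (for example the PAT) before sharing a log."""
    return UUID.sub("<redacted-uuid>", text)


def parse_entries(text):
    """Split the log into entries; lines without a timestamp join the previous entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_START.match(line)
        if m:
            ts, level, logger, msg = m.groups()
            entries.append({"ts": ts, "level": level, "logger": logger,
                            "message": msg, "trace": []})
        elif entries and line.strip():
            entries[-1]["trace"].append(line.strip())
    return entries


def diagnose(entry):
    """Map an ERROR entry to a next step taken from the replies in this thread."""
    m = UNKNOWN_FIELD.search(entry["message"])
    if m:
        field, cls = m.groups()
        return (f'response schema mismatch: {cls.rsplit(".", 1)[-1]} has no '
                f'"{field}" field; compare oxd and OP versions')
    if "access_token is blank in response" in entry["message"]:
        return ("token endpoint returned no access_token; confirm the client "
                "has the client_credentials grant type")
    return "unclassified error"


def triage(text):
    """Return (timestamp, short logger name, diagnosis) for every ERROR entry."""
    return [(e["ts"], e["logger"].rsplit(".", 1)[-1], diagnose(e))
            for e in parse_entries(redact(text)) if e["level"] == "ERROR"]


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(" | ".join(row))
```
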

By Steve Sirag user 31 Oct 2018 at 1:42 p.m. CDT

OK... after setting the logs to trace and restarting all services, it now proceeded to register. After browsing to wp-admin, it would allow me to log in at the Gluu server, but then on return to the Wordpress site I received this error:

Missing claim : (email). Please talk to your organizational system administrator.

The only 3 scopes configured in the plugin are the default ones (openid, profile, email), and the scopes are showing in the Gluu config as well. The user I'm using for testing is a native Gluu user configured with email address.

Screenshot: https://photos.app.goo.gl/hvwCaCY8rtC8jr2n9

Please assist.

By William Lowe user 02 Nov 2018 at 6:03 a.m. CDT

This means the scope isn't being passed from the Gluu Server. There are two things to check, both in oxTrust:

1. Check the OpenID Connect client, and make sure the scope is included in the scopes being released.
2. Go into OpenID Connect > Scopes, and make sure the email scope is set to `true` for `Allow for dynamic registration`.

Thanks,
Will

By William Lowe user 02 Nov 2018 at 6:22 a.m. CDT

Also, make sure the Gluu Server user you are testing with does **not** have the same email address as the WP admin user.. i.e. if WP admin user's email is xyz@example.com, make sure the user(s) you are testing with do not have xyz@example.com as their email in Gluu. I noticed that created some role conflict issues.

By William Lowe user 13 Nov 2018 at 3:57 a.m. CST

Have you been able to find a solution, Steve?

By Steve Sirag user 19 Nov 2018 at 10:59 a.m. CST

I've had to backburner this issue...I'll get back to it later...closing the case for now.