By: tuan agile user 06 Dec 2019 at 10:29 a.m. CST

4 Responses
Hi everyone! I'm using Gluu 4.0.Final! I read the docs at: https://gluu.org/docs/ce/api-guide/openid-connect-api/#requestuserinfoget Please, help me! Thank you so much!

#### **My issue:**

I get the access_token: OK! But when I use the access_token, Gluu always responds:

```
{
  "reason": "Missed openid scope.",
  "error_description": "The request requires higher privileges than provided by the access token.",
  "error": "insufficient_scope"
}
```

**1. Images:**

- My Gluu client + scopes configurations: https://drive.google.com/open?id=1Rqomk4zb2cmvdNgz3HrY0MZkLeCqZE9J
- requestAccessToken: https://drive.google.com/open?id=1KNV-gVUXVevflL3pRCZ4quIKNoeDy7PD
- requestUserInfoPost: https://drive.google.com/open?id=1PUIM2OMfJkNeh7bVTys526Ud-PTkH6ng

**2. Demo page:**

My domain: https://gluu.agileviet.vn/ user: `admin` pass: `%tE857FwvWO&`

**3. Below are the Postman sessions:**

3.1. requestAccessToken

```
POST /oxauth/restv1/token HTTP/1.1
Host: gluu.agileviet.vn
Content-Type: application/x-www-form-urlencoded
Authorization: Basic NjU3NDIwNjktMzdlOC00YWMzLWI4ZWItNzY1MWE2NWNlNWZhOnJPY21qTlEyMFF2VHRmRDlZcXEzcjVJSg==
User-Agent: PostmanRuntime/7.20.1
Accept: */*
Cache-Control: no-cache
Postman-Token: 7a5e6dfe-aefa-47e2-aa95-d38dbc7c97b8,3c7d616a-6912-4c63-a8e7-968f62318cd4
Host: gluu.agileviet.vn
Accept-Encoding: gzip, deflate
Content-Length: 60
Connection: keep-alive
cache-control: no-cache

grant_type=password&username=admin&password=%25tE857FwvWO%26
```

3.2. requestUserInfoPost

```
GET /oxauth/restv1/userinfo?access_token=277b866a-af98-4edb-8295-be1136fdbd41 HTTP/1.1
Host: gluu.agileviet.vn
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
User-Agent: PostmanRuntime/7.20.1
Accept: */*
Cache-Control: no-cache
Postman-Token: b917e6c3-8750-4fed-b024-c0f717fc876a,c20529bd-2670-43c5-997f-009537804870
Host: gluu.agileviet.vn
Accept-Encoding: gzip, deflate
Content-Length: 0
Connection: keep-alive
cache-control: no-cache
```

By Aliaksandr Samuseu staff 06 Dec 2019 at 10:46 a.m. CST

Hi. If you need access to `/userinfo` you need to request "openid" scope. Your token request doesn't specify any scopes at all. Should carry something like this in its body: `grant_type=password&username=admin&password=1q2w3e4r&scope=openid+profile+email+user_name`
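
The corrected exchange, as an added example that is not part of the thread or of Gluu's own code: it builds the password-grant token request with a `scope` field (the fix in the reply above), builds the `/userinfo` request with the token as a bearer header rather than a query parameter, and simulates the scope check behind the `insufficient_scope` error. The host, client id, client secret, credentials and the 403 status are placeholders or assumptions, not values from the thread.

```python
"""Placeholder client for the flow discussed in this thread: a password-grant
token request that names the scopes, followed by the /userinfo call. Added
example, not code from the thread or from Gluu; host, client id, client
secret and credentials below are constructed placeholders."""
import base64
from urllib.parse import urlencode, parse_qs

# Constructed placeholders (not the values from the thread).
GLUU_HOST = "gluu.example.com"
CLIENT_ID = "my-client-id"
CLIENT_SECRET = "my-client-secret"
TOKEN_PATH = "/oxauth/restv1/token"
USERINFO_PATH = "/oxauth/restv1/userinfo"


def build_token_request(username, password, scopes):
    """Build headers and form body for POST /oxauth/restv1/token (password grant).

    The fix from the reply above is the `scope` field: without `openid` the
    resulting token is not accepted by /userinfo. urlencode() percent-escapes
    characters such as '%' and '&' in the password so they cannot be read as
    form delimiters (the thread's own request shows the same escaping).
    """
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {
        "Host": GLUU_HOST,
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": f"Basic {basic}",
    }
    body = urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
        "scope": " ".join(scopes),  # RFC 6749: space-separated, so '+' on the wire
    })
    return headers, body


def form_field(body, name):
    """Decode one field back out of a form body (used to verify the escaping)."""
    return parse_qs(body)[name][0]


def build_userinfo_request(access_token):
    """Headers for GET /oxauth/restv1/userinfo.

    The thread's request put the token in the query string; sending it as an
    RFC 6750 bearer header instead keeps it out of access logs and Referers.
    """
    return {"Host": GLUU_HOST, "Authorization": f"Bearer {access_token}"}


def userinfo_scope_check(granted_scopes):
    """Simulate the server-side check behind the thread's error.

    Returns (status, body). The 403 status is an assumption taken from
    RFC 6750 for insufficient_scope; the body mirrors the error in the thread.
    """
    if "openid" not in granted_scopes:
        return 403, {
            "reason": "Missed openid scope.",
            "error_description": "The request requires higher privileges "
                                 "than provided by the access token.",
            "error": "insufficient_scope",
        }
    # A real response carries the claims permitted by the granted scopes.
    return 200, {"sub": "placeholder-subject"}


if __name__ == "__main__":
    hdrs, body = build_token_request("admin", "p%ss&word",
                                     ["openid", "profile", "email", "user_name"])
    print(f"POST {TOKEN_PATH}", hdrs, body, sep="\n")
    print(f"GET {USERINFO_PATH}", build_userinfo_request("placeholder-token"))
    print(userinfo_scope_check(["profile"]))           # the thread's failure
    print(userinfo_scope_check(["openid", "profile"]))  # after adding openid
```

Run it with `python3` to see the two request shapes side by side; the only difference that matters for the error in this thread is the `scope=openid+...` field in the token body.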

By Michael Schwartz Account Admin 06 Dec 2019 at 11:03 a.m. CST

Also, be aware that in future versions, by default, we may not allow the `openid` scope for the `password` grant type. The `openid` scope implies that the user has authorized... which you have not done if you are using the `password` grant type. In fact, you have degraded the user's security by enabling the application to see the user's password (the anti-pattern of federated identity).

By tuan agile user 06 Dec 2019 at 11:05 a.m. CST

Thank you @Aliaksandr.Samuseu very much! You save my day and my life! GOD bless you!

By tuan agile user 06 Dec 2019 at 11:06 a.m. CST

Thank you @Michael.Schwartz! I noted! Thank you all, have good day!