By: Ahmet Soormally user 21 Jun 2020 at 8:07 a.m. CDT

6 Responses
I am trying to login with Gluu. My app is redirecting me to the authorize url with the following params:

```
curl -s -k https://{SERVER}/oxauth/restv1/authorize\?client_id=dashboard.ahmet\&redirect_uri=http%3A%2F%2Flocalhost%3A3010%2Fauth%2Ftyk-dashboard-gluu%2Fopenid-connect%2Fcallback\&response_type=code\&scope=openid+email
{"error":"unauthorized_client","error_description":"The client is not authorized to request an access token using this method."}
```

Any advice please? I believe I've created my client incorrectly inside Gluu Server:

By Ahmet Soormally user 21 Jun 2020 at 6:42 p.m. CDT

Hi Mike, I've edited my host file so that the redirect is to `tib.ahmet` rather than `localhost`. `authorization_code` was enabled - I also enabled ALL the others just in case

```
Inum: @!13B5.EFF1.0299.12E3!0001!1C18.E713!0008!E70E.F7CE.88BF.AD3F
Application Type: WEB
Pre-Authorization: TRUE
Response Types: code, id_token, token,
Grant Types: authorization_code, refresh_token, implicit
Scopes: email, openid, profile
Logout Session Required: FALSE
Include Claims In Id Token: FALSE
Client Name: dashboard.ahmet
Client Secret: kjhasdf987sadfkjasdf987
Persist Client Authorizations: FALSE
Subject Type: PAIRWISE
Authentication method for the Token Endpoint: CLIENT_SECRET_BASIC
Redirect Login URIs: http://tib.ahmet:3010/auth/tyk-dashboard-gluu/openid-connect/callback
Disabled: false
Client's Registration Expires: Mon Jun 22 00:00:00 UTC 2020
```

In terms of the oxauth.log, nothing shows when I get redirected to this page (when tailing the file) - only logs I see are when I log into the Admin UI which is unrelated.
```
2020-06-21 23:37:30,576 INFO [qtp804611486-12] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:533) - Attempting to redirect user: SessionUser: SessionState {dn='oxAuthSessionId=ac1c19d6-b99a-430c-a4e0-4a77233f1eb2,ou=session,o=@!13B5.EFF1.0299.12E3!0001!1C18.E713,o=gluu', id='ac1c19d6-b99a-430c-a4e0-4a77233f1eb2', lastUsedAt=Sun Jun 21 23:37:30 UTC 2020, userDn='inum=@!13B5.EFF1.0299.12E3!0001!1C18.E713!0000!A8F2.DE1E.D7FB,ou=people,o=@!13B5.EFF1.0299.12E3!0001!1C18.E713,o=gluu', authenticationTime=Sun Jun 21 23:37:30 UTC 2020, state=authenticated, sessionState='1d189ac6-2a74-4af1-87e7-4ff6940ff87c', permissionGranted=null, isJwt=false, jwt=null, permissionGrantedMap=org.xdi.oxauth.model.common.SessionIdAccessMap@7f8af5f6, involvedClients=null, sessionAttributes={auth_step=1, acr=auth_ldap_server, remote_ip=94.10.80.197, auth_external_attributes=null, auth_user=admin, scope=openid profile email user_name, acr_values=auth_ldap_server, response_type=code, redirect_uri=https://{SERVER}/identity/authentication/getauthcode, state=2e0a6149-4fc1-4e35-b5a7-53c0bea0244d, nonce=a98ed01c-b0f0-4bb9-89b9-9e6ff716de0b, client_id=@!13B5.EFF1.0299.12E3!0001!1C18.E713!0008!8BA1.CE5C}, persisted=true}
2020-06-21 23:37:30,578 INFO [qtp804611486-12] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:541) - Attempting to redirect user: User: org.xdi.oxauth.model.common.User@3d57ccc7
2020-06-21 23:37:30,580 INFO [qtp804611486-12] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:365) - Authentication success for User: 'admin'
2020-06-21 23:37:30,761 INFO [qtp804611486-18] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:224) - Authentication success for Client: '@!13B5.EFF1.0299.12E3!0001!1C18.E713!0008!8BA1.CE5C'
```

By Aliaksandr Samuseu staff 22 Jun 2020 at 10:25 a.m. CDT

Hi, Ahmet. Thanks for the data. From the look of it, your `redirect_uri` in the request doesn't match the one you have assigned to this client in Gluu Server (hostnames are different). These URIs must match character by character. Also, please note that, unless the hostname is "localhost" or the like, you must use the `https://` URI scheme in `redirect_uri`. It may let you use `http://` in earlier packages, but in 4.x https usage is enforced.

By Ahmet Soormally user 22 Jun 2020 at 1:13 p.m. CDT

Sorry for being a pain... I now have a self-signed certificate for https://tib.ahmet & as such, am using https for the redirect URI.

I try to login, my client redirects me to gluu as follows:

```
https://{GLUU-SERVER}/oxauth/restv1/authorize?client_id=dashboard.ahmet&redirect_uri=https%3A%2F%2Ftib.ahmet%3A3010%2Fauth%2Ftyk-dashboard-gluu%2Fopenid-connect%2Fcallback&response_type=code&scope=openid+email&state=state
```

Gluu returns the error:

```
{"error":"unauthorized_client","error_description":"The client is not authorized to request an access token using this method.","state":"state"}
```

My client config summary is as follows:

```
Inum: @!13B5.EFF1.0299.12E3!0001!1C18.E713!0008!CDD5.F538.D16E.0501
Application Type: WEB
Pre-Authorization: FALSE
Response Types: code
Grant Types: authorization_code
Scopes: email profile openid
Logout Session Required: FALSE
Include Claims In Id Token: FALSE
Client Name: dashboard.ahmet
Client Secret: UsSpbMw67OdYWe7hvDV1Vef3
Persist Client Authorizations: TRUE
Subject Type: PAIRWISE
Authentication method for the Token Endpoint: CLIENT_SECRET_BASIC
Redirect Login URIs: https://tib.ahmet:3010/auth/tyk-dashboard-gluu/openid-connect/callback
Disabled: false
Client's Registration Expires: Tue Jun 23 00:00:00 UTC 2020
```

By Aliaksandr Samuseu staff 22 Jun 2020 at 2:36 p.m. CDT

My guess is this is probably the cause:

```
client_id=dashboard.ahmet
```

Client id should be your client's inum instead: `@!13B5.EFF1.0299.12E3!0001!1C18.E713!0008!CDD5.F538.D16E.0501`

By Ahmet Soormally user 22 Jun 2020 at 3:10 p.m. CDT

Excellent! So the `client_id` is the `inum`. I can log in now - many thanks for your help.
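
The three causes raised in this thread (client name sent as `client_id` instead of the inum, a `redirect_uri` that does not match the registration character by character, and `http://` on a non-localhost host) can be checked before sending the request. The following is an added example, not part of the original thread and not Gluu's code; `check_authorize_request`, the `client` dict layout, the `gluu.example` host and the sample inum are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Hosts allowed to keep http:// (assumption: the thread says '"localhost" or the like').
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample registration; the inum is a placeholder, not a real client.
SAMPLE_CLIENT = {
    "inum": "@!0000.EXAMPLE!0008!AAAA",
    "redirect_uris": ["https://tib.ahmet:3010/auth/tyk-dashboard-gluu/openid-connect/callback"],
    "response_types": ["code"],
    "scopes": ["email", "profile", "openid"],
}
# Constructed request shaped like the failing one in the thread (client name as client_id).
SAMPLE_URL = (
    "https://gluu.example/oxauth/restv1/authorize?client_id=dashboard.ahmet"
    "&redirect_uri=https%3A%2F%2Ftib.ahmet%3A3010%2Fauth%2Ftyk-dashboard-gluu"
    "%2Fopenid-connect%2Fcallback&response_type=code&scope=openid+email&state=state"
)

def check_authorize_request(authorize_url, client):
    """Return a list of mismatches between an authorize URL and a client registration."""
    # parse_qs percent-decodes values and turns '+' into a space.
    params = {k: v[0] for k, v in parse_qs(urlsplit(authorize_url).query).items()}
    problems = []
    client_id = params.get("client_id", "")
    if client_id != client["inum"]:
        problems.append(f"client_id {client_id!r} is not the client's inum")
    redirect_uri = params.get("redirect_uri", "")
    # Exact string comparison: no normalisation of case, port or trailing slash.
    if redirect_uri not in client["redirect_uris"]:
        problems.append(f"redirect_uri {redirect_uri!r} is not registered")
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" and parts.hostname not in LOOPBACK_HOSTS:
        problems.append("redirect_uri must use https:// for non-localhost hosts")
    requested_types = set(params.get("response_type", "").split())
    if not requested_types <= set(client["response_types"]):
        problems.append(f"response_type {sorted(requested_types)} not enabled")
    extra_scopes = set(params.get("scope", "").split()) - set(client["scopes"])
    if extra_scopes:
        problems.append(f"scope {sorted(extra_scopes)} not assigned to the client")
    return problems

if __name__ == "__main__":
    for problem in check_authorize_request(SAMPLE_URL, SAMPLE_CLIENT):
        print(problem)
```
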