By: yoom nguyen user 04 Jun 2015 at 1:19 p.m. CDT

43 Responses
We are trying to validate a design concept with Gluu and the ID Token and ran into a problem. Wondering if anyone can shed some light on how to go from here. Created a custom scope with a built-in claim (birthdate, manager). The scope was added to the client profile. When the ID_Token is sent back there are no claims (birthdate, manager) in the payload of the token. Also, when requesting the "profile" scope the claims being returned are just a subset of the full claim set even though the user has the attributes enabled under their profile. What are we missing? What is the correct syntax and LDAP attribute to search the LDAP to see whether the birthdate and manager attributes are indeed mapped/included in the scope and claim? Thanks, Yoom

By yoom nguyen user 09 Jun 2015 at 3:47 p.m. CDT

Anyone willing to take a stab at it and help troubleshoot this? Tried a number of scenarios with custom attributes/claims and no matter what we do the id_token does not contain any other claims besides what's listed below. According to the definition of the "profile" scope (profile being one of the scopes we request) we should be getting a lot more claims.

```
"iss":
"aud":
"exp":
"iat":
"sub":
"nonce":
"auth_time":
"oxValidationURI":
"oxOpenIDConnectVersion":
"user_name":
"email":
"name":
"family_name":
"given_name":
```

Thank You

By Mohib Zico Account Admin 11 Jun 2015 at 7:06 a.m. CDT

Yoom, We will look into it.

By yoom nguyen user 11 Jun 2015 at 12:37 p.m. CDT

Can I provide any LDAP query results or any log file? Thanks, Yoom

By yoom nguyen user 12 Jun 2015 at 11:06 p.m. CDT

Tried multiple ways to retrieve more claims/attributes, always with the same result. Even the profile scope does not return some of the attributes it contains. Below is the header output when using mod_auth_openidc:

```
Array
(
    [Host] => <HOST>
    [User-Agent] => Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0
    [Accept] => text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    [Accept-Language] => en-US,en;q=0.5
    [Accept-Encoding] => gzip, deflate
    [Referer] => https://idm.<DOMAIN>.com/oxauth/login
    [Cookie] => mod_auth_openidc_session=a1523aca-74bc-4f95-bb7c-de99cea34a7a
    [Connection] => keep-alive
    [Cache-Control] => max-age=0
    [OIDC_CLAIM_given_name] => <VALUE>
    [OIDC_CLAIM_sub] => @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912
    [OIDC_CLAIM_name] => <VALUE>
    [OIDC_CLAIM_family_name] => User
    [OIDC_CLAIM_user_name] => <VALUE>
    [OIDC_CLAIM_nonce] => qFfXPFJNXWNk9c2tsasiOxxll91IPL_vcslhICwznKA
    [OIDC_CLAIM_iss] => https://idm.<domain>.com
    [OIDC_CLAIM_iat] => 1434166875
    [OIDC_CLAIM_aud] => @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912
    [OIDC_CLAIM_exp] => 1434170475
    [OIDC_CLAIM_at_hash] => zLVHDJFHgqMdIHZOXWp1wA
    [OIDC_CLAIM_oxValidationURI] => https://idm.<domain>.com/oxauth/opiframe.seam
    [OIDC_CLAIM_oxOpenIDConnectVersion] => openidconnect-1.0
    [OIDC_access_token] => fc0da988-4dfa-4681-af2b-2cf0863c547c
    [OIDC_access_token_expires] => 1434170623
)
```

The LDAP search result for the client is below. It contains 2 built-in scopes, "openid profile", and our custom scope "securetype":

```
/home/gluu-server/opt/opendj/bin/ldapsearch -h localhost -p 1389 -D "cn=directory manager" -w <pass> -b "o=gluu" 'inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912'
dn: inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912,ou=clients,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu
oxAuthScope: inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0009!2329.B718,ou=scopes,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu
oxAuthScope: inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0009!F0C4,ou=scopes,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu
oxAuthScope: inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0009!43F1,ou=scopes,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu
oxAuthSubjectIdentifier: @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912
oxAuthAppType: web
oxLastAccessTime: 20150613034115.517Z
oxAuthResponseType: code
oxAuthResponseType: token
oxAuthResponseType: id_token
oxAuthClientSecret: HdUJNbcCCEtdTiWp4f7+K7OOlnMbXAfCvaUKC7FCfrM=
objectClass: oxAuthClient
objectClass: top
oxAuthTokenEndpointAuthMethod: client_secret_basic
oxAuthRedirectURI: https://172.16.1.121/example/redirect_uri
oxLastLogonTime: 20150613034115.517Z
oxAuthTrustedClient: true
displayName: client1
oxAuthIdTokenSignedResponseAlg: RS256
inum: @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912
```

The manually defined scope ID is the following one, and the LDAP info of that scope is below: @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0009!2329.B718

```
[root@idm ~]# /home/gluu-server/opt/opendj/bin/ldapsearch -h localhost -p 1389 -D "cn=directory manager" -w <pass> -b "o=gluu" 'inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0009!2329.B718'
dn: inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0009!2329.B718,ou=scopes,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu
oxAuthClaim: inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0005!42D8,ou=attributes,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu
oxAuthClaim: inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0005!CAE3,ou=attributes,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu
oxAuthClaim: inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0005!42E0,ou=attributes,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu
oxAuthClaim: inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0005!DB0E,ou=attributes,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu
objectClass: oxAuthCustomScope
objectClass: top
description: Default Secure Type Portal
displayName: securetype
defaultScope: false
inum: @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0009!2329.B718
```

By yoom nguyen user 15 Jun 2015 at 9:39 a.m. CDT

Mike and Zico, can you guys give us some insight on how to overcome our current problem? It has been a few weeks now and we are stuck with our evaluation process. I would like to get the Gluu product evaluation complete. Any help will be appreciated. Thanks much. Yoom

By Mohib Zico Account Admin 15 Jun 2015 at 10 a.m. CDT

Hi Yoom, It's in our ToDo list. We will check and get back to you. If you want priority support, you can take a look at our [VIP Support](http://www.gluu.org/gluu-server/pricing/) page. Kind regards, Zico

By Michael Schwartz Account Admin 23 Jun 2015 at 12:26 p.m. CDT

We did some testing. Here is what the engineer said:

For me there is no problem with the birthdate claim. I do the following:

1) Log into identity.
2) Add a new scope "birthdate" with claim "birthdate".
3) Add birthdate to the person entry.
4) Open client inventory.
5) Find the required client.
6) Add scope birthdate to the client entry.
7) Now we can try to execute the authorization request with

```java
List<ResponseType> responseTypes = Arrays.asList(ResponseType.CODE, ResponseType.ID_TOKEN);
List<String> scopes = Arrays.asList("openid", "birthdate");
```

8) Parse the idToken

```java
Jwt jwt = Jwt.parse(authorizationResponse.getIdToken());
System.out.println(jwt.getClaims().getClaim("birthdate"));
```

9) ldapsearch with filter (oxAuthClaimName=birthdate)

```
dn: inum=@!D79B.BDA4.A74F.453F!0001!9573.5466!0005!98FC,ou=attributes,o=@!D79B.BDA4.A74F.453F!0001!9573.5466,o=gluu
...
displayName: Birthdate
oxAuthClaimName: birthdate
...
```

By yoom nguyen user 23 Jun 2015 at 2:09 p.m. CDT

Per your last response we created a scope named "birthdate" and added the built-in claim "Birthdate". Added the new "birthdate" scope to the client configuration, so the full scope list for the client is now 'birthdate email openid phone profile securetype user_name'. Made sure the test user has the birthdate attribute added with a test value of 2015 (see the LDAP attribute result for the user below). Updated the `mod_auth_openidc` configuration to add the new scope, so the scope configuration line looks like so:

```
OIDCScope "openid profile securetype birthdate"
```

Here is the ID_Token that is returned. Decoding it you will see the info is still missing and only partial:

```
eyJ0eXAiOiJKV1MiLCJhbGciOiJSUzI1NiIsImtpZCI6ImQ2NTc5OTIzLTY3ZDMtNGFlMi1hZjNkLTNmZGZiMzUxOTdmZSJ9.eyJpc3MiOiJodHRwczovL2lkbS5nYWxjby5jb20iLCJhdWQiOiJAIUMwMzIuODQ5Qi4yRkE1LjVFOEMhMDAwMSFCQ0I2LjRBNDIhMDAwOCE0QUNCLjg3NUIiLCJleHAiOjE0MzUwODkzOTQsImlhdCI6MTQzNTA4NTc5NCwic3ViIjoiQCFDMDMyLjg0OUIuMkZBNS41RThDITAwMDEhQkNCNi40QTQyITAwMDAhNUQ5Ny4zRkUwIiwibm9uY2UiOiJLMjZwTEFhdmZFYUtKdTROXzlnN3o4Yy13LVk2ZFVnbldYOW9nTnYyOWJvIiwiYXV0aF90aW1lIjoxNDM1MDY0NzE5LCJhdF9oYXNoIjoiSXQxb1J6UGJFcDRKVU11TDhGR0hPdyIsIm94VmFsaWRhdGlvblVSSSI6Imh0dHBzOi8vaWRtLmdhbGNvLmNvbS9veGF1dGgvb3BpZnJhbWUuc2VhbSIsIm94T3BlbklEQ29ubmVjdFZlcnNpb24iOiJvcGVuaWRjb25uZWN0LTEuMCIsInBpY3R1cmUiOiJodHRwOi8vd3d3Lmdvb2dsZS5jb20vaW1hZ2VzIiwidXNlcl9uYW1lIjoibW9ua2V5IiwiZW1haWwiOiJqbW9ua2V5QG1zbi5jb20iLCJuYW1lIjoiSm9lIE1vbmtleSIsImZhbWlseV9uYW1lIjoiTW9ua2V5IiwiZ2l2ZW5fbmFtZSI6IkpvZSJ9.dWrWZ6vXe7jyKlQ2SYGSNkGNRS7YwO8dxyBjbo7x4RrnlVAw7p1tUGCQ1oqO3I9BPPXldhODlGVCgfGZ1UuULll5_alenuPJX1hJQxH1jnVBPfEsSYDLcJkDRQVG2zfe9g4ILYv87oQFeJ0ZPgi9NlVQq0jsZFlqLIsihWBUN_9zttYtTCjqcAISsal4FPscmrLs_XY2TGnh5Kp3lP_19_aJOUnLqL2EKUmffskjBEfGYASUixmr8wjBecwb6xkDf5LpyWiORcMiXdted08SXEtuaoMBWKyJn0xkU0o3hYO8vyuQYa6JujN5mKrg5bIGBteyAE-fGV0zi5Aw3pZZyQ
```

Here is the header information from `mod_auth_openidc`:

```
Array
(
    [Host] => client1.<domain>.com
    [User-Agent] => Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0
    [Accept] => text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    [Accept-Language] => en-US,en;q=0.5
    [Accept-Encoding] => gzip, deflate
    [Cookie] => mod_auth_openidc_session=8e7d6367-f4d4-4186-a8cc-48bd3e91ab65
    [Connection] => keep-alive
    [OIDC_CLAIM_sub] => @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912
    [OIDC_CLAIM_name] => Joe Monkey
    [OIDC_CLAIM_family_name] => Monkey
    [OIDC_CLAIM_user_name] => monkey
    [OIDC_CLAIM_given_name] => Joe
    [OIDC_CLAIM_picture] => http://www.google.com/images
    [OIDC_CLAIM_email] => jmonkey@msn.com
    [OIDC_CLAIM_nonce] => fTmw_qrUU-141WEZs0yIwCVJTnXW-hOIJckuGr-2jJs
    [OIDC_CLAIM_iss] => https://idm.<domain>.com
    [OIDC_CLAIM_aud] => @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912
    [OIDC_CLAIM_iat] => 1435082843
    [OIDC_CLAIM_oxValidationURI] => https://idm.<domain>.com/oxauth/opiframe.seam
    [OIDC_CLAIM_exp] => 1435086443
    [OIDC_CLAIM_at_hash] => SYFH18H_5ByTLFUqn-5zBg
    [OIDC_CLAIM_oxOpenIDConnectVersion] => openidconnect-1.0
    [OIDC_access_token] => c31160ef-f312-46a2-81e2-195258754951
    [OIDC_access_token_expires] => 1435086597
)
```

Below is the result of the following command, which shows the attributes for the scope:

```
/home/gluu-server/opt/opendj/bin/ldapsearch -h localhost -p 1389 -D "cn=directory manager" -w <PASSWORD REMOVED> -b "o=gluu" 'inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0009!C9B3.7B2F'
dn: inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0009!C9B3.7B2F,ou=scopes,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu
oxAuthClaim: inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0005!98FC,ou=attributes,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu
objectClass: oxAuthCustomScope
objectClass: top
defaultScope: false
displayName: birthdate
inum: @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0009!C9B3.7B2F
```

Here is the result of the following command, which shows the attributes for the claim/attribute "Birthdate":

```
/home/gluu-server/opt/opendj/bin/ldapsearch -h localhost -p 1389 -D "cn=directory manager" -w <PASSWORD REMOVED> -b "o=gluu" 'inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0005!98FC'
dn: inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0005!98FC,ou=attributes,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu
gluuAttributeName: birthdate
objectClass: gluuAttribute
objectClass: top
gluuStatus: active
gluuAttributeOrigin: gluuPerson
description:: RW5kLVVzZXIncyBiaXJ0aGRheSwgcmVwcmVzZW50ZWQgYXMgYW4gSVNPIDg2MDE6MjAwNCBbSVNPODYwMe+/ve+/ve+/vTIwMDRdIFlZWVktTU0tREQgZm9ybWF0Lg==
urn: http://openid.net/specs/openid-connect-core-1_0.html/StandardClaims/birthdate
gluuLdapAttributeName: birthdate
gluuAttributeEditType: user
gluuAttributeEditType: admin
gluuAttributeViewType: user
gluuAttributeViewType: admin
gluuAttributeType: string
displayName: Birthdate
inum: @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0005!98FC
```

Below is the result of the following command, which shows the attributes of the testing user account:

```
/home/gluu-server/opt/opendj/bin/ldapsearch -h localhost -p 1389 -D "cn=directory manager" -w <PASSWORD REMOVED> -b "o=gluu" 'inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0000!5D97.3FE0'
dn: inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0000!5D97.3FE0,ou=people,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu
galcofield: galcofield1
gluuStatus: active
uid: monkey
birthdate: 2015
userPassword: <REMOVED>
gender: male
profile: http://www.google.com/profile
website: http://www.google.com/website
zoneinfo: EST
picture: http://www.google.com/images
givenName: Joe
objectClass: gluuPerson
objectClass: ox-C032849B2FA55E8C0001BCB64A42
objectClass: top
locale: fas
cn: Joe Joe Monkey
nickname: Banana
sn: Monkey
oxLastLogonTime: 20150623130519.348Z
mail: jmonkey@msn.com
displayName: Joe Monkey
iname: null*person*monkey
inum: @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0000!5D97.3FE0
```

By Michael Schwartz Account Admin 23 Jun 2015 at 3:56 p.m. CDT

Oh, I think I see the problem. I'm not sure mod_auth_oidc maps anything but the standard OIDC user claims. I created a feature request on the [mod_auth_oidc Issue Tracker](https://github.com/pingidentity/mod_auth_openidc/issues/75). Gluu is working on our own Apache module, mod_auth_ox. I'll inquire if there is any beta software that you can test. I think we have OpenID Connect functionality ready for testing.

By Michael Schwartz Account Admin 23 Jun 2015 at 4:01 p.m. CDT

Hans took about two minutes to respond: See OIDCPassIDTokenAs here: https://github.com/pingidentity/mod_auth_openidc/blob/master/auth_openidc.conf#L497 Please let us know if that helps.

By yoom nguyen user 23 Jun 2015 at 4:33 p.m. CDT

Yay Hans! But... I'm aware of the configuration setting OIDCPassIDTokenAs and tried all three options already. It controls how the results are presented back to the application. When the option is set to "payload" the result is a JSON-formatted payload that looks like so:

```
[OIDC_id_token_payload] => {"iss":"https://idm.<domain>.com","aud":"@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912","exp":1435097815,"iat":1435094215,"sub":"@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912","nonce":"hEkZiZf1U8BZgFxRjtdTL_v24yGUpL-oVjOR06ViEEI","at_hash":"BeuBDnDxy1DknZEpJS27eg","oxValidationURI":"https://idm.<domain>.com/oxauth/opiframe.seam","oxOpenIDConnectVersion":"openidconnect-1.0"}
```

When the option is set to "serialized" the result is, as the option explains, "the complete id_token is passed in compact serialized format in the "`OIDC_id_token`" header", and that looks like so on our end:

```
[OIDC_id_token] => eyJ0eXAiOiJKV1MiLCJhbGciOiJSUzI1NiIsImtpZCI6ImQ2NTc5OTIzLTY3ZDMtNGFlMi1hZjNkLTNmZGZiMzUxOTdmZSJ9.….DiAPlrqwptroVy9ZHhqiyW1mIjeJWIWVAjK9WNTgnWorEoYSwauKMr8-5BmZbZkzIAs33TMPmFMgbx7luGeNaVJpPtg3tG1767iMJ3OU27v1_DA15LSVOWjxODhn4S70c2V40_Go8zZv0V3ZeMAakiQPPI3-ZaHS4kdgO2hUJOPr1CJ8a4ijJZ3Yzfiw6Irtlgg6WinKqopNQqNnH7dSzDk_mf7e5B6lRhfViLmLbkQRVtqyit74yd2q7nnnz-pyZ2EqfctjxjGjwQcQK1XBuJtxLb5Uj8yYCftJkgeuaQMY0fE9HSg1O5hrNyRT35iX8QXH2eQ7xps8T6ak_8KDig
```

Decoding the serialized value still does not return what we are looking for. According to the OpenID Connect Basic Implementation guide the "Birthdate" claim is a standard claim, so that should be returned even if the Apache module `mod_auth_openidc` only supports standard claims: http://openid.net/specs/openid-connect-basic-1_0.html#StandardClaims

I also put together a set of PHP server-side scripts using cURL which conform (I think) to the OpenID Connect standard, and I get the same result when it comes to the claims that are returned.

By yoom nguyen user 23 Jun 2015 at 4:38 p.m. CDT

Also note how "Gender", "Nickname" and "Website URL" are all part of the "PROFILE" scope and we also don't get those returned when requesting the "PROFILE" scope. Only a subset of the attributes from the profile scope are returned even though they are set as attributes under the user profile.

By Yuriy Movchan staff 24 Jun 2015 at 9:05 a.m. CDT

Did you do steps 4-6? I suspect that the client which you use doesn't have the "birthdate" scope. Hence it does not have access to this information.

4) Open client inventory.
5) Find the required client.
6) Add scope birthdate to the client entry.

By yoom nguyen user 24 Jun 2015 at 11:28 a.m. CDT

Of course we did steps 4-6. See for yourself below. In our Gluu setup the birthday scope, after it was added, received an id value of `@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0009!C9B3.7B2F`. Below is the result of the following command, which displays the LDAP client configuration; please note the presence of the above id for the birthday scope:

```
/home/gluu-server/opt/opendj/bin/ldapsearch -h localhost -p 1389 -D "cn=directory manager" -w <password> -b "o=gluu" 'inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912'
dn: inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912,ou=clients,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu
oxAuthScope: inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0009!2329.B718,ou=scopes,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu
oxAuthScope: inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0009!F0C4,ou=scopes,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu
oxAuthScope: inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0009!43F1,ou=scopes,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu
oxAuthScope: inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0009!C9B3.7B2F,ou=scopes,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu
oxAuthSubjectIdentifier: @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912
oxAuthAppType: web
oxLastAccessTime: 20150624131745.225Z
oxAuthResponseType: code
oxAuthResponseType: token
oxAuthResponseType: id_token
oxAuthClientSecret: HdUJNbcCCEvRZM4+lCfEkw==
objectClass: oxAuthClient
objectClass: top
oxAuthTokenEndpointAuthMethod: client_secret_basic
oxAuthRedirectURI: https://<domain>/example/redirect_uri
oxAuthRedirectURI: https://<domain>/codeflow/oauth2callback.php
oxAuthRedirectURI: https://client1.<domain>.com/example/redirect_uri
oxAuthRedirectURI: https://client1.<domain>.com/codeflow/oauth2callback.php
oxLastLogonTime: 20150624131745.225Z
oxAuthTrustedClient: true
displayName: <NAME>
oxAuthIdTokenSignedResponseAlg: RS256
inum: @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912
```

By Yuriy Movchan staff 24 Jun 2015 at 2:07 p.m. CDT

Client entry looks fine. Can you add to this entry:

```
dn: inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0005!98FC,ou=attributes,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu
```

the new attribute:

```
oxAuthClaimName: birthdate
```

In CE 2.3 this entry already contains this attribute: [https://github.com/GluuFederation/community-edition-setup/blob/master/templates/attributes.ldif#L214](https://github.com/GluuFederation/community-edition-setup/blob/master/templates/attributes.ldif#L214)

By yoom nguyen user 24 Jun 2015 at 2:33 p.m. CDT

Yuriy Movchan, can you elaborate and provide some more detail on what I should try? I don't think I understand what you mean. Thank You

By Yuriy Movchan staff 24 Jun 2015 at 2:43 p.m. CDT

The next entry should contain the oxAuthClaimName=birthdate attribute.

```
dn: inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0005!98FC,ou=attributes,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu
...
oxAuthClaimName: birthdate
```

By yoom nguyen user 24 Jun 2015 at 4:08 p.m. CDT

Created an ldif file with the contents below:

```
dn: inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0005!98FC,ou=attributes,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu
changetype: modify
add: oxAuthClaimName
oxAuthClaimName: birthdate
```

Executed:

```
/opt/opendj/bin/ldapmodify -h localhost -p 1389 -D "cn=directory manager" -w <password> -f mod-claim.ldif
```

And voilà:

```
[OIDC_CLAIM_birthdate] => 2015
```

The value for birthdate is **NOW being returned**!!! Well, we are making progress one step at a time. So what is the problem here, guys? I added a custom ATTRIBUTE/CLAIM to the BIRTHDAY scope but that is not returned. I added the 'oxAuthClaimName' attribute to the custom claim but that did not help either. What would be the permanent fix for this, as there is clearly some type of problem with associations on the Gluu/LDAP side?

By Yuriy Movchan staff 25 Jun 2015 at 1:54 a.m. CDT

Glad to hear that it's working! These are the main rules which explain this area:

1) The attribute entry should have the oxAuthClaimName attribute. It's a multivalued attribute, and it's the claim name.
2) The scope should contain oxAuthClaim attributes.
3) The client entry should have permission to access the scope. Hence it should have the right oxAuthScope attributes.
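The three rules above, together with the ldapmodify step from the previous post, describe a chain that can be checked directly against ldapsearch output. The following Python is an added example (not Gluu code and not from this thread): it parses folded LDIF, walks client -> oxAuthScope -> oxAuthClaim -> oxAuthClaimName for a list of requested scopes, reports which rule breaks for each missing claim, and emits the same ldapmodify LDIF the thread used. All entries and inums are constructed placeholders; built-in scopes such as openid are not modelled, so they are reported as unknown.

```python
import base64

# Constructed LDIF in the folded form ldapsearch prints (continuation lines
# start with one space); every inum is a placeholder. The birthdate attribute
# lacks oxAuthClaimName (rule 1) and the client lacks the securetype scope (rule 3).
SAMPLE_LDIF = """\
dn: inum=@!EXAMPLE!0005!BD01,ou=attributes,o=@!EXAMPLE,o=gluu
gluuAttributeName: birthdate
description:: RW5kLVVzZXIncyBiaXJ0aGRheQ==

dn: inum=@!EXAMPLE!0005!WC01,ou=attributes,o=@!EXAMPLE,o=gluu
gluuAttributeName: webcust
oxAuthClaimName: webcust

dn: inum=@!EXAMPLE!0009!SC01,ou=scopes,o=@!EXAMPLE,o=gluu
displayName: birthdate
oxAuthClaim: inum=@!EXAMPLE!0005!BD01,ou=attributes,o=@!EXAMPLE,o
 =gluu

dn: inum=@!EXAMPLE!0009!SC02,ou=scopes,o=@!EXAMPLE,o=gluu
displayName: securetype
oxAuthClaim: inum=@!EXAMPLE!0005!WC01,ou=attributes,o=@!EXAMPLE,o=gluu

dn: inum=@!EXAMPLE!0008!CL01,ou=clients,o=@!EXAMPLE,o=gluu
displayName: client1
oxAuthScope: inum=@!EXAMPLE!0009!SC01,ou=scopes,o=@!EXAMPLE,o=gluu
"""
CLIENT_DN = "inum=@!EXAMPLE!0008!CL01,ou=clients,o=@!EXAMPLE,o=gluu"
BIRTHDATE_ATTR_DN = "inum=@!EXAMPLE!0005!BD01,ou=attributes,o=@!EXAMPLE,o=gluu"


def parse_ldif(text):
    """Return {dn: {attribute: [values]}}; unfolds wrapped lines, decodes '::' base64."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = {}, None
    for line in unfolded:
        if not line.strip():
            current = None
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode()
        if key.lower() == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(key, []).append(value)
    return entries


def _norm(dn):
    """DNs compare case-insensitively; folding can also leave stray spaces."""
    return dn.replace(" ", "").lower()


def released_claims(entries, client_dn, requested_scopes):
    """Walk client -> oxAuthScope -> oxAuthClaim -> oxAuthClaimName; return
    (claim names the ID token can carry, one diagnostic per broken link)."""
    by_dn = {_norm(dn): attrs for dn, attrs in entries.items()}
    client_scopes = {_norm(s) for s in by_dn[_norm(client_dn)].get("oxAuthScope", [])}
    scopes_by_name = {a["displayName"][0]: dn for dn, a in by_dn.items()
                      if ",ou=scopes," in dn and "displayName" in a}
    claims, problems = set(), []
    for name in requested_scopes:
        scope_dn = scopes_by_name.get(name)
        if scope_dn is None:
            problems.append(f"scope {name}: no scope entry with this displayName")
        elif scope_dn not in client_scopes:  # rule 3
            problems.append(f"scope {name}: not in the client's oxAuthScope list")
        else:
            for attr_dn in by_dn[scope_dn].get("oxAuthClaim", []):  # rule 2
                attr = by_dn.get(_norm(attr_dn), {})
                names = attr.get("oxAuthClaimName", [])  # rule 1
                if not names:
                    label = attr.get("gluuAttributeName", [attr_dn])[0]
                    problems.append(f"scope {name}: attribute {label} has no oxAuthClaimName")
                claims.update(names)
    return claims, problems


def add_claim_name(entries, attr_dn, claim_name):
    """Apply the fix in memory and return the LDIF the thread fed to ldapmodify."""
    for dn, attrs in entries.items():
        if _norm(dn) == _norm(attr_dn):
            attrs.setdefault("oxAuthClaimName", []).append(claim_name)
            return (f"dn: {dn}\nchangetype: modify\nadd: oxAuthClaimName\n"
                    f"oxAuthClaimName: {claim_name}\n")
    return None


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    wanted = ["openid", "securetype", "birthdate"]
    print("before:", released_claims(entries, CLIENT_DN, wanted))
    print(add_claim_name(entries, BIRTHDATE_ATTR_DN, "birthdate"))
    print("after:", released_claims(entries, CLIENT_DN, wanted))
```

Feeding it the real ldapsearch output for the attribute, scope and client entries (pasted into SAMPLE_LDIF) reproduces the thread's symptom: before the modify, birthdate is reported as lacking oxAuthClaimName; after it, birthdate is the only claim the chain releases.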

By Michael Schwartz Account Admin 26 Jun 2015 at 10:21 a.m. CDT

On 2015-06-26 10:05, Mozol, Michal wrote:

> Hi Mike, we were making good progress on this issue but our ticket has been closed without a 100% resolution. We still don't have custom claims coming back.

Ok, make sure you provide all the required info on the ticket:

1) ldif for the attributes
2) ldif for the person
3) ldif for the client
4) configuration of mod_auth_oidc (turn up logging)
5) log snippet for authentication from oxauth.log
6) log snippet from mod_auth_oidc
7) printout of HTTP headers as seen by the client

By yoom nguyen user 26 Jun 2015 at 1:50 p.m. CDT

Managing the 3 rules outlined by Yuriy Movchan above, how do we do it from within the Gluu interface? It seems like this is all supposed to be happening automatically as the different configurations are being created from within the web-based GUI. It does not seem like we should be manually creating LDAP modifications on the back end to get what appears to be built-in Gluu functionality, even built-in claims/attributes, working (we are not doing any extensive customizations here). Just trying to get the basic functionality working.

By William Lowe user 26 Jun 2015 at 2:16 p.m. CDT

Yoom, This problem might be remedied in the newest version of the Gluu Server, v 2.3. Can you deploy the newest version and give it another try? Thanks for working with us on this!

By yoom nguyen user 26 Jun 2015 at 3:58 p.m. CDT

# Attributes for custom claim:

```
/opt/opendj/bin/ldapsearch -h localhost -p 1389 -D "cn=directory manager" -w <password> -b "o=gluu" 'inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0005!D9B5'
dn: inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0005!D9B5,ou=attributes,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu
gluuAttributeName: webcust
gluuSAML2URI: urn:oid:webcust
oxSCIMCustomAttribute: true
objectClass: gluuAttribute
objectClass: top
gluuAttributeOrigin: ox-C032849B2FA55E8C0001BCB64A42
gluuStatus: active
gluuAttributeUsageType: openid
description: web customer
gluuAttributeEditType: admin
gluuAttributeEditType: user
oxAuthClaimName: webcust
oxMultivaluedAttribute: true
gluuAttributeViewType: admin
gluuAttributeViewType: user
gluuSAML1URI: urn:gluu:dir:attribute-def:webcust
gluuAttributeType: string
displayName: webcust
inum: @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0005!D9B5
```

# Attributes for person:

```
/opt/opendj/bin/ldapsearch -h localhost -p 1389 -D "cn=directory manager" -w <password> -b "o=gluu" 'inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0000!5D97.3FE0'
dn: inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0000!5D97.3FE0,ou=people,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu
galcofield: galcofield1
gluuStatus: active
uid: monkey
birthdate: 2015
userPassword: {SSHA}DOYgz0brlrEMQm3WUx6BtcPNylWEcF51xX+Pbw==
gender: male
profile: http://www.google.com/profile
website: http://www.google.com/website
zoneinfo: EST
picture: http://www.google.com/images
givenName: Joe
objectClass: gluuPerson
objectClass: ox-C032849B2FA55E8C0001BCB64A42
objectClass: top
locale: fas
cn: Joe Joe Monkey
nickname: Banana
sn: Monkey
oxLastLogonTime: 20150624210043.427Z
mail: jmonkey@msn.com
webcust: 123456789
displayName: Joe Monkey
iname: null*person*monkey
inum: @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0000!5D97.3FE0
```

# Attributes for the client:

```
/opt/opendj/bin/ldapsearch -h localhost -p 1389 -D "cn=directory manager" -w <password> -b "o=gluu" 'inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912'
dn: inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912,ou=clients,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu
oxAuthScope: inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0009!2329.B718,ou=scopes,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu
oxAuthScope: inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0009!F0C4,ou=scopes,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu
oxAuthScope: inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0009!43F1,ou=scopes,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu
oxAuthScope: inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0009!C9B3.7B2F,ou=scopes,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu
oxAuthSubjectIdentifier: @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912
oxAuthAppType: web
oxLastAccessTime: 20150624210048.835Z
oxAuthResponseType: code
oxAuthResponseType: token
oxAuthResponseType: id_token
oxAuthClientSecret: HdUJNbcCCEvRZM4+lCfEkw==
objectClass: oxAuthClient
objectClass: top
oxAuthTokenEndpointAuthMethod: client_secret_basic
oxAuthRedirectURI: https://172.16.1.121/example/redirect_uri
oxAuthRedirectURI: https://172.16.1.121/codeflow/oauth2callback.php
oxAuthRedirectURI: https://client1.galco.com/example/redirect_uri
oxAuthRedirectURI: https://client1.galco.com/codeflow/oauth2callback.php
oxLastLogonTime: 20150624210048.835Z
oxAuthTrustedClient: true
displayName: <name>
oxAuthIdTokenSignedResponseAlg: RS256
inum: @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912
```

# mod_auth_oidc configuration

```
OIDCRedirectURI https://client1.galco.com/example/redirect_uri

OIDCCryptoPassphrase 123456789

OIDCProviderIssuer https://idm.galco.com
OIDCProviderAuthorizationEndpoint https://idm.galco.com/oxauth/seam/resource/restv1/oxauth/authorize
OIDCProviderJwksUri https://idm.galco.com/oxauth/seam/resource/restv1/oxauth/jwks
OIDCProviderTokenEndpoint https://idm.galco.com/oxauth/seam/resource/restv1/oxauth/token
#"client_secret_basic" or "client_secret_post"
OIDCProviderTokenEndpointAuth client_secret_basic
OIDCProviderUserInfoEndpoint https://idm.galco.com/oxauth/seam/resource/restv1/oxauth/userinfo

OIDCSSLValidateServer Off
OIDCClientID @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912
OIDCClientSecret 123456789
OIDCScope "openid profile securetype birthdate"

OIDCScrubRequestHeaders Off

<Location /example/>
   AuthType openid-connect
   Require valid-user
   LogLevel debug
</Location>
```

# Log snippet from authentication from oxauth.log

```
2015-06-26 20:50:40,177 DEBUG [xdi.oxauth.authorize.ws.rs.AuthorizeRestWebServiceImpl] Attempting to request authorization: responseType = code, clientId = @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912, scope = openid profile securetype birthdate, redirectUri = https://client1.galco.com/example/redirect_uri, nonce = CfsnU2vwIK_cWJKAhyVEF_UqyQdi1sqrOIDdviT-6dQ, state = CbNpkz2-f47XIXMyR5cT4wuIM_s, request = null, isSecure = true, requestSessionId = null, sessionId = null
2015-06-26 20:50:40,178 DEBUG [xdi.oxauth.authorize.ws.rs.AuthorizeRestWebServiceImpl] Attempting to request authorization: acrValues = null, amrValues = null, authLevel = null, authMode = null, originHeaders = null
2015-06-26 20:50:40,180 DEBUG [org.xdi.oxauth.service.ClientService] Found 1 entries for client id = @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912
2015-06-26 20:50:40,181 TRACE [org.xdi.oxauth.service.ClientService] Get client from cache by Dn 'inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912,ou=clients,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu'
2015-06-26 20:50:40,181 DEBUG [org.xdi.oxauth.service.ClientService] Found 1 entries for client id = @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912
2015-06-26 20:50:40,181 DEBUG [org.xdi.oxauth.service.RedirectionUriService] Validating redirection URI: clientIdentifier = @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912, oldCompleteUri = https://client1.galco.com/example/redirect_uri => redirectionUri = https://client1.galco.com/example/redirect_uri, found = 4
2015-06-26 20:50:40,181 DEBUG [org.xdi.oxauth.service.RedirectionUriService] Comparing https://172.16.1.121/example/redirect_uri == https://client1.galco.com/example/redirect_uri?
2015-06-26 20:50:40,181 DEBUG [org.xdi.oxauth.service.RedirectionUriService] Comparing https://172.16.1.121/codeflow/oauth2callback.php == https://client1.galco.com/example/redirect_uri?
2015-06-26 20:50:40,182 DEBUG [org.xdi.oxauth.service.RedirectionUriService] Comparing https://client1.galco.com/example/redirect_uri == https://client1.galco.com/example/redirect_uri?
2015-06-26 20:50:40,242 TRACE [org.xdi.oxauth.service.SessionIdService] Found session_id cookie: 'a94a7916-98ce-41c0-baaf-9754c77173d0'
2015-06-26 20:50:40,245 TRACE [org.xdi.oxauth.service.SessionIdService] Try to get session by id: a94a7916-98ce-41c0-baaf-9754c77173d0 ...
2015-06-26 20:50:40,245 TRACE [org.xdi.oxauth.service.SessionIdService] Session dn: uniqueIdentifier=a94a7916-98ce-41c0-baaf-9754c77173d0,ou=session,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu
2015-06-26 20:50:40,245 TRACE [org.xdi.oxauth.auth.Authenticator] authenticateBySessionId, sessionId = 'a94a7916-98ce-41c0-baaf-9754c77173d0', session = 'SessionId [dn=uniqueIdentifier=a94a7916-98ce-41c0-baaf-9754c77173d0,ou=session,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu, id=a94a7916-98ce-41c0-baaf-9754c77173d0, lastUsedAt=Fri Jun 26 20:49:58 UTC 2015, userDn=null, authenticationTime=Fri Jun 26 20:49:58 UTC 2015, state=unauthenticated, permissionGranted=null, permissionGrantedMap=null, sessionAttributes={response_type=code, scope=openid profile securetype birthdate, redirect_uri=https://client1.galco.com/example/redirect_uri, nonce=ggUWRhpPoYo5oyFBGW84G5VXbrg8lhYo4a98F0eWtjM, state=LUAz6vY9NPL1pniCwFVdNBjVZr4, client_id=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912}]', state= 'unauthenticated'
2015-06-26 20:50:40,247 TRACE [org.xdi.oxauth.service.SessionIdService] Try to get session by id: a94a7916-98ce-41c0-baaf-9754c77173d0 ...
2015-06-26 20:50:40,247 TRACE [org.xdi.oxauth.service.SessionIdService] Session dn: uniqueIdentifier=a94a7916-98ce-41c0-baaf-9754c77173d0,ou=session,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu
2015-06-26 20:50:40,248 TRACE [org.xdi.oxauth.service.SessionIdService] Generated new session, id = 'b6cd8c0b-c628-41ae-8909-c10908048112', state = 'unauthenticated', persisted = 'false'
2015-06-26 20:50:40,251 TRACE [xdi.oxauth.authorize.ws.rs.AuthorizeAction] Session 'b6cd8c0b-c628-41ae-8909-c10908048112' persisted to LDAP
2015-06-26 20:50:40,308 TRACE [org.xdi.oxauth.service.SessionIdService] Found session_id cookie: 'b6cd8c0b-c628-41ae-8909-c10908048112'
2015-06-26 20:50:40,311 TRACE [org.xdi.oxauth.service.SessionIdService] Try to get session by id: b6cd8c0b-c628-41ae-8909-c10908048112 ...
2015-06-26 20:50:40,311 TRACE [org.xdi.oxauth.service.SessionIdService] Session dn: uniqueIdentifier=b6cd8c0b-c628-41ae-8909-c10908048112,ou=session,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu
2015-06-26 20:50:40,315 TRACE [org.xdi.oxauth.service.ClientService] Get client from cache by Dn 'inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912,ou=clients,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu'
2015-06-26 20:50:40,315 DEBUG [org.xdi.oxauth.service.ClientService] Found 1 entries for client id = @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912
2015-06-26 20:50:40,317 TRACE [org.xdi.oxauth.service.ClientService] Get client from cache by Dn 'inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912,ou=clients,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu'
2015-06-26 20:50:40,318 DEBUG [org.xdi.oxauth.service.ClientService] Found 1 entries for client id = @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912
2015-06-26 20:50:40,318 TRACE [org.xdi.oxauth.service.ClientService] Get client from cache by Dn 'inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912,ou=clients,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu'
2015-06-26 20:50:40,318 DEBUG [org.xdi.oxauth.service.ClientService] Found 1 entries for client id = @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912
2015-06-26 20:50:45,763 TRACE [org.xdi.oxauth.service.SessionIdService] Found session_id cookie: 'b6cd8c0b-c628-41ae-8909-c10908048112'
2015-06-26 20:50:45,764 TRACE [org.xdi.oxauth.service.SessionIdService] Try to get session by id: b6cd8c0b-c628-41ae-8909-c10908048112 ...
2015-06-26 20:50:45,767 TRACE [org.xdi.oxauth.service.SessionIdService] Session dn: uniqueIdentifier=b6cd8c0b-c628-41ae-8909-c10908048112,ou=session,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu
2015-06-26 20:50:45,767 DEBUG [org.xdi.oxauth.service.AuthenticationService] Authenticating user with LDAP: username: monkey
2015-06-26 20:50:45,767 DEBUG [org.xdi.oxauth.service.AuthenticationService] Attempting to find userDN by primary key: 'uid' and key value: 'monkey'
2015-06-26 20:50:45,767 DEBUG [org.xdi.oxauth.service.AuthenticationService] Getting user information from LDAP: attributeName = 'uid', attributeValue = 'monkey'
2015-06-26 20:50:45,769 DEBUG [org.xdi.oxauth.service.AuthenticationService] Found '1' entries
2015-06-26 20:50:45,769 DEBUG [org.xdi.oxauth.service.AuthenticationService] Attempting to authenticate userDN: inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0000!5D97.3FE0,ou=people,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu
2015-06-26 20:50:45,770 DEBUG [org.xdi.oxauth.service.AuthenticationService] User authenticated: inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0000!5D97.3FE0,ou=people,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu
2015-06-26 20:50:45,770 DEBUG [org.xdi.oxauth.service.AuthenticationService] Attempting to find userDN by local primary key: uid
2015-06-26 20:50:45,771 DEBUG [org.xdi.oxauth.service.UserService] Getting user information from LDAP: attributeName = 'uid', attributeValue = 'monkey'
2015-06-26 20:50:45,772 DEBUG [org.xdi.oxauth.service.UserService] Found '1' entries
2015-06-26 20:50:45,778 TRACE [org.xdi.oxauth.service.SessionIdService] Authenticated session, id = 'b6cd8c0b-c628-41ae-8909-c10908048112', state = 'authenticated', persisted = 'true'
2015-06-26 20:50:45,778 DEBUG [org.xdi.oxauth.auth.Authenticator] Sending event to trigger user redirection: 'monkey'
2015-06-26 20:50:45,778 INFO [org.xdi.oxauth.service.AuthenticationService] Attempting to redirect user. SessionUser: SessionId [dn=uniqueIdentifier=b6cd8c0b-c628-41ae-8909-c10908048112,ou=session,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu, id=b6cd8c0b-c628-41ae-8909-c10908048112, lastUsedAt=Fri Jun 26 20:50:45 UTC 2015, userDn=inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0000!5D97.3FE0,ou=people,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu, authenticationTime=Fri Jun 26 20:50:45 UTC 2015, state=authenticated, permissionGranted=null, permissionGrantedMap=null, sessionAttributes={response_type=code, scope=openid profile securetype birthdate, redirect_uri=https://client1.galco.com/example/redirect_uri, nonce=CfsnU2vwIK_cWJKAhyVEF_UqyQdi1sqrOIDdviT-6dQ, state=CbNpkz2-f47XIXMyR5cT4wuIM_s, client_id=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912}]
2015-06-26 20:50:45,779 INFO [org.xdi.oxauth.service.AuthenticationService] Attempting to redirect user. User: org.xdi.oxauth.model.common.User@e7bc46b
2015-06-26 20:50:45,779 TRACE [org.xdi.oxauth.service.AuthenticationService] Logged in successfully!
```
User: org.xdi.oxauth.model.common.User@e7bc46b, page: /authorize.xhtml, map: {scope=openid profile securetype birthdate, response_type=code, nonce=CfsnU2vwIK_cWJKAhyVEF_UqyQdi1sqrOIDdviT-6dQ, redirect_uri=https://client1.galco.com/example/redirect_uri, state=CbNpkz2-f47XIXMyR5cT4wuIM_s, client_id=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912} 2015-06-26 20:50:45,783 INFO [org.xdi.oxauth.auth.Authenticator] Authentication success for User: 'monkey' 2015-06-26 20:50:45,783 TRACE [org.xdi.oxauth.auth.Authenticator] Authentication successfully for 'monkey' 2015-06-26 20:50:45,881 TRACE [org.xdi.oxauth.service.SessionIdService] Found session_id cookie: 'b6cd8c0b-c628-41ae-8909-c10908048112' 2015-06-26 20:50:45,884 TRACE [org.xdi.oxauth.service.SessionIdService] Try to get session by id: b6cd8c0b-c628-41ae-8909-c10908048112 ... 2015-06-26 20:50:45,884 TRACE [org.xdi.oxauth.service.SessionIdService] Session dn: uniqueIdentifier=b6cd8c0b-c628-41ae-8909-c10908048112,ou=session,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu 2015-06-26 20:50:45,885 TRACE [org.xdi.oxauth.auth.Authenticator] authenticateBySessionId, sessionId = 'b6cd8c0b-c628-41ae-8909-c10908048112', session = 'SessionId [dn=uniqueIdentifier=b6cd8c0b-c628-41ae-8909-c10908048112,ou=session,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu, id=b6cd8c0b-c628-41ae-8909-c10908048112, lastUsedAt=Fri Jun 26 20:50:45 UTC 2015, userDn=inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0000!5D97.3FE0,ou=people,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu, authenticationTime=Fri Jun 26 20:50:45 UTC 2015, state=authenticated, permissionGranted=null, permissionGrantedMap=null, sessionAttributes={response_type=code, scope=openid profile securetype birthdate, redirect_uri=https://client1.galco.com/example/redirect_uri, nonce=CfsnU2vwIK_cWJKAhyVEF_UqyQdi1sqrOIDdviT-6dQ, state=CbNpkz2-f47XIXMyR5cT4wuIM_s, client_id=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912}]', state= 'authenticated' 2015-06-26 20:50:45,890 TRACE 
[org.xdi.oxauth.service.SessionIdService] Try to get session by id: b6cd8c0b-c628-41ae-8909-c10908048112 ... 2015-06-26 20:50:45,890 TRACE [org.xdi.oxauth.service.SessionIdService] Session dn: uniqueIdentifier=b6cd8c0b-c628-41ae-8909-c10908048112,ou=session,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu 2015-06-26 20:50:45,891 TRACE [org.xdi.oxauth.service.ClientService] Get client from cache by Dn 'inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912,ou=clients,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu' 2015-06-26 20:50:45,891 DEBUG [org.xdi.oxauth.service.ClientService] Found 1 entries for client id = @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912 2015-06-26 20:50:45,891 TRACE [org.xdi.oxauth.service.ClientService] Get client from cache by Dn 'inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912,ou=clients,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu' 2015-06-26 20:50:45,891 DEBUG [org.xdi.oxauth.service.ClientService] Found 1 entries for client id = @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912 2015-06-26 20:50:45,892 DEBUG [org.xdi.oxauth.service.RedirectionUriService] Validating redirection URI: clientIdentifier = @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912, oldCompleteUri = https://client1.galco.com/example/redirect_uri => redirectionUri = https://client1.galco.com/example/redirect_uri, found = 4 2015-06-26 20:50:45,892 DEBUG [org.xdi.oxauth.service.RedirectionUriService] Comparing https://172.16.1.121/example/redirect_uri == https://client1.galco.com/example/redirect_uri? 2015-06-26 20:50:45,892 DEBUG [org.xdi.oxauth.service.RedirectionUriService] Comparing https://172.16.1.121/codeflow/oauth2callback.php == https://client1.galco.com/example/redirect_uri? 2015-06-26 20:50:45,892 DEBUG [org.xdi.oxauth.service.RedirectionUriService] Comparing https://client1.galco.com/example/redirect_uri == https://client1.galco.com/example/redirect_uri? 
2015-06-26 20:50:45,893 TRACE [xdi.oxauth.authorize.ws.rs.AuthorizeAction] checkPermissionGranted, user = org.xdi.oxauth.model.common.User@51cecef2 2015-06-26 20:50:45,896 TRACE [xdi.oxauth.authorize.ws.rs.AuthorizeAction] permissionGranted, redirectTo: seam/resource/restv1/oxauth/authorize?scope=openid+profile+securetype+birthdate&response_type=code&nonce=CfsnU2vwIK_cWJKAhyVEF_UqyQdi1sqrOIDdviT-6dQ&redirect_uri=https%3A%2F%2Fclient1.galco.com%2Fexample%2Fredirect_uri&state=CbNpkz2-f47XIXMyR5cT4wuIM_s&client_id=%40%21C032.849B.2FA5.5E8C%210001%21BCB6.4A42%210008%21D0AC.C912 2015-06-26 20:50:45,951 DEBUG [xdi.oxauth.authorize.ws.rs.AuthorizeRestWebServiceImpl] Attempting to request authorization: responseType = code, clientId = @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912, scope = openid profile securetype birthdate, redirectUri = https://client1.galco.com/example/redirect_uri, nonce = CfsnU2vwIK_cWJKAhyVEF_UqyQdi1sqrOIDdviT-6dQ, state = CbNpkz2-f47XIXMyR5cT4wuIM_s, request = null, isSecure = true, requestSessionId = null, sessionId = null 2015-06-26 20:50:45,952 DEBUG [xdi.oxauth.authorize.ws.rs.AuthorizeRestWebServiceImpl] Attempting to request authorization: acrValues = null, amrValues = null, authLevel = null, authMode = null, originHeaders = null 2015-06-26 20:50:45,952 TRACE [org.xdi.oxauth.service.ClientService] Get client from cache by Dn 'inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912,ou=clients,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu' 2015-06-26 20:50:45,952 DEBUG [org.xdi.oxauth.service.ClientService] Found 1 entries for client id = @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912 2015-06-26 20:50:45,953 TRACE [org.xdi.oxauth.service.ClientService] Get client from cache by Dn 'inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912,ou=clients,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu' 2015-06-26 20:50:45,953 DEBUG [org.xdi.oxauth.service.ClientService] Found 1 entries for client id = 
@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912 2015-06-26 20:50:45,953 DEBUG [org.xdi.oxauth.service.RedirectionUriService] Validating redirection URI: clientIdentifier = @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912, oldCompleteUri = https://client1.galco.com/example/redirect_uri => redirectionUri = https://client1.galco.com/example/redirect_uri, found = 4 2015-06-26 20:50:45,953 DEBUG [org.xdi.oxauth.service.RedirectionUriService] Comparing https://172.16.1.121/example/redirect_uri == https://client1.galco.com/example/redirect_uri? 2015-06-26 20:50:45,953 DEBUG [org.xdi.oxauth.service.RedirectionUriService] Comparing https://172.16.1.121/codeflow/oauth2callback.php == https://client1.galco.com/example/redirect_uri? 2015-06-26 20:50:45,953 DEBUG [org.xdi.oxauth.service.RedirectionUriService] Comparing https://client1.galco.com/example/redirect_uri == https://client1.galco.com/example/redirect_uri? 2015-06-26 20:50:46,025 TRACE [org.xdi.oxauth.service.SessionIdService] Found session_id cookie: 'b6cd8c0b-c628-41ae-8909-c10908048112' 2015-06-26 20:50:46,027 TRACE [org.xdi.oxauth.service.SessionIdService] Try to get session by id: b6cd8c0b-c628-41ae-8909-c10908048112 ... 
2015-06-26 20:50:46,027 TRACE [org.xdi.oxauth.service.SessionIdService] Session dn: uniqueIdentifier=b6cd8c0b-c628-41ae-8909-c10908048112,ou=session,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu 2015-06-26 20:50:46,027 TRACE [org.xdi.oxauth.auth.Authenticator] authenticateBySessionId, sessionId = 'b6cd8c0b-c628-41ae-8909-c10908048112', session = 'SessionId [dn=uniqueIdentifier=b6cd8c0b-c628-41ae-8909-c10908048112,ou=session,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu, id=b6cd8c0b-c628-41ae-8909-c10908048112, lastUsedAt=Fri Jun 26 20:50:45 UTC 2015, userDn=inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0000!5D97.3FE0,ou=people,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu, authenticationTime=Fri Jun 26 20:50:45 UTC 2015, state=authenticated, permissionGranted=null, permissionGrantedMap=org.xdi.oxauth.model.common.SessionIdAccessMap@77dc1742, sessionAttributes={response_type=code, scope=openid profile securetype birthdate, redirect_uri=https://client1.galco.com/example/redirect_uri, nonce=CfsnU2vwIK_cWJKAhyVEF_UqyQdi1sqrOIDdviT-6dQ, state=CbNpkz2-f47XIXMyR5cT4wuIM_s, client_id=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912}]', state= 'authenticated' 2015-06-26 20:50:46,033 TRACE [org.xdi.oxauth.service.SessionIdService] Try to get session by id: b6cd8c0b-c628-41ae-8909-c10908048112 ... 
2015-06-26 20:50:46,033 TRACE [org.xdi.oxauth.service.SessionIdService] Session dn: uniqueIdentifier=b6cd8c0b-c628-41ae-8909-c10908048112,ou=session,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu 2015-06-26 20:50:46,034 TRACE [org.xdi.oxauth.service.ClientService] Get client from cache by Dn 'inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912,ou=clients,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu' 2015-06-26 20:50:46,034 DEBUG [org.xdi.oxauth.service.ClientService] Found 1 entries for client id = @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912 2015-06-26 20:50:46,034 TRACE [org.xdi.oxauth.service.ClientService] Get client from cache by Dn 'inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912,ou=clients,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu' 2015-06-26 20:50:46,034 DEBUG [org.xdi.oxauth.service.ClientService] Found 1 entries for client id = @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912 2015-06-26 20:50:46,035 DEBUG [org.xdi.oxauth.service.RedirectionUriService] Validating redirection URI: clientIdentifier = @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912, oldCompleteUri = https://client1.galco.com/example/redirect_uri => redirectionUri = https://client1.galco.com/example/redirect_uri, found = 4 2015-06-26 20:50:46,035 DEBUG [org.xdi.oxauth.service.RedirectionUriService] Comparing https://172.16.1.121/example/redirect_uri == https://client1.galco.com/example/redirect_uri? 2015-06-26 20:50:46,035 DEBUG [org.xdi.oxauth.service.RedirectionUriService] Comparing https://172.16.1.121/codeflow/oauth2callback.php == https://client1.galco.com/example/redirect_uri? 2015-06-26 20:50:46,035 DEBUG [org.xdi.oxauth.service.RedirectionUriService] Comparing https://client1.galco.com/example/redirect_uri == https://client1.galco.com/example/redirect_uri? 
2015-06-26 20:50:46,036 TRACE [xdi.oxauth.authorize.ws.rs.AuthorizeAction] checkPermissionGranted, user = org.xdi.oxauth.model.common.User@127b2b88 2015-06-26 20:50:46,039 TRACE [xdi.oxauth.authorize.ws.rs.AuthorizeAction] permissionGranted, redirectTo: seam/resource/restv1/oxauth/authorize?scope=openid+profile+securetype+birthdate&response_type=code&nonce=CfsnU2vwIK_cWJKAhyVEF_UqyQdi1sqrOIDdviT-6dQ&redirect_uri=https%3A%2F%2Fclient1.galco.com%2Fexample%2Fredirect_uri&state=CbNpkz2-f47XIXMyR5cT4wuIM_s&client_id=%40%21C032.849B.2FA5.5E8C%210001%21BCB6.4A42%210008%21D0AC.C912 2015-06-26 20:50:46,092 DEBUG [org.xdi.oxauth.service.AuthenticationService] Authenticating user with LDAP: username: monkey 2015-06-26 20:50:46,092 DEBUG [org.xdi.oxauth.service.AuthenticationService] Attempting to find userDN by primary key: 'uid' and key value: 'monkey' 2015-06-26 20:50:46,092 DEBUG [org.xdi.oxauth.service.AuthenticationService] Getting user information from LDAP: attributeName = 'uid', attributeValue = 'monkey' 2015-06-26 20:50:46,094 DEBUG [org.xdi.oxauth.service.AuthenticationService] Found '1' entries 2015-06-26 20:50:46,095 DEBUG [org.xdi.oxauth.service.AuthenticationService] Attempting to authenticate userDN: inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0000!5D97.3FE0,ou=people,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu 2015-06-26 20:50:46,096 DEBUG [org.xdi.oxauth.service.AuthenticationService] User authenticated: inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0000!5D97.3FE0,ou=people,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu 2015-06-26 20:50:46,096 DEBUG [org.xdi.oxauth.service.AuthenticationService] Attempting to find userDN by local primary key: uid 2015-06-26 20:50:46,096 DEBUG [org.xdi.oxauth.service.UserService] Getting user information from LDAP: attributeName = 'uid', attributeValue = 'monkey' 2015-06-26 20:50:46,097 DEBUG [org.xdi.oxauth.service.UserService] Found '1' entries 2015-06-26 20:50:46,103 TRACE [org.xdi.oxauth.service.SessionIdService] Generated new 
session, id = '49457911-9291-4cc7-a773-e39c5bc84fe1', state = 'authenticated', persisted = 'true' 2015-06-26 20:50:46,103 INFO [org.xdi.oxauth.auth.Authenticator] Authentication success for User: 'monkey' 2015-06-26 20:50:46,103 TRACE [org.xdi.oxauth.auth.Authenticator] Authentication successfully for 'monkey' 2015-06-26 20:50:46,104 DEBUG [xdi.oxauth.authorize.ws.rs.AuthorizeRestWebServiceImpl] Attempting to request authorization: responseType = code, clientId = @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912, scope = openid profile securetype birthdate, redirectUri = https://client1.galco.com/example/redirect_uri, nonce = CfsnU2vwIK_cWJKAhyVEF_UqyQdi1sqrOIDdviT-6dQ, state = CbNpkz2-f47XIXMyR5cT4wuIM_s, request = null, isSecure = true, requestSessionId = null, sessionId = null 2015-06-26 20:50:46,104 DEBUG [xdi.oxauth.authorize.ws.rs.AuthorizeRestWebServiceImpl] Attempting to request authorization: acrValues = null, amrValues = null, authLevel = null, authMode = null, originHeaders = null 2015-06-26 20:50:46,106 TRACE [org.xdi.oxauth.service.ClientService] Get client from cache by Dn 'inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912,ou=clients,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu' 2015-06-26 20:50:46,106 DEBUG [org.xdi.oxauth.service.ClientService] Found 1 entries for client id = @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912 2015-06-26 20:50:46,106 TRACE [org.xdi.oxauth.service.ClientService] Get client from cache by Dn 'inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912,ou=clients,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu' 2015-06-26 20:50:46,106 DEBUG [org.xdi.oxauth.service.ClientService] Found 1 entries for client id = @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912 2015-06-26 20:50:46,106 DEBUG [org.xdi.oxauth.service.RedirectionUriService] Validating redirection URI: clientIdentifier = @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912, oldCompleteUri = https://client1.galco.com/example/redirect_uri => redirectionUri 
= https://client1.galco.com/example/redirect_uri, found = 4 2015-06-26 20:50:46,106 DEBUG [org.xdi.oxauth.service.RedirectionUriService] Comparing https://172.16.1.121/example/redirect_uri == https://client1.galco.com/example/redirect_uri? 2015-06-26 20:50:46,106 DEBUG [org.xdi.oxauth.service.RedirectionUriService] Comparing https://172.16.1.121/codeflow/oauth2callback.php == https://client1.galco.com/example/redirect_uri? 2015-06-26 20:50:46,107 DEBUG [org.xdi.oxauth.service.RedirectionUriService] Comparing https://client1.galco.com/example/redirect_uri == https://client1.galco.com/example/redirect_uri? 2015-06-26 20:50:46,113 DEBUG [org.xdi.oxauth.model.common.AbstractAuthorizationGrant] Checking scopes policy for: openid profile securetype birthdate 2015-06-26 20:50:46,123 DEBUG [org.xdi.oxauth.model.common.AbstractAuthorizationGrant] Granted scopes: openid profile securetype birthdate 2015-06-26 20:50:46,330 DEBUG [org.xdi.oxauth.service.ClientService] Found 1 entries for client id = @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912 2015-06-26 20:50:46,331 DEBUG [org.xdi.oxauth.service.ClientService] Authenticating Client with LDAP: clientId = @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912 2015-06-26 20:50:46,331 TRACE [org.xdi.oxauth.service.ClientService] Get client from cache by Dn 'inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912,ou=clients,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu' 2015-06-26 20:50:46,331 DEBUG [org.xdi.oxauth.service.ClientService] Found 1 entries for client id = @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912 2015-06-26 20:50:46,332 TRACE [org.xdi.oxauth.service.ClientService] Get client from cache by Dn 'inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912,ou=clients,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu' 2015-06-26 20:50:46,332 DEBUG [org.xdi.oxauth.service.ClientService] Found 1 entries for client id = @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912 2015-06-26 20:50:46,335 INFO 
[org.xdi.oxauth.auth.Authenticator] Authentication success for Client: '@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912' 2015-06-26 20:50:46,335 TRACE [org.xdi.oxauth.auth.Authenticator] Authentication successfully for '@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912' 2015-06-26 20:50:46,336 DEBUG [xdi.oxauth.token.ws.rs.TokenRestWebServiceImpl] Attempting to request access token: grantType = authorization_code, code = 80317569-5feb-4864-85f0-03fba1728b27, redirectUri = https://client1.galco.com/example/redirect_uri, username = null, refreshToken = null, clientId = null, ExtraParams = {grant_type=[Ljava.lang.String;@57f0cbfc, code=[Ljava.lang.String;@1e03a7f, redirect_uri=[Ljava.lang.String;@282068cf}, isSecure = true 2015-06-26 20:50:46,338 DEBUG [org.xdi.oxauth.service.UserService] Getting user information from LDAP: userId = monkey 2015-06-26 20:50:46,339 DEBUG [org.xdi.oxauth.service.UserService] Found 1 entries for user id = monkey 2015-06-26 20:50:46,340 DEBUG [org.xdi.oxauth.service.ClientService] Found 1 entries for client id = @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912 2015-06-26 20:50:46,343 DEBUG [xdi.oxauth.token.ws.rs.TokenRestWebServiceImpl] Issuing access token: 8d1aa888-c1c8-47f1-9783-a05e87e8327f 2015-06-26 20:50:46,394 TRACE [org.xdi.oxauth.service.GrantService] Removed token, code: 80317569-5feb-4864-85f0-03fba1728b27 2015-06-26 20:50:46,579 DEBUG [xdi.oxauth.userinfo.ws.rs.UserInfoRestWebServiceImpl] Attempting to request User Info, Access token = 8d1aa888-c1c8-47f1-9783-a05e87e8327f, Is Secure = true 2015-06-26 20:50:46,581 DEBUG [org.xdi.oxauth.service.UserService] Getting user information from LDAP: userId = monkey 2015-06-26 20:50:46,582 DEBUG [org.xdi.oxauth.service.UserService] Found 1 entries for user id = monkey 2015-06-26 20:50:46,583 TRACE [org.xdi.oxauth.service.ClientService] Get client from cache by Dn 'inum=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912,ou=clients,o=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42,o=gluu' 
2015-06-26 20:50:46,583 DEBUG [org.xdi.oxauth.service.ClientService] Found 1 entries for client id = @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912 2015-06-26 20:50:48,173 TRACE [org.xdi.service.custom.script.CustomScriptManager] Last finished time '6/26/15 8:50 PM' # Log from mod_auth_oidc [Fri Jun 26 16:53:12.884970 2015] [authz_core:debug] [pid 18858] mod_authz_core.c(802): [client 172.16.0.59:39649] AH01626: authorization result of Require valid-user : denied (no authenticated user yet) [Fri Jun 26 16:53:12.885149 2015] [authz_core:debug] [pid 18858] mod_authz_core.c(802): [client 172.16.0.59:39649] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet) [Fri Jun 26 16:53:12.885173 2015] [auth_openidc:debug] [pid 18858] src/mod_auth_openidc.c(2197): [client 172.16.0.59:39649] oidc_check_user_id: incoming request: "/example/?(null)", ap_is_initial_req(r)=1 [Fri Jun 26 16:53:12.885399 2015] [auth_openidc:debug] [pid 18858] src/util.c(742): [client 172.16.0.59:39649] oidc_util_get_cookie: returning "mod_auth_openidc_session" = <null> [Fri Jun 26 16:53:12.885430 2015] [auth_openidc:debug] [pid 18858] src/session.c(83): [client 172.16.0.59:39649] oidc_session_load: <null> [Fri Jun 26 16:53:12.885447 2015] [auth_openidc:debug] [pid 18858] src/util.c(781): [client 172.16.0.59:39649] oidc_util_request_matches_url: comparing "/example/"=="/example/redirect_uri" [Fri Jun 26 16:53:12.885454 2015] [auth_openidc:debug] [pid 18858] src/util.c(364): [client 172.16.0.59:39649] oidc_get_current_url: current URL 'https://client1.galco.com/example/' [Fri Jun 26 16:53:12.885457 2015] [auth_openidc:debug] [pid 18858] src/mod_auth_openidc.c(1373): [client 172.16.0.59:39649] oidc_authenticate_user: enter [Fri Jun 26 16:53:12.885516 2015] [auth_openidc:debug] [pid 18858] src/mod_auth_openidc.c(141): [client 172.16.0.59:39649] oidc_get_browser_state_hash: enter [Fri Jun 26 16:53:12.885649 2015] [auth_openidc:debug] [pid 18858] src/util.c(702): [client 
172.16.0.59:39649] oidc_util_set_cookie: adding outgoing header: Set-Cookie: mod_auth_openidc_state_CbNpkz2-f47XIXMyR5cT4wuIM_s=jQ5-kgHlSo2OJTJ7_yvnc4Vsflr6Z01uRYyheAkqPKpKkQzcPtkRrbzsZNGhEz9e6Ds2DIgNDTMhBC21dIASuJbD35AAEGC-95hxcjSEZABpJwk8Fq-BFtSN-IjvdruwPvfGkGZ_A8YPQbU__Q1V_uYCEJgopkXjJwGmpru9XC4S-Q4sz9XfTRfvrFIl17SVz2TDLvbZ-40WV575zpRLq1vR0OGpQjH0Cbu6tYcM-X0UHk53zzlUa7DDeIz0vFiQL81rY4F8j5EYzAdzpeKzGXqKvI7_UJgywJo6fELR1ew;Path=/; expires=Fri, 26 Jun 2015 20:58:12 GMT;Secure;HttpOnly [Fri Jun 26 16:53:12.885664 2015] [auth_openidc:debug] [pid 18858] src/proto.c(111): [client 172.16.0.59:39649] oidc_proto_authorization_request: enter, issuer=https://idm.galco.com, redirect_uri=https://client1.galco.com/example/redirect_uri, state=CbNpkz2-f47XIXMyR5cT4wuIM_s, proto_state={"issuer": "https://idm.galco.com", "original_url": "https://client1.galco.com/example/", "original_method": "get", "response_type": "code", "timestamp": 1435351992, "nonce": "CfsnU2vwIK_cWJKAhyVEF_UqyQdi1sqrOIDdviT-6dQ"} [Fri Jun 26 16:53:12.885819 2015] [auth_openidc:debug] [pid 18858] src/proto.c(197): [client 172.16.0.59:39649] oidc_proto_authorization_request: adding outgoing header: Location: https://idm.galco.com/oxauth/seam/resource/restv1/oxauth/authorize?response_type=code&scope=openid%20profile%20securetype%20birthdate&client_id=%40%21C032.849B.2FA5.5E8C%210001%21BCB6.4A42%210008%21D0AC.C912&state=CbNpkz2-f47XIXMyR5cT4wuIM_s&redirect_uri=https%3A%2F%2Fclient1.galco.com%2Fexample%2Fredirect_uri&nonce=CfsnU2vwIK_cWJKAhyVEF_UqyQdi1sqrOIDdviT-6dQ [Fri Jun 26 16:53:18.910750 2015] [authz_core:debug] [pid 18861] mod_authz_core.c(802): [client 172.16.0.59:60747] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:18.911026 2015] [authz_core:debug] [pid 18861] mod_authz_core.c(802): [client 172.16.0.59:60747] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), 
referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:18.911062 2015] [auth_openidc:debug] [pid 18861] src/mod_auth_openidc.c(2197): [client 172.16.0.59:60747] oidc_check_user_id: incoming request: "/example/redirect_uri?session_id=49457911-9291-4cc7-a773-e39c5bc84fe1&scope=openid+profile+securetype+birthdate&state=CbNpkz2-f47XIXMyR5cT4wuIM_s&code=80317569-5feb-4864-85f0-03fba1728b27", ap_is_initial_req(r)=1, referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:18.911250 2015] [auth_openidc:debug] [pid 18861] src/util.c(742): [client 172.16.0.59:60747] oidc_util_get_cookie: returning "mod_auth_openidc_session" = <null>, referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:18.911257 2015] [auth_openidc:debug] [pid 18861] src/session.c(83): [client 172.16.0.59:60747] oidc_session_load: <null>, referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:18.911263 2015] [auth_openidc:debug] [pid 18861] src/util.c(781): [client 172.16.0.59:60747] oidc_util_request_matches_url: comparing "/example/redirect_uri"=="/example/redirect_uri", referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:18.911273 2015] [auth_openidc:debug] [pid 18861] src/mod_auth_openidc.c(1269): [client 172.16.0.59:60747] oidc_handle_redirect_authorization_response: enter, referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:18.911395 2015] [auth_openidc:debug] [pid 18861] src/util.c(1004): [client 172.16.0.59:60747] oidc_util_read_form_encoded_params: parsed: "" in to 4 elements, referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:18.911402 2015] [auth_openidc:debug] [pid 18861] src/mod_auth_openidc.c(1122): [client 172.16.0.59:60747] oidc_handle_authorization_response: enter, response_mode=query, referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:18.911405 2015] [auth_openidc:debug] [pid 18861] src/mod_auth_openidc.c(797): [client 172.16.0.59:60747] oidc_authorization_response_match_state: enter (state=CbNpkz2-f47XIXMyR5cT4wuIM_s), 
referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:18.911408 2015] [auth_openidc:debug] [pid 18861] src/mod_auth_openidc.c(436): [client 172.16.0.59:60747] oidc_restore_proto_state: enter, referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:18.911421 2015] [auth_openidc:debug] [pid 18861] src/util.c(742): [client 172.16.0.59:60747] oidc_util_get_cookie: returning "mod_auth_openidc_state_CbNpkz2-f47XIXMyR5cT4wuIM_s" = "jQ5-kgHlSo2OJTJ7_yvnc4Vsflr6Z01uRYyheAkqPKpKkQzcPtkRrbzsZNGhEz9e6Ds2DIgNDTMhBC21dIASuJbD35AAEGC-95hxcjSEZABpJwk8Fq-BFtSN-IjvdruwPvfGkGZ_A8YPQbU__Q1V_uYCEJgopkXjJwGmpru9XC4S-Q4sz9XfTRfvrFIl17SVz2TDLvbZ-40WV575zpRLq1vR0OGpQjH0Cbu6tYcM-X0UHk53zzlUa7DDeIz0vFiQL81rY4F8j5EYzAdzpeKzGXqKvI7_UJgywJo6fELR1ew", referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:18.911462 2015] [auth_openidc:debug] [pid 18861] src/util.c(702): [client 172.16.0.59:60747] oidc_util_set_cookie: adding outgoing header: Set-Cookie: mod_auth_openidc_state_CbNpkz2-f47XIXMyR5cT4wuIM_s=;Path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT;Secure;HttpOnly, referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:18.911495 2015] [auth_openidc:debug] [pid 18861] src/mod_auth_openidc.c(455): [client 172.16.0.59:60747] oidc_restore_proto_state: restored JSON state cookie value: {"issuer": "https://idm.galco.com", "original_url": "https://client1.galco.com/example/", "original_method": "get", "response_type": "code", "timestamp": 1435351992, "nonce": "CfsnU2vwIK_cWJKAhyVEF_UqyQdi1sqrOIDdviT-6dQ"}, referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:18.911568 2015] [auth_openidc:debug] [pid 18861] src/mod_auth_openidc.c(141): [client 172.16.0.59:60747] oidc_get_browser_state_hash: enter, referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:18.911632 2015] [auth_openidc:debug] [pid 18861] src/mod_auth_openidc.c(488): [client 172.16.0.59:60747] oidc_restore_proto_state: restored state: {"original_method": "get", "issuer": "https://idm.galco.com", 
"original_url": "https://client1.galco.com/example/", "nonce": "CfsnU2vwIK_cWJKAhyVEF_UqyQdi1sqrOIDdviT-6dQ", "response_type": "code", "timestamp": 1435351992}, referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:18.911645 2015] [auth_openidc:debug] [pid 18861] src/proto.c(1497): [client 172.16.0.59:60747] oidc_proto_handle_authorization_response_code: enter, referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:18.911652 2015] [auth_openidc:debug] [pid 18861] src/proto.c(867): [client 172.16.0.59:60747] oidc_proto_resolve_code: enter, referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:18.911690 2015] [auth_openidc:debug] [pid 18861] src/util.c(590): [client 172.16.0.59:60747] oidc_util_http_post_form: post data="grant_type=authorization_code&code=80317569-5feb-4864-85f0-03fba1728b27&redirect_uri=https%3A%2F%2Fclient1.galco.com%2Fexample%2Fredirect_uri", referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:18.911749 2015] [auth_openidc:debug] [pid 18861] src/util.c(430): [client 172.16.0.59:60747] oidc_util_http_call: url=https://idm.galco.com/oxauth/seam/resource/restv1/oxauth/token, data=grant_type=authorization_code&code=80317569-5feb-4864-85f0-03fba1728b27&redirect_uri=https%3A%2F%2Fclient1.galco.com%2Fexample%2Fredirect_uri, content_type=application/x-www-form-urlencoded, basic_auth=@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912:123456789, bearer_token=(null), ssl_validate_server=0, referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.161512 2015] [auth_openidc:debug] [pid 18861] src/util.c(541): [client 172.16.0.59:60747] oidc_util_http_call: 
response={"access_token":"8d1aa888-c1c8-47f1-9783-a05e87e8327f","token_type":"bearer","expires_in":3599,"refresh_token":"46de67df-b43c-4c2b-a282-3390950cedd7","id_token":"eyJ0eXAiOiJKV1MiLCJhbGciOiJSUzI1NiIsImtpZCI6ImQ2NTc5OTIzLTY3ZDMtNGFlMi1hZjNkLTNmZGZiMzUxOTdmZSJ9.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.WtJ_7nZn22IgitZ0V_mrWkQnW_Zwmn1v4Eqh8GLin5pa9ObbxFXENPbhHxYyRMlFqazPMJAUsFecMaJiQCsIuVSooaFHFn67rRW3nptnF9qjGSUtVHaZjvgLgZJBLOK8qmFF6Y0va0ygqFFsbXWnSpVBjZlTtQFcoLZlZizdee-BRxiDlXIlm62ywZekaRoTARLru-pNJXAd0T157DQYYCd1gqs5PZvGfZKp8ORUnU1CM26ijwnquxtaFRS5RiS4_N68cxMSpA7SCpyFSJ8ZWZkq9aHQYWXMY5Q951YCYc5hqCu7QKHXlaHO2VtfmoRRkPsbdjQq-hpYdSf2fuAvTA"}, referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.161684 2015] [auth_openidc:debug] [pid 18861] src/proto.c(1190): [client 172.16.0.59:60747] oidc_proto_validate_code_response: enter, referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.161698 2015] [auth_openidc:debug] [pid 18861] src/proto.c(716): [client 172.16.0.59:60747] oidc_proto_parse_idtoken: enter, referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.161762 2015] [auth_openidc:debug] [pid 18861] src/proto.c(730): [client 172.16.0.59:60747] oidc_proto_parse_idtoken: successfully parsed (and possibly decrypted) JWT with header: "{"typ":"JWS","alg":"RS256","kid":"d6579923-67d3-4ae2-af3d-3fdfb35197fe"}", referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.161771 2015] [auth_openidc:debug] [pid 18861] src/metadata.c(723): [client 172.16.0.59:60747] oidc_metadata_jwks_get: enter, jwks_uri=https://idm.galco.com/oxauth/seam/resource/restv1/oxauth/jwks, refresh=0, referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.161793 2015] [auth_openidc:debug] [pid 18861] src/cache/shm.c(156): [client 172.16.0.59:60747] oidc_cache_shm_get: enter, section="jwks", key="https://idm.galco.com/oxauth/seam/resource/restv1/oxauth/jwks", referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.162084 2015] 
[auth_openidc:debug] [pid 18861] src/proto.c(532): [client 172.16.0.59:60747] oidc_proto_get_key_from_jwks: search for kid "d6579923-67d3-4ae2-af3d-3fdfb35197fe" or thumbprint x5t "(null)", referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.162092 2015] [auth_openidc:debug] [pid 18861] src/proto.c(581): [client 172.16.0.59:60747] oidc_proto_get_key_from_jwks: found matching kid: "d6579923-67d3-4ae2-af3d-3fdfb35197fe", referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.162106 2015] [auth_openidc:debug] [pid 18861] src/proto.c(659): [client 172.16.0.59:60747] oidc_proto_get_keys_from_jwks_uri: returning 1 key(s) obtained from the (possibly cached) JWKs URI, referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.162270 2015] [auth_openidc:debug] [pid 18861] src/proto.c(701): [client 172.16.0.59:60747] oidc_proto_jwt_verify: JWT signature verification with algorithm "RS256" was successful, referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.162276 2015] [auth_openidc:debug] [pid 18861] src/proto.c(481): [client 172.16.0.59:60747] oidc_proto_validate_idtoken: enter, jwt.header="{"typ":"JWS","alg":"RS256","kid":"d6579923-67d3-4ae2-af3d-3fdfb35197fe"}", jwt.payload={"iss":"https://idm.galco.com","aud":"@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912","exp":1435355446,"iat":1435351846,"sub":"@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912","nonce":"CfsnU2vwIK_cWJKAhyVEF_UqyQdi1sqrOIDdviT-6dQ","at_hash":"XVoJd4mT_rHtJGa8iApddQ","oxValidationURI":"https://idm.galco.com/oxauth/opiframe.seam","oxOpenIDConnectVersion":"openidconnect-1.0"}", nonce=CfsnU2vwIK_cWJKAhyVEF_UqyQdi1sqrOIDdviT-6dQ, referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.162281 2015] [auth_openidc:debug] [pid 18861] src/cache/shm.c(156): [client 172.16.0.59:60747] oidc_cache_shm_get: enter, section="nonce", key="CfsnU2vwIK_cWJKAhyVEF_UqyQdi1sqrOIDdviT-6dQ", referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.162782 2015] 
[auth_openidc:debug] [pid 18861] src/cache/shm.c(213): [client 172.16.0.59:60747] oidc_cache_shm_set: enter, section="nonce", key="CfsnU2vwIK_cWJKAhyVEF_UqyQdi1sqrOIDdviT-6dQ", value size=%lu, referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.162818 2015] [auth_openidc:debug] [pid 18861] src/proto.c(297): [client 172.16.0.59:60747] oidc_proto_validate_nonce: nonce "CfsnU2vwIK_cWJKAhyVEF_UqyQdi1sqrOIDdviT-6dQ" validated successfully and is now cached for 1210 seconds, referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.162828 2015] [auth_openidc:debug] [pid 18861] src/proto.c(761): [client 172.16.0.59:60747] oidc_proto_parse_idtoken: valid id_token for user "@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912" expires: [Fri, 26 Jun 2015 21:50:46 GMT], in %ld secs from now), referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.162845 2015] [auth_openidc:debug] [pid 18861] src/proto.c(1074): [client 172.16.0.59:60747] oidc_proto_validate_hash: successfully validated the provided "at_hash" hash value (XVoJd4mT_rHtJGa8iApddQ) against the calculated value (XVoJd4mT_rHtJGa8iApddQ), referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.162852 2015] [auth_openidc:debug] [pid 18861] src/proto.c(911): [client 172.16.0.59:60747] oidc_proto_resolve_userinfo: enter, endpoint=https://idm.galco.com/oxauth/seam/resource/restv1/oxauth/userinfo, access_token=8d1aa888-c1c8-47f1-9783-a05e87e8327f, referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.162868 2015] [auth_openidc:debug] [pid 18861] src/util.c(430): [client 172.16.0.59:60747] oidc_util_http_call: url=https://idm.galco.com/oxauth/seam/resource/restv1/oxauth/userinfo, data=(null), content_type=(null), basic_auth=(null), bearer_token=8d1aa888-c1c8-47f1-9783-a05e87e8327f, ssl_validate_server=0, referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.369308 2015] [auth_openidc:debug] [pid 18861] src/util.c(541): [client 172.16.0.59:60747] 
oidc_util_http_call: response={\n "sub": "@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912",\n "name": "Joe Monkey",\n "family_name": "Monkey",\n "given_name": "Joe",\n "picture": "http://www.google.com/images",\n "birthdate": "2015"\n}, referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.369515 2015] [auth_openidc:debug] [pid 18861] src/mod_auth_openidc.c(939): [client 172.16.0.59:60747] oidc_get_remote_user: set user to "@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912@idm.galco.com", referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.369535 2015] [auth_openidc:debug] [pid 18861] src/mod_auth_openidc.c(633): [client 172.16.0.59:60747] oidc_log_session_expires: session expires Sat, 27 Jun 2015 04:53:19 GMT (in 28799 secs from now), referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.369557 2015] [auth_openidc:debug] [pid 18861] src/session.c(93): [client 172.16.0.59:60747] oidc_session_save: 7f3d04c5-caf7-45ae-85ca-1f83912b6328, referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.369581 2015] [auth_openidc:debug] [pid 18861] src/util.c(702): [client 172.16.0.59:60747] oidc_util_set_cookie: adding outgoing header: Set-Cookie: mod_auth_openidc_session=7f3d04c5-caf7-45ae-85ca-1f83912b6328;Path=/;Secure;HttpOnly, referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.369586 2015] [auth_openidc:debug] [pid 18861] src/cache/shm.c(213): [client 172.16.0.59:60747] oidc_cache_shm_set: enter, section="session", key="7f3d04c5-caf7-45ae-85ca-1f83912b6328", value size=%lu, referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.369706 2015] [auth_openidc:debug] [pid 18861] src/mod_auth_openidc.c(1218): [client 172.16.0.59:60747] oidc_handle_authorization_response: session created and stored, redirecting to original URL: https://client1.galco.com/example/, referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.378394 2015] [authz_core:debug] [pid 18861] mod_authz_core.c(802): [client 
172.16.0.59:60747] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.378437 2015] [authz_core:debug] [pid 18861] mod_authz_core.c(802): [client 172.16.0.59:60747] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.378453 2015] [auth_openidc:debug] [pid 18861] src/mod_auth_openidc.c(2197): [client 172.16.0.59:60747] oidc_check_user_id: incoming request: "/example/?(null)", ap_is_initial_req(r)=1, referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.378734 2015] [auth_openidc:debug] [pid 18861] src/util.c(742): [client 172.16.0.59:60747] oidc_util_get_cookie: returning "mod_auth_openidc_session" = "7f3d04c5-caf7-45ae-85ca-1f83912b6328", referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.378742 2015] [auth_openidc:debug] [pid 18861] src/cache/shm.c(156): [client 172.16.0.59:60747] oidc_cache_shm_get: enter, section="session", key="7f3d04c5-caf7-45ae-85ca-1f83912b6328", referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.378797 2015] [auth_openidc:debug] [pid 18861] src/session.c(83): [client 172.16.0.59:60747] oidc_session_load: 7f3d04c5-caf7-45ae-85ca-1f83912b6328, referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.378805 2015] [auth_openidc:debug] [pid 18861] src/util.c(781): [client 172.16.0.59:60747] oidc_util_request_matches_url: comparing "/example/"=="/example/redirect_uri", referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.378808 2015] [auth_openidc:debug] [pid 18861] src/mod_auth_openidc.c(673): [client 172.16.0.59:60747] oidc_handle_existing_session: enter, referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.378820 2015] [auth_openidc:debug] [pid 18861] src/mod_auth_openidc.c(633): [client 172.16.0.59:60747] oidc_log_session_expires: session expires Sat, 27 Jun 2015 04:53:19 GMT 
(in 28799 secs from now), referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.378918 2015] [auth_openidc:debug] [pid 18861] src/util.c(1168): [client 172.16.0.59:60747] oidc_util_set_app_header: setting header "OIDC_CLAIM_birthdate: 2015", referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.378925 2015] [auth_openidc:debug] [pid 18861] src/util.c(1168): [client 172.16.0.59:60747] oidc_util_set_app_header: setting header "OIDC_CLAIM_sub: @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912", referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.378928 2015] [auth_openidc:debug] [pid 18861] src/util.c(1168): [client 172.16.0.59:60747] oidc_util_set_app_header: setting header "OIDC_CLAIM_name: Joe Monkey", referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.378932 2015] [auth_openidc:debug] [pid 18861] src/util.c(1168): [client 172.16.0.59:60747] oidc_util_set_app_header: setting header "OIDC_CLAIM_family_name: Monkey", referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.378935 2015] [auth_openidc:debug] [pid 18861] src/util.c(1168): [client 172.16.0.59:60747] oidc_util_set_app_header: setting header "OIDC_CLAIM_given_name: Joe", referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.378938 2015] [auth_openidc:debug] [pid 18861] src/util.c(1168): [client 172.16.0.59:60747] oidc_util_set_app_header: setting header "OIDC_CLAIM_picture: http://www.google.com/images", referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.378967 2015] [auth_openidc:debug] [pid 18861] src/util.c(1168): [client 172.16.0.59:60747] oidc_util_set_app_header: setting header "OIDC_CLAIM_iss: https://idm.galco.com", referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.378973 2015] [auth_openidc:debug] [pid 18861] src/util.c(1168): [client 172.16.0.59:60747] oidc_util_set_app_header: setting header "OIDC_CLAIM_aud: @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912", referer: 
https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.378980 2015] [auth_openidc:debug] [pid 18861] src/util.c(1168): [client 172.16.0.59:60747] oidc_util_set_app_header: setting header "OIDC_CLAIM_exp: 1435355446", referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.378985 2015] [auth_openidc:debug] [pid 18861] src/util.c(1168): [client 172.16.0.59:60747] oidc_util_set_app_header: setting header "OIDC_CLAIM_iat: 1435351846", referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.378989 2015] [auth_openidc:debug] [pid 18861] src/util.c(1168): [client 172.16.0.59:60747] oidc_util_set_app_header: setting header "OIDC_CLAIM_nonce: CfsnU2vwIK_cWJKAhyVEF_UqyQdi1sqrOIDdviT-6dQ", referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.378992 2015] [auth_openidc:debug] [pid 18861] src/util.c(1168): [client 172.16.0.59:60747] oidc_util_set_app_header: setting header "OIDC_CLAIM_sub: @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912", referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.378996 2015] [auth_openidc:debug] [pid 18861] src/util.c(1168): [client 172.16.0.59:60747] oidc_util_set_app_header: setting header "OIDC_CLAIM_at_hash: XVoJd4mT_rHtJGa8iApddQ", referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.378999 2015] [auth_openidc:debug] [pid 18861] src/util.c(1168): [client 172.16.0.59:60747] oidc_util_set_app_header: setting header "OIDC_CLAIM_oxValidationURI: https://idm.galco.com/oxauth/opiframe.seam", referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.379003 2015] [auth_openidc:debug] [pid 18861] src/util.c(1168): [client 172.16.0.59:60747] oidc_util_set_app_header: setting header "OIDC_CLAIM_oxOpenIDConnectVersion: openidconnect-1.0", referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.379009 2015] [auth_openidc:debug] [pid 18861] src/util.c(1168): [client 172.16.0.59:60747] oidc_util_set_app_header: setting header "OIDC_access_token: 8d1aa888-c1c8-47f1-9783-a05e87e8327f", 
referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.379051 2015] [auth_openidc:debug] [pid 18861] src/util.c(1168): [client 172.16.0.59:60747] oidc_util_set_app_header: setting header "OIDC_access_token_expires: 1435355598", referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.379060 2015] [authz_core:debug] [pid 18861] mod_authz_core.c(802): [client 172.16.0.59:60747] AH01626: authorization result of Require valid-user : granted, referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.379063 2015] [authz_core:debug] [pid 18861] mod_authz_core.c(802): [client 172.16.0.59:60747] AH01626: authorization result of <RequireAny>: granted, referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.379255 2015] [authz_core:debug] [pid 18861] mod_authz_core.c(802): [client 172.16.0.59:60747] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.379262 2015] [authz_core:debug] [pid 18861] mod_authz_core.c(802): [client 172.16.0.59:60747] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.379267 2015] [auth_openidc:debug] [pid 18861] src/mod_auth_openidc.c(2197): [client 172.16.0.59:60747] oidc_check_user_id: incoming request: "/example/index.html?(null)", ap_is_initial_req(r)=0, referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.379271 2015] [auth_openidc:debug] [pid 18861] src/mod_auth_openidc.c(2167): [client 172.16.0.59:60747] oidc_check_userid_openidc: recycling user '@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912@idm.galco.com' from initial request for sub-request, referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.379275 2015] [authz_core:debug] [pid 18861] mod_authz_core.c(802): [client 172.16.0.59:60747] AH01626: authorization result of Require valid-user : granted, referer: 
https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.379278 2015] [authz_core:debug] [pid 18861] mod_authz_core.c(802): [client 172.16.0.59:60747] AH01626: authorization result of <RequireAny>: granted, referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.379499 2015] [authz_core:debug] [pid 18861] mod_authz_core.c(802): [client 172.16.0.59:60747] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.379524 2015] [authz_core:debug] [pid 18861] mod_authz_core.c(802): [client 172.16.0.59:60747] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.379531 2015] [auth_openidc:debug] [pid 18861] src/mod_auth_openidc.c(2197): [client 172.16.0.59:60747] oidc_check_user_id: incoming request: "/example/index.php?(null)", ap_is_initial_req(r)=0, referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.379535 2015] [auth_openidc:debug] [pid 18861] src/mod_auth_openidc.c(2167): [client 172.16.0.59:60747] oidc_check_userid_openidc: recycling user '@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912@idm.galco.com' from initial request for sub-request, referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.379539 2015] [authz_core:debug] [pid 18861] mod_authz_core.c(802): [client 172.16.0.59:60747] AH01626: authorization result of Require valid-user : granted, referer: https://idm.galco.com/oxauth/login [Fri Jun 26 16:53:19.379542 2015] [authz_core:debug] [pid 18861] mod_authz_core.c(802): [client 172.16.0.59:60747] AH01626: authorization result of <RequireAny>: granted, referer: https://idm.galco.com/oxauth/login # Client Headers Array ( [Host] => client1.galco.com [User-Agent] => Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 [Accept] => text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 [Accept-Language] => 
en-US,en;q=0.5 [Accept-Encoding] => gzip, deflate [Referer] => https://idm.galco.com/oxauth/login [Cookie] => mod_auth_openidc_state_LUAz6vY9NPL1pniCwFVdNBjVZr4=oEhO0m3NiVB--8NMS-pSix0xjL_RNBtAIWSYfsZEJhrSFpGYx-FsDmIXAKq_fxpwDQw0F2BVwOtyJYG3SgT7B4srT_w0s6v8OgnTxslvk3rsmqbzVGj0fALTGv_hmLKeQagFEdjH4aA7OQhV62ZuQ_sn2FUaYvhX2SvQL1btJKSh79AQpGInl93knF54kEq2FJ0l-LPRXwzYW3GnA23rhBnnLLwb5hZ_yCirqNNt733mnneesWWDBQ4XqQQbr-H4abiaY0K-18PLKSob0DJm9L87jeQ8crIAr8JhKLVLlYc; mod_auth_openidc_state_VOlCveZ4I1MjcxXG2tyub09IDM4=oEhO0m3NiVB--8NMS-pSix0xjL_RNBtAIWSYfsZEJhrSFpGYx-FsDmIXAKq_fxpwAzegLvSe3ntLAPwygl_vrkH1DLTOP2noTTILoiD8CQQGNXApJfSrl0Z4Ycpm3AySczbMoYemxsjK-ujf24CrYpAuQCPHavyDOulfH14XESu3sjvTkVKdJs9W8DEt9uNAFLvd418BgGpOlpiAp8wB0HUjqCJ-uzp3blIpKiDXmg-GnEh2OHyMhza2hxLDn0mmrAZeaeEOjgzCpnw5WDTflPG0UgjY18dWxemaIbHF5dw; mod_auth_openidc_session=7f3d04c5-caf7-45ae-85ca-1f83912b6328 [Connection] => keep-alive [OIDC_CLAIM_birthdate] => 2015 [OIDC_CLAIM_sub] => @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912 [OIDC_CLAIM_name] => Joe Monkey [OIDC_CLAIM_family_name] => Monkey [OIDC_CLAIM_given_name] => Joe [OIDC_CLAIM_picture] => http://www.google.com/images [OIDC_CLAIM_iss] => https://idm.galco.com [OIDC_CLAIM_aud] => @!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912 [OIDC_CLAIM_exp] => 1435355446 [OIDC_CLAIM_iat] => 1435351846 [OIDC_CLAIM_nonce] => CfsnU2vwIK_cWJKAhyVEF_UqyQdi1sqrOIDdviT-6dQ [OIDC_CLAIM_at_hash] => XVoJd4mT_rHtJGa8iApddQ [OIDC_CLAIM_oxValidationURI] => https://idm.galco.com/oxauth/opiframe.seam [OIDC_CLAIM_oxOpenIDConnectVersion] => openidconnect-1.0 [OIDC_access_token] => 8d1aa888-c1c8-47f1-9783-a05e87e8327f [OIDC_access_token_expires] => 1435355598 )

By William Lowe user 29 Jun 2015 at 3:20 p.m. CDT

Is this problem still persisting in the newest version of the Gluu Server, v 2.3?

By yoom nguyen user 30 Jun 2015 at 12:28 p.m. CDT

I am out of the office for the holiday and won't be back until Monday, July 6. I will resume the testing when I am back on Monday. Thank you

By William Lowe user 30 Jun 2015 at 3:46 p.m. CDT

Thanks, Yoom. We look forward to finding a resolution to the issue when you're back.

By William Lowe user 10 Jul 2015 at 10 a.m. CDT

Hi Yoom, any update on this issue?

By yoom nguyen user 10 Jul 2015 at 10:51 a.m. CDT

Hi William. Yes, as a matter of fact I have updates. Was able to deploy version 2.3 and test it out. Happy to announce that built in claims (birthdate, gender etc.) are now working properly with PROFILE or customer created scope but there is STILL A PROBLEM with custom attributes/claim. Creating a new attribute and adding it to a new scope and to user profile. Value still not returned. Let me know what you would like to see in order to troubleshoot it. Thanks

By Mohib Zico Account Admin 11 Jul 2015 at 3:44 a.m. CDT

Hi Yoom, How is it going? Is there anything else we can assist you here in this ticket?

By yoom nguyen user 13 Jul 2015 at 8:39 a.m. CDT

Hi Mohib Zico. Yes, we still don't have a working custom claim/attribute. Appears that part is still broken.

By yoom nguyen user 15 Jul 2015 at 9:11 a.m. CDT

Custom created attributes/claims still do not work. How do we make them work? Still battling the same problem from when we started evaluating gluu. This is a fundamental piece of functionality in the application and does not make the application look good.

By yoom nguyen user 16 Jul 2015 at 1:28 p.m. CDT

So what do you guys think about the problem gluu is still having with custom attributes not being returned as part of the scope when the scope is requested?

By Yuriy Movchan staff 16 Jul 2015 at 2:32 p.m. CDT

I've tested this issue on latest CE 2.3.1. It works fine. Can you install this version: http://deb-repo.gluu.org/centos/6/gluu-server-2.3.1-1.el6.x86_64.rpm And try next steps:

1. Log into identity.
2. Add new scope "birthdate" with claim "birthdate".
3. Add birthdate to person entry.
4. Open attributes inventory.
5. Open birthdate attribute.
6. Check if "oxAuth claim name"=birthdate
7. Open client inventory.
8. Find required client.
9. Add scope birthdate to client entry.
10. Now we can try to execute authorization request with

```java
List<ResponseType> responseTypes = Arrays.asList(ResponseType.CODE, ResponseType.ID_TOKEN);
List<String> scopes = Arrays.asList("openid", "birthdate");
```

11. Parse idToken

```java
Jwt jwt = Jwt.parse(authorizationResponse.getIdToken());
System.out.println(jwt.getClaims().getClaim("birthdate"));
```
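The check in step 11 above, done from the relying-party side as an added diagnostic (this is example code written for this page, not the ticket's own code and not Gluu's client library): decode the compact JWS, list which claims the requested scopes should have produced but the id_token lacks, and recompute `at_hash` the way mod_auth_openidc does in the debug log earlier in the thread. The token, key id and access token below are constructed from the values visible in the thread and the signature segment is a placeholder, so this only inspects claims; the RP must still verify the signature against the OP's JWKS before trusting any of them. The scope-to-claim table covers only the standard scopes from OpenID Connect Core; a custom scope such as "birthdate" has to be added to that table by hand, mirroring the OP's configuration.

```python
import base64
import hashlib
import json

# Claims each standard scope is defined to release (OpenID Connect Core 1.0,
# section 5.4). "openid" itself only guarantees "sub"; custom scopes must be
# added by the caller because only the OP's configuration defines them.
STANDARD_SCOPE_CLAIMS = {
    "openid": {"sub"},
    "profile": {
        "name", "family_name", "given_name", "middle_name", "nickname",
        "preferred_username", "profile", "picture", "website", "gender",
        "birthdate", "zoneinfo", "locale", "updated_at",
    },
    "email": {"email", "email_verified"},
}


def b64url_decode(text):
    """Decode an unpadded base64url segment as used in compact JWS."""
    data = text.encode("ascii")
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def b64url_encode(raw):
    """Encode bytes as unpadded base64url (RFC 7515 appendix C)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token):
    """Split a compact JWS into (header, payload) dicts WITHOUT checking the
    signature. Inspection only: the RP still has to verify the signature
    against the OP's JWKS, as mod_auth_openidc does in the log above."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-segment compact JWS")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload


def at_hash(access_token, alg="RS256"):
    """OIDC at_hash: base64url of the left-most half of the hash whose
    length matches the id_token signing algorithm (RS256 -> SHA-256)."""
    try:
        bits = int(alg[2:])
    except ValueError:
        raise ValueError("unsupported alg: %s" % alg)
    if bits not in (256, 384, 512):
        raise ValueError("unsupported alg: %s" % alg)
    digest = hashlib.new("sha%d" % bits, access_token.encode("ascii")).digest()
    return b64url_encode(digest[: len(digest) // 2])


def verify_at_hash(header, payload, access_token):
    """True when the id_token's at_hash binds it to this access token."""
    return payload.get("at_hash") == at_hash(access_token, header.get("alg", "RS256"))


def missing_claims(payload, requested_scopes, scope_claims=STANDARD_SCOPE_CLAIMS):
    """Claims the requested scopes should have produced but the token lacks."""
    expected = set()
    for scope in requested_scopes:
        expected |= scope_claims.get(scope, set())
    return sorted(expected - set(payload))


def inspect_id_token(token, access_token, requested_scopes, scope_claims=STANDARD_SCOPE_CLAIMS):
    """One-shot report: algorithm, at_hash binding, and claim gaps."""
    header, payload = decode_jwt_unverified(token)
    return {
        "alg": header.get("alg"),
        "at_hash_ok": verify_at_hash(header, payload, access_token),
        "missing": missing_claims(payload, requested_scopes, scope_claims),
    }


# Constructed sample, NOT a real token: header and payload mirror the values
# shown in the mod_auth_openidc log above, at_hash is recomputed here rather
# than copied, and the signature segment is a placeholder.
SAMPLE_ACCESS_TOKEN = "8d1aa888-c1c8-47f1-9783-a05e87e8327f"
SAMPLE_HEADER = {"typ": "JWS", "alg": "RS256", "kid": "d6579923-67d3-4ae2-af3d-3fdfb35197fe"}
SAMPLE_PAYLOAD = {
    "iss": "https://idm.galco.com",
    "aud": "@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912",
    "exp": 1435355446,
    "iat": 1435351846,
    "sub": "@!C032.849B.2FA5.5E8C!0001!BCB6.4A42!0008!D0AC.C912",
    "nonce": "CfsnU2vwIK_cWJKAhyVEF_UqyQdi1sqrOIDdviT-6dQ",
    "at_hash": at_hash(SAMPLE_ACCESS_TOKEN),
}
SAMPLE_ID_TOKEN = ".".join([
    b64url_encode(json.dumps(SAMPLE_HEADER, separators=(",", ":")).encode()),
    b64url_encode(json.dumps(SAMPLE_PAYLOAD, separators=(",", ":")).encode()),
    "placeholder-signature",
])

if __name__ == "__main__":
    report = inspect_id_token(SAMPLE_ID_TOKEN, SAMPLE_ACCESS_TOKEN, ["openid", "profile"])
    print(json.dumps(report, indent=2))
```

Run against the sample, the report lists every `profile` claim as missing while `at_hash_ok` is true, which is exactly the situation in the log: the token is valid and bound to the access token, but the OP released nothing beyond `sub` for the profile scope. To check a custom scope, pass a `scope_claims` table that adds, for instance, `{"birthdate": {"birthdate"}}` to the standard one.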

By yoom nguyen user 16 Jul 2015 at 2:40 p.m. CDT

Yuriy Movchan, built in claims WORK (birthday, gender etc. as part of custom scope works now). We tested that and I mentioned it above.

1. Go to Configuration > Attributes
2. Add a new attribute
3. Add the attribute to person entry
4. Add the attribute to your scope.

NEW ATTRIBUTE is not returned.

By Michael Schwartz Account Admin 16 Jul 2015 at 2:43 p.m. CDT

Did you update to the latest version as he mentioned?

By yoom nguyen user 17 Jul 2015 at 2:15 p.m. CDT

What Yuriy Movchan is describing above is part of the problem which has been addressed in version 2.3.0-1 and that is built in claims did even work. Understand that the original problem is still present where a custom attribute created through Configuration > Attributes is not passed back when requested through a scope it belongs to. This is still not working. I have since tried it on gluu version gluu-server-2.3.1-1.el6.x86_64 suggested by Yuriy and it is still NOT working.

By William Lowe user 17 Jul 2015 at 2:16 p.m. CDT

OK, thanks for the update. We will look into this ASAP.

By Yuriy Movchan staff 17 Jul 2015 at 3:48 p.m. CDT

Yoom, I think we started from birthday claim... And we are speaking about custom attributes now. For me it's better to create different tickets to help understand the problem. Regarding custom attributes... Yes, there is one issue. Can you add to your custom attribute new attribute 'gluuLdapAttributeName' manually? The values should be the same to displayName attribute. After adding this attribute my test with custom attribute is successful.
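The workaround above amounts to a consistency rule on the attribute entries: a custom attribute is only released as a claim when its entry carries both a claim name and `gluuLdapAttributeName` equal to its displayName. The following is an added audit script (example code for this page, not part of the ticket or of oxTrust) that applies that rule to an LDIF export of the attribute inventory, so a whole inventory can be checked for the gap instead of one attribute at a time. The LDIF below is constructed, not taken from the poster's server: the DIT path `ou=attributes,o=example,o=gluu`, the `inum` values and the use of `oxAuthClaimName` and `gluuStatus` are assumptions about the entry layout, while `gluuLdapAttributeName` and `displayName` are the attributes named in the thread.

```python
import base64

# Constructed LDIF modelling two attribute entries: the built-in "birthdate"
# (complete) and a custom "manager" entry that lacks gluuLdapAttributeName.
# The container DN, inum values, oxAuthClaimName and gluuStatus are assumed.
SAMPLE_LDIF = """\
dn: inum=EXAMPLE-0001,ou=attributes,o=example,o=gluu
objectClass: gluuAttribute
displayName: birthdate
oxAuthClaimName: birthdate
gluuLdapAttributeName: birthdate
gluuStatus: active

dn: inum=EXAMPLE-0002,ou=attributes,o=example,o=gluu
objectClass: gluuAttribute
displayName: manager
oxAuthClaimName: manager
gluuStatus: active
"""

# Attributes an entry needs before oxAuth can map it to a released claim.
REQUIRED = ("oxAuthClaimName", "gluuLdapAttributeName")


def parse_ldif(text):
    """Parse LDIF text into a list of dicts mapping attribute -> [values].
    Handles folded continuation lines (leading space) and '::' base64 values."""
    entries = []
    current = {}
    pending = None  # logical line being assembled across folded lines

    def commit_pending():
        nonlocal pending
        if pending is None:
            return
        name, sep, value = pending.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % pending)
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name, []).append(value)
        pending = None

    for raw in text.splitlines():
        if raw.startswith(" ") and pending is not None:
            pending += raw[1:]  # continuation of the previous logical line
            continue
        commit_pending()
        if raw == "":  # blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if raw.startswith("#"):
            continue
        pending = raw
    commit_pending()
    if current:
        entries.append(current)
    return entries


def check_claim_mapping(entry):
    """Problems that would stop this attribute being released as a claim;
    an empty list means the mapping is complete."""
    name = entry.get("displayName", ["?"])[0]
    problems = []
    for attr in REQUIRED:
        if attr not in entry:
            problems.append("%s: missing %s" % (name, attr))
    ldap_name = entry.get("gluuLdapAttributeName")
    if ldap_name and ldap_name[0] != name:
        problems.append("%s: gluuLdapAttributeName %r differs from displayName"
                        % (name, ldap_name[0]))
    if entry.get("gluuStatus", ["active"])[0] != "active":
        problems.append("%s: gluuStatus is not active" % name)
    return problems


def audit(ldif_text):
    """Map each attribute's displayName to its list of problems."""
    findings = {}
    for entry in parse_ldif(ldif_text):
        name = entry.get("displayName", entry.get("dn", ["?"]))[0]
        findings[name] = check_claim_mapping(entry)
    return findings


if __name__ == "__main__":
    for name, problems in audit(SAMPLE_LDIF).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

On a real deployment the input would come from an `ldapsearch` export of the attribute container rather than the constructed text; the entry layout there should be checked against the server's own schema before trusting the field names assumed above.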

By Yuriy Movchan staff 17 Jul 2015 at 3:53 p.m. CDT

I created issue: https://github.com/GluuFederation/oxTrust/issues/88 It's small update and we will fix it in 2.3.2.

By yoom nguyen user 17 Jul 2015 at 4:19 p.m. CDT

Yuriy Movchan, I confirmed that adding 'gluuLdapAttributeName' manually to the attribute addressed the problem. The claim was returned when the scope was requested. We will await the release of a new version of the package where this bug is addressed. I have to agree that the original request only touched on troubles with built in attributes/claims but let me assure you that this was a problem since the beginning. Thanks

By Mohib Zico Account Admin 20 Jul 2015 at 3:25 a.m. CDT

Hi Yuriy / Yoom, Do we need to keep this community ticket open? We have a github [issue](https://github.com/GluuFederation/oxTrust/issues/88) which we can track.

By yoom nguyen user 20 Jul 2015 at 8:30 a.m. CDT

I think it's safe to close this. As long as the issue is addressed we should be good to go on our end.

By Mohib Zico Account Admin 20 Jul 2015 at 8:44 a.m. CDT

Thanks for confirmation, Yoom.