By: Dario T. user 22 Mar 2017 at 1:24 p.m. CDT

11 Responses
Hello guys, we have customized the oxAuth authentication page by copying our new login.xhtml to `/opt/gluu/jetty/oxauth/custom/pages` and restarting oxAuth: `service oxauth stop && service oxauth start`. After that we were able to authenticate to oxAuth through our new login page. Unfortunately, just after that, each time we try to log out we get the following message:

```
{"error":"invalid_request","error_description":"The request is missing a required parameter, includes an unsupported parameter or parameter value, repeats a parameter, or is otherwise malformed."}
```

Is there a way to solve this problem? We tried to revert by removing our new login.xhtml from `/opt/gluu/jetty/oxauth/custom/pages`, but the logout error remains. Regards.

By Aliaksandr Samuseu staff 22 Mar 2017 at 1:41 p.m. CDT

Hi, Dario. What if you copy the original oxAuth login page from its usual location to `/opt/gluu/jetty/oxauth/custom/pages` now and restart the service again? Will it start to work again?

By Dario T. user 22 Mar 2017 at 2:11 p.m. CDT

Hi, I made the copy: `cp /opt/jetty-9.3/temp/jetty-localhost-8081-oxauth.war-_oxauth-any-129770593283709586.dir/webapp/login.xhtml /opt/gluu/jetty/oxauth/custom/page` and `service oxauth stop && service oxauth start`. The login works well with the default page, but when I tried to log out, I got the same error:

```
{"error":"invalid_request","error_description":"The request is missing a required parameter, includes an unsupported parameter or parameter value, repeats a parameter, or is otherwise malformed."}
```

By Michael Schwartz Account Admin 22 Mar 2017 at 4:51 p.m. CDT

When you see this error

```
{"error":"invalid_request","error_description":"The request is missing a required parameter, includes an unsupported parameter or parameter value, repeats a parameter, or is otherwise malformed."}
```

it usually means that oxAuth cannot find a session for this user. What client code are you using to logout? Can you include the logs for oxAuth so we can see if there are any clues there? Can you see the logout request that is being sent by your client?

By Dario T. user 27 Mar 2017 at noon CDT

Hello, I'm not using any specific client code. I got this error when I tried to log out from the administration interface of Gluu, https://xxxobfuscatedxx/identity/logout. The only output in the oxAuth log during the login and logout on the administration interface of Gluu is the following:

```
2017-03-27 12:32:58,632 INFO [qtp1395089624-11] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:519) - Attempting to redirect user: SessionUser: SessionState, dn='oxAuthSessionId=77e33599-568e-47a5-8c6d-cad4de727b83,ou=session,o=@!20FC.B0F5.E1AF.8911!0001!B22D.0945,o=gluu', id='77e33599-568e-47a5-8c6d-cad4de727b83', isJwt=false, lastUsedAt=Mon Mar 27 12:32:58 EDT 2017, userDn='inum=@!20FC.B0F5.E1AF.8911!0001!B22D.0945!0000!5B9B.8EF5.94C8.34D2,ou=people,o=@!20FC.B0F5.E1AF.8911!0001!B22D.0945,o=gluu', authenticationTime=Mon Mar 27 12:32:58 EDT 2017, state=authenticated, permissionGranted=null, permissionGrantedMap=org.xdi.oxauth.model.common.SessionIdAccessMap@36fe3bf4, sessionAttributes={auth_step=1, acr=ldap_dev, remote_ip=172.17.116.19, scope=openid profile email user_name, response_type=code id_token, redirect_uri=https://xxxobfuscatedxx/identity/authentication/authcode, nonce=nonce, client_id=@!20FC.B0F5.E1AF.8911!0001!B22D.0945!0008!6191.66DB, auth_user=test}, persisted=true}
2017-03-27 12:32:58,634 INFO [qtp1395089624-11] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:527) - Attempting to redirect user: User: org.xdi.oxauth.model.common.User@1ceb926e
2017-03-27 12:32:58,643 INFO [qtp1395089624-11] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:323) - Authentication success for User: 'test'
2017-03-27 12:32:59,123 INFO [qtp1395089624-18] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:189) - Authentication success for Client: '@!20FC.B0F5.E1AF.8911!0001!B22D.0945!0008!6191.66DB'
```

Regards,

By Aliaksandr Samuseu staff 06 Apr 2017 at 12:30 p.m. CDT

Hi, Dario. Were you able to resolve the issue? If you haven't, could you use the **SAMLTRACER** Firefox plugin to capture all HTTP messages happening during this failing logout flow, and share it with us? Though it has "SAML" in its name, it's also suitable for capturing generic HTTP messages.

By Dario T. user 13 Apr 2017 at 8 a.m. CDT

Hello, sorry for the delay. You can find here the full capture of HTTP messages through SAMLTRACER during a login and a logout on oxauth: https://pastebin.com/KkNxdrBJ

By Yuriy Zabrovarnyy staff 14 Apr 2017 at 3:25 p.m. CDT

Hi Dario,

What is the exact version of `oxauth` you are using? Please provide the ldif of the `@!20FC.B0F5.E1AF.8911!0001!B22D.0945!0008!6191.66DB` client.

If you look into the source code of the /end_session service, there are only 3 possible cases when the invalid_request error is sent (for CE 3):

- `id_token_hint` and `session_state` is not passed
- `post_logout_redirect_uri` is not passed
- `post_logout_redirect_uri` is not associated with client that was used during session creation (authentication)

Source code here:

```
https://github.com/GluuFederation/oxAuth/blob/version_3.0.2/Server/src/main/java/org/xdi/oxauth/session/ws/rs/EndSessionRestWebServiceImpl.java
```

At first glance it seems that `post_logout_redirect_uri` validation failed; it should be clarified by the client ldif. Also, I opened an improvement ticket for the oxauth project to improve logging messages:

```
https://github.com/GluuFederation/oxAuth/issues/500
```

Thanks, Yuriy

By Aliaksandr Samuseu staff 14 Apr 2017 at 3:32 p.m. CDT

Here is the final logout request from the trace Dario provided:

```
GET https://lablgl02b.montrealnet.vdm.qc.ca/oxauth/seam/resource/restv1/oxauth/end_session?id_token_hint=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.….RWDkGAK-P2ngM5QsdSL7iZ2c5LnEqslV2V-5WQrV_9E&session_state=de454d1f-b743-4267-b260-637634da4205&post_logout_redirect_uri=https%3A%2F%2Flablgl02b.montrealnet.vdm.qc.ca%2Fidentity%2Fauthentication%2Ffinishlogout HTTP/1.1
Host: lablgl02b.montrealnet.vdm.qc.ca
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://lablgl02b.montrealnet.vdm.qc.ca/identity/home?cid=135
Cookie: JSESSIONID=1vocdnl9t16wf17uzsw3tg6aar; javax.faces.ClientToken=KHTpkPulBiXhFECn18p0Zy7avsDHnXvtf5jWvbYO1YN3WlCznI; session_state=de454d1f-b743-4267-b260-637634da4205

HTTP/?.? 400 Bad Request
Date: Thu, 13 Apr 2017 12:44:57 GMT
Server: Jetty(9.3.15.v20161220)
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/plain
Content-Length: 196
Access-Control-Allow-Origin: *
Connection: close
```

It contains `id_token_hint`, `session_state` and `post_logout_redirect_uri`, so I suppose it leaves us with the only option of "post_logout_redirect_uri is not associated with client that was used during session creation (authentication)".

By Dario T. user 18 Apr 2017 at 10:48 a.m. CDT

Hi, here is the ldif of client @!20FC.B0F5.E1AF.8911!0001!B22D.0945!0008!6191.66DB:

```
dn: inum=@!20FC.B0F5.E1AF.8911!0001!B22D.0945!0008!6191.66DB,ou=clients,o=@!20FC
 .B0F5.E1AF.8911!0001!B22D.0945,o=gluu
objectClass: oxAuthClient
objectClass: top
displayName: oxTrust Admin GUI
inum: @!20FC.B0F5.E1AF.8911!0001!B22D.0945!0008!6191.66DB
oxAuthClientSecret: (bla bla bla )
oxAuthAppType: web
oxAuthResponseType: code
oxAuthResponseType: id_token
oxAuthResponseType: token
oxAuthScope: inum=@!20FC.B0F5.E1AF.8911!0001!B22D.0945!0009!F0C4,ou=scopes,o=@!2
 0FC.B0F5.E1AF.8911!0001!B22D.0945,o=gluu
oxAuthScope: inum=@!20FC.B0F5.E1AF.8911!0001!B22D.0945!0009!10B2,ou=scopes,o=@!2
 0FC.B0F5.E1AF.8911!0001!B22D.0945,o=gluu
oxAuthScope: inum=@!20FC.B0F5.E1AF.8911!0001!B22D.0945!0009!764C,ou=scopes,o=@!2
 0FC.B0F5.E1AF.8911!0001!B22D.0945,o=gluu
oxAuthScope: inum=@!20FC.B0F5.E1AF.8911!0001!B22D.0945!0009!43F1,ou=scopes,o=@!2
 0FC.B0F5.E1AF.8911!0001!B22D.0945,o=gluu
oxAuthRedirectURI: https://lablgl02b.montrealnet.vdm.qc.ca/identity/scim/auth
oxAuthRedirectURI: https://lablgl02b.montrealnet.vdm.qc.ca/identity/authenticati
 on/authcode
oxAuthRedirectURI: https://lablgl02b.montrealnet.vdm.qc.ca/idp/auth-code.jsp
oxAuthRedirectURI: https://lablgl02b.montrealnet.vdm.qc.ca/cas/login
oxAuthTokenEndpointAuthMethod: client_secret_basic
oxAuthIdTokenSignedResponseAlg: HS256
oxAuthTrustedClient: true
oxAuthSubjectType: public
oxPersistClientAuthorizations: false
oxAuthLogoutSessionRequired: true
oxAuthPostLogoutRedirectURI: http://directory.montreal.qc.ca/simplesaml/module.p
 hp/saml/sp/saml2-logout.php/directoryessai
oxAuthPostLogoutRedirectURI: http://lablnu01a:8080/nuxeo/nxstartup.faces
oxAuthPostLogoutRedirectURI: http://scorpowdkdev5/wfc/logon/logonWFC.html
oxLastLogonTime: 20170413124452.870Z
oxLastAccessTime: 20170413124452.870Z
```

Thanks again for your help. Regards,

By Aliaksandr Samuseu staff 18 Apr 2017 at 10:55 a.m. CDT

Thanks, Dario. Your list of post-logout URIs:

```
oxAuthPostLogoutRedirectURI: http://directory.montreal.qc.ca/simplesaml/module.php/saml/sp/saml2-logout.php/directoryessai
oxAuthPostLogoutRedirectURI: http://lablnu01a:8080/nuxeo/nxstartup.faces
oxAuthPostLogoutRedirectURI: http://scorpowdkdev5/wfc/logon/logonWFC.html
```

And here is the one from the request I posted above: `https://lablgl02b.montrealnet.vdm.qc.ca/identity/authentication/finishlogout`

So it's not on the list. Please try to add it by editing the properties of this client and retry the flow again.
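
Added example, not part of the original thread and not oxAuth's own code: a small Python check that applies the three `invalid_request` cases listed earlier in the thread to a logout URL and a client LDIF export, including folded LDIF lines. The function names, hostnames and sample data are constructed for illustration; reading the first case as "neither parameter present" and comparing the redirect URI by exact string match are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

def unfold_ldif(text):
    """Join folded LDIF lines: a line starting with one space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    return lines

def ldif_values(text, attr):
    """Return all plain-text values of one attribute (base64 'attr::' values are not handled)."""
    prefix = attr.lower() + ": "
    return [l[len(prefix):].strip() for l in unfold_ldif(text) if l.lower().startswith(prefix)]

def check_end_session(request_url, client_ldif):
    """List which of the three cases named in the thread apply to this logout request."""
    query = parse_qs(urlsplit(request_url).query)  # parse_qs percent-decodes and drops blank values
    problems = []
    # Assumption: case 1 is read as "neither parameter is present".
    if "id_token_hint" not in query and "session_state" not in query:
        problems.append("id_token_hint and session_state are not passed")
    uri = query.get("post_logout_redirect_uri", [None])[0]
    if uri is None:
        problems.append("post_logout_redirect_uri is not passed")
    elif uri not in ldif_values(client_ldif, "oxAuthPostLogoutRedirectURI"):
        # Assumption: the registered list is matched by exact string comparison.
        problems.append("post_logout_redirect_uri is not registered for the client: " + uri)
    return problems

# Constructed sample data: hostnames, token and session values are placeholders.
SAMPLE_LDIF = """\
dn: inum=CLIENT-PLACEHOLDER,ou=clients,o=gluu
displayName: Sample client
oxAuthPostLogoutRedirectURI: http://app.example.org/simplesaml/module.p
 hp/saml/sp/saml2-logout.php/demo
oxAuthPostLogoutRedirectURI: http://intranet.example.org:8080/start.faces
"""
SAMPLE_REQUEST = (
    "https://idp.example.org/oxauth/seam/resource/restv1/oxauth/end_session"
    "?id_token_hint=PLACEHOLDER.TOKEN.VALUE"
    "&session_state=00000000-0000-0000-0000-000000000000"
    "&post_logout_redirect_uri=https%3A%2F%2Fidp.example.org%2Fidentity%2Fauthentication%2Ffinishlogout"
)

if __name__ == "__main__":
    for problem in check_end_session(SAMPLE_REQUEST, SAMPLE_LDIF) or ["no problem found"]:
        print(problem)
```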

By Dario T. user 18 Apr 2017 at 11:33 a.m. CDT

Hi, ça marche! (It works!) Thanks again for your help.