By: Sakit Atakishiyev user 31 May 2017 at 8:36 a.m. CDT

8 Responses
Hi. I have some UMA policies that authorize a resource. When the authorize method returns true, I get access granted; that is OK. But when it returns false, I get an internal error instead of access denied. That is my log:

```
2017-05-31 17:15:52,792 TRACE [org.xdi.oxd.common.CoreUtils] Read result: ReadResult{m_command='{"command":"uma_rp_authorize_rpt","params":{"rpt":"7647488e-b2bd-4996-b815-9ab7ee071316/0302.288F.330F.45C3.0B17.A7CB.4A19.D8C9","ticket":"a124f4a8-e982-4f13-b63c-bfef6117a071","oxd_id":"f4a1ee1c-31cf-4230-b6aa-306523102d3a","protection_access_token":null}}', m_leftString=''}
2017-05-31 17:15:52,793 TRACE [org.xdi.oxd.server.Processor] Command: {"command":"uma_rp_authorize_rpt","params":{"rpt":"7647488e-b2bd-4996-b815-9ab7ee071316/0302.288F.330F.45C3.0B17.A7CB.4A19.D8C9","ticket":"a124f4a8-e982-4f13-b63c-bfef6117a071","oxd_id":"f4a1ee1c-31cf-4230-b6aa-306523102d3a","protection_access_token":null}}
2017-05-31 17:15:52,793 DEBUG [org.xdi.oxd.server.op.RpAuthorizeRptOperation] Try to authorize RPT with ticket: a124f4a8-e982-4f13-b63c-bfef6117a071...
2017-05-31 17:15:52,793 TRACE [org.xdi.oxd.server.service.HttpService] Created TRUST_ALL client.
2017-05-31 17:15:52,797 DEBUG [org.xdi.oxd.server.service.UmaTokenService] AAT from site configuration, site: Rp{...}
2017-05-31 17:15:52,847 ERROR [org.xdi.oxd.server.Processor] RESTEASY003150: Error status 403 Forbidden returned
org.jboss.resteasy.client.ClientResponseFailure: RESTEASY003150: Error status 403 Forbidden returned
    at org.jboss.resteasy.client.core.BaseClientResponse.createResponseFailure(BaseClientResponse.java:581)
    at org.jboss.resteasy.client.core.BaseClientResponse.createResponseFailure(BaseClientResponse.java:572)
    at org.jboss.resteasy.client.core.BaseClientResponse.checkFailureStatus(BaseClientResponse.java:566)
    at org.jboss.resteasy.client.core.extractors.BodyEntityExtractor.extractEntity(BodyEntityExtractor.java:39)
    at org.jboss.resteasy.client.core.ClientInvoker.invoke(ClientInvoker.java:128)
    at org.jboss.resteasy.client.core.ClientProxy.invoke(ClientProxy.java:89)
    at com.sun.proxy.$Proxy46.requestRptPermissionAuthorization(Unknown Source)
    at org.xdi.oxd.server.op.RpAuthorizeRptOperation.execute(RpAuthorizeRptOperation.java:43)
    at org.xdi.oxd.server.op.RpAuthorizeRptOperation.execute(RpAuthorizeRptOperation.java:26)
    at org.xdi.oxd.server.Processor.process(Processor.java:78)
    at org.xdi.oxd.server.Processor.process(Processor.java:53)
    at org.xdi.oxd.server.SocketProcessor.run(SocketProcessor.java:60)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
2017-05-31 17:15:52,849 TRACE [org.xdi.oxd.server.Processor] Send back response: {"status":"error","data":{"error":"internal_error","error_description":"Unknown internal server error occurs."}}
2017-05-31 17:15:52,849 ERROR [org.xdi.oxd.server.SocketProcessor] Quit. Enable to process command.
```

By Yuriy Zabrovarnyy staff 31 May 2017 at 3:27 p.m. CDT

Issue is just fixed in both oxd 3.0.2 and 3.1.0

```
https://github.com/GluuFederation/oxd/commit/925918bbd7599de45fe21ba61b0547c8671dacfc
```

Please find oxd with this fix here:

```
https://ox.gluu.org/maven/org/xdi/oxd-server/3.0.2/oxd-server-3.0.2-distribution.zip
https://ox.gluu.org/maven/org/xdi/oxd-server/3.1.0-SNAPSHOT/oxd-server-3.1.0-SNAPSHOT-distribution.zip
```

By Sakit Atakishiyev user 01 Jun 2017 at 12:15 a.m. CDT

I use the oxd-server-3.1.0-beta version, because there was an issue with 3.1.0-Snapshot. I don't remember what it was; is everything OK with the snapshot now?

By Yuriy Zabrovarnyy staff 01 Jun 2017 at 12:20 a.m. CDT

Yes, it is; please take the 3.1.0-SNAPSHOT version.

By Sakit Atakishiyev user 01 Jun 2017 at 12:58 a.m. CDT

I used 3.1.0-SNAPSHOT, but that issue was not resolved, it seems. I mean, when that policy returns true, I get granted, but when it returns false I get an error instead of denied. This is my log:

```
2017-06-01 09:55:22,834 TRACE [org.xdi.oxd.common.CoreUtils] Read result: ReadResult{m_command='{"command":"uma_rp_authorize_rpt","params":{"rpt":"cb1796a3-44d7-4e87-8e5d-2c8035e55efc/A9A0.F134.B275.555F.7167.22C4.CDB4.6930","ticket":"a9766996-b159-4974-96f3-3e772f5454ad","oxd_id":"660fc067-a24c-4986-84be-a897718b2e8f","protection_access_token":null}}', m_leftString=''}
2017-06-01 09:55:22,834 TRACE [org.xdi.oxd.server.Processor] Command: {"command":"uma_rp_authorize_rpt","params":{"rpt":"cb1796a3-44d7-4e87-8e5d-2c8035e55efc/A9A0.F134.B275.555F.7167.22C4.CDB4.6930","ticket":"a9766996-b159-4974-96f3-3e772f5454ad","oxd_id":"660fc067-a24c-4986-84be-a897718b2e8f","protection_access_token":null}}
2017-06-01 09:55:22,836 DEBUG [org.xdi.oxd.server.op.RpAuthorizeRptOperation] Try to authorize RPT with ticket: a9766996-b159-4974-96f3-3e772f5454ad...
2017-06-01 09:55:22,836 TRACE [org.xdi.oxd.server.service.HttpService] Created TRUST_ALL client.
2017-06-01 09:55:22,840 DEBUG [org.xdi.oxd.server.service.UmaTokenService] AAT from site configuration, site: Rp{...}
2017-06-01 09:55:22,883 TRACE [org.xdi.oxd.server.op.RpAuthorizeRptOperation] Forbidden.
org.jboss.resteasy.client.ClientResponseFailure: RESTEASY003150: Error status 403 Forbidden returned
    at org.jboss.resteasy.client.core.BaseClientResponse.createResponseFailure(BaseClientResponse.java:581)
    at org.jboss.resteasy.client.core.BaseClientResponse.createResponseFailure(BaseClientResponse.java:572)
    at org.jboss.resteasy.client.core.BaseClientResponse.checkFailureStatus(BaseClientResponse.java:566)
    at org.jboss.resteasy.client.core.extractors.BodyEntityExtractor.extractEntity(BodyEntityExtractor.java:39)
    at org.jboss.resteasy.client.core.ClientInvoker.invoke(ClientInvoker.java:128)
    at org.jboss.resteasy.client.core.ClientProxy.invoke(ClientProxy.java:89)
    at com.sun.proxy.$Proxy49.requestRptPermissionAuthorization(Unknown Source)
    at org.xdi.oxd.server.op.RpAuthorizeRptOperation.execute(RpAuthorizeRptOperation.java:46)
    at org.xdi.oxd.server.op.RpAuthorizeRptOperation.execute(RpAuthorizeRptOperation.java:27)
    at org.xdi.oxd.server.Processor.process(Processor.java:78)
    at org.xdi.oxd.server.Processor.process(Processor.java:53)
    at org.xdi.oxd.server.SocketProcessor.run(SocketProcessor.java:60)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
2017-06-01 09:55:22,883 TRACE [org.xdi.oxd.server.Processor] Send back response: {"status":"error","data":{"error":"rpt_not_authorized","error_description":"Unable to authorize RPT."}}
2017-06-01 09:55:22,883 TRACE [org.xdi.oxd.server.SocketProcessor] Socket processor handling...
2017-06-01 09:55:22,883 TRACE [org.xdi.oxd.common.CoreUtils] commandSize: -1, stringStorage:
2017-06-01 09:55:22,884 TRACE [org.xdi.oxd.common.CoreUtils] End of stream. Quit.
2017-06-01 09:55:22,884 TRACE [org.xdi.oxd.server.SocketProcessor] Quit. Read result is null or command string is blank.
```

By Yuriy Zabrovarnyy staff 01 Jun 2017 at 1:37 a.m. CDT

Sakit,

It works as designed, look at documentation

```
https://gluu.org/docs/oxd/3.0.1/protocol/#uma-rp-authorize-rpt
```

If rpt is not authorized then following error is returned:

```
{"status":"error", "data":{"error":"rpt_not_authorized","error_description":"Unable to authorize RPT."}}
```

Access denied is used for `uma_rs_check_access` command.

By Sakit Atakishiyev user 01 Jun 2017 at 3:17 a.m. CDT

I know that. When I authorize the RPT, I get this error, because my UMA policy (script) returns false. So what must I do after that?

By Yuriy Zabrovarnyy staff 01 Jun 2017 at 3:21 a.m. CDT

Not sure I got the question. It's up to RP what to do in this situation. Authorization process depends on policy logic and information provided by RP. If desired behavior is to grant access then RP must satisfy conditions that are coded in policy script (to get true instead of false from script).

Thanks,
Yuriy
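An added example, not part of the thread and not oxd's own code: one way an RP could interpret the two `uma_rp_authorize_rpt` error replies quoted above, treating `rpt_not_authorized` as a policy denial and anything else as a fault, failing closed in both cases. The names `Outcome` and `interpret_authorize_rpt`, the HTTP status mapping, and the `{"status":"ok"}` success shape are assumptions made for illustration.

```python
import json
from dataclasses import dataclass

# Error code taken from the oxd reply quoted in this thread.
POLICY_DENIED = "rpt_not_authorized"


@dataclass(frozen=True)
class Outcome:
    authorized: bool   # True only on an explicit "ok" from oxd
    http_status: int   # status the RP returns to its own caller (assumed mapping)
    reason: str        # short code for logs; never put tokens or tickets here


def interpret_authorize_rpt(raw):
    """Map a raw uma_rp_authorize_rpt reply to an RP decision, failing closed."""
    try:
        msg = json.loads(raw)
    except (TypeError, ValueError):
        return Outcome(False, 502, "malformed_response")
    if not isinstance(msg, dict):
        return Outcome(False, 502, "malformed_response")

    status = msg.get("status")
    if status == "ok":  # assumed success shape
        return Outcome(True, 200, "authorized")

    data = msg.get("data")
    error = data.get("error") if isinstance(data, dict) else None
    if status == "error" and error == POLICY_DENIED:
        # The policy script returned false: a normal denial, not a fault.
        return Outcome(False, 403, POLICY_DENIED)
    if status == "error" and isinstance(error, str):
        # e.g. "internal_error": oxd itself failed, so deny and report upstream failure.
        return Outcome(False, 502, error)
    return Outcome(False, 502, "unexpected_response")


# The two error replies are the ones in the logs above; the rest are constructed.
DENIED = ('{"status":"error","data":{"error":"rpt_not_authorized",'
          '"error_description":"Unable to authorize RPT."}}')
INTERNAL = ('{"status":"error","data":{"error":"internal_error",'
            '"error_description":"Unknown internal server error occurs."}}')

if __name__ == "__main__":
    for reply in (DENIED, INTERNAL, '{"status":"ok"}', "not json"):
        print(interpret_authorize_rpt(reply))
```

Keeping the denial (403) separate from the fault (502) lets monitoring alert on oxd failures without paging on every policy decision that returns false.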

By Sakit Atakishiyev user 01 Jun 2017 at 3:24 a.m. CDT

I got it. Thanks.