Issue is just fixed in both oxd 3.0.2 and 3.1.0 ``` https://github.com/GluuFederation/oxd/commit/925918bbd7599de45fe21ba61b0547c8671dacfc ``` Please find oxd with this fix here: ``` https://ox.gluu.org/maven/org/xdi/oxd-server/3.0.2/oxd-server-3.0.2-distribution.zip https://ox.gluu.org/maven/org/xdi/oxd-server/3.1.0-SNAPSHOT/oxd-server-3.1.0-SNAPSHOT-distribution.zip ```

I use oxd-server-3.1.0-beta version . Because there was an issue with 3.1.0-Snapshot . I dont remember what was that , is everything ok with snapshot now ?

yes, it is, please take 3.1.0-SNAPSHOT version.

I used 3.1.0-SNAPSHOT but that issue was not resolved , it seems. I mean , when that policy returns true , i get granted , but when it returns false i get error instead of denied : This is my log 2017-06-01 09:55:22,834 TRACE [org.xdi.oxd.common.CoreUtils] Read result: ReadResult{m_command='{"command":"uma_rp_authorize_rpt","params":{"rpt":"cb1796a3-44d7-4e87-8e5d-2c8035e55efc/A9A0.F134.B275.555F.7167.22C4.CDB4.6930","ticket":"a9766996-b159-4974-96f3-3e772f5454ad","oxd_id":"660fc067-a24c-4986-84be-a897718b2e8f","protection_access_token":null}}', m_leftString=''} 2017-06-01 09:55:22,834 TRACE [org.xdi.oxd.server.Processor] Command: {"command":"uma_rp_authorize_rpt","params":{"rpt":"cb1796a3-44d7-4e87-8e5d-2c8035e55efc/A9A0.F134.B275.555F.7167.22C4.CDB4.6930","ticket":"a9766996-b159-4974-96f3-3e772f5454ad","oxd_id":"660fc067-a24c-4986-84be-a897718b2e8f","protection_access_token":null}} 2017-06-01 09:55:22,836 DEBUG [org.xdi.oxd.server.op.RpAuthorizeRptOperation] Try to authorize RPT with ticket: a9766996-b159-4974-96f3-3e772f5454ad... 2017-06-01 09:55:22,836 TRACE [org.xdi.oxd.server.service.HttpService] Created TRUST_ALL client. 2017-06-01 09:55:22,840 DEBUG [org.xdi.oxd.server.service.UmaTokenService] AAT from site configuration, site: Rp{oxdId='660fc067-a24c-4986-84be-a897718b2e8f', opHost='https://cyber.gluu.info', opDiscoveryPath='null', idToken='eyJraWQiOiI0OTJhNzFjOS0wMzA5LTRkYjQtODY0Mi0xMjZkOGMyZTRkYzIiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2N5YmVyLmdsdXUuaW5mbyIsImF1ZCI6IkAhNTRCOC5FNDRCLkExN0MuQTlFOCEwMDAxITVCRDcuN0ZFQSEwMDA4IUIzMjAuODM0Qy45QkE5LkE1MDUiLCJleHAiOjE0OTYzMDAxMDksImlhdCI6MTQ5NjI5NjUwOSwibm9uY2UiOiJuZDBwZWg1c21vN2MxOGE0c2Nqc3QzMTU4NSIsImF1dGhfdGltZSI6MTQ5NjI5NjQ3MiwiYXRfaGFzaCI6IllmdVdLZlRKVEtTOUViZFlsTTlUS2ciLCJveFZhbGlkYXRpb25VUkkiOiJodHRwczovL2N5YmVyLmdsdXUuaW5mby9veGF1dGgvc2VhbS9yZXNvdXJjZS9yZXN0djEvb3hhdXRoL3ZhbGlkYXRlIiwib3hPcGVuSURDb25uZWN0VmVyc2lvbiI6Im9wZW5pZGNvbm5lY3QtMS4wIiwic3ViIjoiMWxQVkdPTHItZ2M0ZHBJc01SVFpiTzdaSE0xdUpMMVRfS2xOSzJ2bVpUNCJ9.XaIk91xiCMOxlCRRAAgl5Xel-OXHbNTqLojnc-EeUXOzjS1_pnluFKgE8W2RArxyhDAriEd8kIYHw0nrYX_FaTODEol_TvIPs5A3CWZ2Xp2QB2ojr251_DotmkD_z7Efsg0NXQxgPymsteRCe0vqw8pANW9UWdufmG3nmS4J7fmHqHdf2f4aUK6wGmKxUf4_QlG8vJz8fKObNST9AAZVerUx1wJRbkGdhL-LNeNls9DJZBG_5_euwSD87mj0svDKw-0GSgxAeQ6ZaR8FUeXjp7iHT5BccYDohJYtMFrJwjaMx4h67zSLV8xIHUSX8pRhDZkR5H_PsSqankbXSxNu1Q', accessToken='56cfa049-ab8c-4236-a895-6e8b297c779d', authorizationRedirectUri='https://cyber.oxd.info:8443/GluuServerTest/user/profile', postLogoutRedirectUri='https://cyber.oxd.info:8443/GluuServerTest', applicationType='web', redirectUris=[https://cyber.oxd.info:8443/GluuServerTest/user/profile], responseTypes=[code], clientId='@!54B8.E44B.A17C.A9E8!0001!5BD7.7FEA!0008!B320.834C.9BA9.A505', clientSecret='53f77813-6624-4e1a-a34f-45c2a366c0c8', clientRegistrationAccessToken='58d1d020-3b66-4144-b6ff-40d92276014f', clientRegistrationClientUri='https://cyber.gluu.info/oxauth/seam/resource/restv1/oxauth/register?client_id=@!54B8.E44B.A17C.A9E8!0001!5BD7.7FEA!0008!B320.834C.9BA9.A505', clientIdIssuedAt=Thu Jun 01 09:30:21 AZT 2017, clientSecretExpiresAt=Fri Jun 02 09:30:21 AZT 2017, clientName='null', sectorIdentifierUri='null', clientJwksUri='', setupOxdId='null', setupClientId='null', scope=[openid, uma_authorization, uma_protection], uiLocales=[en], claimsLocales=[en], acrValues=[], grantType=[authorization_code], contacts=[], userId='null', userSecret='null', aat='56cfa049-ab8c-4236-a895-6e8b297c779d', aatExpiresIn=3000, aatCreatedAt=Thu Jun 01 09:55:09 AZT 2017, aatRefreshToken='null', pat='ac454485-2442-407c-8c91-143f72fc9543', patExpiresIn=2999, patCreatedAt=Thu Jun 01 09:45:03 AZT 2017, patRefreshToken='null', umaProtectedResources=[UmaResource{id='1496295416436', path='/ml', httpMethods=[GET, POST], scopes=[https://ml.com/], ticketScopes=[https://ml.com/]}], rpt='cb1796a3-44d7-4e87-8e5d-2c8035e55efc/A9A0.F134.B275.555F.7167.22C4.CDB4.6930', rptExpiresAt=Thu Jun 01 10:45:09 AZT 2017, rptCreatedAt=Thu Jun 01 09:55:25 AZT 2017, gat='null', gatExpiresAt=null, gatCreatedAt=null} 2017-06-01 09:55:22,883 TRACE [org.xdi.oxd.server.op.RpAuthorizeRptOperation] Forbidden. org.jboss.resteasy.client.ClientResponseFailure: RESTEASY003150: Error status 403 Forbidden returned at org.jboss.resteasy.client.core.BaseClientResponse.createResponseFailure(BaseClientResponse.java:581) at org.jboss.resteasy.client.core.BaseClientResponse.createResponseFailure(BaseClientResponse.java:572) at org.jboss.resteasy.client.core.BaseClientResponse.checkFailureStatus(BaseClientResponse.java:566) at org.jboss.resteasy.client.core.extractors.BodyEntityExtractor.extractEntity(BodyEntityExtractor.java:39) at org.jboss.resteasy.client.core.ClientInvoker.invoke(ClientInvoker.java:128) at org.jboss.resteasy.client.core.ClientProxy.invoke(ClientProxy.java:89) at com.sun.proxy.$Proxy49.requestRptPermissionAuthorization(Unknown Source) at org.xdi.oxd.server.op.RpAuthorizeRptOperation.execute(RpAuthorizeRptOperation.java:46) at org.xdi.oxd.server.op.RpAuthorizeRptOperation.execute(RpAuthorizeRptOperation.java:27) at org.xdi.oxd.server.Processor.process(Processor.java:78) at org.xdi.oxd.server.Processor.process(Processor.java:53) at org.xdi.oxd.server.SocketProcessor.run(SocketProcessor.java:60) at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) at java.lang.Thread.run(Unknown Source) 2017-06-01 09:55:22,883 TRACE [org.xdi.oxd.server.Processor] Send back response: {"status":"error","data":{"error":"rpt_not_authorized","error_description":"Unable to authorize RPT."}} 2017-06-01 09:55:22,883 TRACE [org.xdi.oxd.server.SocketProcessor] Socket processor handling... 2017-06-01 09:55:22,883 TRACE [org.xdi.oxd.common.CoreUtils] commandSize: -1, stringStorage: 2017-06-01 09:55:22,884 TRACE [org.xdi.oxd.common.CoreUtils] End of stream. Quit. 2017-06-01 09:55:22,884 TRACE [org.xdi.oxd.server.SocketProcessor] Quit. Read result is null or command string is blank.

Sakit, It works as designed, look at documentation ``` https://gluu.org/docs/oxd/3.0.1/protocol/#uma-rp-authorize-rpt ``` If rpt is not authorized then following error is returned: ``` {"status":"error", "data":{"error":"rpt_not_authorized","error_description":"Unable to authorize RPT."}} ``` Access denied is used for `uma_rs_check_access` command.

I know that . When i auhtorize rpt , i get this error . Because my uma policy(script) returns false .so What must i do after that?

Not sure I got the question. It's up to RP what to do in this situation. Authorization process depends on policy logic and information provided by RP. If desired behavior is to grant access then RP must satisfy conditions that are coded in policy script (to get true instead of false from script). Thanks, Yuriy

I got it . Thanks