By: Cristian Chiru user 28 Sep 2017 at 5:26 p.m. CDT

5 Responses
# Summary

- Newly created scope does not seem to use the associated dynamic scope script.
- This worked in 3.0.2.
- There is no "dynamic" in the scope type field, only **Default, OpenID and OAuth**.

# Gluu Setup

```sh
yum install -y gluu-server-3.1.0.x86_64
/sbin/gluu-serverd-3.1.0 start
/sbin/gluu-serverd-3.1.0 login
cd /install/community-edition-setup
./setup.py -f setup.properties
```

where `setup.properties` is:

```properties
orgName=Org
city=CC
state=SS
countryCode=CC
admin_email=admin@somedomain
ip=10.xxx.xxx.xxx
hostname=somedomain
application_max_ram=5144
installAsimba=True
installCas=False
installHttpd=True
installJce=True
installLdap=True
installOxAuthRP=False
installOxTrust=True
installPassport=True
installSaml=True
ldapPass=somepass
ldap_hostname=localhost
log=./setup.log
logError=./setup_error.log
oxTrustConfigGeneration=true
setup_properties_fn=./setup.properties
```

# Configuration

1. Created a new dynamic scope script:
   - Name: dynamic_groups
   - Level: 100
   - Location Type: Ldap
   - Enabled: checked
   - Script:

   ```python
   from org.xdi.model.custom.script.type.scope import DynamicScopeType
   from org.xdi.oxauth.service import UserService, UserGroupService
   from org.xdi.util import StringHelper, ArrayHelper
   from java.util import Arrays, ArrayList
   import java


   class DynamicScope(DynamicScopeType):
       def __init__(self, currentTimeMillis):
           self.currentTimeMillis = currentTimeMillis

       def init(self, configurationAttributes):
           print "Group dynamic scope. Initialization"
           print "Group dynamic scope. Initialized successfully"
           return True

       def destroy(self, configurationAttributes):
           print "Group dynamic scope. Destroy"
           print "Group dynamic scope. Destroyed successfully"
           return True

       def update(self, dynamicScopeContext, configurationAttributes):
           print "Group dynamic scope. Update method"
           authorizationGrant = dynamicScopeContext.getAuthorizationGrant()
           user = dynamicScopeContext.getUser()
           jsonWebResponse = dynamicScopeContext.getJsonWebResponse()
           claims = jsonWebResponse.getClaims()

           userService = UserService.instance()
           userGroupService = UserGroupService.instance()

           # memberOf holds the DNs of the groups the user belongs to;
           # it is absent when the user is in no group, so guard against None
           memberOfAttribute = userService.getCustomAttribute(user, "memberOf")
           groups = None
           if memberOfAttribute is not None:
               groups = memberOfAttribute.getValues()
           print groups

           # Build a ':'-separated list of the groups' display names
           group_claims = ""
           i = 1
           if groups is not None:
               for member_of in groups:
                   if i > 1:
                       group_claims += ':'
                   i += 1
                   group = userGroupService.loadGroup(member_of)
                   print "[" + group.getDisplayName() + "]"
                   group_claims += group.getDisplayName()

           claims.setClaim("groups", group_claims)
           return True

       def logout(self, configurationAttributes, requestParameters):
           return True

       def getApiVersion(self):
           return 1
   ```

2. Created a new scope:
   - Display Name: groups
   - Scope Type: Default (*Here there is no "dynamic" in the list*)
   - Allow for dynamic registration: False
   - Dynamic Scope Scripts: dynamic_groups
3. Added the scope to the client definition:
   - Scopes: address, email, **groups**, openid, permission, profile, user_name
4. Configured the client (mod_auth_openidc) to request the new scope: `OIDCScope "openid email permission groups"`
5. Created 2 groups, group1 and group2, and added the user `admin` to both of them

# The problem

- Currently the above claim does not reach the client.
- This set-up worked in 3.0.2 as expected with the result: `OIDC_CLAIM_groups="group1:group2"`
- In `oxauth_script.log` there is no output for calling the `update` method from the script. There is only:

  ```
  [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:208) - Group dynamic scope. Destroy
  [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:208) - Group dynamic scope. Destroyed
  [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:208) - Group dynamic scope. Initialization
  [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:208) - Group dynamic scope. Initialized successfully
  ```

- Changing the scope type to `OpenID` and adding another claim (e.g. `IMAP Data`) to the scope definition **does work**, but only for the added attributes, not for the dynamic script.
- Adding the shipped `dynamic_permission` script to the `groups` scope does not seem to work either.

# Conclusion

Could this be related to the absence of the "dynamic" scope type? The official docs say it should be there, but in fact it is missing, whereas in 3.0.2 it is present.

![screenshot](https://ibin.co/w800/3bziOGtqNBDS.png)

By Aliaksandr Samuseu staff 28 Sep 2017 at 6:44 p.m. CDT

Hi, Cristian. Thanks for your report. Let me look into it.

By Michael Schwartz Account Admin 29 Sep 2017 at 10:02 a.m. CDT

Thanks for this detailed bug report.

By Yuriy Movchan staff 29 Sep 2017 at 1:26 p.m. CDT

Thank you for the report. oxAuth works fine. Can you manually set this scope's attribute oxScopeType to 'dynamic'? It's an oxTrust GUI issue.

By Michael Schwartz Account Admin 29 Sep 2017 at 1:29 p.m. CDT

Created this [oxTrust-738](https://github.com/GluuFederation/oxTrust/issues/738) issue on Github. Will be fixed in 3.1.1 next week.

By Cristian Chiru user 01 Oct 2017 at 5:22 p.m. CDT

Thank you for the suggestions. Indeed, I have succeeded in applying the suggested workaround and now everything works as expected.

# Workaround

Manually updated the LDAP attribute for the scope to `oxScopeType: dynamic`:

- Logged in to gluu: `/sbin/gluu-serverd-3.1.0 login`
- Created the ldif to change the attribute:

```sh
# Look up the DN of the "groups" scope and make it the first line of the modify LDIF.
# LDAPTLS_REQCERT=never disables server certificate checking; tolerable only because
# the target is the local LDAP inside the container. -w puts the password on the
# command line (visible in shell history and the process list); -W would prompt instead.
LDAPTLS_REQCERT=never /opt/symas/bin/ldapsearch -H 'ldaps://localhost:1636' \
    -o ldif-wrap=no -LLL \
    -b "o=gluu" -D "cn=directory manager,o=gluu" -w somepassword \
    "(&(objectClass=oxAuthCustomScope)(displayName=groups))" \
    | grep 'dn:' > somescript.ldif
echo "changetype: modify" >> somescript.ldif
echo "replace: oxScopeType" >> somescript.ldif
echo "oxScopeType: dynamic" >> somescript.ldif

# Apply the modification
LDAPTLS_REQCERT=never /opt/symas/bin/ldapmodify -v -H 'ldaps://localhost:1636' \
    -D "cn=directory manager,o=gluu" -w somepassword \
    -f somescript.ldif
```

- Restarted oxauth: `systemctl restart oxauth`

# Updated the script for 3.1.0

Following the suggestions from [Migration_stepts_to_3.1.x.txt](https://github.com/GluuFederation/oxAuth/blob/master/Server/integrations/Migration_stepts_to_3.1.x.txt), I have updated the script:

```python
from org.xdi.service.cdi.util import CdiUtil
[...]
userService = CdiUtil.bean(UserService)
userGroupService = CdiUtil.bean(UserGroupService)
[...]
```
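The workaround's `grep 'dn:'` / `echo` step builds the modify record blindly: if the search ever returns two scopes with the same `displayName`, the generated LDIF contains two `dn:` lines and `ldapmodify` rejects or misapplies it, and a DN that `ldapsearch` prints base64-encoded (`dn:: ...`) is copied without being understood. The script below is an added example, not part of this thread and not Gluu's own code; it parses the unwrapped LDIF that `ldapsearch -LLL -o ldif-wrap=no` prints, insists on exactly one `oxAuthCustomScope` entry with the requested `displayName`, emits the `oxScopeType` modify record, and can read the attribute back afterwards to confirm the change. `SAMPLE_LDIF` is constructed for the demonstration: the inums and DNs are placeholders, only the attribute names (`oxAuthCustomScope`, `displayName`, `oxScopeType`) come from the thread.

```python
"""Build and verify the oxScopeType modify LDIF from ldapsearch output.

Added example, not code from the thread or from Gluu. SAMPLE_LDIF is
constructed; its inums/DNs are placeholders, not real Gluu values.
"""
import base64
import re

# "attr: value" or "attr:: base64value"; assumes unwrapped LDIF (-o ldif-wrap=no)
LDIF_LINE = re.compile(r"^([A-Za-z][\w.;-]*)(::?)\s?(.*)$")


def parse_ldif(text):
    """Return a list of entries; each maps lower-cased attribute -> list of values."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():  # blank line terminates an entry
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        match = LDIF_LINE.match(line)
        if match is None:
            raise ValueError("malformed LDIF line: %r" % line)
        attr, sep, value = match.groups()
        if sep == "::":  # base64-encoded value (non-ASCII DN, leading space, ...)
            value = base64.b64decode(value).decode("utf-8")
        if current is None:
            current = {}
        current.setdefault(attr.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def ldif_line(attr, value):
    """Encode one attribute as an LDIF line, base64-encoding when RFC 2849 requires it."""
    needs_b64 = (not value.isascii() or value.startswith((" ", ":", "<"))
                 or value.endswith(" ") or "\n" in value)
    if needs_b64:
        return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))
    return "%s: %s" % (attr, value)


def find_scope(entries, display_name):
    """Return the single oxAuthCustomScope entry named display_name, else raise."""
    matches = [e for e in entries
               if "oxauthcustomscope" in (v.lower() for v in e.get("objectclass", []))
               and display_name in e.get("displayname", [])]
    if len(matches) != 1:
        raise ValueError("expected exactly one scope named %r, found %d"
                         % (display_name, len(matches)))
    return matches[0]


def build_scope_type_modify(ldif_text, display_name, scope_type="dynamic"):
    """Produce the ldapmodify record that replaces oxScopeType on exactly one scope."""
    scope = find_scope(parse_ldif(ldif_text), display_name)
    return "\n".join([
        ldif_line("dn", scope["dn"][0]),
        "changetype: modify",
        "replace: oxScopeType",
        ldif_line("oxScopeType", scope_type),
        "-",  # terminates the mod-spec (RFC 2849)
    ]) + "\n"


def scope_type_of(ldif_text, display_name):
    """Read oxScopeType back from a fresh ldapsearch dump to verify the change."""
    scope = find_scope(parse_ldif(ldif_text), display_name)
    return scope.get("oxscopetype", [None])[0]


# Constructed sample: what an unfiltered search under ou=scopes might return.
SAMPLE_LDIF = """\
dn: inum=@!0000.0000.0000.0000!0001!0000.0000!0009!0001.0001,ou=scopes,o=@!0000.0000.0000.0000!0001,o=gluu
objectClass: oxAuthCustomScope
objectClass: top
displayName: groups
oxScopeType: default
inum: @!0000.0000.0000.0000!0001!0000.0000!0009!0001.0001

dn: inum=@!0000.0000.0000.0000!0001!0000.0000!0009!0001.0002,ou=scopes,o=@!0000.0000.0000.0000!0001,o=gluu
objectClass: oxAuthCustomScope
objectClass: top
displayName: email
oxScopeType: openid
inum: @!0000.0000.0000.0000!0001!0000.0000!0009!0001.0002
"""

if __name__ == "__main__":
    print(build_scope_type_modify(SAMPLE_LDIF, "groups"), end="")
```

In practice you would feed it real output (`ldapsearch ... | python3 build_modify.py > somescript.ldif`, with the filter from the workaround), run `ldapmodify -f somescript.ldif`, then pipe a second `ldapsearch` through `scope_type_of` to confirm `dynamic` is stored before restarting oxauth. The hypothetical file name `build_modify.py` is only for illustration.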