Hi, The user registration script is used in the scenario in which you allow your installation to perform self-registration. If you want to attach custom logic when addition or edition takes place in oxtrust, the script you have to weak is the one appearing in the "update user" tab. It provides you with: - updateUser - postUpdateUser - addUser - postAddUser - deleteUser - postDeleteUser This is not related to SCIM by the way. If you want to intercept SCIM API calls, there is a different tab where you can plug your custom logic.

When we are adding user using Add Person from the Gluu Server or calling the API (https://test.testmydom.com/identity/restv1/scim/v2/Users) getting the below error in oxtrust.log 2018-08-28 04:13:09,065 ERROR [qtp1744347043-298064] [org.gluu.oxtrust.ldap.service.AttributeService] (AttributeService.java:558) - Failed to find attribute 'oxTrustEmail' metadata For both the cases we have enabled the custome script under Configuration -> Manage Custom Scripts -> User Registration -> user_confirm_registration I noticed that print statements in init and destroy methods are getting envoked. And thought that postRegistration/preRegistration methods will get called at some point during or after registration but its not happening so. As you said did try the self registration also using the url https://test.testmydom.com/identity/register I have also enabled the script in SCIM tab, but still not able to see the print statements in the logs. So can you please guide me on what is missing to address my requirement.

> getting the below error in oxtrust.log Can you attach a bigger section of your log?. I need more context. Please set your oxtrust log level to TRACE, do a user insertion using SCIM API, and send otrust.log and oxtrust_script.log. To change log level go to "Configuration" > "JSON configuration" > "oxtrust config" and search for log level. Then wait 1 min. Also, can you clarify if despite the error being shown, the operation completes successfully? are users actually added?

Yes, I have set the log level to ALL and still was not able to see the messages in print statements in the logs after that only i had the question earlier. Yes the operation is getting completed successfully and user is getting added irrespective of whether the SCIM custom script is in disabled/enabled state.

> do a user insertion using SCIM API, and send otrust.log and oxtrust_script.log. I'd like to have those

Here is what i see in the logs 2018-08-29 09:47:12,086 INFO [oxTrustScheduler_Worker-4] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - User registration. Initialization 2018-08-29 09:47:12,087 INFO [oxTrustScheduler_Worker-4] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - User registration. Initialized successfully 2018-08-29 11:20:30,784 INFO [qtp1744347043-831] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - ScimEventHandler (createUser): Current id = kavya 2018-08-29 11:20:30,785 INFO [qtp1744347043-831] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - ScimEventHandler (createUser): testProp1 = Test value 1 2018-08-29 11:20:30,786 INFO [qtp1744347043-831] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - ScimEventHandler (createUser): testProp2 = Test value 2 2018-08-29 14:11:04,179 INFO [ForkJoinPool.commonPool-worker-1] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - User registration. Initialization 2018-08-29 14:11:04,181 INFO [ForkJoinPool.commonPool-worker-1] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - User registration. Initialized successfully 2018-08-29 14:11:04,237 INFO [ForkJoinPool.commonPool-worker-1] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - ScimEventHandler (init): Initialized successfully 2018-08-29 14:11:04,336 INFO [ForkJoinPool.commonPool-worker-1] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - User registration. Initialization 2018-08-29 14:11:04,336 INFO [ForkJoinPool.commonPool-worker-1] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - User registration. Initialized successfully

I am not sure if I really understand your goals: > still was not able to see the messages in print statements in the logs I can see them: ``` INFO [qtp1744347043-831] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - ScimEventHandler (createUser): testProp1 = Test value 1 2018-08-29 11:20:30,786 INFO [qtp1744347043-831] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - ScimEventHandler (createUser): testProp2 = Test value 2 2018-08-29 14:11:04,179 ``` The `createUser` function of SCIM script is actually being called as expected. The user registration script has nothing to do with the SCIM API calls.

Yes, the createUser is getting called as you said. But wanted to know when will the post, pre methods get called. As i wanted to send email after the user is created successfully, so wrote the code for send email functionality in postCreateUser method and then created the user. User got created successfully, but the postCreateUser method did get called. So can you please let me know how to achieve the required.

Hi Sam, As you wrote above, it sounded like both createUser and postCreateUser methods were actually called ... createUser is the *pre* method, *postCreateUser* is the post one... Please check the `getApiVersion` method, I think there is a comment there stating that you should return 2 if you want the *post* methods getting called. When returning 1 only the *pre* count. Hope this helps.

Yes i have set the return value as 2 in getApiVersion already and even then postCreateUser is not getting called. And nor preCreateUser is getting called if the return value is 1 in getApiVersion For you reference Here is the scim_event_handler script from org.xdi.model.custom.script.type.scim import ScimType from org.xdi.util import StringHelper, ArrayHelper from java.util import Arrays, ArrayList from org.gluu.oxtrust.ldap.service import PersonService from org.xdi.service.cdi.util import CdiUtil from org.gluu.oxtrust.model import GluuCustomPerson import java class ScimEventHandler(ScimType): def __init__(self, currentTimeMillis): self.currentTimeMillis = currentTimeMillis def init(self, configurationAttributes): print "ScimEventHandler (init): Initialized successfully" return True def destroy(self, configurationAttributes): print "ScimEventHandler (destroy): Destroyed successfully" return True def getApiVersion(self): #return 2 if you want the post* scripts being executed return 2 def createUser(self, user, configurationAttributes): print "ScimEventHandler (createUser): Current id = " + user.getUid() testProp1 = configurationAttributes.get("testProp1").getValue2() testProp2 = configurationAttributes.get("testProp2").getValue2() print "ScimEventHandler (createUser): testProp1 = " + testProp1 print "ScimEventHandler (createUser): testProp2 = " + testProp2 return True def updateUser(self, user, configurationAttributes): personService = CdiUtil.bean(PersonService) oldUser = personService.getPersonByUid(user.getUid()) print "ScimEventHandler (updateUser): Old displayName %s" % oldUser.getDisplayName() print "ScimEventHandler (updateUser): New displayName " + user.getDisplayName() return True def deleteUser(self, user, configurationAttributes): print "ScimEventHandler (deleteUser): Current id = " + user.getUid() return True def createGroup(self, group, configurationAttributes): print "ScimEventHandler (createGroup): Current displayName = " + group.getDisplayName() return True def updateGroup(self, group, configurationAttributes): print "ScimEventHandler (updateGroup): Current displayName = " + group.getDisplayName() return True def deleteGroup(self, group, configurationAttributes): print "ScimEventHandler (deleteGroup): Current displayName = " + group.getDisplayName() return True def postCreateUser(self, user, configurationAttributes): print "Inside postCreateUser Method" return True def postUpdateUser(self, user, configurationAttributes): return True def postDeleteUser(self, user, configurationAttributes): return True def postUpdateGroup(self, group, configurationAttributes): return True def postCreateGroup(self, group, configurationAttributes): return True def postDeleteGroup(self, group, configurationAttributes): return True Can you please look into it and let me know.

Now email is working fine and it is being sent after creating the user, and in email i wanted to send an activation link so that when user access that link user should be activated. After user gets activated, should be able to login using the registered credentials. Any api for login? Please do let me know how can we do these two things.

Can you please share the information as i would be able to proceed

Hi Sam, Here is a summary of steps to perform in order to solve your requirements. It needs some investigation from your side, but most of that is already covered in the Gluu CE docs or in the OpenID connect spec: 1. Ensure your activation process (triggered by a click on email) sets the LDAP `gluuStatus` attribute of the user to `active`. This can be done via SCIM by setting `active` property to `true` in JSON payload: `{ ... active: true ... }` 1. Create an openid connect client via oxTrust that your application will use. Use the already existing "oxTrust Admin GUI" client as a guide. Adjust the redirect URI and post-logout redirect URIs accordingly 1. Create an openid authorization request from your application. This is basically a redirection you send to your user's browser. Ensure you pass `acr` param that identifies the flow you'll create in next step. This is how a request looks like: `https://<domain-name>/oxauth/authorize?response_type=code+...&client_id=...&scope=openid+...&redirect_uri=...&state=...&acr_values=...` 1. Create a new custom authentication flow. This is done by creating a new custom script in Python. You can do so in oxTrust too ("configuration" > "manage custom scripts"). - Use the existing "basic" script all time as a guide. - Display name you use here will be the `acr` value of previous step. - Create a custom page xhtml for your script that autosubmits (that way you don't prompt for username+password). In `getPageForStep` of the script return this page name. Copy the file to `/opt/gluu/jetty/oxauth/custom/pages` - In `authenticate` routine of your script issue a call to `authenticationService.authenticate` passing the username only. The authentication flow is triggered when the authorization request is sent and ends when the `authenticate` method is called, finally this will cause a redirection back to the application (at redirect uri). Some reference docs: - openid spec: http://openid.net/specs/openid-connect-core-1_0.html. For simplicity you can use the "implicit flow" - authentication scripts: https://gluu.org/docs/ce/admin-guide/custom-script/ - openid flows and clients: https://gluu.org/docs/ce/admin-guide/openid-connect

I am closing this ticket since the original problem has been solved. You can open new ones if you like wrt to authentication.