By: Carl Buxbaum user 04 May 2016 at 12:43 p.m. CDT

9 Responses
Hi, we are trying to use oxtrust to manage users. However, following the instructions below: https://ox.gluu.org/doku.php?id=oxtrust:oxscim we always get a forbidden error. Are these instructions valid, or are they outdated? I noticed something about only being able to authenticate using UMA. Is that the issue? We were trying to authenticate by getting an access code and POSTing using that access code. Thanks, Carl

By William Lowe user 04 May 2016 at 1:13 p.m. CDT

Hey Carl, Anything you see on ox.gluu.org you should take with a grain of salt. It's our wiki, not our documentation. Always use our official docs. Here are the [SCIM docs](https://gluu.org/docs/cache-refresh/scim/). Let us know if you have any other problems. Thanks, and sorry for the inconvenience.

By Carl Buxbaum user 04 May 2016 at 1:20 p.m. CDT

Right, we are trying to use the SCIM 2 endpoints, as documented here: https://gluu.org/docs/api/scim-2.0/#scim-20-endpoints using the specifications referenced here from a link in your docs: https://tools.ietf.org/html/draft-ietf-scim-api-19 We do not want to use the ScimClient.

By Michael Schwartz Account Admin 04 May 2016 at 1:47 p.m. CDT

Remember that SCIM says security is out of scope. It says simply basic security or OAuth2. Using basic authentication would kill the whole security model of the Gluu Server--no way we're doing that. So that leaves OAuth... but what kind of OAuth? The spec doesn't say anything about it. Our answer was to use UMA. This means that your client would need to obtain a UMA RPT token from the oxAuth Authorization Server (AS) to call the SCIM APIs on the oxTrust Resource Server (RS). In order to obtain the RPT, your client will also need to authenticate to the AS (OAuth2 client credential grant). We prefer crypto authentication for this. One thing that we are introducing in the new server is a test-mode, which will enable a static OAuth2 token to be used. I am guessing that you don't like Java. What are you using to script this?
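
The flow described in the post above (client credential grant to the AS, a permission ticket when a plain access token hits the SCIM endpoint, then an RPT that the RS accepts), as an added in-memory simulation that is not Gluu's, oxAuth's or oxTrust's code; the class names, token formats and the "scim_access" scope are constructed placeholders, not real oxAuth/oxTrust endpoints.

```python
import secrets
class AuthorizationServer:
    """Stands in for the oxAuth AS: issues client tokens and RPTs (constructed)."""
    def __init__(self, clients, scim_whitelist):
        self.clients = clients            # client_id -> client_secret
        self.whitelist = scim_whitelist   # client_ids allowed by the SCIM UMA policy
        self.tickets = {}                 # permission ticket -> required scope
        self.tokens = {}                  # token -> {"client", "kind", ...}
    def client_credentials(self, client_id, client_secret):
        # OAuth2 client credential grant: the client authenticates to the AS.
        if self.clients.get(client_id) != client_secret:
            raise PermissionError("invalid client credentials")
        token = secrets.token_hex(8)
        self.tokens[token] = {"client": client_id, "kind": "access"}
        return token
    def register_permission(self, scope):
        # Called by the RS to mint a permission ticket for a denied request.
        ticket = secrets.token_hex(8)
        self.tickets[ticket] = scope
        return ticket
    def request_rpt(self, access_token, ticket):
        # Trades a client token plus ticket for an RPT, if the UMA policy allows.
        info = self.tokens.get(access_token)
        if info is None or ticket not in self.tickets:
            raise PermissionError("valid client token and permission ticket required")
        if info["client"] not in self.whitelist:
            raise PermissionError("client_id not whitelisted by the UMA policy")
        rpt = secrets.token_hex(8)
        self.tokens[rpt] = {"client": info["client"], "kind": "rpt", "scope": self.tickets.pop(ticket)}
        return rpt
    def introspect(self, token):
        return self.tokens.get(token)

class ResourceServer:
    """Stands in for oxTrust: the SCIM endpoint accepts only an RPT with its scope."""
    def __init__(self, auth_server):
        self.auth = auth_server
    def scim_users(self, token):
        info = self.auth.introspect(token)
        if info and info["kind"] == "rpt" and info["scope"] == "scim_access":
            return 200, {"Resources": []}
        # A plain OAuth2 access token lands here: 403 plus a ticket to trade for an RPT.
        return 403, {"ticket": self.auth.register_permission("scim_access")}
def obtain_users(as_, rs, client_id, client_secret):
    """Client-side flow: client token -> 403 + ticket -> RPT -> SCIM call succeeds."""
    access = as_.client_credentials(client_id, client_secret)
    status, body = rs.scim_users(access)
    if status == 403:
        status, body = rs.scim_users(as_.request_rpt(access, body["ticket"]))
    return status, body
```

The second scenario in the test, a client_id missing from the policy whitelist, is the situation Carl hits later in this thread.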

By Carl Buxbaum user 04 May 2016 at 2:16 p.m. CDT

We don't mind Java at all. We just thought from the API descriptions that we saw that we could follow the format of just retrieving an access token and sending along a JSON request. We were going to just describe that to our developers or build a simple User API for adding users, as we are building API methods to get an access token etc. We were trying to access the REST API using an access token. I guess that is incorrect, and we will need to read up on how to get a UMA token?

By Michael Schwartz Account Admin 04 May 2016 at 2:21 p.m. CDT

Well, the nice thing about the Java SCIM client is that it handles all that stuff for you.

By Carl Buxbaum user 04 May 2016 at 2:25 p.m. CDT

Ok, we will probably use that. The adding/managing of users is ancillary to what we are doing right now, which is providing SSO to our apps. We will just add the user management to our list of requirements. However, I think, from looking around at your documentation, we are missing a key piece anyway. We have not created any scopes in the UMA configuration yet. Thanks, Carl

By Carl Buxbaum user 04 May 2016 at 2:33 p.m. CDT

Or rather, the scope is already created, but we need to add a client ID to the whitelist of the policy, which I just found in the custom scripts.

By William Lowe user 04 May 2016 at 3:07 p.m. CDT

Sounds like I can close this ticket out then. Let me know if you want me to reopen. Thanks for continuing to kick the tires, Carl! Will

By Carl Buxbaum user 05 May 2016 at 8:25 a.m. CDT

Hi, which SCIM client binary package do I use? 1.1 or 2.3.4? From the links at the bottom of the page: [Scim Client GIT page](https://github.com/GluuFederation/SCIM-Client)