By: Ernst Arnold user 30 Sep 2016 at 9:06 p.m. CDT

11 Responses
Ubuntu 16.04.1 LTS Welcome to your Gluu Identity Appliance 2.4.4.sp1! I am new to gluu :) Managed to set up server and now try to implement RP login with devise, omniauth-openid-connect. Rails 4.1.6 gets from our gluu server:

```
https://<identity_server_fqdn>/oxauth/authorize?response_type=code&client_id=<@!A8....>&redirect_uri=https://<client_fqdn>/users/auth/openid_connect/callback&scope=openid profile&state=mystate
```

Great, I get redirected to the login dialog from the server. Then I enter username and password and submit. Then the redirect_uri does receive an error in the response:

```
{"error"=>"access_denied", "error_description"=>"The resource owner or authorization server denied the request.", "state"=>"mystate", "controller"=>"users/omniauth_callbacks", "action"=>"openid_connect"}
```

Have tried many variations but cannot get it to return the authorization code. Interestingly if I point the browser to the server I am now logged in! Maybe my client on the server is not set up properly?

```
type: web
Pre-Authorization: Enabled
Subject Type: tried public and pairwise
Persist Client Autorizations: True
Logout Session required: False
JWS alg Algorithm for signing the UserInfo Responses: none
JWE alg Algorithm for encrypting the UserInfo Responses: RSA1_5
JWE enc Algorithm for encrypting the UserInfo Responses: A128CBC+HS256
JWS alg Algorithm for signing Request Objects: none
Authentication method for the Token Endpoint: none
JWS alg Algorithm for Authentication method to Token Endpoint: none
Default Maximum Authentication Age: 300
Require Auth Time: True
```

By Aliaksandr Samuseu staff 30 Sep 2016 at 9:26 p.m. CDT

Hi, Ernst. Welcome to Gluu world, hope you'll enjoy your stay. The list of client settings you provided doesn't mention `redirect_uri`, which is mandatory; the client must explicitly define all URIs it's allowed to redirect the user's agent to with the response to an authorize request. If this client was created using the auto-enrolment feature, I would also advise going to the "Clients" page in the web UI, opening it for editing and then clicking the "Update" button. It may highlight some mandatory settings you haven't yet set, too.

Best regards, Alex

By Ernst Arnold user 01 Oct 2016 at 7:28 a.m. CDT

Hi Alex, I am so glad for your help. I feel at the beginning of the learning curve. Config of client updated. Now one step further. After login, instead of access_denied I get the following url, and the params or request.env do not contain the code.

```
https://test.calm.dhamma.org/users/auth/openid_connect/callback#error_description=The+request+is+missing+a+required+parameter%2C+includes+an+unsupported+parameter+or+parameter+value%2C+or+is+otherwise+malformed.&state=mystate&error=invalid_request
```

Besides allowing the redirect I have added a number of settings which did not get me further.

By Ernst Arnold user 01 Oct 2016 at 9:10 a.m. CDT

If I do the same thing with Google as OP then the redirect gives:

```
https://test.calm.dhamma.org/users/auth/openid_connect/callback#state=mystate&access_token=ya29.CjBIfJ8pulvNGpJ7QjsH8UQf<..etc>&token_type=Bearer&expires_in=3600&code=4/5iucnYpKW_j1STjrQpYaON6uIpBGBbnivTM6JmddFJw&id_token=eyJhbGciOiJSUzI1NiIsImtpZCI6IjNiNjc1YzMzODM2YzMyZTAxYTBmNjcyMWRlYmU0ODlm<..etc>&authuser=0&session_state=f46bff0e674f<..etc>&prompt=none
```

So it must be a problem with my config for the client on our gluu server.

By Michael Schwartz Account Admin 01 Oct 2016 at 1:22 p.m. CDT

In order for us to help you, you need to include the ldif of the client entry in ldap. Alex is right... if the client redirect_uri is not configured, the OP will not return the code. You can use ldapsearch to pull the client:

```
/opt/opendj/bin/ldapsearch -h localhost -p 1636 -Z -X \
  -D "cn=directory manager" -j ~/.pw -b "o=gluu" \
  'inum=(clientid)'
```

Where (client-id) is the client id and ~/.pw is a file with the DM password (same as admin). It would also be helpful if you include any relevant messages from `oxauth.log` from `/opt/tomcat/logs`. For testing, use the public Subject Type. Also turn all signing and encryption off, and then add back after you have it working.

By Ernst Arnold user 01 Oct 2016 at 9:17 p.m. CDT

Thanks Michael, Followed your advice and now I get the access_token, code and id_token in the url. https://jwt.io/ shows the content of the id_token, however it reports 'Invalid Signature'.

```
/opt/opendj/bin/ldapsearch -h localhost -p 1636 -Z -X -D "cn=directory manager" -j ~/.pw -b "o=gluu" 'inum=@!A81A.15E8.A8C3.124A!0001!AC8B.4DEB!0008!C3A5.73A8'
dn: inum=@!A81A.15E8.A8C3.124A!0001!AC8B.4DEB!0008!C3A5.73A8,ou=clients,o=@!A81A.15E8.A8C3.124A!0001!AC8B.4DEB,o=gluu
objectClass: oxAuthClient
objectClass: top
oxAuthContact: calmernst@gmail.com
oxAuthScope: inum=@!A81A.15E8.A8C3.124A!0001!AC8B.4DEB!0009!764C,ou=scopes,o=@!A81A.15E8.A8C3.124A!0001!AC8B.4DEB,o=gluu
oxAuthScope: inum=@!A81A.15E8.A8C3.124A!0001!AC8B.4DEB!0009!F0C4,ou=scopes,o=@!A81A.15E8.A8C3.124A!0001!AC8B.4DEB,o=gluu
oxAuthScope: inum=@!A81A.15E8.A8C3.124A!0001!AC8B.4DEB!0009!43F1,ou=scopes,o=@!A81A.15E8.A8C3.124A!0001!AC8B.4DEB,o=gluu
oxLastLogonTime: 20160930054301.842Z
oxAuthPostLogoutRedirectURI: https://test.calm.dhamma.org/users/auth/openid_connect/callback
oxAuthAppType: web
oxLastAccessTime: 20160930054301.842Z
oxAuthLogoURI: https://d30iqsd9yv0c8c.cloudfront.net/assets/bodhi-ad05e7469fa162721af8590405918451.gif
oxAuthRedirectURI: https://test.calm.dhamma.org/users/auth/openid_connect/callback
oxAuthTokenEndpointAuthMethod: none
oxAuthLogoutSessionRequired: false
oxAuthDefaultMaxAge: 300
oxAuthTosURI: https://test.calm.dhamma.org/terms_of_service.html
oxAuthPolicyURI: https://test.calm.dhamma.org/policy.html
oxAuthResponseType: code
oxAuthResponseType: token
oxAuthResponseType: id_token
oxAuthClientURI: https://test.calm.dhamma.org
displayName: Registration
oxAuthRequireAuthTime: true
oxAuthClientSecret: <hidden>
oxPersistClientAuthorizations: true
oxAuthGrantType: authorization_code
oxAuthGrantType: implicit
oxAuthGrantType: refresh_token
inum: @!A81A.15E8.A8C3.124A!0001!AC8B.4DEB!0008!C3A5.73A8
oxAuthTrustedClient: false
oxAuthSubjectType: public
```

oxauth.log:

```
2016-10-01 23:29:01,768 INFO [org.xdi.oxauth.service.AuthenticationService] Attempting to redirect user: SessionUser: SessionState, dn='uniqueIdentifier=4cc85ee1-2059-4f35-8b8f-078361ea3fa7,ou=session,o=@!A81A.15E8.A8C3.124A!0001!AC8B.4DEB,o=gluu', id='4cc85ee1-2059-4f35-8b8f-078361ea3fa7', isJwt=false, lastUsedAt=Sat Oct 01 23:29:01 UTC 2016, userDn='inum=@!A81A.15E8.A8C3.124A!0001!AC8B.4DEB!0000!12D4.DEAF,ou=people,o=@!A81A.15E8.A8C3.124A!0001!AC8B.4DEB,o=gluu', authenticationTime=Sat Oct 01 23:29:01 UTC 2016, state=authenticated, permissionGranted=null, permissionGrantedMap=null, sessionAttributes={auth_step=1, acr=internal, remote_ip=115.70.36.142, scope=openid profile, response_type=code token id_token, state=mystate, redirect_uri=https://test.calm.dhamma.org/users/auth/openid_connect/callback, nonce=abc, client_id=@!A81A.15E8.A8C3.124A!0001!AC8B.4DEB!0008!C3A5.73A8, auth_user=EKA}, persisted=true}
2016-10-01 23:29:01,770 INFO [org.xdi.oxauth.service.AuthenticationService] Attempting to redirect user: User: org.xdi.oxauth.model.common.User@2905bc2c
2016-10-01 23:29:01,777 INFO [org.xdi.oxauth.auth.Authenticator] Authentication success for User: 'EKA'
```
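The 'Invalid Signature' result above is exactly the check a relying party has to make itself rather than leave to a decoder: the id_token's signature against the OP's published key, plus its iss, aud, exp and nonce claims. The following is an added example, not code from this thread, from Gluu or from jwt.io. It generates a local RSA key pair to stand in for the key the OP publishes at its jwks_uri; the issuer, client_id and claim values are constructed. It only accepts RS256, so a token with alg=none or an unknown key id is refused before any claim is read.

```ruby
# Added example (not code from this thread, from Gluu or from jwt.io): what a
# relying party must check on an id_token before trusting it. A locally generated
# RSA key pair stands in for the key the OP publishes at its jwks_uri; issuer and
# client_id are constructed values.
require "openssl"
require "json"
require "base64"

module IdTokenCheck
  ISSUER    = "https://idp.example.test" # constructed issuer
  CLIENT_ID = "example-client"           # constructed client_id (the token's expected aud)

  def self.b64url_encode(bytes)
    Base64.urlsafe_encode64(bytes, padding: false)
  end

  def self.b64url_decode(str)
    Base64.urlsafe_decode64(str) # tolerates the missing padding JWS uses
  end

  # Stand-in for the OP: sign claims as an RS256 JWS so the verifier below has
  # something realistic to check.
  def self.sign_rs256(claims, private_key, kid:)
    header = { "alg" => "RS256", "typ" => "JWT", "kid" => kid }
    signing_input = [header, claims].map { |h| b64url_encode(JSON.generate(h)) }.join(".")
    signature = private_key.sign(OpenSSL::Digest.new("SHA256"), signing_input)
    "#{signing_input}.#{b64url_encode(signature)}"
  end

  # Verify the signature first, then the claims OpenID Connect Core requires the
  # RP to validate for the code flow. keys_by_kid maps kid -> OpenSSL public key.
  # Returns [true, claims] or [false, reason].
  def self.verify(id_token, keys_by_kid, nonce:, now: Time.now.to_i)
    parts = id_token.split(".")
    return [false, "malformed"] unless parts.length == 3

    header = JSON.parse(b64url_decode(parts[0]))
    # Only the algorithm we expect; this also refuses alg=none, so an unsigned
    # token is never accepted.
    return [false, "alg not allowed"] unless header["alg"] == "RS256"
    key = keys_by_kid[header["kid"]]
    return [false, "unknown kid"] unless key

    signing_input = "#{parts[0]}.#{parts[1]}"
    unless key.verify(OpenSSL::Digest.new("SHA256"), b64url_decode(parts[2]), signing_input)
      return [false, "invalid signature"]
    end

    claims = JSON.parse(b64url_decode(parts[1]))
    return [false, "wrong issuer"]   unless claims["iss"] == ISSUER
    return [false, "wrong audience"] unless Array(claims["aud"]).include?(CLIENT_ID)
    return [false, "expired"]        unless claims["exp"].is_a?(Integer) && claims["exp"] > now
    return [false, "nonce mismatch"] unless claims["nonce"] == nonce
    [true, claims]
  end
end

if __FILE__ == $0
  op_key = OpenSSL::PKey::RSA.new(2048)        # stand-in for the OP's signing key
  jwks   = { "op-key-1" => op_key.public_key }  # what the RP would fetch from jwks_uri
  now    = Time.now.to_i
  claims = { "iss" => IdTokenCheck::ISSUER, "sub" => "user-1", "aud" => IdTokenCheck::CLIENT_ID,
             "iat" => now, "exp" => now + 300, "nonce" => "session-nonce" }
  token  = IdTokenCheck.sign_rs256(claims, op_key, kid: "op-key-1")
  p IdTokenCheck.verify(token, jwks, nonce: "session-nonce")
  p IdTokenCheck.verify(token, jwks, nonce: "other-nonce")
end
```

In a real RP the `keys_by_kid` map is built from the OP's jwks_uri document and the nonce is the one stored in the user's session when the authorize request was built; a token that fails any of these checks is discarded and the login is not completed.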

By Michael Schwartz Account Admin 02 Oct 2016 at 10:54 a.m. CDT

If you are writing a web application, you should not use grant type implicit--that is only for javascript-only client apps. Response type should only be `code`--not token or id_token.

```
oxAuthResponseType: code
```

If you want a much easier solution for Ruby on Rails, you may consider using oxd:

* [http://oxd.gluu.org/docs](http://oxd.gluu.org/docs)

oxd is a middleware server that offers easier API's. There is also a Rails example.

By Ernst Arnold user 02 Oct 2016 at 9:46 p.m. CDT

Thanks Michael, Yes I found that with code,token,id_token my client did not receive the tokens; they were in the url hash (JS location.hash). So I changed to code only. Next step is to post to the token endpoint (https://ids1-hz.dhamma.org.au/oxauth/seam/resource/restv1/oxauth/token) with http basic auth. I try my client's inum as username and the oxAuthClientSecret as password. Post parameters:

```
:code=>"f070f3a9-2089-4d49-840d-90501467f746", :grant_type=>"authorization_code", :redirect_uri=>"https://test.calm.dhamma.org/users/auth/openid_connect/callback"
```

Result in oxauth.log

```
org.xdi.oxauth.auth.AuthenticationFilter] Basic authentication failed java.lang.Exception: The Token Authentication Method is not valid.
```

```
root@ids1-hz:~# /opt/opendj/bin/ldapsearch -h localhost -p 1636 -Z -X -D "cn=directory manager" -j ~/.pw -b "o=gluu" 'inum=@!A81A.15E8.A8C3.124A!0001!AC8B.4DEB!0008!C3A5.73A8'
dn: inum=@!A81A.15E8.A8C3.124A!0001!AC8B.4DEB!0008!C3A5.73A8,ou=clients,o=@!A81A.15E8.A8C3.124A!0001!AC8B.4DEB,o=gluu
objectClass: oxAuthClient
objectClass: top
oxAuthContact: calmernst@gmail.com
oxAuthPolicyURI: https://test.calm.dhamma.org/policy.html
oxAuthScope: inum=@!A81A.15E8.A8C3.124A!0001!AC8B.4DEB!0009!764C,ou=scopes,o=@!A81A.15E8.A8C3.124A!0001!AC8B.4DEB,o=gluu
oxAuthScope: inum=@!A81A.15E8.A8C3.124A!0001!AC8B.4DEB!0009!F0C4,ou=scopes,o=@!A81A.15E8.A8C3.124A!0001!AC8B.4DEB,o=gluu
oxAuthScope: inum=@!A81A.15E8.A8C3.124A!0001!AC8B.4DEB!0009!43F1,ou=scopes,o=@!A81A.15E8.A8C3.124A!0001!AC8B.4DEB,o=gluu
oxLastLogonTime: 20160930054301.842Z
oxAuthPostLogoutRedirectURI: https://test.calm.dhamma.org/users/auth/openid_connect/callback
oxAuthAppType: web
oxLastAccessTime: 20161003033629.536Z
oxAuthLogoURI: https://d30iqsd9yv0c8c.cloudfront.net/assets/bodhi-ad05e7469fa162721af8590405918451.gif
oxAuthRedirectURI: https://test.calm.dhamma.org/users/auth/openid_connect/callback
oxAuthRedirectURI: https://test.calm.dhamma.org/users/auth/openid_connect/rcv_tokens
oxAuthResponseType: code
oxAuthResponseType: token
oxAuthResponseType: id_token
oxAuthClientURI: https://test.calm.dhamma.org
oxAuthTokenEndpointAuthMethod: client_secret_basic
displayName: Registration
oxAuthRequireAuthTime: true
oxAuthClientSecret: itBLrDJOjY5fun9CeSGcSQNBruTDufCO
oxAuthLogoutSessionRequired: false
oxAuthDefaultMaxAge: 300
oxPersistClientAuthorizations: true
oxAuthGrantType: authorization_code
oxAuthGrantType: refresh_token
oxAuthTosURI: https://test.calm.dhamma.org/terms_of_service.html
inum: @!A81A.15E8.A8C3.124A!0001!AC8B.4DEB!0008!C3A5.73A8
oxAuthTrustedClient: false
oxAuthSubjectType: public
```
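The pieces of the code flow this thread has been assembling one at a time, as an added example that is not part of the original posts nor code from omniauth-openid-connect or oxd: the authorize request with response_type=code only, a callback parser that reports a fragment response (where the tokens landed with response_type=code token id_token), checks state and separates an error response from a code, and the token endpoint request with client_secret_basic authentication, the method the client's oxAuthTokenEndpointAuthMethod has to be set to for the OP to accept the Basic header. Issuer, client_id, redirect_uri and secret are constructed placeholders, not the thread's values.

```ruby
# Added example (not code from this thread, from omniauth-openid-connect or from oxd):
# the relying-party side of an OpenID Connect authorization code flow for a
# confidential web application. Issuer, client_id, redirect_uri and secret are
# constructed placeholders, not the thread's values.
require "securerandom"
require "uri"
require "cgi"
require "net/http"

module OidcCodeFlow
  ISSUER       = "https://idp.example.test"                                  # constructed
  CLIENT_ID    = "@!EXAMPLE.CLIENT.INUM"                                      # placeholder inum
  REDIRECT_URI = "https://rp.example.test/users/auth/openid_connect/callback" # constructed

  # Authorize request with response_type=code only. A server-side app exchanges
  # the code at the token endpoint; it never needs token or id_token in the
  # redirect, where they would only land in the URL fragment. state (CSRF
  # binding) and nonce (id_token replay binding) are generated per login and
  # kept in the user's session until the callback arrives.
  def self.authorize_url(state:, nonce:)
    params = {
      "response_type" => "code",
      "client_id"     => CLIENT_ID,
      "redirect_uri"  => REDIRECT_URI, # must equal a registered oxAuthRedirectURI exactly
      "scope"         => "openid profile",
      "state"         => state,
      "nonce"         => nonce,
    }
    "#{ISSUER}/oxauth/authorize?" + URI.encode_www_form(params)
  end

  # Interpret the URL the browser was redirected back to. Returns a hash with
  # either :code or :error. Anything after '#' never reaches the server, so a
  # fragment response is reported as such rather than as a missing code.
  def self.parse_callback(url, expected_state:)
    uri = URI.parse(url)
    return { error: "fragment_response" } if uri.fragment && !uri.fragment.empty?

    params = uri.query ? CGI.parse(uri.query).transform_values(&:first) : {}
    # state is checked before anything else: a callback that does not carry the
    # state issued for this session is not ours, whether it holds a code or an error.
    return { error: "state_mismatch" } unless params["state"] == expected_state
    return { error: params["error"], description: params["error_description"] } if params["error"]
    return { error: "missing_code" } unless params["code"]

    { code: params["code"] }
  end

  # Build (without sending) the token endpoint request. client_secret_basic puts
  # client_id:client_secret in the HTTP Basic Authorization header and the grant
  # parameters in a form-encoded body; the client must be registered with that
  # token endpoint authentication method or the OP rejects the request.
  def self.token_request(token_endpoint, client_secret, code)
    req = Net::HTTP::Post.new(URI.parse(token_endpoint).request_uri)
    req.basic_auth(CLIENT_ID, client_secret)
    req.set_form_data(
      "grant_type"   => "authorization_code",
      "code"         => code,
      "redirect_uri" => REDIRECT_URI, # same value as in the authorize request
    )
    req
  end
end

if __FILE__ == $0
  state = SecureRandom.hex(16)
  nonce = SecureRandom.hex(16)
  puts OidcCodeFlow.authorize_url(state: state, nonce: nonce)
  # A constructed callback carrying a code in the query string, as the OP
  # sends it for response_type=code.
  callback = "#{OidcCodeFlow::REDIRECT_URI}?code=constructed-code&state=#{state}"
  p OidcCodeFlow.parse_callback(callback, expected_state: state)
  req = OidcCodeFlow.token_request("#{OidcCodeFlow::ISSUER}/oxauth/token", "constructed-secret", "constructed-code")
  puts req["Authorization"], req.body
end
```

The request object is sent with `Net::HTTP.start(host, 443, use_ssl: true) { |http| http.request(req) }`; the OP answers with JSON carrying access_token and id_token, and the code is single-use, so a second exchange of the same code must fail. The secret goes only in the Basic header over TLS and never in a redirect URL.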

By Ernst Arnold user 02 Oct 2016 at 9:52 p.m. CDT

> If you want a much easier solution for Ruby on Rails, you may consider using oxd:
>
> http://oxd.gluu.org/docs
>
> oxd is a middleware server that offers easier API's. There is also a Rails example.

I am a volunteer working for the benefit of a not-for-profit organisation (http://www.dhamma.org). So purchasing a commercial license is a challenge (depending on price). I hope that we can use gluu with the community license.

By William Lowe user 03 Oct 2016 at 10:46 a.m. CDT

Hi Ernst, oxd and the Gluu Server are separate products. You should be able to get everything working with free open source software, Mike was simply suggesting that oxd would make it easier to secure your application properly. The oxd license is going to cost around $0.33 per server per day. Our goal is to keep it affordable enough for non-profits and small and medium businesses to use. The other option is to keep going down your existing path, trying to integrate the OpenID Connect code directly into the app. If you need additional support from us, I would suggest that you close this ticket and create new tickets around specific issues you're facing. Focused support tickets will get faster responses than long threads like this that jump from issue to issue. Thanks, Will

By Michael Schwartz Account Admin 03 Oct 2016 at 12:02 p.m. CDT

I think you are really struggling to re-invent the wheel. oxd, at about $10/month, is really a nice option, and we can support you on it much more easily. But it's hard for us as the developers of a free open source platform to support your low-level protocol implementation. A few more options you may want to consider:

1. [Ruby OpenID Connect Library](https://github.com/nov/openid_connect)
2. [mod_auth_openidc](https://gluu.org/docs/integrate/ubuntu-installation/) -- Then pick up the user_info from the HTTP headers, but let the apache filter do some of the heavy lifting
3. [nginx openid plugin](http://www.gluu.co/openid-nginx)

By Ernst Arnold user 06 Oct 2016 at 4:20 a.m. CDT

Hi William and Michael, Thank you for your advice. I will look closer at those options. Regards, Ernst