By: melkisidek Bequengue user 05 Oct 2016 at 3:51 p.m. CDT

8 Responses
Hi, I'm trying to get an id token without success. When I use response_type=code+id_token I get an error message:

“https://vps296312.ovh.net/login.html#error=invalid_request&error_description=The+request+is+missing+a+required+parameter%2C+includes+an+unsupported+parameter+or+parameter+value%2C+or+is+otherwise+malformed.”

```
https://vps296312.ovh.net/oxauth/seam/resource/restv1/oxauth/authorize?scope=openid&response_type=code+id_token&client_id=@!21B5.88F4.D899.8B87!0001!3638.8568!0008!299A.7938&redirect_uri=https://vps296312.ovh.net/login.html
```

```
https://vps296312.ovh.net/login.html#error=invalid_request&error_description=The+request+is+missing+a+required+parameter%2C+includes+an+unsupported+parameter+or+parameter+value%2C+or+is+otherwise+malformed.
```

When I use response_type=code it is OK, but of course I don't get any id token:

```
https://vps296312.ovh.net/oxauth/seam/resource/restv1/oxauth/authorize?scope=openid&response_type=code&client_id=@!21B5.88F4.D899.8B87!0001!3638.8568!0008!299A.7938&redirect_uri=https://vps296312.ovh.net/login.html
```

```
https://vps296312.ovh.net/login.html?session_state=11dfbab1-847f-4038-b727-7b30fa9aeffc&scope=openid&state&code=32b3078e-11f2-4db2-a1ae-156ba826ab65
```

My server config picture:

![https://vps296312.ovh.net/gluu.jpg](https://vps296312.ovh.net/gluu.jpg)

https://vps296312.ovh.net/.well-known/openid-configuration

```
"response_types_supported": [
  "code",
  "code id_token",
  "token",
  "token id_token",
  "code token",
  "code token id_token",
  "id_token"
],
"grant_types_supported": [
  "authorization_code",
  "implicit",
  "urn:ietf:params:oauth:grant-type:jwt-bearer"
],
```

By Aliaksandr Samuseu staff 05 Oct 2016 at 4:09 p.m. CDT

Hi, Melkisidek.

Please provide more details, like captures of your requests and responses from the server, at least for the initial steps of the OIDC flow you use.

Best regards, Alex.

By Aliaksandr Samuseu staff 05 Oct 2016 at 4:13 p.m. CDT

What RP or tool do you use to form the initial OIDC request to Gluu?

By melkisidek Bequengue user 05 Oct 2016 at 6:48 p.m. CDT

I'm trying to get an id token using response_type=code+id_token, but it is not working. The response is invalid_request&error_description. It works only when I use response_type=code. The response is session_state and a code value. I'm trying to understand why it is not working and how I can have an id token.

Aliaksandr Samuseu, I'm using Postman, which is a REST client: https://www.getpostman.com/

By Aliaksandr Samuseu staff 05 Oct 2016 at 7:52 p.m. CDT

Could you provide the full request string you use for the initial request? A capture of the actual HTTP request/responses would be even better.

By Aliaksandr Samuseu staff 05 Oct 2016 at 7:59 p.m. CDT

Is this the one?

```
https://vps296312.ovh.net/oxauth/seam/resource/restv1/oxauth/authorize?scope=openid&response_type=code+id_token&client_id=@!21B5.88F4.D899.8B87!0001!3638.8568!0008!299A.7938&redirect_uri=https://vps296312.ovh.net/login.html
```

Why do you use a `redirect_uri` located on the same machine as Gluu? Do you have your RP installed there, too?

Also,

> response_type=code+id_token

I believe this means you are using one of the hybrid flows of OIDC. I think the `nonce` parameter is required in that case. Please try to add `nonce=some_random_string` to your request.

By melkisidek Bequengue user 06 Oct 2016 at 7:51 a.m. CDT

I am using this one. I made some changes:

https://vps296312.ovh.net/login.html

```
https://vps296312.ovh.net/oxauth/seam/resource/restv1/oxauth/authorize?scope=openid+email+clientinfo&response_type=code&client_id=@!21B5.88F4.D899.8B87!0001!3638.8568!0008!299A.7938&redirect_uri=https://vps296312.ovh.net/userinfo.html
```

This only works when response_type=code. With any other value I get an error, invalid request:

```
https://vps296312.ovh.net/oxauth/seam/resource/restv1/oxauth/authorize?scope=openid+email+clientinfo&response_type=code+id_token&client_id=@!21B5.88F4.D899.8B87!0001!3638.8568!0008!299A.7938&redirect_uri=https://vps296312.ovh.net/userinfo.html
```

By melkisidek Bequengue user 06 Oct 2016 at 2:28 p.m. CDT

Oh yes, you were right, the "**NONCE**" is required. I found this information on the IBM Knowledge Center, and finally I got my id_token "JWT". Thanks a lot!

https://www.ibm.com/support/knowledgecenter/SSD28V_8.5.5/com.ibm.websphere.wlp.core.doc/ae/twlp_oidc_auth_endpoint.html

By Aliaksandr Samuseu staff 06 Oct 2016 at 2:32 p.m. CDT

AFAICR, in hybrid flows where you receive the `id_token` right from the authorization endpoint, `nonce` is always required, as it must be included in the `id_token` and you must be able to compare it with the one you set in the request.

Ok, closing the ticket.
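
The request/response handling discussed in this thread, as an added example that is not part of the original posts or of Gluu's code: it builds a `response_type=code id_token` request with a fresh `state` and `nonce`, then checks the fragment the provider redirects back with. The function names, host names and client_id are constructed placeholders, and it assumes the `id_token` signature, `iss`, `aud` and `exp` are validated separately with a JOSE library.

```python
import base64, hmac, json, secrets
from urllib.parse import parse_qs, urlencode, urlsplit

def build_hybrid_request(authorize_endpoint, client_id, redirect_uri):
    """Return (url, state, nonce) for a response_type=code id_token request."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    query = urlencode({
        "scope": "openid",
        "response_type": "code id_token",  # urlencode emits code+id_token
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,  # the parameter missing from the failing requests
    })
    return f"{authorize_endpoint}?{query}", state, nonce

def same(a, b):
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())

def check_hybrid_response(redirect_url, state, nonce):
    """Parse the fragment of the redirect; return (code, claims) or raise ValueError."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(redirect_url).fragment).items()}
    if "error" in params:
        raise ValueError(f"{params['error']}: {params.get('error_description', '')}")
    if "code" not in params or params.get("id_token", "").count(".") != 2:
        raise ValueError("code or id_token missing from response")
    if not same(params.get("state", ""), state):
        raise ValueError("state mismatch")
    # Assumption: signature, iss, aud and exp are validated elsewhere with a
    # JOSE library and the provider's keys; this only decodes the payload.
    payload = params["id_token"].split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if not same(str(claims.get("nonce", "")), nonce):
        raise ValueError("nonce mismatch")
    return params["code"], claims

if __name__ == "__main__":
    # Constructed values: host names and client_id are placeholders.
    url, state, nonce = build_hybrid_request(
        "https://idp.example/oxauth/seam/resource/restv1/oxauth/authorize",
        "constructed-client-id", "https://rp.example/login.html")
    print(url)
```

The `nonce` and `state` returned by `build_hybrid_request` have to be stored in the user's session so that `check_hybrid_response` can compare them when the redirect arrives.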