By: Alex Moniatovsky user 02 Nov 2017 at 5:43 p.m. CDT

6 Responses
Hello, I am investigating the SCIM API and experiencing an issue with User end-point authentication. I have enabled scimTestMode and, after that, as I got from this [doc](https://gluu.org/docs/ce/2.4.4/admin-guide/scim-uma/), scimTestModeAccessToken should be generated, but this field is still blank, so I have updated this field with a self-created token value (0f13ae5a-135e-4b01-a290-7bbe62e7d40f), then saved the oxTrust config. Then I tried to access the User endpoint by this URL: `<host>/identity/restv1/scim/v2/Users?access_token=0f13ae5a-135e-4b01-a290-7bbe62e7d40f`, but I get a 503 response:

```
{ "schemas": [ "urn:ietf:params:scim:api:messages:2.0:Error" ], "status": "503", "scimType": "", "detail": "Invalid token" }
```

I also tried to add an Authorization header with the token value, and in this case I get "Invalid token 0f13ae5a-135e-4b01-a290-7bbe62e7d40f". Then I shifted to UMA access: I tried to access oxauth/restv1/token/ to get the access token, but it returns a 403 (Forbidden) response. Could you please explain how I should use the UMA endpoint to get an access token? And also, could you please point out where I went wrong with scimTestMode? Thank you in advance, Alex

By Jose Gonzalez staff 03 Nov 2017 at 8:50 a.m. CDT

Hi Alex, If you are hitting `<host>/identity/restv1/scim/v2/Users` it means you are using Gluu Server 3.1.x - but still trying to read the docs for 2.4.4... For security concerns we have [changed test mode](https://www.gluu.org/docs/ce/user-management/scim2/#differences-between-current-31x-and-older-test-mode) and revamped our SCIM [docs](https://www.gluu.org/docs/ce/user-management/scim2/), where you will find a thorough explanation. We raised this [issue](https://github.com/GluuFederation/oxTrust/issues/759) to remove the access token text field from the admin UI; it's not needed any longer. Feel free to reply here if you are still in trouble. In the Scim-Client project you can check this [class](https://github.com/GluuFederation/SCIM-Client/blob/version_3.1.1/src/main/java/gluu/scim2/client/TestModeScimClient.java) (if you are familiar with Java) for a concrete example of how to get an access token in test mode. Regards.

By Alex Moniatovsky user 07 Nov 2017 at 7:24 p.m. CST

Hi Jose, Thank you for the response, it helps a lot, but I am still in trouble. Actually, I am looking for the UMA authorization scenario. I have configured my client-side application (Java based) according to the [docs](https://www.gluu.org/docs/ce/user-management/scim2/#testing-with-the-scim-client-uma) you have provided. The first issue I have faced is that the example says nothing about clientKeyId; it is supposed to be empty, but in this case the **UmaScimClient** class throws an exception:

```java
if (StringHelper.isEmpty(keyId)) {
    throw new ScimInitializationException("UMA keyId is empty");
}
```

I have investigated the SCIM-client (3.1.1.Final) sources; it looks like it should be filled with one of the aliases from the **scim-rp.jks** key store:

```java
String keyId = this.umaAatClientKeyId;
if (StringHelper.isEmpty(keyId)) {
    // fall back to the first alias found in the key store
    List<String> aliases = cryptoProvider.getKeyAliases();
    if (aliases.size() > 0) {
        keyId = (String) aliases.get(0);
    }
}
```

**OxAuthCryptoProvider** has been created without any issues, but calling **getKeyAliases()** on it returns zero aliases for **scim-rp.jks** (I have opened it with the KeyStore Explorer tool; it has 6 aliases). I can't figure out what is wrong; could you please help me with this issue?

**P.S.** I have also tried to set the keyId value manually; in this case I have obtained a token, but then the SCIM client fails while calling:

```java
UmaTokenResponse rptResponse = tokenService.requestJwtAuthorizationRpt(
        ClientAssertionType.JWT_BEARER.toString(),
        tokenRequest.getClientAssertion(),
        GrantType.OXAUTH_UMA_TICKET.getValue(),
        ticket,
        (String) null, (String) null, (String) null, (String) null, (String) null);
```

due to an unauthorized response:

```
03:17:30.730 [main] DEBUG org.apache.http.wire - << "{"error":"invalid_client","error_description":"Client authentication failed (e.g. unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the Authorization request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code, and include the WWW-Authenticate response header field matching the authentication scheme used by the client."}"
Caused by: org.jboss.resteasy.client.ClientResponseFailure: Error status 401 Unauthorized returned
    at org.jboss.resteasy.client.core.BaseClientResponse.createResponseFailure(BaseClientResponse.java:570)
    at org.jboss.resteasy.client.core.BaseClientResponse.createResponseFailure(BaseClientResponse.java:561)
    at org.jboss.resteasy.client.core.BaseClientResponse.checkFailureStatus(BaseClientResponse.java:555)
    at org.jboss.resteasy.client.core.extractors.BodyEntityExtractor.extractEntity(BodyEntityExtractor.java:37)
    at org.jboss.resteasy.client.core.ClientInvoker.invoke(ClientInvoker.java:125)
    at org.jboss.resteasy.client.core.ClientProxy.invoke(ClientProxy.java:88)
    at com.sun.proxy.$Proxy42.requestJwtAuthorizationRpt(Unknown Source)
    at gluu.scim2.client.UmaScimClient.getAuthorizedRpt(UmaScimClient.java:158)
```

Thank you in advance, Alex

By Jose Gonzalez staff 08 Nov 2017 at 8:51 a.m. CST

Alex,

> The first issue I have faced is that example say nothing about clientKeyId

It does... it reads:

> You can supply an alias from scim-rp.jks for umaClientKeyId. The first key from the file is used automatically when this value is left empty.

Before moving further, can you please check this:

* The path to the .jks used in your application is right (accessible) and the operating system user has read access to it. Remember that you have previously copied the jks from the server to your dev machine.
* Your oxAuth logs are NOT showing a stack trace for the OxAuthCryptoProvider class when you are trying to run the example.

By Alex Moniatovsky user 08 Nov 2017 at 5:50 p.m. CST

Thanks, Jose, I have resolved the issue with the certificate (it was a problem with the read access), so **searchUsers** was invoked successfully, but now the **createUser** operation fails. I am using the user entity from the [docs](https://www.gluu.org/docs/ce/user-management/scim2/#user-object) without any changes, but receive a bad request (400) status. My client logs:

```
01:33:21.077 [main] DEBUG org.apache.http.headers - >> POST /identity/restv1/scim/v2/Users HTTP/1.1
01:33:21.077 [main] DEBUG org.apache.http.headers - >> Authorization: Bearer dba2f6af-fec8-4c8f-83c4-41b0d2f11e40_59BE.E32E.8483.4E87.6667.2ECB.895C.2769
01:33:21.077 [main] DEBUG org.apache.http.headers - >> Accept: application/scim+json;charset=utf-8
01:33:21.077 [main] DEBUG org.apache.http.headers - >> Accept-Encoding: gzip, deflate
01:33:21.078 [main] DEBUG org.apache.http.headers - >> Content-Length: 1119
01:33:21.078 [main] DEBUG org.apache.http.headers - >> Content-Type: application/scim+json;charset=utf-8
01:33:21.078 [main] DEBUG org.apache.http.headers - >> Host: gluu-de.local
01:33:21.078 [main] DEBUG org.apache.http.headers - >> Connection: Keep-Alive
01:33:21.078 [main] DEBUG org.apache.http.headers - >> User-Agent: Apache-HttpClient/4.5.3 (Java/1.8.0_144)
01:33:21.078 [main] DEBUG org.apache.http.wire - >> "{"id":null,"externalId":null,"meta":{"created":null,"lastModified":null,"location":null,"version":null,"resourceType":"User"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],"userName":"newUser_1510183994570","name":{"formatted":"Given Name Family Name","familyName":"Family Name","givenName":"Given Name","middleName":null,"honorificPrefix":null,"honorificSuffix":null},"displayName":null,"nickName":null,"profileUrl":null,"title":null,"userType":null,"preferredLanguage":"US_en","locale":null,"timezone":null,"active":true,"password":"secret","emails":[{"operation":null,"value":"a@b.com","display":"a@b.com","primary":true,"type":"work","$ref":""}],"phoneNumbers":[{"operation":null,"value":"123-456-7890","display":"123-456-7890","primary":true,"type":"work","$ref":""}],"ims":[],"photos":[],"addresses":[{"operation":null,"primary":true,"formatted":"My Formatted Address","streetAddress":"My Street","locality":"My Locality","region":"My Region","postalCode":"12345","country":"My Country","type":"work","$ref":""}],"groups":[],"entitlements":[],"roles":[],"pairwiseIdentitifers":[],"x509Certificates":[]}"
01:33:21.206 [main] DEBUG org.apache.http.wire - << "HTTP/1.1 400 Bad Request[\r][\n]"
01:33:21.206 [main] DEBUG org.apache.http.wire - << "Date: Wed, 08 Nov 2017 23:33:21 GMT[\r][\n]"
01:33:21.206 [main] DEBUG org.apache.http.wire - << "Server: Jetty(9.3.15.v20161220)[\r][\n]"
01:33:21.206 [main] DEBUG org.apache.http.wire - << "X-Xss-Protection: 1; mode=block[\r][\n]"
01:33:21.206 [main] DEBUG org.apache.http.wire - << "X-Content-Type-Options: nosniff[\r][\n]"
01:33:21.206 [main] DEBUG org.apache.http.wire - << "Strict-Transport-Security: max-age=31536000; includeSubDomains[\r][\n]"
01:33:21.207 [main] DEBUG org.apache.http.wire - << "Content-Type: application/scim+json;charset=utf-8[\r][\n]"
01:33:21.208 [main] DEBUG org.apache.http.wire - << "Connection: close[\r][\n]"
01:33:21.208 [main] DEBUG org.apache.http.wire - << "Transfer-Encoding: chunked[\r][\n]"
01:33:21.208 [main] DEBUG org.apache.http.wire - << "[\r][\n]"
```

I assumed that something is wrong with the user entity. I have checked oxtrust.log; there is a 401 Unauthorized status from UmaPermissionService:

```
2017-11-08 23:44:55,569 DEBUG [oxTrustScheduler_Worker-5] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:62) - Bound request ended
2017-11-08 23:44:55,569 DEBUG [Thread-294748] [org.gluu.oxtrust.ldap.service.StatusCheckerTimer] (StatusCheckerTimer.java:140) - Starting update of appliance status
2017-11-08 23:44:55,572 DEBUG [Thread-294748] [org.gluu.oxtrust.ldap.service.StatusCheckerTimer] (StatusCheckerTimer.java:342) - Setting facter attributes
2017-11-08 23:44:55,595 DEBUG [oxTrustScheduler_Worker-1] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:52) - Bound request started
2017-11-08 23:44:55,595 DEBUG [oxTrustScheduler_Worker-1] [org.xdi.service.timer.TimerJob] (TimerJob.java:34) - Fire timer event [org.xdi.service.cdi.event.UpdateScriptEvent] with qualifiers [@org.xdi.service.cdi.event.Scheduled()]
2017-11-08 23:44:55,599 DEBUG [oxTrustScheduler_Worker-1] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:62) - Bound request ended
2017-11-08 23:44:55,787 DEBUG [Thread-294748] [org.gluu.oxtrust.ldap.service.StatusCheckerTimer] (StatusCheckerTimer.java:465) - Setting facter param: memoryfree
2017-11-08 23:44:55,787 DEBUG [Thread-294748] [org.gluu.oxtrust.ldap.service.StatusCheckerTimer] (StatusCheckerTimer.java:485) - memoryfree => 776.68 MB
2017-11-08 23:44:55,787 DEBUG [Thread-294748] [org.gluu.oxtrust.ldap.service.StatusCheckerTimer] (StatusCheckerTimer.java:465) - Setting facter param: memorysize
2017-11-08 23:44:55,787 DEBUG [Thread-294748] [org.gluu.oxtrust.ldap.service.StatusCheckerTimer] (StatusCheckerTimer.java:485) - memorysize => 3.86 GB
2017-11-08 23:44:55,787 DEBUG [Thread-294748] [org.gluu.oxtrust.ldap.service.StatusCheckerTimer] (StatusCheckerTimer.java:465) - Setting facter param: swapfree
2017-11-08 23:44:55,787 DEBUG [Thread-294748] [org.gluu.oxtrust.ldap.service.StatusCheckerTimer] (StatusCheckerTimer.java:485) - swapfree => 0.00 MB
2017-11-08 23:44:55,787 DEBUG [Thread-294748] [org.gluu.oxtrust.ldap.service.StatusCheckerTimer] (StatusCheckerTimer.java:465) - Setting facter param: swapsize
2017-11-08 23:44:55,787 DEBUG [Thread-294748] [org.gluu.oxtrust.ldap.service.StatusCheckerTimer] (StatusCheckerTimer.java:485) - swapsize => 0.00 MB
2017-11-08 23:44:55,787 DEBUG [Thread-294748] [org.gluu.oxtrust.ldap.service.StatusCheckerTimer] (StatusCheckerTimer.java:465) - Setting facter param: hostname
2017-11-08 23:44:55,788 DEBUG [Thread-294748] [org.gluu.oxtrust.ldap.service.StatusCheckerTimer] (StatusCheckerTimer.java:485) - hostname => gluu-de
2017-11-08 23:44:55,788 DEBUG [Thread-294748] [org.gluu.oxtrust.ldap.service.StatusCheckerTimer] (StatusCheckerTimer.java:465) - Setting facter param: ipaddress
2017-11-08 23:44:55,788 DEBUG [Thread-294748] [org.gluu.oxtrust.ldap.service.StatusCheckerTimer] (StatusCheckerTimer.java:485) - ipaddress => 172.10.3.54
2017-11-08 23:44:55,788 DEBUG [Thread-294748] [org.gluu.oxtrust.ldap.service.StatusCheckerTimer] (StatusCheckerTimer.java:465) - Setting facter param: load_average
2017-11-08 23:44:55,788 DEBUG [Thread-294748] [org.gluu.oxtrust.ldap.service.StatusCheckerTimer] (StatusCheckerTimer.java:465) - Setting facter param: bandwidth_usage
2017-11-08 23:44:55,788 DEBUG [Thread-294748] [org.gluu.oxtrust.ldap.service.StatusCheckerTimer] (StatusCheckerTimer.java:385) - Setting bandwidth attributes
2017-11-08 23:44:55,788 DEBUG [Thread-294748] [org.gluu.oxtrust.ldap.service.StatusCheckerTimer] (StatusCheckerTimer.java:465) - Setting facter param: uptime_seconds
2017-11-08 23:44:55,788 DEBUG [Thread-294748] [org.gluu.oxtrust.ldap.service.StatusCheckerTimer] (StatusCheckerTimer.java:485) - uptime_seconds => 1686531
2017-11-08 23:44:55,788 DEBUG [Thread-294748] [org.gluu.oxtrust.ldap.service.StatusCheckerTimer] (StatusCheckerTimer.java:409) - Setting df attributes
2017-11-08 23:44:55,793 DEBUG [Thread-294748] [org.gluu.oxtrust.ldap.service.StatusCheckerTimer] (StatusCheckerTimer.java:222) - Setting httpd attributes
2017-11-08 23:44:55,806 DEBUG [Thread-294748] [org.gluu.oxtrust.ldap.service.StatusCheckerTimer] (StatusCheckerTimer.java:198) - Appliance status update finished
2017-11-08 23:45:17,954 INFO [qtp985655350-14] [oxtrust.service.scim2.jackson.custom.UserDeserializer] (UserDeserializer.java:45) - deserialize()
2017-11-08 23:45:18,069 DEBUG [qtp985655350-14] [org.gluu.oxtrust.service.uma.UmaPermissionService] (UmaPermissionService.java:186) - Construct response: HTTP 401 (Unauthorized), ??????: '03a712ec-c649-416a-907f-582d6c9679a7'
2017-11-08 23:45:19,546 INFO [qtp985655350-13] [oxtrust.service.scim2.jackson.custom.UserDeserializer] (UserDeserializer.java:45) - deserialize()
```

Do you have any assumptions about what is wrong this time? Thanks, Alex

By Jose Gonzalez staff 09 Nov 2017 at 9:13 a.m. CST

Hi, Not clear if you are having 400 or 401. You cannot obtain two response status codes at the same time! Since **searchUsers** worked, I think the *bad request* deserves attention now. Unfortunately, the Java code of that particular example seems a bit outdated. I hope we can fix that soon. ...Anyway, I recommend, whenever possible, using JSON payloads directly. It comes with some advantages:

* It helps you understand the protocol better, especially when starting
* It's more agile to develop that way (just edit plain files), reducing the amount of code
* Most examples on the Gluu site are given in JSON

Try to use (or mimic in Java object terms) the JSON data shown [here](https://www.gluu.org/docs/ce/user-management/scim2/#json-string). If I remember well, for instance, you should not pass a country name but an ISO code (e.g. US), and the impl is also expecting a non-null display name. In this [section](https://www.gluu.org/docs/ce/user-management/scim2/#creating-resources) you can find more JSON-ized stuff which was fully tested. Try to study those. I think this ticket was closed because the original need was solved. Open a new one if still in trouble.
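As an added example (not code from this thread or from the Gluu project), here is a small pre-flight check for a SCIM 2.0 User payload that flags the two pitfalls Jose names (a country name where an ISO code is expected, and a null displayName), strips the null fields the Java client serialized, and assembles the create request with the same headers the client log above shows (Bearer RPT, `application/scim+json`). The helper names, the two-letter country format check, and the sample users are assumptions constructed for the example; nothing here talks to a server.

```python
import json
import re

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_MEDIA_TYPE = "application/scim+json;charset=utf-8"
ISO_ALPHA2 = re.compile(r"^[A-Z]{2}$")  # format check only (assumption), not a country list


def strip_nulls(value):
    """Drop None-valued keys recursively; the Java client serialized every null field."""
    if isinstance(value, dict):
        return {k: strip_nulls(v) for k, v in value.items() if v is not None}
    if isinstance(value, list):
        return [strip_nulls(v) for v in value]
    return value


def lint_scim_user(user):
    """Return the problems found in a SCIM 2.0 User payload (empty list means OK)."""
    problems = []
    if SCIM_USER_SCHEMA not in user.get("schemas", []):
        problems.append("schemas must include " + SCIM_USER_SCHEMA)
    if not user.get("userName"):
        problems.append("userName is required")
    if user.get("displayName") is None:
        problems.append("displayName is null; the server expects a value")
    for i, addr in enumerate(user.get("addresses", [])):
        country = addr.get("country")
        if country is not None and not ISO_ALPHA2.match(country):
            problems.append(f"addresses[{i}].country {country!r} is not an ISO alpha-2 code")
    return problems


def build_create_request(host, rpt, user):
    """Assemble POST /identity/restv1/scim/v2/Users (no network I/O); refuse bad payloads."""
    problems = lint_scim_user(user)
    if problems:
        raise ValueError("; ".join(problems))
    body = json.dumps(strip_nulls(user), separators=(",", ":"))
    headers = {"Authorization": "Bearer " + rpt,  # the RPT obtained through the UMA flow
               "Accept": SCIM_MEDIA_TYPE, "Content-Type": SCIM_MEDIA_TYPE,
               "Content-Length": str(len(body.encode("utf-8")))}
    return {"method": "POST", "url": f"https://{host}/identity/restv1/scim/v2/Users",
            "headers": headers, "body": body}


# Constructed samples: the shape of the entity that drew the 400 above, and a corrected one.
FAILING_USER = {
    "schemas": [SCIM_USER_SCHEMA], "userName": "newUser_1510183994570", "displayName": None,
    "addresses": [{"formatted": "My Formatted Address", "country": "My Country", "type": "work"}],
}
FIXED_USER = dict(FAILING_USER, displayName="New User",
                  addresses=[dict(FAILING_USER["addresses"][0], country="US")])
```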

By Alex Moniatovsky user 30 Nov 2017 at 6:28 p.m. CST

Thanks Jose, using JSON payloads directly is working.