By: Cory Carter user 13 Apr 2018 at 10:34 a.m. CDT

21 Responses
Hello,

I've just created a user in GLUU, but for some reason I'm unable to log in to GLUU afterwards. I'm seeing the following in identity:

```
2018-04-13 10:20:50,976 INFO [qtp1689843956-10] [org.gluu.oxtrust.action.Authenticator] (Authenticator.java:386) - scopes : openid user_name profile email
2018-04-13 10:20:50,977 INFO [qtp1689843956-10] [org.gluu.oxtrust.action.Authenticator] (Authenticator.java:389) - clientID : @!1139.1FC4.2032.A087!0001!52AD.5DFF!0008!ADE1.25F2
2018-04-13 10:20:50,977 INFO [qtp1689843956-10] [org.gluu.oxtrust.action.Authenticator] (Authenticator.java:419) - Sending request to token endpoint
2018-04-13 10:20:50,977 INFO [qtp1689843956-10] [org.gluu.oxtrust.action.Authenticator] (Authenticator.java:421) - redirectURI : https://csidp-int.cspire.net/identity/authentication/authcode
2018-04-13 10:20:51,034 INFO [qtp1689843956-10] [org.gluu.oxtrust.action.Authenticator] (Authenticator.java:436) - Session validation successful. User is logged in
2018-04-13 10:20:51,099 ERROR [qtp1689843956-10] [org.gluu.oxtrust.action.Authenticator] (Authenticator.java:447) - User info response doesn't contains uid claim
```

Can anyone help?

Thanks, Cory

By Thomas Gasmyr Mougang staff 13 Apr 2018 at 11:03 a.m. CDT

Hi **Cory**,

The error:

```
User info response doesn't contains uid claim
```

means that the OpenID client configuration in Gluu server is not set up to release the `username` scope. Please release that scope and try again. See example [here](https://pasteboard.co/HgrCGu0.png).

Thanks, Gasmyr.

By Cory Carter user 13 Apr 2018 at 11:21 a.m. CDT

Gasmyr,

```
Openid client configuration in Gluu server is not setup to released username scope.
```

Shouldn't this be done by default in GLUU server in order to access oxTrust? I thought that the Admin GUI immediately had these scopes out of the box.

```
Please release that scope and try again.
```

Is there any way to do this outside of the GUI (as this has essentially locked me out) through the likes of either jXplorer or the likes?

By Thomas Gasmyr Mougang staff 13 Apr 2018 at 11:29 a.m. CDT

The documentation contains all the information you may need. When you just open a ticket without a description of what you want to achieve, it is impossible for us to help. Gluu server ships with some default scopes and you can add a custom one if you want.

By Cory Carter user 13 Apr 2018 at 11:49 a.m. CDT

Gasmyr,

I'm not sure I follow. This does not include a custom client of any sort.

[Events in chronological order]

1. I created a user in GLUU.
2. I restarted the server.
3. I'm no longer able to log in with ANY (including default admin) profile via oxTrust's GUI.
4. After viewing identity logs, I saw the above-mentioned error in identity.
5. In reply to your response, I asked whether there is any way to make the correction you suggested outside of the GUI, as this error has effectively locked me out.

I can still log in and authenticate via LDAP backends. I apologize for the confusion, if any.

By Thomas Gasmyr Mougang staff 13 Apr 2018 at 11:53 a.m. CDT

Okay, the description is clear now. Gimme some minutes.

By Thomas Gasmyr Mougang staff 13 Apr 2018 at 12:33 p.m. CDT

Steps to follow:

1. Use an LDAP browser like jxplorer to connect to LDAP
2. Check the client with id *@!1139.1FC4.2032.A087!0001!52AD.5DFF!0008!ADE1.25F2*
3. Provide a screenshot of that client (all parameters)
4. Check the **Appliances** block
5. Set the attribute **oxTrustAuthenticationMode** value to **auth_ldap_server**
6. Save change
7. Restart identity service and try again

Illustration: [here](https://pasteboard.co/HgsdB6F.png).

By Cory Carter user 13 Apr 2018 at 2:26 p.m. CDT

Gasmyr, [Changes Made, Configuration here](https://pasteboard.co/HgsWs55.png)

By Thomas Gasmyr Mougang staff 13 Apr 2018 at 2:31 p.m. CDT

Have you changed the **oxTrustAuthenticationMode** attribute value in the appliances section? If so, can you log in now?

By Cory Carter user 13 Apr 2018 at 2:35 p.m. CDT

The oxTrustAuthenticationMode parameter was set to auth_ldap_server by default. I still cannot login after restart, however.

By Thomas Gasmyr Mougang staff 13 Apr 2018 at 2:52 p.m. CDT

Can you provide a screenshot of the user's entry in LDAP? See [this](https://pasteboard.co/Hgt7X5S.png) for example.

By Cory Carter user 13 Apr 2018 at 3:13 p.m. CDT

[Here you are](https://pasteboard.co/HgtguyT.png)

By Thomas Gasmyr Mougang staff 13 Apr 2018 at 3:27 p.m. CDT

You can see from your screenshot that there is an essential attribute missing. The **uid** attribute is not present. This means that you have done something that removed that attribute and maybe some others.

How to fix the uid attribute: from jxplorer you can add an attribute to a specific user. In your case, add an attribute named **uid** to john's entry and set the value to **john**. Then restart the identity service and try to log in using username **john**.

By Cory Carter user 13 Apr 2018 at 3:34 p.m. CDT

I see a "uid" attribute in the screenshot [scimTest3]. Am I looking at the wrong attribute?

By Thomas Gasmyr Mougang staff 13 Apr 2018 at 3:38 p.m. CDT

Cory, Please check your ldap entries and fix it.

By Cory Carter user 13 Apr 2018 at 3:55 p.m. CDT

Gasmyr, There already is a "uid" ldap entry in the above screenshot. [[I've Circled it for you](https://pasteboard.co/HgtxuIP.jpg)]

By Cory Carter user 16 Apr 2018 at 11:07 a.m. CDT

Gasmyr, We have found the root of the issue: The "oxAuthClientPassword" had been deleted from JSON configuration mistakenly. In regards to this, is there a way to replace this password via a hashing algorithm of some sort?

By Thomas Gasmyr Mougang staff 16 Apr 2018 at 1:21 p.m. CDT

Hi **Cory**,

We haven't seen such behavior yet. Can you please provide more details about which LDAP entry is concerned, maybe a screenshot also.

Thanks, Gasmyr.

By Chris Blanton user 16 Apr 2018 at 1:30 p.m. CDT

Cory, Do you mean the `oxAuthClientSecret` for the `oxTrust Admin GUI`?

By Cory Carter user 16 Apr 2018 at 1:33 p.m. CDT

Gasmyr, This value was deleted due to testing mishap, and is of no fault of GLUU itself. Here is the [value](https://pasteboard.co/HgUTLjy.png) itself, found in oxTrust Configuration

By Thomas Gasmyr Mougang staff 16 Apr 2018 at 2:25 p.m. CDT

Log into the Gluu server container and run the command below to recover the `oxAuthClientSecret`:

```
cat /install/community-edition-setup/setup.properties.last | grep oxauthClient_pw | cut -d "=" -f 2 | xargs python /opt/gluu/bin/encode.py
```

This command will print the encoded **oxAuthClientSecret**. You can use **jxplorer** to insert that attribute value since you don't have access to the oxTrust Admin UI.

Thanks, Gasmyr.
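A stricter way to read that one property before encoding it, as an added example that is not part of the original post or Gluu's own tooling: the `grep | cut` pipeline above matches any line containing the key name and keeps only the text between the first and second `=`. The helper names `get_prop` and `write_sample`, and the sample file contents, are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): read exactly one key from a
# Java-style .properties file and refuse ambiguous or missing entries.

# get_prop FILE KEY
# Prints the value of KEY. Returns 0 only when exactly one "KEY=" line exists,
# 1 when the key is absent, 2 when it is defined more than once.
get_prop() {
    file=$1
    key=$2
    # Fixed-string match anchored at column 1, so "KEY_old=" is not picked up.
    count=$(awk -v k="$key=" 'index($0, k) == 1 { n++ } END { print n + 0 }' "$file")
    [ "$count" -eq 0 ] && return 1
    [ "$count" -gt 1 ] && return 2
    # Keep everything after the first "=", so a value containing "=" survives.
    awk -v k="$key=" 'index($0, k) == 1 { print substr($0, length(k) + 1) }' "$file"
}

# write_sample FILE
# Constructed sample data; none of these values come from a real installation.
write_sample() {
    printf '%s\n' \
        'hostname=idp.example.test' \
        'oxauthClient_pw_old=Zzz999' \
        'oxauthClient_pw=Abc=123=xyz' > "$1"
}

# Stand-alone demo on the constructed file.
tmp=$(mktemp)
write_sample "$tmp"
get_prop "$tmp" oxauthClient_pw    # prints Abc=123=xyz
rm -f "$tmp"

# On the Gluu host, the value would then be passed to the script named in the
# post above, as a single quoted argument:
#   secret=$(get_prop /install/community-edition-setup/setup.properties.last oxauthClient_pw) \
#       && python /opt/gluu/bin/encode.py "$secret"
```
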

By Cory Carter user 16 Apr 2018 at 2:50 p.m. CDT

Works like a charm!!! Thanks guys!!!