By: James Gibson user 05 Jan 2017 at 3:43 p.m. CST

4 Responses
Hi, I've successfully deployed a Gluu server with the optional oxauth-rp component. I can log into the server and view the admin interface. I have attempted to use the oxauth-rp component, located at /oxauth-rp/home.htm, to register a new OpenID Connect Client. I'm trying to follow the video here: https://www.gluu.org/how-to-dynamically-register-openid-connect-client/ However, when I click "Submit" under "Dynamic Client Registration", I get an error:

```
HTTP/1.1 400
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{"error":"invalid_client_metadata","error_description":"The value of one of the Client Metadata fields is invalid and the server has rejected this request. Note that an Authorization Server MAY choose to substitute a valid value for any requested parameter of a Client's Metadata."}
```

I've tried many (but not all) combinations of parameters. Is there any advice on determining which parameter is causing the issue? I have inspected all of the logs I can find under /opt/tomcat/logs and elsewhere, but cannot find any error messages that are useful.

By Michael Schwartz Account Admin 05 Jan 2017 at 3:52 p.m. CST

What is the `redirect_uri`? Does it use https? Also, can you paste the values from your `oxd-default-site-config.json`? And which client library are you using: Java, Python, etc.?

By James Gibson user 05 Jan 2017 at 3:58 p.m. CST

Hi Michael, thanks for the quick reply!

1. I've tried a few different `redirect_uri` values, including localhost:3000/redirect and https://gluu.mydomain.com/oxauth-rp/home.seam as suggested in the video.
2. We might have a winner: I haven't done anything with oxd-default-site-config.json; I was (maybe wrongly) under the impression that I could use oxauth-rp to set up an OpenID Connect client that I could use with or without oxd? I haven't gotten to the point of using any client libraries, though I will be using Ruby if we decide to use oxd.

I sense I may have totally missed something important when trying to read the docs.

By Michael Schwartz Account Admin 05 Jan 2017 at 4:31 p.m. CST

1. The `redirect_uri` for a web application must always use the scheme `https://`. The URL should be the path of your application, whichever part handles the response from the OpenID Provider. That program will need to obtain the `code` and `state` from the response. Remember, the login and logout calls use the front channel (browser), and the token and userinfo calls use the backchannel (i.e. oxd does these for you).
2. Definitely use a client library. This will make it so much easier. Usually only client developers call the APIs directly. For example, if you're writing a new client for some new programming language, you'd call the APIs. Otherwise, it's too much work: use the libraries!
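The two points above, as an added example that is not part of the original thread or of Gluu's own code: a local pre-flight check of the `redirect_uris` a web application is about to submit in a dynamic client registration request (absolute `https://` URLs with a host and no fragment, which is the class of mistake behind the `invalid_client_metadata` response earlier in the thread), and the front-channel callback handler that pulls `code` and `state` out of the redirect and refuses a response whose `state` does not match the one issued at login. The host `gluu.mydomain.com` and the application callback `https://app.example/cb` are assumptions; the metadata field names follow OpenID Connect Dynamic Client Registration and RFC 7591, and the server is not contacted.

```ruby
require "json"
require "uri"
require "securerandom"

# Assumed OP host, taken from the thread's example redirect URI.
OP_HOST = "gluu.mydomain.com"

# Check every candidate redirect URI before it goes into a registration
# request. For a web application each entry must be an absolute https URL
# with a host and no fragment. Returns [ok, problems].
def check_redirect_uris(uris)
  problems = []
  problems << "redirect_uris must not be empty" if uris.empty?
  uris.each do |raw|
    uri = begin
      URI.parse(raw)
    rescue URI::InvalidURIError
      problems << "#{raw}: not a valid URI"
      next
    end
    # "localhost:3000/redirect" parses with scheme "localhost"; "http://..." with
    # scheme "http". Both are rejected here for the same reason the OP rejects them.
    if uri.scheme != "https"
      problems << "#{raw}: scheme #{uri.scheme.inspect} is not https"
      next
    end
    problems << "#{raw}: missing host" if uri.host.nil? || uri.host.empty?
    problems << "#{raw}: fragment not allowed in a redirect URI" if uri.fragment
  end
  [problems.empty?, problems]
end

# Build the JSON body for a dynamic client registration request for a
# confidential web client using the authorization code flow. Raises on
# redirect URIs the check above would reject, so the caller sees the
# offending entry instead of a bare invalid_client_metadata error.
def registration_request(client_name, redirect_uris)
  ok, problems = check_redirect_uris(redirect_uris)
  raise ArgumentError, problems.join("; ") unless ok
  {
    "client_name" => client_name,
    "application_type" => "web",
    "redirect_uris" => redirect_uris,
    "response_types" => ["code"],
    "grant_types" => ["authorization_code"],
    "token_endpoint_auth_method" => "client_secret_basic",
  }
end

# Fresh, unguessable state value to bind a login request to its callback.
def new_state
  SecureRandom.urlsafe_base64(24)
end

# Front-channel callback handler: the browser is redirected to our
# redirect_uri with ?code=...&state=... (or ?error=...). Only the code is
# returned; exchanging it for tokens happens on the back channel, which is
# the part oxd or a client library does for you.
def handle_callback(callback_url, expected_state)
  query = URI.parse(callback_url).query.to_s
  params = URI.decode_www_form(query).to_h
  return [:error, params["error"]] if params["error"]
  state = params["state"]
  return [:error, "state mismatch"] unless state && state.bytesize == expected_state.bytesize &&
                                             state == expected_state
  return [:error, "missing code"] unless params["code"]
  [:ok, params["code"]]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs mirroring the ones tried in the thread.
  candidates = ["localhost:3000/redirect", "https://#{OP_HOST}/oxauth-rp/home.seam"]
  _, problems = check_redirect_uris(candidates)
  problems.each { |p| puts "rejected: #{p}" }
  puts JSON.pretty_generate(registration_request("my-app", ["https://app.example/cb"]))
  state = new_state
  p handle_callback("https://app.example/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=#{state}", state)
end
```

Running the file prints why `localhost:3000/redirect` would be rejected while the `https://` entry passes, then the registration body that would be POSTed to the OP's registration endpoint.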

By James Gibson user 05 Jan 2017 at 4:55 p.m. CST

Thanks! I think it was the HTTPS, I got it set up by manually creating a new OpenID connector. Really appreciate the help!