By: Floris Leurink user 26 Jan 2018 at 3:41 p.m. CST

10 Responses
Hi, I am trying to migrate some WordPress applications from one server to another. On the old server, I have installed OXD-server, with working OXD-clients. I am able to authenticate with the WordPress plugin. This is an older OXD version: the client configurations are stored in JSON format, e.g. 1234252-125532532-2232323-32623632.json. I am trying to migrate these clients to the new server. However, a newer version of OXD is installed there and the configuration seems to be stored in an H2 db file. I copied the JSON of the client to a migration folder, checked the logs and can verify that the RPs have been migrated. However, I am unable to see the "Login with OpenID provider" button in the WordPress login screen, with all settings identical to the clients on the older working version. I really need some help to be able to register a working OpenID client.

Can you answer the following questions for me? My OP does not support dynamic client registration. I have a client ID, a secret ID and a configuration endpoint. But it is impossible to register this client with the OP URL, because there is no option to enter client ID and secret (this is possible when I register accounts.google.com). When I enter the custom OP host, there is no option to enter client ID / secret. How do you suggest I proceed in this case? I cannot edit the client configs manually, because they are stored in the H2 db file. In the WordPress table, I have manually entered the correct OXD client ID and config, but the "Login with OpenID provider" button is not showing up.

Thanks in advance! Kind regards, Floris, The Netherlands

By William Lowe user 26 Jan 2018 at 3:49 p.m. CST

Hi Floris, which OP are you using? Thanks, Will

By Yuriy Zabrovarnyy staff 27 Jan 2018 at 2:12 a.m. CST

Hi Floris,

1. Please provide the oxd-server.log file from the old server and from the new server. Hopefully we will notice what the difference is. In general, the response from the `get_authorization_url` command must be the same (it's the first place that has to be checked).
2. What oxd-client are you using? After migration to the new oxd-server, did you take the new client?
3. If you need to update any information for the rp/site, you can always do it via the `update_site_registration` command.
4. There is a possibility to switch persistence from the H2 db to redis, just in case you find it more convenient: https://gluu.org/docs/oxd/3.1.1/configuration/

Thanks, Yuriy Z

By Floris Leurink user 27 Jan 2018 at 9:35 a.m. CST

Ad 1: See this link: https://docs.google.com/document/d/1yaXKip2zvScP_JiLjERpaiHELBcHTv75bhG3kYktfvQ/edit# for info regarding the logs of the registration of the OXD-server client on the new server and the logs of the working config on the old server. It seems that the authorizationURL is empty on the new server. Weird fact: I am unable to register the client for our OP provider oidc.surfconext.nl with the normal URL. There is no prompt for client ID and secret. If I use the well-known endpoint, I get prompted for client ID and secret and client registration is successful! However, the authorization URL is empty.

Ad 2: On the new server: latest version. On the old server: I don't know exactly; I installed the OXD client in March 2017, so it is an older version.

Ad 3: Thanks, I will use that.

Ad 4: If I switch to Redis, will I be able to edit the client configs more easily? For example, I would like to look through the database records and change values like the authorization URL or token. This was easy on the old server, because all configs were stored in JSON files. I was able to play with the values in these files to get things working... Now I am kind of lost as to where to change / update client configs. I hope you can help me through these final steps! Maybe I can change / hardcode the authorization URL somewhere?

Kind regards... Floris

By Jajati Badu Account Admin 27 Jan 2018 at 12:51 p.m. CST

Hi Floris,

Looks like some issue in your OP provider oidc.surfconext.nl. Though it has a registration_endpoint, it seems it does not allow dynamic client registration and throws a "Forbidden" error. You may need to check why your OP provider's registration_endpoint (https://oidc.surfconext.nl/register) throws a "Forbidden" error.

The oxd WordPress plugin does not ask for Client ID and Client Secret because it finds a registration_endpoint in the OP's .well-known/openid-configuration endpoint and tries Dynamic Registration, which gets "You don't have permission to access /register on this server." as the response from the OP. If you have admin access to your OP provider oidc.surfconext.nl, you may disable the registration_endpoint, after which the oxd WordPress plugin will ask you to manually enter Client ID and Client Secret. We may need to modify the plugin if you have no admin access to the OP provider to disable "registration_endpoint" or to investigate/fix why "registration_endpoint" throws a Forbidden error.

**Regarding your log files from the Google Doc**

- **Step 2: register OXD client with OP URL: well-known endpoint**: The OP host URL you have provided is not a valid OP host URL. It got successfully registered because the application tried to search for the registration_endpoint at https://ophosturl/well-known/openid-configuration (https://oidc.surfconext.nl/.well-known/openid-configuration/well-known/openid-configuration). As the plugin could not find the registration_endpoint at https://oidc.surfconext.nl/.well-known/openid-configuration/well-known/openid-configuration, it considered that the OP does not support dynamic registration and asked for Client ID and Client Secret. So, in summary, step 2 in the Google doc will never work due to the invalid OP host URL.
- **Regarding "Working config on old server"**: Have you tried to Register Site using the old oxd-server and OP Host URL https://oidc.surfconext.nl? If you try to register the Site using the old oxd-server and OP Host URL https://oidc.surfconext.nl, you will get the same "Forbidden" error due to some settings in your OP.

Thanks, Jajati
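As an added example, not oxd or plugin code, the following Python sketch shows the decision described in the reply above: build the discovery URL from the issuer (rejecting an "OP host" that already carries the well-known path, which produces the doubled URL seen in the Google doc), then fall back to operator-supplied credentials when the advertised registration_endpoint refuses registration. The issuer op.example, the discovery document and the probe callable are constructed for this example.

```python
import json
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed discovery document modelled on the thread: the OP advertises a
# registration_endpoint, but that endpoint answers 403 to registration attempts.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://op.example",
    "authorization_endpoint": "https://op.example/authorize",
    "token_endpoint": "https://op.example/token",
    "registration_endpoint": "https://op.example/register",
})


def discovery_url(op_host: str) -> str:
    """Build the discovery URL from the issuer host the operator typed in.
    Refuses a host that already ends in the well-known path: appending it
    again yields .../openid-configuration/.well-known/openid-configuration,
    a URL no OP serves, so discovery silently finds no registration_endpoint."""
    parts = urlsplit(op_host if "://" in op_host else "https://" + op_host)
    path = parts.path.rstrip("/")
    if path.endswith(WELL_KNOWN):
        raise ValueError("OP host must be the issuer, not the discovery URL")
    return urlunsplit((parts.scheme, parts.netloc, path + WELL_KNOWN, "", ""))


def registration_mode(discovery_json: str, probe) -> str:
    """Return 'dynamic' if the OP both advertises a registration_endpoint and
    accepts registration there, else 'manual' (ask the operator for the
    client_id/client_secret the OP issued out of band). probe(url) is a
    hypothetical callable returning the HTTP status of a registration
    attempt, injected so the example runs offline."""
    doc = json.loads(discovery_json)
    endpoint = doc.get("registration_endpoint")
    if not endpoint:
        return "manual"          # no endpoint advertised: clearly manual
    status = probe(endpoint)
    if status in (200, 201):     # RFC 7591 returns 201 Created on success
        return "dynamic"
    return "manual"              # advertised but refused (e.g. 403): fall back


if __name__ == "__main__":
    print(discovery_url("https://oidc.surfconext.nl"))
    print(registration_mode(SAMPLE_DISCOVERY, lambda url: 403))
```

Checking the status of a registration attempt, rather than only the presence of the key in the discovery document, is what lets a plugin prompt for manual credentials on an OP like the one in this thread.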

By Floris Leurink user 31 Jan 2018 at 3:48 a.m. CST

Thanks for your answers. I will discuss this with the OP provider and will update the ticket when I have new info. Kind regards, Floris

By Floris Leurink user 06 Feb 2018 at 4:23 a.m. CST

Ok, I have discussed this with our OP provider and they can confirm the issue that you have described: the OP host has a registration_endpoint but it does not allow dynamic client registration and throws a "Forbidden" error. However, they will not be able to fix this in the short term. So my next question would be: can we try out the solution you have suggested: "We may need to modify the plugin, if you have no admin access to the OP provider to disable registration_endpoint"? What do we need to change in order to be able to register a client through the WordPress plugin within the OXD server with a client key and secret, but without dynamic registration on the OP host? Our client has already been registered manually by the OP provider. Thanks in advance!

By Jajati Badu Account Admin 06 Feb 2018 at 6:52 a.m. CST

Hi Floris, because the OP provider has a registration_endpoint, the current plugin does not ask for Client ID and Client Secret. We may need to modify the plugin for this kind of situation. Kind Regards, Jajati

By Floris Leurink user 06 Feb 2018 at 6:57 a.m. CST

Thanks, what needs to be changed? If it is a few lines of code I can do it myself.

By Jajati Badu Account Admin 06 Feb 2018 at 8:30 a.m. CST

Hi Floris, I will check this with our plugin developer and will get back to you ASAP. Kind Regards, Jajati

By Floris Leurink user 14 Feb 2018 at 11:02 a.m. CST

Hi, I have updated some of my config settings and have some new information: my client seems to be functioning properly now, but there is a problem with the access_token hash. Can you please check out the information in this link? https://docs.google.com/document/d/19PXzgtwF0J_zsmlmWVcDj1RKrO2F_1Ebf37XL4ir00Q/edit This file contains our OP provider details, our OXD-server and OXD-client configs and the OXD-server logs. I have marked in red the error in the log where the authentication process seems to fail. Thanks in advance! Kind regards, Floris