By: Floris Leurink user 26 Jan 2018 at 3:41 p.m. CST

10 Responses
Floris Leurink gravatar
Hi, I am trying to migrate some Wordpress applications from one server to another. On the old server, I have installed OXD-server, with working OXD-clients. I am able to authenticate with the Wordpress plugin. This is an older OXD version: the client configurations are stored in json format: e.g. 1234252-125532532-2232323-32623632.json. I am trying to migrate these clients to the new server. However: a newer version of OXD is installed there and the configuration seems to be stored in H2 in db file. I copied the json of the client to a migration folder and I checked the logs and can verify that the RPs have been migrated. However, I am unable to see the Login with OpenID provider button in de Worpdress login screen with all settings identical to the clients on the older working version. I really need some help to be able to register a working OpenID client. Can you answer the following questions for me: my OP does not support dynamic client registration. I have a clientID and a secret ID and configuration endpoint. But it is impossible to register this client with the OP url, because there is no option to enter clientID and secret (this is possible when I register accounts.google.com). When I enter the custom OP host, there is no option to enter client id / secret. How do you suggest I proceed in the case? I cannot edit the client configs manually, because they are stored in the H2 db file. In the wordpress table, I have manually entered the correct OXD client ID and config but the login with OpenID provider button is not showing up? Thanks in advance! Kind regards Floris The Netherlands

By William Lowe staff 26 Jan 2018 at 3:49 p.m. CST

William Lowe gravatar
Hi Floris, Which OP are you using? Thanks, Will

By Yuriy Zabrovarnyy staff 27 Jan 2018 at 2:12 a.m. CST

Yuriy Zabrovarnyy gravatar
hi Floris, 1. Please provide oxd-server.log file from old server and from new server. Hopefully we will notice what is the difference. In general response from `get_authorization_url` command must be the same (it's first place that has to be checked). 2. what oxd-client are you using? After migration to new oxd-server, did you take new client? 3. If you need to update any information for rp/site you can always do it via `update_site_registration` command 4. There is possibility to switch persistence from H2 db to redis, just in case you find it more convenient https://gluu.org/docs/oxd/3.1.1/configuration/ Thanks, Yuriy Z

By Floris Leurink user 27 Jan 2018 at 9:35 a.m. CST

Floris Leurink gravatar
Ad 1 See this link: https://docs.google.com/document/d/1yaXKip2zvScP_JiLjERpaiHELBcHTv75bhG3kYktfvQ/edit# for info regarding of logs of registration of OXD-server client on the new server and logs of working config on old server. It seems that the authorizationURL is emtpy on the new server. Weird fact: I am unable to register the client for our OP provider oidc.surfconext.nl with the normal URL. There is no prompt for clientID and secret. If I use the well-know endpoint: I get prompted for clientID and secret and client registration is successful! However, authorization URL is empty. Ad 2 On new server: latest version On old server: I don't know exactly: I installed OXD client on March 2017 so it is an older version Ad 3 Thanks: I will use that Ad 4 I I switch to Redis, will I be able to edit the client configs more easily? For example: I would like to look through the database records and change values like authorization url or token. This was easy on the old server, because all configs were stored in json files. I was able to play with the values in these files to get things working... Now I am kind of lost as to where to change / update client configs. I hope you can help me through these final steps! Maybe I can change / hardcode the authorization URL somewhere? Kind regards... Floris

By Jajati Badu Account Admin 27 Jan 2018 at 12:51 p.m. CST

Jajati Badu gravatar
Hi Floris, Looks like some issue in your Op Provider oidc.surfconext.nl . Though it has a registration_endpoint but seems it does not allow dynamic client registration. And throw "Forbidden error". You may need to check why your op provider's registration_endpoint (https://oidc.surfconext.nl/register) throws "Forbidden error". The oxd Wordpress Plugin does not ask for Client ID and Client secret because it finds registration_endpoint in the OP's .well-known/openid-configuration endpoint and trying for Dynamic Registration which gets "You don't have permission to access /register on this server." as response from the OP. If you have admin access to your OP Provider oidc.surfconext.nl, you may disable registration_endpoint after which oxd Wordpress plugin will ask to manually enter ClientId and Client Secret. We may need to modify the plugin, if you have no admin access to the Op Provider to disable "registration_endpoint" or Investigate/fix why "registration_endpoint" throws Forbidden error. **Regarding your log files from Google Doc** - **Step 2: register OXD client with OP URL: well know endpoint** The OP host url you have provided is not a valid Op Host url. And it got Sucessfully registered because application tried to search registration_endpoint from https://ophosturl/well-known/openid-configuration (https://oidc.surfconext.nl/.well-known/openid-configuration/well-known/openid-configuration) And as the plugin could not find the registration_end point from https://oidc.surfconext.nl/.well-known/openid-configuration/well-known/openid-configuration, it considered that OP does not support dynamic registration and asked for Client ID and Client Secret. So in Summary step -2 in the Google doc , will never work due to invalid Op host url - **Regarding - Working config on old server** Have you tried to Register Site using old oxd server and Op Host URL https://oidc.surfconext.nl ? If you try to register Site using old oxd-server and Op Host URL https://oidc.surfconext.nl you will get same "Forbidden" error due to some settings in your OP. Thanks, Jajati

By Floris Leurink user 31 Jan 2018 at 3:48 a.m. CST

Floris Leurink gravatar
Thanks for your answers. I will discuss this with the OP provider and will update the ticket when I have new info. Kind regards, Floris

By Floris Leurink user 06 Feb 2018 at 4:23 a.m. CST

Floris Leurink gravatar
Ok, I have discussed this with our OP provider and they can confirm the issue that you have described: the OP host has a registration_endpoint but it does not allow dynamic client registration and throws "Forbidden error". However, they will not be able to fix this on a short term. So my next question would be: can we try out the solution you have suggested: "We may need to modify the plugin, if you have no admin access to the Op Provider to disable "registration_endpoint"? What do we need to change in order to be able to register a client trough Wordpress plugin within the OXD server with a client key and secret, but without dynamic registration on OP host? Our client has already been registered manually by OP provider. Thanks in advance!

By Jajati Badu Account Admin 06 Feb 2018 at 6:52 a.m. CST

Jajati Badu gravatar
Hi Floris, Because the OP provider has a registration_endpoint, the current plugin does not ask for ClientID and Client Secret. We may need to modify the plugin for this kind of situation. Kind Regards, Jajati

By Floris Leurink user 06 Feb 2018 at 6:57 a.m. CST

Floris Leurink gravatar
Thanks, what needs to be changed? If it is a few lines of code I can do it myself.

By Jajati Badu Account Admin 06 Feb 2018 at 8:30 a.m. CST

Jajati Badu gravatar
Hi Floris, I will check this with our plugin developer and will get back to you ASAP. Kind Regards, Jajati

By Floris Leurink user 14 Feb 2018 at 11:02 a.m. CST

Floris Leurink gravatar
Hi, I have update some of my config settings and have some new information: my client seems to be functioning properly now, but I there is a problem with the access_token hash. Can you please check out the information in this link? https://docs.google.com/document/d/19PXzgtwF0J_zsmlmWVcDj1RKrO2F_1Ebf37XL4ir00Q/edit This file contains our OP provider details, our OXD-server and OXD-client configs and the OXD-server logs. I have marked red the error in the log where the authentication process seems to fail. Thanks in advance! Kind regards, Floris