By: Benedikt Schmeitz user 11 Feb 2018 at 3:36 p.m. CST

6 Responses
Problem: cannot connect oxd-python with a pre-registered client.

I pre-registered an OpenID Connect client from the Gluu GUI. Using the exposed Inum as client_id within the oxd-python configuration, as mentioned [here](https://github.com/GluuFederation/oxd-python/blob/master/sample.cfg), results in:

1. (dynamicRegistrationEnabled: false) internal server error
2. (dynamicRegistrationEnabled: true) registers a new dynamic client. -> cannot access scopes with "Allow for dynamic registration: false"

Questions:

- A: How to retrieve the client_id from the Gluu GUI?
- B: How to approve a dynamically registered client?

By Michael Schwartz Account Admin 11 Feb 2018 at 8:16 p.m. CST

A few suggestions:

1. View the client in oxTrust (openid / clients menu), and make sure you explicitly release the desired scopes.
2. You don't need to register a client unless you are using oxd-web. If you are running oxd on localhost, it uses sockets, and you won't need to present an OAuth client=grant access token to call the oxd APIs.
3. The python demo app has moved to a new project: [oxd-python-demo-app](https://github.com/GluuFederation/oxd-python-demo-app)

By Jajati Badu Account Admin 12 Feb 2018 at 2:17 a.m. CST

Hi Benedikt,

I can see you are using Gluu server 3.1.2, and oxd server 3.1.2 is not yet released. If you are using oxd-server v3.1.1, we need to check whether oxd-server 3.1.1 is compatible with Gluu server 3.1.2.

Also, could you please share the oxd-server log file so we can investigate the issue? Location: /var/log/oxd-server.log

Kind Regards,
Jajati

By Benedikt Schmeitz user 12 Feb 2018 at 6:04 a.m. CST

Thanks for those fast answers. Dynamic client registration works fine, but I'm not able to access user attributes with "Allow for dynamic registration: false". This seems to be the intended behavior.

What I tried:

### add those scopes via gluu GUI (like @Michael mentioned in 1.)

my oxd-python config file

```
[oxd]
host = localhost
port = 8099
id = d42912b6-632b-4392-8ccb-7a0ee287b610

[client]
authorization_redirect_uri = http://localhost:8000/my_userview/callback/
post_logout_redirect_uri = http://localhost:8000/my_userview/hallo/
; scope = openid,profile,uma_protection,email,address,clientinfo
client_name = dynamic client test february 12
```

What happened:

- 1.1. oxd-python config scope commented out
  - this works perfectly.
- 1.2. oxd-python config scope given.
  - overrides the scopes manually configured via gluu GUI.
  - **I think this is a bug.** The client should not have the permission to override my manual gluu GUI configuration.

### manually registered a client

- oxd-python with client_id = client Inum (from gluu GUI)
- I'm not able to connect. oxd-python dynamically registers a new client or raises an internal error (if dynamicRegistrationEnable: false)

By Jajati Badu Account Admin 12 Feb 2018 at 8:21 a.m. CST

Hi Benedikt,

This issue is not reproducible for us. One more note: your client application URL should be https and a host name like https://client.example.com

(Allow for dynamic registration: false)

1. Created OpenID client in Gluu server with 3 scopes
2. Entered ClientId, Client secret and 5 scopes in oxd-python configuration file
4. When I registered the client, the registration in oxd-server was a success. But the Gluu server scopes were the same. Just 3 scopes like before.
5. Tried to update the scopes using the Update site method. But that threw an error because the OP's (OpenID Provider) Dynamic registration was disabled.

In summary:

- If your OP's Dynamic Registration is enabled and you try to register a client using oxd-python/oxd-server, the process will create one entry in oxd server and one entry (Create Client) in Gluu server.
- If the OP's Dynamic Registration is disabled, you need to manually enter ClientId and Client secret in the configuration file. Register client will then create one entry in oxd-server only. There will be no communication to the OP.

Could you please provide us the log file and steps to reproduce the issue you are having?

Kind Regards,
Jajati

By Benedikt Schmeitz user 12 Feb 2018 at 12:12 p.m. CST

From your last answer I noticed my mistake. Configuring oxd-python needs:

- client_id = Inum from Gluu GUI
- client_secret = secret from Gluu GUI
- authorization_redirect_uri = one of the configured authorization_redirect_uris from the Gluu GUI
- [optional] scopes = ...

I missed the entry client_secret. This results in a new entry in oxd server and one entry in Gluu server. What I expected was only a new entry in oxd server + error code missing/invalid client_secret. This might be intended for security reasons? But kind of unexpected for me.

I would love a pre_registered_client = true flag + verbose error log for this situation. Maybe I just missed the documentation for oxd-python and pre-registered clients. Does it exist?
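
A pre-flight check for the misconfiguration described in this thread, as an added example that is not part of the original posts and not oxd-python code. It parses the config format shown above with the standard library only; the function name `check_preregistered_config`, the `released_scopes` parameter and the placeholder Inum are assumptions, while the key names are the ones used in the thread.

```python
import configparser
from urllib.parse import urlparse


def check_preregistered_config(cfg_text, released_scopes):
    """Return findings for a config meant to use a client pre-registered in the GUI."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    client = cfg["client"] if cfg.has_section("client") else {}
    findings = []

    # Both values must be copied from the GUI entry. In the thread, a client_id
    # without client_secret led to a new client entry instead of an error.
    has_id = bool(client.get("client_id", "").strip())
    has_secret = bool(client.get("client_secret", "").strip())
    if has_id != has_secret:
        missing = "client_secret" if has_id else "client_id"
        findings.append(f"{missing} missing: pre-registered client needs both")
    elif not has_id:
        findings.append("no client_id/client_secret: no pre-registered client configured")

    # The redirect URI should be https with a host name (see the reply above).
    uri = urlparse(client.get("authorization_redirect_uri", ""))
    if uri.scheme != "https" or uri.hostname in (None, "localhost"):
        findings.append("authorization_redirect_uri is not https with a host name")

    # Scopes requested in the file should stay within what was released in the GUI.
    requested = {s.strip() for s in client.get("scope", "").split(",") if s.strip()}
    extra = sorted(requested - set(released_scopes))
    if extra:
        findings.append("scope requests more than released: " + ",".join(extra))
    return findings


# Constructed sample: client_id set, client_secret forgotten, http redirect URI.
SAMPLE = """
[oxd]
host = localhost
port = 8099

[client]
client_id = PLACEHOLDER-INUM
authorization_redirect_uri = http://localhost:8000/my_userview/callback/
scope = openid,profile,email,address
"""

if __name__ == "__main__":
    for finding in check_preregistered_config(SAMPLE, ["openid", "profile", "email"]):
        print("FINDING:", finding)
```
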

By William Lowe user 12 Feb 2018 at 12:57 p.m. CST

Thanks for the recommendation, Benedikt. [New issue opened](https://github.com/GluuFederation/oxd/issues/155) and we will add support in oxd 3.1.2