By: Julien Chezeaux user 30 Jun 2020 at 2:55 p.m. CDT

4 Responses
Julien Chezeaux gravatar
Hello, I'm trying to use the oxTrust REST API described [here](https://gluu.org/docs/gluu-server/api-guide/oxtrust-api). I had success adding an OpenID Scope, and changing some attributes. However I'm currently stuck with 3 API requests: - Changing the SMTP configuration with /api/v1/configuration/smtp. All the configuration is correct, except the password, which is not defined (it is displayed as "blank field" when I access the SMTP configuration through the web interface) - Creating an OpenID client with /api/v1/clients. The client can be created, but without a secret (also displayed as blank field in the web interface). Its seems that it expects an "encodedClientSecret", but how is it encoded? - Creating an user with /api/v1/users. The user can be created, but how can I add other "gluuPerson" attributes? In these 3 API requests, I get a 200 or 201 response, and the object is created or modified, but not fully. This leads me to some more general questions: - Do I use the right APIs? I choose the oxTrust API because it seemed to be the more complete in the doc (it can alter system configuration, OpenID configuration, and manage internal LDAP users). The point is not having neither a too complex API (I'm currently scripting with bash, meaning I don't have access to a complete client library to use a complex API), nor having to manage different API systems for different tasks - Did I miss some documentation? I checked the official doc mentionned, this support portal, and dove into the source code of oxTrust, OxTrust-API and OxCore, but I still can make this work. I also went playing with /opt/opendj/bin/encode-password but realized that SMTP config stored in LDAP was not using any of the supported scheme... - Do you offer other ways to automate the setup of a Gluu system? The goal is to integrate Gluu into our Dockerized application. I've already replaced the reverse-proxy by ours, managed to distribute the HTTPS certificates to oxtrust/oxauth... Getting a functional Gluu system is OK for our basic authentication needs (for now), but automate the installation to be able to deploy an instance of our application in seconds is another thing! So I'd be glad to get your view on this topic (both for the detail and the general approach). Thanks.

By Michael Schwartz staff 05 Jul 2020 at 4:01 p.m. CDT

Michael Schwartz gravatar
Maybe you should setup a call to discuss your requirements. This sounds like a project for a commerical costumer. Gluu is a business, not a charity for large organizations who want free software, and free technical support. We'd be happy to chat, and if there us a potential business opportunity, we can assign your questions to an engineer. If there is no business opportunity, and you just want "free", then I suggest you read the docs and code on GitHub, and post your answers here so others in the community can benefit in the future.

By Julien Chezeaux user 06 Jul 2020 at 5:06 a.m. CDT

Julien Chezeaux gravatar
Ok, I've scheduled a meeting to discuss business opportunity.

By Michael Schwartz staff 06 Jul 2020 at 10:36 a.m. CDT

Michael Schwartz gravatar
I see it. Thanks for scheduling.

By Michael Schwartz staff 08 Jul 2020 at 9:27 a.m. CDT

Michael Schwartz gravatar
For user management you need [SCIM](https://tools.ietf.org/html/rfc7644#section-3.2) For example: https://your-server/identity/restv1/scim/v2/Users You can see the scim endpoints on the config url: https://your-server/.well-known/scim-configuration There is a [node client](https://github.com/GluuFederation/SCIM-Node) Also, please read the docs: [https://gluu.org/docs/gluu-server/4.1/user-management/scim2/](https://gluu.org/docs/gluu-server/4.1/user-management/scim2/) 2. My recommendation is not to use the built-in password reset. The risk of priviledge escalation is too high. For example, if there is an attack against `/identity` and the hacker can escalate privledge, then the hack could configure the OpenID or SAML components. First, you could build your own reset mechanism and use SCIM to set the data. Second, there is a [registration](https://github.com/GluuFederation/oxAuth/tree/master/Server/integrations/registration) and [forgot password](https://github.com/GluuFederation/oxAuth/tree/master/Server/integrations/forgot_password) custom authn script you can look at. For example, when you send an [OpenID Authn Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest) use the `acr_values` param, which corresponds to the name of the script. 3. I think oxAuth has an SMTP server also. It might not have an API for config in oxTrust, in which case you could also write the config using LDIF and an ldapmodify command.