By: Paul Frame user 20 Feb 2015 at 4:50 p.m. CST

6 Responses
I am using an old wordpress plugin as a base for client authentication. Everything works fine until I use the "code" to request a token. I send the following to the token endpoint:

    [code] => code-received-goes-here
    [client_id] => @!proper.id.of.theclient
    [client_secret] => supersecretpassword
    [redirect_uri] => http://myopenidclient.com/wp-admin/admin-ajax.php?action=openidconn-callback
    [grant_type] => authorization_code

And the server responds with:

    {"error":"invalid_client","error_description":"Client authentication failed (e.g. unknown client, no client authentication included, or unsupported authentication method)."}

I am trying really hard to understand the authorization process and whatnot and have gone over the API, but I haven't got a clue what is causing this error. Any ideas? Also, in Gluu on the client edit page, is "update password" equivalent to updating the "client secret"?

By Mohib Zico staff 21 Feb 2015 at 1:30 a.m. CST

Hi Paul, Can you please check if your client is available in your Gluu server? Here is [how](http://www.gluu.org/docs/admin-guide/oxTrust/oauth2/) you can check that.

By Paul Frame user 23 Feb 2015 at 11:53 a.m. CST

My Client is definitely set up:

========================================================================================
Inum: @!A561.3AD5.2A5B.C236!0001!3392.EE0C!0008!EDE1.0E9D
Display Name*: plugintestmanualSubmit
Application Type*: Web
Algorithm*: HS256
Pre-Authorization*: Enabled <~ (not entirely sure what this means)
Authentication method: client_secret_basic
Redirect Login URIs:
    http://staging.lds.net/plugintest/wp-admin/admin-ajax.php?action=openidconn-callback
    https://seed.gluu.org/oxauth-rp/home.seam
    http://staging.lds.net/plugintest/wp-admin/admin-ajax.php
Redirect Logout URIs: <none yet>
Scopes: email, openid, phone, user_name
Response Type: Authorization Code Grant Type, Implicit Grant Type, ID Token
Authorized Groups: Gluu Manager Group, testGroup
========================================================================================

And here is what I am having my PHP spit out when it encounters the error:

The Request:

    request=https://auth.rubenator.com/oxauth/seam/resource/restv1/oxauth/token::Array
    (
        [code] => 72f80e52-6a7d-4656-9231-70b10f35ee5e
        [client_id] => @!A561.3AD5.2A5B.C236!0001!3392.EE0C!0008!EDE1.0E9D
        [client_secret] => test
        [redirect_uri] => http://staging.lds.net/plugintest/wp-admin/admin-ajax.php?action=openidconn-callback
        [grant_type] => authorization_code
    )

The Response:

    result=Array
    (
        [headers] => Array
            (
                [date] => Mon, 23 Feb 2015 17:43:14 GMT
                [server] => Apache/2.4.7 (Ubuntu)
                [www-authenticate] => Basic realm="oxAuth"
                [content-type] => application/json;charset=ISO-8859-1
                [content-length] => 586
                [set-cookie] => JSESSIONID=F2B022FB18AC1CB138D62752C7CAB69E; Path=/oxauth/; Secure; HttpOnly;HttpOnly
                [connection] => close
            )
        [body] => {"error":"invalid_client","error_description":"Client authentication failed (e.g. unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the Authorization request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code, and include the WWW-Authenticate response header field matching the authentication scheme used by the client."}
        [response] => Array
            (
                [code] => 401
                [message] => Unauthorized
            )
        [cookies] => Array
            (
                [0] => WP_Http_Cookie Object
                    (
                        [name] => JSESSIONID
                        [value] => F2B022FB18AC1CB138D62752C7CAB69E
                        [expires] =>
                        [path] => /oxauth/
                        [domain] => auth.rubenator.com
                        [secure] =>
                        [httponly] =>
                    )
            )
        [filename] =>
    )

By Mohib Zico staff 24 Feb 2015 at 3:34 a.m. CST

>> {"error":"invalid_client","error_description":"Client authentication failed (e.g. unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the Authorization request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code, and include the WWW-Authenticate response header field matching the authentication scheme used by the client."}

Interesting... you have the client in the IDP and you are getting "invalid_client" in the response. I will talk to some folks here for more suggestions...

By Paul Frame user 24 Feb 2015 at 1:24 p.m. CST

Is there a log I can/should look at? Which one?

By Paul Frame user 25 Feb 2015 at 1:26 p.m. CST

It's because I'm sending the client and secret over a POST. Changing the authentication method to client_secret_post fixed this problem.
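The mismatch Paul hit is between the token_endpoint_auth_method registered for the client (client_secret_basic, which means an HTTP Authorization: Basic header) and the way the plugin actually sent the credentials (client_id and client_secret as POST form fields, which is client_secret_post). The following is an added example, not code from the thread, the WordPress plugin or Gluu's oxAuth: it builds an authorization_code token request both ways and then runs a minimal server-side check that enforces the registered method, so you can see exactly why the POST-style request is rejected with 401 invalid_client. The registered client, secret, code and redirect URI are constructed placeholders (the inum only mirrors the format shown above). It also covers a detail that bites Gluu clients in particular: RFC 6749 section 2.3.1 requires the id and secret to be form-urlencoded before they are joined and base64-encoded, and a Gluu inum contains "@" and "!" characters that must be encoded.

```python
import base64
import hmac
from urllib.parse import parse_qs, quote, unquote, urlencode

# Constructed sample registration: the inum format mirrors the thread, the
# secret and the registered auth method are placeholders for the example.
REGISTERED_CLIENT = {
    "client_id": "@!A561.3AD5.2A5B.C236!0001!3392.EE0C!0008!EDE1.0E9D",
    "client_secret": "test",
    "token_endpoint_auth_method": "client_secret_basic",
}

INVALID_CLIENT = {
    "error": "invalid_client",
    "error_description": "Client authentication failed (e.g. unknown client, "
                         "no client authentication included, or unsupported "
                         "authentication method).",
}


def basic_auth_header(client_id, client_secret):
    """Build the client_secret_basic credential (RFC 6749 section 2.3.1).

    The id and secret are form-urlencoded *before* being joined with ':' and
    base64-encoded. A Gluu inum contains '@' and '!', so skipping this step
    yields a header the server cannot map back to the registered client_id.
    """
    creds = quote(client_id, safe="") + ":" + quote(client_secret, safe="")
    return "Basic " + base64.b64encode(creds.encode("utf-8")).decode("ascii")


def parse_basic_auth(header_value):
    """Inverse of basic_auth_header. Returns (client_id, client_secret) or None."""
    if not header_value.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header_value[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    if ":" not in raw:
        return None
    enc_id, enc_secret = raw.split(":", 1)
    return unquote(enc_id), unquote(enc_secret)


def build_token_request(auth_method, client_id, client_secret, code, redirect_uri):
    """Return (headers, body) for an authorization_code token request that
    authenticates the client with client_secret_basic or client_secret_post."""
    params = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if auth_method == "client_secret_basic":
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    elif auth_method == "client_secret_post":
        params["client_id"] = client_id
        params["client_secret"] = client_secret
    else:
        raise ValueError("unsupported token_endpoint_auth_method: " + auth_method)
    return headers, urlencode(params)


def authenticate_client(headers, body, registered):
    """Token-endpoint client authentication as a server performs it.

    Returns (http_status, json_payload, extra_headers). Like the oxAuth reply
    in the thread, every failure is 401 + invalid_client + WWW-Authenticate.
    """
    fail = (401, INVALID_CLIENT, {"WWW-Authenticate": 'Basic realm="oxAuth"'})
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

    from_header = parse_basic_auth(headers.get("Authorization", ""))
    from_body = None
    if "client_id" in form and "client_secret" in form:
        from_body = (form["client_id"], form["client_secret"])

    # RFC 6749 section 2.3: a client MUST NOT use more than one method per request.
    if from_header and from_body:
        return fail
    if from_header:
        method, (client_id, secret) = "client_secret_basic", from_header
    elif from_body:
        method, (client_id, secret) = "client_secret_post", from_body
    else:
        return fail  # no client credentials at all

    # The check the thread tripped over: the presented method must be the one
    # registered for this client, not merely one the server supports.
    if method != registered["token_endpoint_auth_method"]:
        return fail
    if client_id != registered["client_id"]:
        return fail
    # Constant-time comparison so response timing cannot leak the secret.
    if not hmac.compare_digest(secret.encode("utf-8"),
                               registered["client_secret"].encode("utf-8")):
        return fail
    return 200, {"authenticated_client": client_id}, {}


if __name__ == "__main__":
    cid, sec = REGISTERED_CLIENT["client_id"], REGISTERED_CLIENT["client_secret"]
    for method in ("client_secret_post", "client_secret_basic"):
        h, b = build_token_request(method, cid, sec, "code-from-callback",
                                   "http://client.example/wp-admin/admin-ajax.php?action=openidconn-callback")
        status, payload, extra = authenticate_client(h, b, REGISTERED_CLIENT)
        print(method, "->", status, payload, extra)
```

Run stand-alone it prints 401 for the client_secret_post request and 200 for the client_secret_basic one against a client registered as client_secret_basic; flip the registered method to client_secret_post and the results swap, which is the change Paul made in oxTrust. The other fix would have been to leave the registration alone and send the Authorization header from the plugin, which is the better default because the secret then never appears in request bodies that proxies and application logs tend to record.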

By Mohib Zico staff 26 Feb 2015 at 5:31 a.m. CST

Oh great!! Learned a new thing. Thanks a bunch for sharing, Paul. Please keep testing and let us know the problem if you face any. Your suggestion is really valuable for us. Kind regards, Zico