Hi, Just learning how to use the Gluu server specifically the OAuth/UMA/OpenID connect support. Still a little muddled about which standard is used for what and how they play together. Therefore I decided to create a driving script for the OpenID and UMA APIs so I could learn. The script does this... * Gets the endpoints using .well-known/openid-configuration. * Registers a client * Obtains an access token for the registered client. I cannot get step 3 to work. It doesn't matter what I try. I either get this error.... ``` {"error":"invalid_request","error_description":"The request is missing a required parameter, includes an unsupported parameter or parameter value, repeats a parameter, includes multiple credentials, utilizes more than one mechanism for authenticating the client, or is otherwise malformed."} ``` or this....(if I change the client to use `client_secret_basic`) ``` {"error":"invalid_client","error_description":"Client authentication failed (e.g. unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the Authorization request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code, and include the WWW-Authenticate response header field matching the authentication scheme used by the client."} ``` I'm guessing I'm doing something fundamentally wrong because most changes I make do nothing. Also is there an example of using the APIs to register a client, obtain an access token, and use UMA to protect access to some resources? Here is the script... ``` clear CLIENT_NAME=$(env LC_CTYPE=C tr -dc "a-zA-Z0-9-_\$\?" < /dev/urandom | head -c 12) CLIENT_NAME="csadmin-$CLIENT_NAME" echo "client name: $CLIENT_NAME" cat csadmin-client.json.in | sed "s/\$CLIENT_NAME/$CLIENT_NAME/" > /tmp/csadmin-client.json regep=$(curl --silent --insecure https://gluu/.well-known/openid-configuration | jshon -e registration_endpoint | sed 's/"//g') tokenep=$(curl --silent --insecure https://gluu/.well-known/openid-configuration | jshon -e token_endpoint | sed 's/"//g') \# Register a client echo -e "\n$regep" curl --silent --insecure -XPOST $regep -d@/tmp/csadmin-client.json -H"Content-Type: application/json" | tee /tmp/client-response$$ CLIENT_ID=$(cat /tmp/client-response$$ | jshon -e "client_id" | sed 's/"//g' | tr '[:lower:]' '[:upper:]') CLIENT_SECRET=$(cat /tmp/client-response$$ | jshon -e "client_secret" | sed 's/"//g') echo "Registered client ID: $CLIENT_ID, Secret $CLIENT_SECRET" \# Obtain an access token echo -e "\n$tokenep" set -x echo "grant_type=authorization_code&scope=openid&client_id=$CLIENT_ID&client_secret=$CLIENT_SECRET" > /tmp/postdata$$ curl -v -k -d@/tmp/postdata$$ $tokenep ``` Here is the client json file... ``` { "application-type": "web", "redirect_uris": [ "https://client.example.org/callback", "https://client.example.org/callback2" ], "client_name": "$CLIENT_NAME", "token_endpoint_auth_method": "client_secret_post", "response_types": ["code","token","id_token"], "grant_types": ["authorization_code","implicit","refresh_token","client_credentials"] } ``` Any help would be grately appreciated. I'm trying to understand how to use OAuth,OpenID, and UMA to protect user resources on a SaaS offering. Regards, Jeff.