Client is not receiving the data, can I see a log of the Gluu responses which is returning the claim data?

By: Neemesh Patel user 28 Oct 2016 at 10:55 a.m. CDT

7 Responses
Neemesh Patel gravatar
This is related to the two tickets I previously raised: - [3285](https://support.gluu.org/single-sign-on/3285/logging-temporarily-the-information-released-to-a-relying-party/) - [3372](https://support.gluu.org/other/3372/releasing-an-organisation-name-to-the-client/) A very short sumary of the issues is "We believe a scope has been released to a client, but the client is saying they are not seeing the response when requesting the scope". I am trying to release the organization name to one of our clients. As far as I know, I have configured Gluu to do so but the system administrator for the client, is saying they're not seeing any information for that claim on their side. So ideally I need to see the JSON responses from Gluu to the client that has all the release information to see if we are or are not sending data. We have other scopes being released to them which are coming through, so it's just this particular one that seems to not be working. In ticket #3285 I was pointed at the logs documentation, but the ticket was closed quickly and I didn't really have a chance to try what I was pointed at. I eventually figured out the problem in that instance which was I wasn't releasing the openid scope, so I didn't think too much about the log changes needed (until now where I have a similar problem on another scope and have the need agains to try and look at the information being sent to them). I have set the log4j.xml file to an "ALL" log level, but I don't seem to see where the JSON responses are being logged even after changing that and restarting the gluu server. A snippet below is included of the log4j.xml lines I changed from a log level of "INFO" to "ALL". Have I set what is needed to log JSON responses or is there another method I should be using? If I have changed the log correctly, which log file should contain this information as I can't seem to see them (I basically need to see if there is any orgname data getting back to them)? I can only see the initial authorize along with the scope names being requested (i.e. "scope=openid+orgname"), not the actual JSON response to that request that is sent back to them. ``` <!-- ================ --> <!-- OX loggers --> <!-- ================ --> <logger name="org.xdi.oxauth.service.status.ldap" additivity="false"> <level value="ALL"/> <appender-ref ref="OX_PERSISTENCE_LDAP_STATISTICS_FILE" /> </logger> <logger name="org.xdi.service.PythonService" additivity="false"> <level value="ALL"/> <appender-ref ref="OX_SCRIPT_LOG_FILE" /> </logger> <logger name="org.xdi.service.custom.script" additivity="false"> <level value="ALL"/> <appender-ref ref="OX_SCRIPT_LOG_FILE" /> </logger> <logger name="org.xdi.oxauth.service.custom" additivity="false"> <level value="ALL"/> <appender-ref ref="OX_SCRIPT_LOG_FILE" /> </logger> ``` In regards to how I've set up the "orgname" scope and the client:- - In the attributes there is an existing "o" attribute (which has a display name of "Organization i-number"). This is active, the view type is set to admin & user, the edit type is admin. - In the openID connect scopes, I created a new scope (as an existing one didn't look to exist that pointed to the "o" attribute). I called this "orgname", set the scope type to Openid, Default scope = false, and the added the claim "Organization i-number". - In the client configuration I added the scope "orgname". Any help or advice is appreciated
U1404
closed

Answers

By Michael Schwartz Account Admin 28 Oct 2016 at 10:59 a.m. CDT

Copy
Michael Schwartz gravatar
It is very unusual. It does look like you are doing everything right. Can you post the request and response?

By Neemesh Patel user 31 Oct 2016 at 5:44 a.m. CDT

Copy
Neemesh Patel gravatar
Hi Mike, I'm afraid I don't know where in the logs I can see the openID response. Could you point me at how I can see those responses on the Gluu server? In regards to the request, below is from var/logs/apache2/other_vhosts_access.log which shows the scopes being requested. Would this be enough information or would another log snippet from another location provide you with more information? - "mycompany.co.uk" is the identity provider - "auth.sandbox.client.info" is the client connecting and requesting the scopes Thanks ``` mycompany.co.uk:443 192.41.10.40 - - [31/Oct/2016:10:13:31 +0000] "GET /oxauth/seam/resource/restv1/oxauth/authorize?nonce=KFChJXyzAJwbLaGFYrhTYH7w-x55q9e4UQsRKV9eY61Y&state=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyZnAiOiJJRUx3ZXRJR0RNMFp4ZHNvNW9oMFBfSEMiLCJjbGllbnRfaWQiOiI4OWJhM2U3Mi03NjhmLTRkZGItOTUyZC1lMGJiNzMwNWUyYzciLCJmbG93IjoibG9naW4iLCJhdXRoX3Byb3ZpZGVyX2lkIjo1MDE3LCJleHAiOjE0Nzc5MTA2MDQsImNvbnRpbnVlX3RvIjpbIi92Mi9vYXV0aDIvYXV0aG9yaXplP2NsaWVudF9uYW1lPWdsb2J1c193ZWJhcHAmc3RhdGU9dHZvdjZiMnFycG8mcmVkaXJlY3RfdXJpPWh0dHBzJTNBJTJGJTJGc2FuZGJveC5nbG9idXNjcy5pbmZvJTJGYXBwJTJGbG9naW4mcmVzcG9uc2VfdHlwZT10b2tlbiZjbGllbnRfaWQ9ODliYTNlNzItNzY4Zi00ZGRiLTk1MmQtZTBiYjczMDVlMmM3JnNjb3BlPXVybiUzQWdsb2J1cyUzQWF1dGglM0FzY29wZSUzQWF1dGguZ2xvYnVzLm9yZyUzQXZpZXdfaWRlbnRpdGllcyt1cm4lM0FnbG9idXMlM0FhdXRoJTNBc2NvcGUlM0FuZXh1cy5hcGkuZ2xvYnVzLm9yZyUzQWdyb3Vwcyt1cm4lM0FnbG9idXMlM0FhdXRoJTNBc2NvcGUlM0F0cmFuc2Zlci5hcGkuZ2xvYnVzLm9yZyUzQWFsbCZyZWRpcmVjdF9uYW1lPUdsb2J1cytXZWIrQXBwIl19.nPuzG3Syo5goxj1Zvmg58fkfAWxrm4Gb3c_R-1HyHkI&redirect_uri=https%3A%2F%2Fauth.sandbox.client.info%2Fp%2Fauthenticate%2Fcallback&response_type=code&client_id=%40%21DF5D.95BC.627B.BEB6%210001%219A77.81F1%210008%21C952.1A2B&scope=openid+user_name+email+display_name+orgname&access_type=online HTTP/1.0" 302 3123 "https://auth.sandbox.client.info/p/login?client_name=globus_webapp&state=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyZnAiOiJJRUx3ZXRJR0RNMFp4ZHNvNW9oMFBfSEMiLCJmbG93IjoibG9naW4iLCJjb250aW51ZV90byI6WyIvdjIvb2F1dGgyL2F1dGhvcml6ZT9jbGllbnRfbmFtZT1nbG9idXNfd2ViYXBwJnN0YXRlPXR2b3Y2YjJxcnBvJnJlZGlyZWN0X3VyaT1odHRwcyUzQSUyRiUyRnNhbmRib3guZ2xvYnVzY3MuaW5mbyUyRmFwcCUyRmxvZ2luJnJlc3BvbnNlX3R5cGU9dG9rZW4mY2xpZW50X2lkPTg5YmEzZTcyLTc2OGYtNGRkYi05NTJkLWUwYmI3MzA1ZTJjNyZzY29wZT11cm4lM0FnbG9idXMlM0FhdXRoJTNBc2NvcGUlM0FhdXRoLmdsb2J1cy5vcmclM0F2aWV3X2lkZW50aXRpZXMrdXJuJTNBZ2xvYnVzJTNBYXV0aCUzQXNjb3BlJTNBbmV4dXMuYXBpLmdsb2J1cy5vcmclM0Fncm91cHMrdXJuJTNBZ2xvYnVzJTNBYXV0aCUzQXNjb3BlJTNBdHJhbnNmZXIuYXBpLmdsb2J1cy5vcmclM0FhbGwmcmVkaXJlY3RfbmFtZT1HbG9idXMrV2ViK0FwcCJdLCJleHAiOjE0Nzc5MTA2MDR9.YywrMY6U4qBBG7SlBZbLebTamHwX3GyHlpkOgv034oQ&redirect_uri=https%3A%2F%2Fsandbox.client.info%2Fapp%2Flogin&response_type=token&client_id=89ba3e72-768f-4ddb-952d-e0bb7305e2c7&scope=urn%3Aglobus%3Aauth%3Ascope%3Aauth.globus.org%3Aview_identities+urn%3Aglobus%3Aauth%3Ascope%3Anexus.api.globus.org%3Agroups+urn%3Aglobus%3Aauth%3Ascope%3Atransfer.api.globus.org%3Aall&redirect_name=Globus+Web+App" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0" mycompany.co.uk:443 192.41.10.40 - - [31/Oct/2016:10:13:31 +0000] "GET /oxauth/authorize?scope=openid+user_name+email+display_name+orgname&response_type=code&nonce=KFChJXyzAJwbLaGFYrhTYH7w-x55q9e4UQsRKV9eY61Y&redirect_uri=https%3A%2F%2Fauth.sandbox.client.info%2Fp%2Fauthenticate%2Fcallback&state=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyZnAiOiJJRUx3ZXRJR0RNMFp4ZHNvNW9oMFBfSEMiLCJjbGllbnRfaWQiOiI4OWJhM2U3Mi03NjhmLTRkZGItOTUyZC1lMGJiNzMwNWUyYzciLCJmbG93IjoibG9naW4iLCJhdXRoX3Byb3ZpZGVyX2lkIjo1MDE3LCJleHAiOjE0Nzc5MTA2MDQsImNvbnRpbnVlX3RvIjpbIi92Mi9vYXV0aDIvYXV0aG9yaXplP2NsaWVudF9uYW1lPWdsb2J1c193ZWJhcHAmc3RhdGU9dHZvdjZiMnFycG8mcmVkaXJlY3RfdXJpPWh0dHBzJTNBJTJGJTJGc2FuZGJveC5nbG9idXNjcy5pbmZvJTJGYXBwJTJGbG9naW4mcmVzcG9uc2VfdHlwZT10b2tlbiZjbGllbnRfaWQ9ODliYTNlNzItNzY4Zi00ZGRiLTk1MmQtZTBiYjczMDVlMmM3JnNjb3BlPXVybiUzQWdsb2J1cyUzQWF1dGglM0FzY29wZSUzQWF1dGguZ2xvYnVzLm9yZyUzQXZpZXdfaWRlbnRpdGllcyt1cm4lM0FnbG9idXMlM0FhdXRoJTNBc2NvcGUlM0FuZXh1cy5hcGkuZ2xvYnVzLm9yZyUzQWdyb3Vwcyt1cm4lM0FnbG9idXMlM0FhdXRoJTNBc2NvcGUlM0F0cmFuc2Zlci5hcGkuZ2xvYnVzLm9yZyUzQWFsbCZyZWRpcmVjdF9uYW1lPUdsb2J1cytXZWIrQXBwIl19.nPuzG3Syo5goxj1Zvmg58fkfAWxrm4Gb3c_R-1HyHkI&client_id=%40%21DF5D.95BC.627B.BEB6%210001%219A77.81F1%210008%21C952.1A2B HTTP/1.0" 302 486 "https://auth.sandbox.client.info/p/login?client_name=globus_webapp&state=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyZnAiOiJJRUx3ZXRJR0RNMFp4ZHNvNW9oMFBfSEMiLCJmbG93IjoibG9naW4iLCJjb250aW51ZV90byI6WyIvdjIvb2F1dGgyL2F1dGhvcml6ZT9jbGllbnRfbmFtZT1nbG9idXNfd2ViYXBwJnN0YXRlPXR2b3Y2YjJxcnBvJnJlZGlyZWN0X3VyaT1odHRwcyUzQSUyRiUyRnNhbmRib3guZ2xvYnVzY3MuaW5mbyUyRmFwcCUyRmxvZ2luJnJlc3BvbnNlX3R5cGU9dG9rZW4mY2xpZW50X2lkPTg5YmEzZTcyLTc2OGYtNGRkYi05NTJkLWUwYmI3MzA1ZTJjNyZzY29wZT11cm4lM0FnbG9idXMlM0FhdXRoJTNBc2NvcGUlM0FhdXRoLmdsb2J1cy5vcmclM0F2aWV3X2lkZW50aXRpZXMrdXJuJTNBZ2xvYnVzJTNBYXV0aCUzQXNjb3BlJTNBbmV4dXMuYXBpLmdsb2J1cy5vcmclM0Fncm91cHMrdXJuJTNBZ2xvYnVzJTNBYXV0aCUzQXNjb3BlJTNBdHJhbnNmZXIuYXBpLmdsb2J1cy5vcmclM0FhbGwmcmVkaXJlY3RfbmFtZT1HbG9idXMrV2ViK0FwcCJdLCJleHAiOjE0Nzc5MTA2MDR9.YywrMY6U4qBBG7SlBZbLebTamHwX3GyHlpkOgv034oQ&redirect_uri=https%3A%2F%2Fsandbox.client.info%2Fapp%2Flogin&response_type=token&client_id=89ba3e72-768f-4ddb-952d-e0bb7305e2c7&scope=urn%3Aglobus%3Aauth%3Ascope%3Aauth.globus.org%3Aview_identities+urn%3Aglobus%3Aauth%3Ascope%3Anexus.api.globus.org%3Agroups+urn%3Aglobus%3Aauth%3Ascope%3Atransfer.api.globus.org%3Aall&redirect_name=Globus+Web+App" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0" mycompany.co.uk:443 192.41.10.40 - - [31/Oct/2016:10:13:31 +0000] "GET /oxauth/login HTTP/1.0" 200 14834 "https://auth.sandbox.client.info/p/login?client_name=globus_webapp&state=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyZnAiOiJJRUx3ZXRJR0RNMFp4ZHNvNW9oMFBfSEMiLCJmbG93IjoibG9naW4iLCJjb250aW51ZV90byI6WyIvdjIvb2F1dGgyL2F1dGhvcml6ZT9jbGllbnRfbmFtZT1nbG9idXNfd2ViYXBwJnN0YXRlPXR2b3Y2YjJxcnBvJnJlZGlyZWN0X3VyaT1odHRwcyUzQSUyRiUyRnNhbmRib3guZ2xvYnVzY3MuaW5mbyUyRmFwcCUyRmxvZ2luJnJlc3BvbnNlX3R5cGU9dG9rZW4mY2xpZW50X2lkPTg5YmEzZTcyLTc2OGYtNGRkYi05NTJkLWUwYmI3MzA1ZTJjNyZzY29wZT11cm4lM0FnbG9idXMlM0FhdXRoJTNBc2NvcGUlM0FhdXRoLmdsb2J1cy5vcmclM0F2aWV3X2lkZW50aXRpZXMrdXJuJTNBZ2xvYnVzJTNBYXV0aCUzQXNjb3BlJTNBbmV4dXMuYXBpLmdsb2J1cy5vcmclM0Fncm91cHMrdXJuJTNBZ2xvYnVzJTNBYXV0aCUzQXNjb3BlJTNBdHJhbnNmZXIuYXBpLmdsb2J1cy5vcmclM0FhbGwmcmVkaXJlY3RfbmFtZT1HbG9idXMrV2ViK0FwcCJdLCJleHAiOjE0Nzc5MTA2MDR9.YywrMY6U4qBBG7SlBZbLebTamHwX3GyHlpkOgv034oQ&redirect_uri=https%3A%2F%2Fsandbox.client.info%2Fapp%2Flogin&response_type=token&client_id=89ba3e72-768f-4ddb-952d-e0bb7305e2c7&scope=urn%3Aglobus%3Aauth%3Ascope%3Aauth.globus.org%3Aview_identities+urn%3Aglobus%3Aauth%3Ascope%3Anexus.api.globus.org%3Agroups+urn%3Aglobus%3Aauth%3Ascope%3Atransfer.api.globus.org%3Aall&redirect_name=Globus+Web+App" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0" mycompany.co.uk:443 192.41.10.40 - - [31/Oct/2016:10:13:32 +0000] "GET /oxauth/stylesheet/company_theme.css HTTP/1.0" 304 287 "https://mycompany.co.uk/oxauth/login" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0" mycompany.co.uk:443 192.41.10.40 - - [31/Oct/2016:10:13:47 +0000] "GET /identity/ HTTP/1.0" 200 624 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0" mycompany.co.uk:443 192.41.10.40 - - [31/Oct/2016:10:13:52 +0000] "POST /oxauth/login HTTP/1.0" 302 1540 "https://mycompany.co.uk/oxauth/login" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0" mycompany.co.uk:443 192.41.10.40 - - [31/Oct/2016:10:13:55 +0000] "GET /oxauth/authorize?response_type=code&scope=openid+user_name+email+display_name+orgname&redirect_uri=https%3A%2F%2Fauth.sandbox.client.info%2Fp%2Fauthenticate%2Fcallback&nonce=KFChJXyzAJwbLaGFYrhTYH7w-x55q9e4UQsRKV9eY61Y&state=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyZnAiOiJJRUx3ZXRJR0RNMFp4ZHNvNW9oMFBfSEMiLCJjbGllbnRfaWQiOiI4OWJhM2U3Mi03NjhmLTRkZGItOTUyZC1lMGJiNzMwNWUyYzciLCJmbG93IjoibG9naW4iLCJhdXRoX3Byb3ZpZGVyX2lkIjo1MDE3LCJleHAiOjE0Nzc5MTA2MDQsImNvbnRpbnVlX3RvIjpbIi92Mi9vYXV0aDIvYXV0aG9yaXplP2NsaWVudF9uYW1lPWdsb2J1c193ZWJhcHAmc3RhdGU9dHZvdjZiMnFycG8mcmVkaXJlY3RfdXJpPWh0dHBzJTNBJTJGJTJGc2FuZGJveC5nbG9idXNjcy5pbmZvJTJGYXBwJTJGbG9naW4mcmVzcG9uc2VfdHlwZT10b2tlbiZjbGllbnRfaWQ9ODliYTNlNzItNzY4Zi00ZGRiLTk1MmQtZTBiYjczMDVlMmM3JnNjb3BlPXVybiUzQWdsb2J1cyUzQWF1dGglM0FzY29wZSUzQWF1dGguZ2xvYnVzLm9yZyUzQXZpZXdfaWRlbnRpdGllcyt1cm4lM0FnbG9idXMlM0FhdXRoJTNBc2NvcGUlM0FuZXh1cy5hcGkuZ2xvYnVzLm9yZyUzQWdyb3Vwcyt1cm4lM0FnbG9idXMlM0FhdXRoJTNBc2NvcGUlM0F0cmFuc2Zlci5hcGkuZ2xvYnVzLm9yZyUzQWFsbCZyZWRpcmVjdF9uYW1lPUdsb2J1cytXZWIrQXBwIl19.nPuzG3Syo5goxj1Zvmg58fkfAWxrm4Gb3c_R-1HyHkI&client_id=%40%21DF5D.95BC.627B.BEB6%210001%219A77.81F1%210008%21C952.1A2B HTTP/1.0" 302 1655 "https://mycompany.co.uk/oxauth/login" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0" mycompany.co.uk:443 192.41.10.40 - - [31/Oct/2016:10:13:55 +0000] "GET /oxauth/seam/resource/restv1/oxauth/authorize?response_type=code&scope=openid+user_name+email+display_name+orgname&redirect_uri=https%3A%2F%2Fauth.sandbox.client.info%2Fp%2Fauthenticate%2Fcallback&nonce=KFChJXyzAJwbLaGFYrhTYH7w-x55q9e4UQsRKV9eY61Y&state=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyZnAiOiJJRUx3ZXRJR0RNMFp4ZHNvNW9oMFBfSEMiLCJjbGllbnRfaWQiOiI4OWJhM2U3Mi03NjhmLTRkZGItOTUyZC1lMGJiNzMwNWUyYzciLCJmbG93IjoibG9naW4iLCJhdXRoX3Byb3ZpZGVyX2lkIjo1MDE3LCJleHAiOjE0Nzc5MTA2MDQsImNvbnRpbnVlX3RvIjpbIi92Mi9vYXV0aDIvYXV0aG9yaXplP2NsaWVudF9uYW1lPWdsb2J1c193ZWJhcHAmc3RhdGU9dHZvdjZiMnFycG8mcmVkaXJlY3RfdXJpPWh0dHBzJTNBJTJGJTJGc2FuZGJveC5nbG9idXNjcy5pbmZvJTJGYXBwJTJGbG9naW4mcmVzcG9uc2VfdHlwZT10b2tlbiZjbGllbnRfaWQ9ODliYTNlNzItNzY4Zi00ZGRiLTk1MmQtZTBiYjczMDVlMmM3JnNjb3BlPXVybiUzQWdsb2J1cyUzQWF1dGglM0FzY29wZSUzQWF1dGguZ2xvYnVzLm9yZyUzQXZpZXdfaWRlbnRpdGllcyt1cm4lM0FnbG9idXMlM0FhdXRoJTNBc2NvcGUlM0FuZXh1cy5hcGkuZ2xvYnVzLm9yZyUzQWdyb3Vwcyt1cm4lM0FnbG9idXMlM0FhdXRoJTNBc2NvcGUlM0F0cmFuc2Zlci5hcGkuZ2xvYnVzLm9yZyUzQWFsbCZyZWRpcmVjdF9uYW1lPUdsb2J1cytXZWIrQXBwIl19.nPuzG3Syo5goxj1Zvmg58fkfAWxrm4Gb3c_R-1HyHkI&client_id=%40%21DF5D.95BC.627B.BEB6%210001%219A77.81F1%210008%21C952.1A2B&cid=36 HTTP/1.0" 302 1396 "https://mycompany.co.uk/oxauth/login" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0" mycompany.co.uk:443 192.41.10.40 - - [31/Oct/2016:10:13:56 +0000] "POST /oxauth/seam/resource/restv1/oxauth/token HTTP/1.0" 200 1910 "-" "python-requests/2.11.1" mycompany.co.uk:443 192.41.10.40 - - [31/Oct/2016:10:13:56 +0000] "GET /oxauth/seam/resource/restv1/oxauth/userinfo HTTP/1.0" 200 729 "-" "python-requests/2.11.1" ```

By Aliaksandr Samuseu staff 31 Oct 2016 at 2:56 p.m. CDT

Copy
Aliaksandr Samuseu gravatar
Hi, Neemesh. I don't think there is an easy way to see all OIDC messages in Gluu logs. The most solid way so far has been to employ Apache's **mod_dumpio** module. Here is a guide that may help you (please note these steps may need adjustments, depending on Apache's version used by your instance; please consult Apache's doc portal in such case; also note those steps are for CentOS, you'll need to adjust it for Ubuntu too): 1) Check whether it's enabled: `# apachectl -M | grep dumpio`. If grep won't return a string with its name, it isn't. In such case find a section listing loaded modules in the `/etc/httpd/conf/httpd.conf` and add this string there: `LoadModule dumpio_module modules/mod_dumpio.so` 2) In the same file find section where general logging settings are provided, similar to this: ``` ErrorLog logs/error_log LogLevel warn LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined LogFormat "%h %l %u %t \"%r\" %>s %b" common LogFormat "%{Referer}i -> %U" referer LogFormat "%{User-agent}i" agent CustomLog logs/access_log combined ``` ...and add next clauses right after it: ``` DumpIOInput On DumpIOOutput On LogLevel dumpio:trace7 ``` 3) Now in the `/etc/httpd/conf.d/https_gluu.conf`, in a section defining Gluu instance's virtual host, find the place where logging is configured (should be a single string `LogLevel warn`) and add next clauses right behind it: ``` DumpIOInput On DumpIOOutput On LogLevel dumpio:trace7 ``` 4) Restart Apache More about `dumpio` [here](https://httpd.apache.org/docs/2.4/mod/mod_dumpio.html). You either need to do these changes on both nodes of a cluster (I assume you are using one), or somehow ensure all requests for this flow (including out-of-band requests to token and userinfo endpoints which are in case of `authz code` flow are originating from the RP) will be served by the node you modified. After these changes Apache should start to dump all HTTP traffic to the `/etc/httpd/logs/error_log`. I would ask you to run your failing OIDC flow again, and provide us a full dump it will generate in the file (will be too big to post, please use attachment feature of the board)

By Aliaksandr Samuseu staff 12 Nov 2016 at 1:19 p.m. CST

Copy
Aliaksandr Samuseu gravatar
Hi, Neemesh. Do you still need assistance with your issue?

By Neemesh Patel user 13 Nov 2016 at 4:23 a.m. CST

Copy
Neemesh Patel gravatar
Apologies for the late reply. I wasn't able to log things on my side with apache, but in the end the third party sent me the response they were seeing from Gluu and that cleared things up. THe data was being returned, but I forgot the scope name doesn't always match the claim name. In this case they requested the scope "orgname", and the oxClaim name returned with the info was "o", but they (and I) were looking for a claim name "orgName". So with that, I think this ticket can be closed. If there is time I may retry the apache changed you suggested as we may have need for it in the future and being able to the OID responses would be very useful for troubleshooting. Thanks

By Neemesh Patel user 13 Nov 2016 at 4:23 a.m. CST

Copy
Neemesh Patel gravatar
Sorry, forgot to tick the "close this ticket" option

By Aliaksandr Samuseu staff 13 Nov 2016 at 8:09 a.m. CST

Copy
Aliaksandr Samuseu gravatar
Sure, thanks for the update. >If there is time I may retry the apache changed you suggested as we may have need for it in the future and being able to the OID responses would be very useful for troubleshooting. Please note that mod_dumpio configuration differs slightly between different Apache versions. And Gluu uses different Apache versions, depending on package and linux distro. Steps above are for Apache 2.4. You need to update them for Apache 2.2. Also: >Prior to 2.2.4 mod_dumpio would only dump to the log when LogLevel was set to debug so it will differ slightly even for different versions of 2.2.

Post an answer