By: Summer Nguyen user 22 Jul 2018 at 4:58 a.m. CDT

8 Responses
Hello,

We are planning to use Gluu with OXD in production. We are planning to run multiple OXD servers with a Redis backend for high availability. Everything seems to work well. However, to gain the benefits of an HTTPS load balancer, we place the OXD HTTPS Extension in front of the OXD servers.

- OXD HTTPS Extension config: default
- demosite.cfg: https://paste.ubuntu.com/p/tmjrjj3mDX/

What is happening:

- If there is no protection_access_token in demosite.cfg, it raises the error:

```
java.lang.IllegalArgumentException: Status code of the supplied response [403] is not from the required status code family "SERVER_ERROR".
	at javax.ws.rs.WebApplicationException.validate(WebApplicationException.java:308) ~[oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at javax.ws.rs.ServerErrorException.<init>(ServerErrorException.java:78) ~[oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.gluu.oxd.RestResource.validateAccessToken(RestResource.java:192) ~[oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.gluu.oxd.RestResource.getAuthorizationUrl(RestResource.java:97) ~[oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at sun.reflect.GeneratedMethodAccessor38.invoke(Unknown Source) ~[na:na]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_131]
	at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_131]
```

- So I copy the client_registration_access_token to protection_access_token, just like the configuration above; now it raises the error:

```
OxdServerError: oxd Server Error: inactive_protection_access_token Inactive protection_access_token. Command is protected by protection_access_token, please provide valid token or otherwise switch off protection in configuration with protect_commands_with_access_token=false
```

Note that I have the option "protect_commands_with_access_token":false in oxd_config.json.

Do you have any idea?

Thank you

By Michael Schwartz Account Admin 22 Jul 2018 at 11:01 a.m. CDT

Yuriy can you take a look at this? Any thoughts?

By Yuriy Zabrovarnyy staff 22 Jul 2018 at 11:24 a.m. CDT

Would you be so kind to attach `oxd-server.log` file and your `oxd-conf.json` so we can check in detail?

By Summer Nguyen user 22 Jul 2018 at 12:48 p.m. CDT

Hello,

Here is the oxd-conf.json:

```
{
  "server_name":"My OXD 2",
  "port":8099,
  "localhost_only":false,
  "time_out_in_seconds":0,
  "use_client_authentication_for_pat":true,
  "trust_all_certs":true,
  "trust_store_path":"",
  "trust_store_password":"",
  "crypt_provider_key_store_path":"",
  "crypt_provider_key_store_password":"",
  "crypt_provider_dn_name":"",
  "license_id":"",
  "public_key":"",
  "public_password":"",
  "license_password":"",
  "support-google-logout":true,
  "state_expiration_in_minutes":5,
  "nonce_expiration_in_minutes":5,
  "public_op_key_cache_expiration_in_minutes":60,
  "protect_commands_with_access_token":false,
  "uma2_auto_register_claims_gathering_endpoint_as_redirect_uri_of_client":true,
  "migration_source_folder_path":"",
  "storage":"redis",
  "storage_configuration": {
    "servers":"redis:6379"
  },
  "remove_expired_clients":false
}
```

Here is the oxd-https.log when I don't put protection_access_token:

```
java.lang.IllegalArgumentException: Status code of the supplied response [403] is not from the required status code family "SERVER_ERROR".
	at javax.ws.rs.WebApplicationException.validate(WebApplicationException.java:308) ~[oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at javax.ws.rs.ServerErrorException.<init>(ServerErrorException.java:78) ~[oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.gluu.oxd.RestResource.validateAccessToken(RestResource.java:192) ~[oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.gluu.oxd.RestResource.getAuthorizationUrl(RestResource.java:97) ~[oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_131]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_131]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_131]
	at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_131]
	at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory$1.invoke(ResourceMethodInvocationHandlerFactory.java:81) ~[oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:144) ~[oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:161) ~[oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$TypeOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:205) ~[oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:99) ~[oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:389) ~[oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:347) ~[oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:102) ~[oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.glassfish.jersey.server.ServerRuntime$2.run(ServerRuntime.java:326) ~[oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.glassfish.jersey.internal.Errors$1.call(Errors.java:271) [oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267) [oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.glassfish.jersey.internal.Errors.process(Errors.java:315) [oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.glassfish.jersey.internal.Errors.process(Errors.java:297) [oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.glassfish.jersey.internal.Errors.process(Errors.java:267) [oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:317) [oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:305) [oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:1154) [oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:471) [oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:425) [oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:383) [oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:336) [oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:223) [oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at io.dropwizard.jetty.NonblockingServletHolder.handle(NonblockingServletHolder.java:49) [oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1669) [oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.eclipse.jetty.servlets.UserAgentFilter.doFilter(UserAgentFilter.java:83) [oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.eclipse.jetty.servlets.GzipFilter.doFilter(GzipFilter.java:300) [oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at io.dropwizard.jetty.BiDiGzipFilter.doFilter(BiDiGzipFilter.java:132) [oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652) [oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at io.dropwizard.servlets.ThreadNameFilter.doFilter(ThreadNameFilter.java:29) [oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652) [oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at io.dropwizard.jersey.filter.AllowedMethodsFilter.handle(AllowedMethodsFilter.java:43) [oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at io.dropwizard.jersey.filter.AllowedMethodsFilter.doFilter(AllowedMethodsFilter.java:38) [oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652) [oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585) [oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127) [oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515) [oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061) [oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) [oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97) [oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at com.codahale.metrics.jetty9.InstrumentedHandler.handle(InstrumentedHandler.java:240) [oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at io.dropwizard.jetty.RoutingHandler.handle(RoutingHandler.java:51) [oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97) [oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.eclipse.jetty.server.handler.RequestLogHandler.handle(RequestLogHandler.java:95) [oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97) [oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.eclipse.jetty.server.handler.StatisticsHandler.handle(StatisticsHandler.java:159) [oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97) [oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.eclipse.jetty.server.Server.handle(Server.java:499) [oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310) [oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257) [oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540) [oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635) [oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555) [oxd-https-extension-3.1.3.Final.jar:3.1.3.Final]
	at java.lang.Thread.run(Thread.java:748) [na:1.8.0_131]
```

Here is the oxd-server.log when I put protection_access_token:

```
2018-07-22 14:47:26,884 DEBUG [org.xdi.oxd.server.service.SocketService] Start new SocketProcessor...
2018-07-22 14:47:26,886 TRACE [org.xdi.oxd.server.SocketProcessor] Socket processor handling...
2018-07-22 14:47:26,886 TRACE [org.xdi.oxd.common.CoreUtils] commandSize: -1, stringStorage:
2018-07-22 14:47:26,886 TRACE [org.xdi.oxd.common.CoreUtils] Parsed sizeString: 0158, commandSize: 158
2018-07-22 14:47:26,886 TRACE [org.xdi.oxd.common.CoreUtils] Read result: ReadResult{m_command='{"params": {"oxd_id": "f236a025-f009-448e-94e3-835f1b055402", "protection_access_token": "564fd928-89ce-4488-97b4-49d71fdf166b"}, "command": "get_logout_uri"}', m_leftString=''}
2018-07-22 14:47:26,886 TRACE [org.xdi.oxd.server.Processor] Command: {"params": {"oxd_id": "f236a025-f009-448e-94e3-835f1b055402", "protection_access_token": "564fd928-89ce-4488-97b4-49d71fdf166b"}, "command": "get_logout_uri"}
2018-07-22 14:47:26,886 TRACE [org.xdi.oxd.server.service.ValidationService] Introspect token with rp: Rp{oxdId='be3e0ef1-40f7-400f-be0b-16757df6217b', opHost='https://mysso.com', opDiscoveryPath='null', idToken='null', accessToken='null', authorizationRedirectUri='https://app-gluu.novobi.cloud:2087/login_callback/', postLogoutRedirectUri='https://app.mysso.com:2087/post_logout/', applicationType='web', redirectUris=[https://app-gluu.novobi.cloud:2087/login_callback/], claimsRedirectUri=[], responseTypes=[code], clientId='@!45CA.AE06.1470.E5A7!0001!98B4.59D2!0008!A3CC.D1CF.AAF2.E80B', clientSecret='221d4ca6-ba99-447f-9caa-e554dd0213af', clientRegistrationAccessToken='564fd928-89ce-4488-97b4-49d71fdf166b', clientRegistrationClientUri='https://mysso.com/oxauth/restv1/register?client_id=@!45CA.AE06.1470.E5A7!0001!98B4.59D2!0008!A3CC.D1CF.AAF2.E80B', clientIdIssuedAt=Sun Jul 22 09:39:11 UTC 2018, clientSecretExpiresAt=Mon Jul 23 09:39:11 UTC 2018, clientName='null', sectorIdentifierUri='null', clientJwksUri='', setupClient='true', setupOxdId='null', setupClientId='null', scope=[openid, profile, email, uma_authorization, uma_protection, user_name, clientinfo, dermalogica_info], uiLocales=[en], claimsLocales=[en], acrValues=[], grantType=[authorization_code, client_credentials, uma_ticket], contacts=[], userId='null', userSecret='null', pat='144699e1-4ecf-422e-a832-9ba6db4b6cb7', patExpiresIn=299, patCreatedAt=Sun Jul 22 14:33:54 UTC 2018, patRefreshToken='null', umaProtectedResources=[], rpt='null', rptTokenType='null', rptPct='null', rptExpiresAt=null, rptCreatedAt=null, rptUpgraded=null, oxdRpProgrammingLanguage=python}
2018-07-22 14:47:26,886 TRACE [org.xdi.oxd.server.service.HttpService] Created TRUST_ALL client.
2018-07-22 14:47:26,888 TRACE [org.xdi.oxd.server.service.HttpService] Created TRUST_ALL client.
2018-07-22 14:47:27,060 TRACE [org.xdi.oxd.server.service.UmaTokenService] Obtained token with client authentication: UmaToken{token='b919d2b8-c344-4846-9dab-0d35c591d153', refreshToken='null', expiresIn=299}
2018-07-22 14:47:27,063 TRACE [org.xdi.service.cache.RedisStandaloneProvider] put - key: be3e0ef1-40f7-400f-be0b-16757df6217b, status: OK
2018-07-22 14:47:27,090 DEBUG [org.xdi.oxd.server.service.ValidationService] access_token is not active.
2018-07-22 14:47:27,090 ERROR [org.xdi.oxd.server.Processor] ErrorResponseException{errorResponseCode=ErrorResponseCode{value='inactive_protection_access_token', description='Inactive protection_access_token. Command is protected by protection_access_token, please provide valid token or otherwise switch off protection in configuration with protect_commands_with_access_token=false'}}
	at org.xdi.oxd.server.service.ValidationService.introspect(ValidationService.java:148)
	at org.xdi.oxd.server.service.ValidationService.validate(ValidationService.java:117)
	at org.xdi.oxd.server.service.ValidationService.validate(ValidationService.java:49)
	at org.xdi.oxd.server.Processor.process(Processor.java:74)
	at org.xdi.oxd.server.Processor.process(Processor.java:51)
	at org.xdi.oxd.server.SocketProcessor.run(SocketProcessor.java:55)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:748)
2018-07-22 14:47:27,091 TRACE [org.xdi.oxd.server.Processor] Send back response: {"status":"error","data":{"error":"inactive_protection_access_token","details":null,"error_description":"Inactive protection_access_token. Command is protected by protection_access_token, please provide valid token or otherwise switch off protection in configuration with protect_commands_with_access_token=false"}}
2018-07-22 14:47:27,091 TRACE [org.xdi.oxd.server.SocketProcessor] Socket processor handling...
```

P.S.: I removed some private data.

Thank you

By Summer Nguyen user 22 Jul 2018 at 12:52 p.m. CDT

Btw, just a very quick question: we are integrating many applications in production, in Python, PHP and Java. However, I can only find the SCIM client for Java; how about Python and PHP? Thank you

By Yuriy Zabrovarnyy staff 23 Jul 2018 at 10:52 a.m. CDT

Thanks for the details. Your configuration looks good.

Right now oxd-server `3.1.3` skips validation if `protect_commands_with_access_token` is `false` AND `protection_access_token` is not provided in the command itself. In your case, based on the log above, we can see that `protection_access_token` is still supplied:

```
2018-07-22 14:47:26,886 TRACE [org.xdi.oxd.server.Processor] Command: {"params": {"oxd_id": "f236a025-f009-448e-94e3-835f1b055402", "protection_access_token": "564fd928-89ce-4488-97b4-49d71fdf166b"}, "command": "get_logout_uri"}
```

For the 3.1.3 version please set `protection_access_token` to a blank value or `null` and oxd will skip validation.

This behavior is changed in 3.1.4 (in https://github.com/GluuFederation/oxd/issues/213). If `protect_commands_with_access_token` is `false` in the configuration then validation is skipped (no matter whether the token is provided in the command or not).

About `java.lang.IllegalArgumentException` (when `protection_access_token` is missing): it is a bug which is fixed in the 3.1.4 version (https://github.com/GluuFederation/oxd/issues/212).

I guess you may wish to try the 3.1.4 version (which is not released yet but is very stable, with many other fixes). It is available in our maven repo:

- oxd-server: http://ox.gluu.org/maven/org/xdi/oxd-server/3.1.4-SNAPSHOT/
- oxd-https-extension: http://ox.gluu.org/maven/org/xdi/oxd-https-extension/3.1.4-SNAPSHOT/

About the SCIM client question: we have many oxd clients available, but as far as I know we support only a Java client for SCIM.

Thanks,
Yuriy Z

By Summer Nguyen user 23 Jul 2018 at 12:43 p.m. CDT

Hello Yuriy,

I tried it but there's still an error. After reviewing your code, I can see that there is some weird logic:

1. If I don't provide protection_access_token, the Python oxd client will not put an Authorization header in the request:

```
if self.config.get("client", "protection_access_token"):
    logger.info("Protection Token available in config. Setting it to "
                "messenger for use in all communication")
    self.msgr.access_token = self.config.get("client", "protection_access_token")
```

   So, in your oxd HTTPS extension, the validateAccessToken method will return false, which raises a 403 HTTP code for me:

```
public static String validateAccessToken(String authorizationParameter) {
    final String prefix = "Bearer ";
    if (StringUtils.isNotEmpty(authorizationParameter) && authorizationParameter.startsWith(prefix)) {
        String accessToken = authorizationParameter.substring(prefix.length());
        if (StringUtils.isNotBlank(accessToken)) {
            return accessToken;
        }
    }
    LOG.debug("No access token provided in Authorization header. Forbidden.");
    throw new WebApplicationException(forbiddenErrorResponse(), Response.Status.FORBIDDEN);
}
```

2. So I have to provide protection_access_token in my demosite.conf, which will raise the error:

```
OxdServerError: oxd Server Error: inactive_protection_access_token Inactive protection_access_token. Command is protected by protection_access_token, please provide valid token or otherwise switch off protection in configuration with protect_commands_with_access_token=false
```

Keep in mind that I set protect_commands_with_access_token=false in oxd-conf.json.

Could you please have a careful test on your side?

Thank you

By Yuriy Zabrovarnyy staff 23 Jul 2018 at 2:36 p.m. CDT

I guess there is some misunderstanding. We have:

- `oxd-server`, which is a local service where you can switch protection on/off by `protect_commands_with_access_token`.
- `oxd-https-extension`, which is an HTTP proxy to `oxd-server` and where protection is REQUIRED.

Communication between `oxd-server` and `oxd-https-extension` is protected by `protection_access_token`. There is no way to avoid protection on the `oxd-https-extension` side.

If you don't need protection at all then there is no need to use `oxd-https-extension`; you can call `oxd-server` directly. Otherwise, if it's required to use `oxd-https-extension`, then please turn protection on.

Thanks,
Yuriy Z
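The two checks discussed in this thread, modelled in Python as an added example (not Gluu's code): the Bearer-header check that `oxd-https-extension` always enforces, and the `oxd-server` decision on whether to introspect `protection_access_token`, which differs between 3.1.3 and 3.1.4 as Yuriy describes. The function names, the version strings and the sample ids are assumptions made for the model.

```python
"""Toy model of the two token checks in this thread (added example, not Gluu's code).

oxd-https-extension: the Authorization header must carry "Bearer <token>" or the
request is refused with 403 (mirrors the Java validateAccessToken quoted above).
oxd-server: whether protection_access_token is introspected depends on
protect_commands_with_access_token and, in 3.1.3 only, on whether the command
carried a non-blank token. The version strings are an assumption for modelling.
"""
from typing import Optional


class Forbidden(Exception):
    """Missing or malformed Bearer header; the extension answers HTTP 403."""
    status = 403


def bearer_token(authorization: Optional[str]) -> str:
    """Extract the token from an Authorization header or raise Forbidden."""
    prefix = "Bearer "
    if authorization and authorization.startswith(prefix):
        token = authorization[len(prefix):]
        if token.strip():          # "Bearer   " (blank token) is rejected too
            return token
    raise Forbidden("No access token provided in Authorization header")


def header_check_status(authorization: Optional[str]) -> int:
    """Status the header check alone would produce: 200 (passed on) or 403."""
    try:
        bearer_token(authorization)
        return 200
    except Forbidden as exc:
        return exc.status


def build_command(name: str, oxd_id: str, protection_access_token: Optional[str]) -> dict:
    """Build the command envelope seen in the oxd-server.log above; a blank or None
    token is left out so that 3.1.3 treats the command as unprotected."""
    params = {"oxd_id": oxd_id}
    if protection_access_token and protection_access_token.strip():
        params["protection_access_token"] = protection_access_token
    return {"command": name, "params": params}


def server_validates(protect_commands: bool, command: dict, version: str) -> bool:
    """Does oxd-server introspect the token for this command?

    3.1.3: skipped only if protection is off AND no non-blank token is in the command.
    3.1.4 (issue #213): protection off means validation is always skipped.
    """
    token = command.get("params", {}).get("protection_access_token")
    has_token = bool(token and str(token).strip())
    if protect_commands:
        return True
    if version == "3.1.3":
        return has_token
    return False


if __name__ == "__main__":
    cmd = build_command("get_logout_uri", "constructed-oxd-id", "constructed-token")
    print(header_check_status(None), server_validates(False, cmd, "3.1.3"))
```

With protection switched off in oxd-conf.json, the 3.1.3 model still validates a command that carries a token, which is exactly the `inactive_protection_access_token` outcome in the log above; the 3.1.4 model does not.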

By Summer Nguyen user 23 Jul 2018 at 11:35 p.m. CDT

I found the root cause now; that's my misunderstanding. To use it with oxd-https-extension, I have to call

```
oxc.get_client_token()
```

after client initialization, before any upcoming commands.

Thank you very much. We can close the ticket.