By: Mike Hometown user 08 Jul 2020 at 7:49 a.m. CDT

12 Responses
## Expected Behaviour

Following the instructions from Gluu Gateway Docs, to add a new GG admin: https://gluu.org/docs/gg/1.0/admin-gui/#configure-role-for-user

I would expect to be able to log in to Gluu Gateway with the user assigned the role=admin.

## Actual Behaviour

When logging in with the user having role=admin, it fails with the message:

Not enough permission to access GG UI. Only the user with admin role is allow.

I am new to Gluu Gateway, and not sure which log file would be useful in this case... As I could not find anything useful in any of the mentioned logs!

**Please advise?**

By Meghna Joshi staff 08 Jul 2020 at 7:57 a.m. CDT

Hi Mike, please send the `/var/log/konga.log`. It seems like your client does not have a sufficient scope, so it failed to get `permission`.

1. You can find the client in the Konga config `/opt/gluu-gateway-ui/config/local.js`.
2. Pick the client ID from `local.js` and check the client details in the Gluu CE UI (oxTrust).
3. Does the client have the `permission` scope or not? If not, add it and try to log in again.

Best regards,
Meghna Joshi

By Mike Hometown user 08 Jul 2020 at 8:17 a.m. CDT

Thanks for your response!

* Checking the `local.js` file for the OIDC Client being used: `58390a6f-f182-42de-801e-f592610e469b`
* The OIDC Client has `permission` scope added

Attached the `/var/log/konga.log` file.

By Meghna Joshi staff 08 Jul 2020 at 8:28 a.m. CDT

In the logs I can see that userinfo has only the `sub` claim.

```
userinfo: { sub: 't6tkFkUyFXlrVfKU3qWHKS8M-6LjArtGO85Co_i4W5E' }
```

1. Have you added the `permission` scope using oxTrust for client `58390a6f-f182-42de-801e-f592610e469b`?
2. If this scope is already available in your client, then you need to check the `role` for the user. Check in oxTrust, in the user record, `User Permission: admin`.
3. Also try to log in in a private window.

By Meghna Joshi staff 08 Jul 2020 at 8:32 a.m. CDT

Also share the `/var/log/oxd-server/oxd-server.log` log

By Mike Hometown user 08 Jul 2020 at 8:37 a.m. CDT

1. Yes, I had used oxTrust to check this client... Did not have to add `permission` scope, as it was already there;
2. Checking in oxTrust for the `User Permission: admin` ... it has been added;
3. Using Edge and Private Mode (had not used Edge before with this setup), same result.

From the source code of Gluu Gateway UI, the part where it checks for this `role=admin` is found here: https://github.com/GluuFederation/gluu-gateway-ui/blob/52a0abbb19e22e97bb03c368b0090928b22faaa3/api/controllers/AuthController.js#L265

If `userinfo` only contains the sub, I would understand why that code is throwing the error message... as it does not contain `role` values! ... The question then would be, why does it not have the role value!? (It should, as the OIDC Client is configured with it and it is requested during authentication.)

Any other things I could check?

By Mike Hometown user 08 Jul 2020 at 8:44 a.m. CDT

Sharing the oxd log file as requested: https://tmpfiles.org/download/60058/oxd-server.log

By Meghna Joshi staff 08 Jul 2020 at 9:38 a.m. CDT

Every configuration looks good to me. @Yuriy.Zabrovarnyy could you please check the oxd logs once: why is the role not being returned by Gluu CE? Which thing is missing?

In the meantime, Mike, please send `oxauth.log`.

By Mike Hometown user 08 Jul 2020 at 10:04 a.m. CDT

Sharing the oxAuth log file as requested: https://tmpfiles.org/download/60085/oxauth.log

By Yuriy Zabrovarnyy staff 08 Jul 2020 at 11:20 a.m. CDT

> https://tmpfiles.org/download/60058/oxd-server.log

Tmpfile.org says that file not found for link above

> https://tmpfiles.org/download/60085/oxauth.log

File is present but logger is in INFO log level. Please set it to TRACE, repeat scenario and attach log.

I suspect it's something with attribute definition referenced by scope. Thus please attach LDIF of `permission` scope and LDIFs of claims referenced by it (via `oxAuthClaim`).

By Mike Hometown user 09 Jul 2020 at 2:34 a.m. CDT

> Tmpfile.org says that file not found for link above

This is probably because tmpfile.org has the file available for 2 hours max, which had passed already... I will need to find a better file-sharing solution.

> File is present but logger is in INFO log level. Please set it to TRACE, repeat scenario and attach log.

Makes sense to set to DEBUG indeed, which I did for any future issues I might encounter. This issue I have resolved, see below.

> I suspect it's something with attribute definition referenced by scope.

This made me check the permission scope in Gluu Admin UI (which I did before), but this time you mentioned 'attribute definition' ... this was set to dynamic scope, referencing the *dynamic_permission* script... I wanted to check what this script does, where I noticed it was not enabled! Once I enabled it, things started to work as expected!

**Conclusion**, looks like when a default install is done for Gluu Server this permission scope is referencing a dynamic scope script which is not enabled?
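
The three states this thread had to tell apart, as an added example that is not part of the original posts and is not Gluu Gateway UI code: a check that separates "scope not granted", "scope granted but no `role` claim released" and "user lacks the role". The function names and cause labels are hypothetical; the `permission` scope, `role` claim and `admin` value come from the thread, and accepting the claim as a string or an array is an assumption.

```javascript
// Added example, not Gluu Gateway UI code. The `permission` scope, `role` claim
// and `admin` value come from the thread; everything else is hypothetical.
const REQUIRED_SCOPE = 'permission';
const REQUIRED_ROLE = 'admin';

// Assumption: the role claim may arrive as an array or as a delimited string.
function normalizeRoles(value) {
  if (Array.isArray(value)) return value.map(String);
  if (typeof value === 'string') return value.split(/[\s,]+/).filter(Boolean);
  return [];
}

// grantedScope: the space-delimited `scope` value from the token response.
function diagnoseAdminAccess(userinfo, grantedScope) {
  const info = userinfo || {};
  const scopes = String(grantedScope || '').split(/\s+/).filter(Boolean);
  if (!scopes.includes(REQUIRED_SCOPE)) {
    return { allowed: false, cause: 'scope_not_granted' };
  }
  if (!Object.prototype.hasOwnProperty.call(info, 'role')) {
    // Scope was granted but the provider released no claim for it:
    // look at the scope definition on the provider, not at the user record.
    return { allowed: false, cause: 'claim_not_released' };
  }
  return normalizeRoles(info.role).includes(REQUIRED_ROLE)
    ? { allowed: true, cause: null }
    : { allowed: false, cause: 'user_lacks_role' };
}

// Constructed inputs; the first userinfo is the one quoted from konga.log above.
const samples = [
  [{ sub: 't6tkFkUyFXlrVfKU3qWHKS8M-6LjArtGO85Co_i4W5E' }, 'openid permission'],
  [{ sub: 'constructed-sub' }, 'openid'],
  [{ sub: 'constructed-sub', role: ['user'] }, 'openid permission'],
  [{ sub: 'constructed-sub', role: 'admin' }, 'openid permission'],
];
for (const [userinfo, scope] of samples) {
  console.log(scope, '->', JSON.stringify(diagnoseAdminAccess(userinfo, scope)));
}
```

`claim_not_released` is the state this ticket was in: the client had the scope and the user had the role, but with the *dynamic_permission* script disabled no `role` claim reached userinfo.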

By Yuriy Zabrovarnyy staff 09 Jul 2020 at 3:47 a.m. CDT

I will correct it, thanks for the info! https://github.com/GluuFederation/community-edition-setup/issues/694

Can we close this support ticket?

By Mike Hometown user 09 Jul 2020 at 5:01 a.m. CDT

I do have another question about Gluu Gateway, but it is something different, so I will create a new ticket for that. Thanks for your help, I will close this ticket.