Can you post the ldif for this client and the scopes? ``# /opt/bin/opendj/ldapsearch -h localhost -p 1389 -D "cn=directory manager" -w <pass> -b "o=gluu" 'inum=@12345.5248.B148'`` > /opt/opendj/ldif/b148_client.ldif Also the respective scopes: ``# /opt/bin/opendj/ldapsearch -h localhost -p 1389 -D "cn=directory manager" -w <pass> -b "o=gluu" 'objectclass=oxAuthCustomScope'`` > /opt/opendj/ldif/scopes.ldif Also, please paste in the oxAuth logs (i.e. use tail -f when you authenticate to capture the snippet). BTW, one of our engineers is also testing mod_auth_oidc

Thank you for the response. OpenID client details on Gluu oxAuth: Inum: <inum_value> Display Name_: openid-client1 Application Type_: Web Algorithm_: RS256 Pre-Authorization_:Enabled Authentication method: client_secret_basic Redirect Login URIs: https://localhost/example/redirect_uri Redirect Logout URIs: **Scopes:** email openid phone profile user_name **Response Type:** Authorization Code Grant Type ID Token Implicit Grant Type I will post the remaining details

**content of b148_client.ldif:** dn: inum=@!46D6.5248.B148.6D99!0001!6CD6.AEF4!0008!C61C.6381,ou=clients,o=@!46D6 .5248.B148.6D99!0001!6CD6.AEF4,o=gluu oxAuthScope: inum=@!46D6.5248.B148.6D99!0001!6CD6.AEF4!0009!764C,ou=scopes,o=@!4 6D6.5248.B148.6D99!0001!6CD6.AEF4,o=gluu oxAuthScope: inum=@!46D6.5248.B148.6D99!0001!6CD6.AEF4!0009!F0C4,ou=scopes,o=@!4 6D6.5248.B148.6D99!0001!6CD6.AEF4,o=gluu oxAuthScope: inum=@!46D6.5248.B148.6D99!0001!6CD6.AEF4!0009!D491,ou=scopes,o=@!4 6D6.5248.B148.6D99!0001!6CD6.AEF4,o=gluu oxAuthScope: inum=@!46D6.5248.B148.6D99!0001!6CD6.AEF4!0009!43F1,ou=scopes,o=@!4 6D6.5248.B148.6D99!0001!6CD6.AEF4,o=gluu oxAuthScope: inum=@!46D6.5248.B148.6D99!0001!6CD6.AEF4!0009!10B2,ou=scopes,o=@!4 6D6.5248.B148.6D99!0001!6CD6.AEF4,o=gluu oxAuthAppType: web oxAuthResponseType: code oxAuthResponseType: id_token oxAuthResponseType: token oxLastAccessTime: 20150526204011.805Z oxAuthClientSecret: 2sTKgvS7Ez115G/C0mzjoAS04ran12wK objectClass: oxAuthClient objectClass: top oxAuthTokenEndpointAuthMethod: client_secret_basic oxAuthRedirectURI: https://localhost/example/redirect_uri oxLastLogonTime: 20150526204011.805Z oxAuthTrustedClient: true displayName: openid-client1 oxAuthIdTokenSignedResponseAlg: RS256 inum: @12345.5248.B148 --- **content of scopes.ldif:** dn: inum=@!46D6.5248.B148.6D99!0001!6CD6.AEF4!0009!F0C4,ou=scopes,o=@!46D6.5248. B148.6D99!0001!6CD6.AEF4,o=gluu oxAuthClaim: inum=@!46D6.5248.B148.6D99!0001!6CD6.AEF4!0005!29DA,ou=attributes,o =@!46D6.5248.B148.6D99!0001!6CD6.AEF4,o=gluu objectClass: oxAuthCustomScope objectClass: top description: A persistent but non-identifiable correlation key released by your OpenID Provider. defaultScope: true displayName: openid inum: @!46D6.5248.B148.6D99!0001!6CD6.AEF4!0009!F0C4 dn: inum=@!46D6.5248.B148.6D99!0001!6CD6.AEF4!0009!10B2,ou=scopes,o=@!46D6.5248. B148.6D99!0001!6CD6.AEF4,o=gluu oxAuthClaim: inum=@!46D6.5248.B148.6D99!0001!6CD6.AEF4!0005!42E0,ou=attributes,o =@!46D6.5248.B148.6D99!0001!6CD6.AEF4,o=gluu objectClass: oxAuthCustomScope objectClass: top description: Your local username in the Gluu Server defaultScope: false displayName: user_name inum: @!46D6.5248.B148.6D99!0001!6CD6.AEF4!0009!10B2 dn: inum=@!46D6.5248.B148.6D99!0001!6CD6.AEF4!0009!764C,ou=scopes,o=@!46D6.5248. B148.6D99!0001!6CD6.AEF4,o=gluu oxAuthClaim: inum=@!46D6.5248.B148.6D99!0001!6CD6.AEF4!0005!8F88,ou=attributes,o =@!46D6.5248.B148.6D99!0001!6CD6.AEF4,o=gluu oxAuthClaim: inum=@!46D6.5248.B148.6D99!0001!6CD6.AEF4!0005!CAE3,ou=attributes,o =@!46D6.5248.B148.6D99!0001!6CD6.AEF4,o=gluu objectClass: oxAuthCustomScope objectClass: top description: Your email address and whether its verified. defaultScope: false displayName: email inum: @!46D6.5248.B148.6D99!0001!6CD6.AEF4!0009!764C dn: inum=@!46D6.5248.B148.6D99!0001!6CD6.AEF4!0009!D491,ou=scopes,o=@!46D6.5248. B148.6D99!0001!6CD6.AEF4,o=gluu oxAuthClaim: inum=@!46D6.5248.B148.6D99!0001!6CD6.AEF4!0005!570B,ou=attributes,o =@!46D6.5248.B148.6D99!0001!6CD6.AEF4,o=gluu oxAuthClaim: inum=@!46D6.5248.B148.6D99!0001!6CD6.AEF4!0005!B17A,ou=attributes,o =@!46D6.5248.B148.6D99!0001!6CD6.AEF4,o=gluu objectClass: oxAuthCustomScope objectClass: top description: Your phone number defaultScope: false displayName: phone inum: @!46D6.5248.B148.6D99!0001!6CD6.AEF4!0009!D491 dn: inum=@!46D6.5248.B148.6D99!0001!6CD6.AEF4!0009!43F1,ou=scopes,o=@!46D6.5248. B148.6D99!0001!6CD6.AEF4,o=gluu oxAuthClaim: inum=@!46D6.5248.B148.6D99!0001!6CD6.AEF4!0005!2B29,ou=attributes,o =@!46D6.5248.B148.6D99!0001!6CD6.AEF4,o=gluu oxAuthClaim: inum=@!46D6.5248.B148.6D99!0001!6CD6.AEF4!0005!0C85,ou=attributes,o =@!46D6.5248.B148.6D99!0001!6CD6.AEF4,o=gluu oxAuthClaim: inum=@!46D6.5248.B148.6D99!0001!6CD6.AEF4!0005!B4B0,ou=attributes,o =@!46D6.5248.B148.6D99!0001!6CD6.AEF4,o=gluu oxAuthClaim: inum=@!46D6.5248.B148.6D99!0001!6CD6.AEF4!0005!A0E8,ou=attributes,o =@!46D6.5248.B148.6D99!0001!6CD6.AEF4,o=gluu oxAuthClaim: inum=@!46D6.5248.B148.6D99!0001!6CD6.AEF4!0005!5EC6,ou=attributes,o =@!46D6.5248.B148.6D99!0001!6CD6.AEF4,o=gluu oxAuthClaim: inum=@!46D6.5248.B148.6D99!0001!6CD6.AEF4!0005!B52A,ou=attributes,o =@!46D6.5248.B148.6D99!0001!6CD6.AEF4,o=gluu oxAuthClaim: inum=@!46D6.5248.B148.6D99!0001!6CD6.AEF4!0005!64A0,ou=attributes,o =@!46D6.5248.B148.6D99!0001!6CD6.AEF4,o=gluu oxAuthClaim: inum=@!46D6.5248.B148.6D99!0001!6CD6.AEF4!0005!EC3A,ou=attributes,o =@!46D6.5248.B148.6D99!0001!6CD6.AEF4,o=gluu oxAuthClaim: inum=@!46D6.5248.B148.6D99!0001!6CD6.AEF4!0005!3B47,ou=attributes,o =@!46D6.5248.B148.6D99!0001!6CD6.AEF4,o=gluu oxAuthClaim: inum=@!46D6.5248.B148.6D99!0001!6CD6.AEF4!0005!3692,ou=attributes,o =@!46D6.5248.B148.6D99!0001!6CD6.AEF4,o=gluu oxAuthClaim: inum=@!46D6.5248.B148.6D99!0001!6CD6.AEF4!0005!98FC,ou=attributes,o =@!46D6.5248.B148.6D99!0001!6CD6.AEF4,o=gluu oxAuthClaim: inum=@!46D6.5248.B148.6D99!0001!6CD6.AEF4!0005!A901,ou=attributes,o =@!46D6.5248.B148.6D99!0001!6CD6.AEF4,o=gluu oxAuthClaim: inum=@!46D6.5248.B148.6D99!0001!6CD6.AEF4!0005!36D9,ou=attributes,o =@!46D6.5248.B148.6D99!0001!6CD6.AEF4,o=gluu oxAuthClaim: inum=@!46D6.5248.B148.6D99!0001!6CD6.AEF4!0005!BE64,ou=attributes,o =@!46D6.5248.B148.6D99!0001!6CD6.AEF4,o=gluu objectClass: oxAuthCustomScope objectClass: top description: This information includes: name, family_name, given_name, middle_na me, nickname, preferred username, picture, website, gender, birthdate, zoneinfo , locale and when the profile was last updated. defaultScope: false displayName: profile inum: @!46D6.5248.B148.6D99!0001!6CD6.AEF4!0009!43F1 dn: inum=@!46D6.5248.B148.6D99!0001!6CD6.AEF4!0009!6D98,ou=scopes,o=@!46D6.5248. B148.6D99!0001!6CD6.AEF4,o=gluu objectClass: oxAuthCustomScope objectClass: top description: Obtain UMA AAT displayName: uma_authorization defaultScope: true inum: @!46D6.5248.B148.6D99!0001!6CD6.AEF4!0009!6D98 dn: inum=@!46D6.5248.B148.6D99!0001!6CD6.AEF4!0009!6D99,ou=scopes,o=@!46D6.5248. B148.6D99!0001!6CD6.AEF4,o=gluu objectClass: oxAuthCustomScope objectClass: top description: Obtain UMA PAT displayName: uma_protection defaultScope: true inum: @!46D6.5248.B148.6D99!0001!6CD6.AEF4!0009!6D99

I re-assigned this issue to an engineer who is also working on testing mod_auth_oidc.

Reza, [This wiki page](http://ox.gluu.org/doku.php?id=mod_auth_oidc) has our documentation for configuring mod_auth_oic with the Gluu Server. Please let us know how it goes for you! Thanks, Will

Thank you William I reviewed the instructions, they are basically what I have done so far.. except my oxAuth server is not installed locally and I am not using Python but rather PHP to view the HTTP headers. Therefore instead of using: OIDCMetadataDir /var/lib/apache2/openid-client-creds I use: OIDCProviderMetadataURL https://my-gluu-server.com/.well-known/openid-configuration OIDCClientID client_ID OIDCClientSecret client_PASS The Apache module is installed properly and the Apache server starts and stops fine. Upon accessing http://localhost/example the module fetches the configuration(JSON) successfully and then redirects the browser to the oxAuth server for authentication. Once u/p are entered the browser is redirected back to the redirect_link: https://localhost/example/redirect_uri?session_id=123456-9a77-4e27-93a3-5016fb6773a3

... Upon accessing http://localhost/example the module fetches the configuration(JSON) successfully and then redirects the browser to the oxAuth server for authentication. Once u/p are entered the browser is redirected back to the redirect_link: https://localhost/example/redirect_uri?session_id=123456-9a77-4e27-93a3-5016fb6773a3&scope=openid+email+profile&state=123YEN-Bko6gBvrbfsoCqpkg8uw&code=12330610-c6cc-4a55-bb89-45457a3ad987 Once the module receives the code in query above, it makes another calls to the the token endpoint: https://my-gluu-server.com/oxauth/seam/resource/restv1/oxauth/token with the code and other parameters to receive the access token... the server then response with access_token, token_type, expires_in, refresh_token and id_token. The module makes another call to Gluu's JWK endpoint successfully. resolving id_token I can see the following key-values: { "iss": "https://my-gluu-server.com", "aud": "@12345.5248.B148", "exp": 1433276998, "iat": 1433273398, "nonce": "123qZH1lfmo0G4xH6Z2y9t127u6MrlaB4rft0R123bI", "auth_time": 1433273398, "at_hash": "i123uREhpCp05n1Gh0t123", "oxValidationURI": "https://my-gluu-server.com/oxauth/opiframe", "oxOpenIDConnectVersion": "openidconnect-1.0" } as it shows there is no **sub** key in the response. I think I had a similar issue (i.e. no sub attribute) when I tried to use another OpenID Connect client a while ago. Please note that the same Module works fine with **Google Apps** and the following config: OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration OIDCClientID appid123456.apps.googleusercontent.com OIDCClientSecret my-google-app-secret OIDCRedirectURI https://localhost/example/redirect_uri OIDOIDCSSLValidateServer OffCCryptoPassphrase crypto_pass OIDCScope "openid email" <Location /example/> AuthType openid-connect Require valid-user </Location>

Reza, I recently did some testing with this mod_auth_oidc. My notes are here: http://ox.gluu.org/doku.php?id=mod_auth_oidc I decided to use Dynamic Client Registration because I'm lazy... You might try it, and then compare the results in your <op>.client file with the directives you've set. Also, I notice in your Google config you have OIDOIDCSSLValidateServer Off I was actually going to suggest you use the same for the Gluu Server, because I'm guessing you're using a self-signed cert which you probably didn't specify as a trusted CA.

Regarding the SSL and self signed cert, I fixed the self-signed cert validation by downloading the cert and adding it to the Apache's trusted CA directory. I have also added the OIDOIDCSSLValidateServer Off to the config file in case I move the code to a different machine.

Reza, Are you still facing the problem? Have you moved forward? If yes, please respond to the issue with your present error. We may be of some help now. Thanks

You may like to have a look at: http://ox.gluu.org/doku.php?id=mod_auth_oidc_centos We'll try to resolve other issues if encountered and if within our reach.

To your client please add oxAuthSubjectIdentifier: @!46D6.5248.B148.6D99!0001!6CD6.AEF4!0008!C61C.6381 in your ldap as follows: Create a file with the following content and name it: mod.ldif > dn: inum=@!46D6.5248.B148.6D99!0001!6CD6.AEF4!0008!C61C.6381,ou=clients,o=@!46D6.5248.B148.6D99!0001!6CD6.AEF4,o=gluu > changetype: modify > add: oxAuthSubjectIdentifier > oxAuthSubjectIdentifier: @!46D6.5248.B148.6D99!0001!6CD6.AEF4!0008!C61C.6381 And run: > /opt/bin/opendj/ldapmodify -h localhost -p 1389 -D "cn=directory manager" -w <pass> -f mod.ldif > Then try to authenticate.

Ganesh, The fix you suggested worked! thank you...so oxAuth uses oxAuthSubjectIdentifier, as opposed to inum, for the 'sub' value.

Yes, the value is same but parameter name pulled is different.