I have started to deploy a user authentication solution consisting of Gluu at authentication server side with OpenID connect, and pac4j-oidc at client. I registered the client manually. I have also put the same credentials to shiro config. Then when I try to log in - first I see the login form of Gluu server (if I am not logged in yet) and at making a query to TokenEndpoint I have an error. The error response: {"error":"invalid_client","error_description":"Client authentication failed (e.g. unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the Authorization request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code, and include the WWW-Authenticate response header field matching the authentication scheme used by the client."} The tomcat log: 2015-06-28 14:37:27,584 TRACE [org.xdi.oxauth.service.SessionIdService] Found session_id cookie: '7184aac2-ef11-4394-bd18-e1f6ae149c27' 2015-06-28 14:37:27,596 TRACE [org.xdi.oxauth.service.SessionIdService] Try to get session by id: 7184aac2-ef11-4394-bd18-e1f6ae149c27 ... 2015-06-28 14:37:27,596 TRACE [org.xdi.oxauth.service.SessionIdService] Session dn: uniqueIdentifier=7184aac2-ef11-4394-bd18-e1f6ae149c27,ou=session,o=@!2D47.9549.29A6.B254!0001!4D90.88A3,o=gluu 2015-06-28 14:37:27,596 TRACE [org.xdi.oxauth.auth.Authenticator] authenticateBySessionId, sessionId = '7184aac2-ef11-4394-bd18-e1f6ae149c27', session = 'SessionId [dn=uniqueIdentifier=7184aac2-ef11-4394-bd18-e1f6ae149c27,ou=session,o=@!2D47.9549.29A6.B254!0001!4D90.88A3,o=gluu, id=7184aac2-ef11-4394-bd18-e1f6ae149c27, lastUsedAt=Sun Jun 28 14:30:20 UTC 2015, userDn=inum=@!2D47.9549.29A6.B254!0001!4D90.88A3!0000!A8F2.DE1E.D7FB,ou=people,o=@!2D47.9549.29A6.B254!0001!4D90.88A3,o=gluu, authenticationTime=Sun Jun 28 00:38:25 UTC 2015, state=authenticated, permissionGranted=null, permissionGrantedMap=org.xdi.oxauth.model.common.SessionIdAccessMap@1376835f, sessionAttributes={response_type=code id_token, scope=openid profile email user_name, nonce=nonce, redirect_uri=https://ce.gluu.info/identity/authentication/authcode, state=k3RBIuerDd4In3yXnpSQsqDO9NHjWyBJkXqMeYsDd7U, display=page, client_id=@!2D47.9549.29A6.B254!0008!7298.458B}]', state= 'authenticated' 2015-06-28 14:37:27,615 TRACE [org.xdi.oxauth.auth.AuthenticationFilter] Process Session Auth, sessionId = 7184aac2-ef11-4394-bd18-e1f6ae149c27, requireAuth = false 2015-06-28 14:37:27,618 DEBUG [xdi.oxauth.authorize.ws.rs.AuthorizeRestWebServiceImpl] Attempting to request authorization: responseType = code, clientId = @!2D47.9549.29A6.B254!0001!4D90.88A3!0008!D669.6616, scope = openid profile email, redirectUri = http://localhost:11223/iv.dev/oauthCallback.html?client_name=OidcClient, nonce = null, state = gfMvUE_GrPsxjZfp_wBhjJWCMnShINY5czOSJ-36FWA, request = null, isSecure = true, requestSessionId = null, sessionId = null 2015-06-28 14:37:27,619 DEBUG [xdi.oxauth.authorize.ws.rs.AuthorizeRestWebServiceImpl] Attempting to request authorization: acrValues = null, amrValues = null, originHeaders = {4} 2015-06-28 14:37:27,628 DEBUG [org.xdi.oxauth.service.ClientService] Found 1 entries for client id = @!2D47.9549.29A6.B254!0001!4D90.88A3!0008!D669.6616 2015-06-28 14:37:27,629 TRACE [org.xdi.oxauth.service.ClientService] Get client from cache by Dn 'inum=@!2D47.9549.29A6.B254!0001!4D90.88A3!0008!D669.6616,ou=clients,o=@!2D47.9549.29A6.B254!0001!4D90.88A3,o=gluu' 2015-06-28 14:37:27,629 DEBUG [org.xdi.oxauth.service.ClientService] Found 1 entries for client id = @!2D47.9549.29A6.B254!0001!4D90.88A3!0008!D669.6616 2015-06-28 14:37:27,629 DEBUG [org.xdi.oxauth.service.RedirectionUriService] Validating redirection URI: clientIdentifier = @!2D47.9549.29A6.B254!0001!4D90.88A3!0008!D669.6616, redirectionUri = http://localhost:11223/iv.dev/oauthCallback.html?client_name=OidcClient, found = 1 2015-06-28 14:37:27,629 DEBUG [org.xdi.oxauth.service.RedirectionUriService] Comparing http://localhost:11223/iv.dev/oauthCallback.html?client_name=OidcClient == http://localhost:11223/iv.dev/oauthCallback.html?client_name=OidcClient 2015-06-28 14:37:27,655 DEBUG [org.xdi.oxauth.model.common.AbstractAuthorizationGrant] Checking scopes policy for: openid profile email 2015-06-28 14:37:27,688 DEBUG [org.xdi.oxauth.model.common.AbstractAuthorizationGrant] Granted scopes: openid profile email 2015-06-28 14:37:31,688 INFO [org.xdi.oxauth.auth.AuthenticationFilter] Basic authentication failed org.gluu.site.ldap.persistence.exception.EntryPersistenceException: Failed to find entry: inum=%40%212D47.9549.29A6.B254%210001%214D90.88A3%210008%21D669.6616,ou=clients,o=@!2D47.9549.29A6.B254!0001!4D90.88A3,o=gluu at org.gluu.site.ldap.persistence.LdapEntryManager.find(LdapEntryManager.java:230) at org.gluu.site.ldap.persistence.AbstractEntryManager.find(AbstractEntryManager.java:427) at org.gluu.site.ldap.persistence.AbstractEntryManager.find(AbstractEntryManager.java:376) at org.gluu.site.ldap.persistence.AbstractEntryManager.find(AbstractEntryManager.java:365) at org.xdi.oxauth.service.ClientService.getClientByDn(ClientService.java:166) at org.xdi.oxauth.service.ClientService.getClient(ClientService.java:119) at sun.reflect.GeneratedMethodAccessor79.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.jboss.seam.util.Reflections.invoke(Reflections.java:22) at org.jboss.seam.intercept.RootInvocationContext.proceed(RootInvocationContext.java:32) at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:56) at org.jboss.seam.transaction.RollbackInterceptor.aroundInvoke(RollbackInterceptor.java:28) at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68) at org.jboss.seam.core.BijectionInterceptor.aroundInvoke(BijectionInterceptor.java:77) at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68) at org.jboss.seam.core.MethodContextInterceptor.aroundInvoke(MethodContextInterceptor.java:44) at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68) at org.jboss.seam.intercept.RootInterceptor.invoke(RootInterceptor.java:107) at org.jboss.seam.intercept.JavaBeanInterceptor.interceptInvocation(JavaBeanInterceptor.java:185) at org.jboss.seam.intercept.JavaBeanInterceptor.invoke(JavaBeanInterceptor.java:103) at org.xdi.oxauth.service.ClientService_$$_javassist_seam_10.getClient(ClientService_$$_javassist_seam_10.java) at org.xdi.oxauth.auth.AuthenticationFilter.processBasicAuth(AuthenticationFilter.java:158) at org.xdi.oxauth.auth.AuthenticationFilter.access$300(AuthenticationFilter.java:55) at org.xdi.oxauth.auth.AuthenticationFilter$1.process(AuthenticationFilter.java:85) at org.jboss.seam.servlet.ContextualHttpServletRequest.run(ContextualHttpServletRequest.java:65) at org.xdi.oxauth.auth.AuthenticationFilter.doFilter(AuthenticationFilter.java:69) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.jboss.seam.web.IdentityFilter.doFilter(IdentityFilter.java:40) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:90) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:64) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:73) at org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408) at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:190) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:745) 2015-06-28 14:37:31,692 DEBUG [org.xdi.oxauth.model.error.ErrorResponseFactory] Looking for the error with id: invalid_client 2015-06-28 14:37:31,693 DEBUG [org.xdi.oxauth.model.error.ErrorResponseFactory] Found error, id: invalid_client 2015-06-28 14:37:35,380 TRACE [org.xdi.service.custom.script.CustomScriptManager] Last finished time '6/28/15 2:37 PM' It seems like the client id when EntryPersistenceException happens is url-encoded - probably shouldn't be.