By: Steve Sobol user 26 Jul 2016 at 12:28 a.m. CDT

15 Responses
So, upon your recommendation, I've started using oxD for my project which uses OpenID Connect. It definitely seems far easier than communicating directly with the Gluu server, but I'm still having issues logging out, which is the same situation that led me to talk to you, and led you to suggest oxD in the first place. There are two separate issues.

**Issue #1.** Using oxD to determine the proper logout URI, I get a URI with a query string that includes a `session_state` query parameter. But the Gluu REST API requires the session to be passed using a parameter called `session_id`. This is not a big deal because after I obtain the logout URI from oxD, I can simply replace `session_state` with `session_id`.

**Issue #2** is a big problem, though. When I log a user in, if I do an LDAP query, I can see the session there.

```
uniqueIdentifier=SESSION-ID,ou=session,o=CLIENT-ID,o=gluu
```

Now if I take my modified logout URI (with the `session_id` query parameter replacing `session_state`), if I pull it up in a web browser, I can do another LDAP query and see that the session has, in fact, been destroyed, but instead of being redirected to my post-logout URI, I see this:

```
{"error":"invalid_request","error_description":"The request is missing a required parameter, includes an unsupported parameter or parameter value, repeats a parameter, or is otherwise malformed."}
```

But the session does get destroyed. The modified logout URI looks like this:

```
https://sso.lobosstudios.com/oxauth/seam/resource/restv1/oxauth/end_session?id_token_hint=ID_TOKEN&post_logout_redirect_uri=https://360.lobosstudios.com/end_session&state=97dd60a3-bbed-4181-b234-7c940b32e257&session_id=e54f784d-a19f-445c-8e4c-1624cfdfebe3
```

What am I missing?

Thanks

By Yuriy Zabrovarnyy staff 26 Jul 2016 at 5:36 a.m. CDT

Please attach full oxd-server.log and oxauth.log (located in tomcat/logs). I assume that session is removed but you are not post redirected because Gluu Server can't validate your post_logout_redirect_uri because you didn't register it during client registration. Check this `https://github.com/GluuFederation/oxd/blob/version_2.4.3/oxd-common/src/main/java/org/xdi/oxd/common/params/RegisterSiteParams.java#L17`

Thanks, Yuriy Z

By Steve Sobol user 26 Jul 2016 at 1:35 p.m. CDT

I am setting postLogoutRedirectUri. I logged in and then immediately logged out and captured the logs...

*oxd-server.log:*

```
2016-07-26 14:23:47,304 DEBUG [org.xdi.oxd.server.service.SocketService] Start new SocketProcessor...
2016-07-26 14:23:47,309 TRACE [org.xdi.oxd.server.SocketProcessor] Socket processor handling...
2016-07-26 14:23:47,310 TRACE [org.xdi.oxd.common.CoreUtils] commandSize: -1, stringStorage:
2016-07-26 14:23:48,034 TRACE [org.xdi.oxd.common.CoreUtils] Parsed sizeString: 0606, commandSize: 606
2016-07-26 14:23:48,034 TRACE [org.xdi.oxd.common.CoreUtils] Read result: ReadResult{m_command='{"command":"register_site","params":{"scope":["openid","email"],"contacts":null,"authorization_redirect_uri":"https://360.lobosstudios.com/callback","post_logout_redirect_uri":"https://360.lobosstudios.com/end_session","application_type":null,"redirect_uris":null,"response_types":null,"client_id":"@!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C","client_secret":"test","client_jwks_uri":null,"client_token_endpoint_auth_method":null,"client_request_uris":null,"client_logout_uris":null,"client_sector_identifier_uri":null,"ui_locales":null,"claims_locales":null,"acr_values":null,"grant_types":null}}', m_leftString=''}
2016-07-26 14:23:48,035 TRACE [org.xdi.oxd.server.Processor] Command: {"command":"register_site","params":{"scope":["openid","email"],"contacts":null,"authorization_redirect_uri":"https://360.lobosstudios.com/callback","post_logout_redirect_uri":"https://360.lobosstudios.com/end_session","application_type":null,"redirect_uris":null,"response_types":null,"client_id":"@!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C","client_secret":"test","client_jwks_uri":null,"client_token_endpoint_auth_method":null,"client_request_uris":null,"client_logout_uris":null,"client_sector_identifier_uri":null,"ui_locales":null,"claims_locales":null,"acr_values":null,"grant_types":null}}
2016-07-26 14:23:48,536 INFO [org.xdi.oxd.server.op.RegisterSiteOperation] Creating site configuration ...
2016-07-26 14:23:48,539 INFO [org.xdi.oxd.server.op.RegisterSiteOperation] Site configuration created: SiteConfiguration{acrValues=[], oxdId='130c97a7-0125-4e91-9af0-3822f5f25ba9', authorizationRedirectUri='https://360.lobosstudios.com/callback', applicationType='web', sectorIdentifierUri='null', redirectUris=null, responseTypes=[code, id_token, token], clientId='@!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C', clientSecret='test', scope=[openid, email], uiLocales=[en], claimsLocales=[en], grantType=null, contacts=null}
2016-07-26 14:23:48,539 TRACE [org.xdi.oxd.server.Processor] Send back response: {"status":"ok","data":{"oxd_id":"130c97a7-0125-4e91-9af0-3822f5f25ba9"}}
2016-07-26 14:23:48,540 TRACE [org.xdi.oxd.server.SocketProcessor] Socket processor handling...
2016-07-26 14:23:48,540 TRACE [org.xdi.oxd.common.CoreUtils] commandSize: -1, stringStorage:
2016-07-26 14:23:48,705 TRACE [org.xdi.oxd.common.CoreUtils] Parsed sizeString: 0112, commandSize: 112
2016-07-26 14:23:48,705 TRACE [org.xdi.oxd.common.CoreUtils] Read result: ReadResult{m_command='{"command":"get_authorization_url","params":{"oxd_id":"130c97a7-0125-4e91-9af0-3822f5f25ba9","acr_values":null}}', m_leftString=''}
2016-07-26 14:23:48,706 TRACE [org.xdi.oxd.server.Processor] Command: {"command":"get_authorization_url","params":{"oxd_id":"130c97a7-0125-4e91-9af0-3822f5f25ba9","acr_values":null}}
2016-07-26 14:23:49,207 TRACE [org.xdi.oxd.server.Processor] Send back response: {"status":"ok","data":{"authorization_url":"https://sso.lobosstudios.com/oxauth/authorize?response_type=code+id_token+token&client_id=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C&client_secret=test&redirect_uri=https://360.lobosstudios.com/callback&scope=openid+email&state=af0ifjsldkj&nonce=n-0S6_WzA2Mj&acr_values="}}
2016-07-26 14:23:49,207 TRACE [org.xdi.oxd.server.SocketProcessor] Socket processor handling...
2016-07-26 14:23:49,208 TRACE [org.xdi.oxd.common.CoreUtils] commandSize: -1, stringStorage:
2016-07-26 14:23:49,336 TRACE [org.xdi.oxd.common.CoreUtils] End of stream. Quit.
2016-07-26 14:23:49,336 TRACE [org.xdi.oxd.server.SocketProcessor] Quit. Read result is null or command string is blank.
2016-07-26 14:23:57,259 DEBUG [org.xdi.oxd.server.service.SocketService] Start new SocketProcessor...
2016-07-26 14:23:57,262 TRACE [org.xdi.oxd.server.SocketProcessor] Socket processor handling...
2016-07-26 14:23:57,262 TRACE [org.xdi.oxd.common.CoreUtils] commandSize: -1, stringStorage:
2016-07-26 14:23:57,262 TRACE [org.xdi.oxd.common.CoreUtils] Parsed sizeString: 0164, commandSize: 164
2016-07-26 14:23:57,262 TRACE [org.xdi.oxd.common.CoreUtils] Read result: ReadResult{m_command='{"command":"get_tokens_by_code","params":{"code":"a96483ab-d3ba-4c2a-9028-7871080a8cc3","state":null,"scopes":null,"oxd_id":"130c97a7-0125-4e91-9af0-3822f5f25ba9"}}', m_leftString=''}
2016-07-26 14:23:57,262 TRACE [org.xdi.oxd.server.Processor] Command: {"command":"get_tokens_by_code","params":{"code":"a96483ab-d3ba-4c2a-9028-7871080a8cc3","state":null,"scopes":null,"oxd_id":"130c97a7-0125-4e91-9af0-3822f5f25ba9"}}
2016-07-26 14:23:57,764 TRACE [org.xdi.oxd.server.service.HttpService] Created TRUST_ALL client.
2016-07-26 14:23:58,194 TRACE [org.xdi.oxd.server.Processor] Send back response: {"status":"ok","data":{"access_token":"1fafb247-99c7-4a69-abe1-1c59642d1a0d","expires_in":299,"id_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjZjZDBkNzY5LTMxNWQtNDVmOS04Nzk2LTczODI0M2VjOWQ0ZiJ9.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.cPWh4I0Dp0tz_BDy9K3e0_pOjqROajwl0sUxcTws9GL4Thovs0RSurqLPWugE8xH8ErMPhkyHyFRNzS3daV7Bq6ot7q9Hy7DJPAkrO72inWssOxPRpxi24Gs-4FIgmNZt1j-zDefYtwvfgq3p9LeqnxP_FT5Ekj46NY_2aXgvbp_fsYn8NW4pWODWB8oanrAs7xJ1k0T4lJMsJAA3tTVb_e7XJ4FkEFU5zuDTxU_Dx5umEb7Q4sT_oL3FnelhxDApmRJBwdGdfD-_LhD1Hgo8JtRUGoNKrD_hMqC6Jjw-qXnzedhmNMFWKbS73UhMLEBjqdrDA0l3vl2zBs5yUpGxQ","refresh_token":"ba2f9f34-033c-485e-b4e3-7da8b8d62b06","id_token_claims":{"auth_time":["1469557436"],"oxValidationURI":["https://sso.lobosstudios.com/oxauth/opiframe"],"exp":["1469561037"],"sub":["a96bd573-b785-4e70-915b-93e57c0bba50"],"inum":["@!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0000!CF07.8FEE"],"email":["steve@lobosstudios.com"],"at_hash":["tVa1dgjKZwk53Yc_dEaRSQ"],"nonce":["n-0S6_WzA2Mj"],"aud":["@!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C"],"iss":["https://sso.lobosstudios.com"],"oxOpenIDConnectVersion":["openidconnect-1.0"],"iat":["1469557437"]}}}
2016-07-26 14:23:58,194 TRACE [org.xdi.oxd.server.SocketProcessor] Socket processor handling...
2016-07-26 14:23:58,196 TRACE [org.xdi.oxd.common.CoreUtils] commandSize: -1, stringStorage:
2016-07-26 14:23:58,348 TRACE [org.xdi.oxd.common.CoreUtils] Parsed sizeString: 1334, commandSize: 1334
2016-07-26 14:23:58,348 TRACE [org.xdi.oxd.common.CoreUtils] Read result: ReadResult{m_command='{"command":"get_logout_uri","params":{"state":"6c9d8278-702e-4f12-a295-5fedba1067c6","oxd_id":"130c97a7-0125-4e91-9af0-3822f5f25ba9","id_token_hint":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjZjZDBkNzY5LTMxNWQtNDVmOS04Nzk2LTczODI0M2VjOWQ0ZiJ9.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.cPWh4I0Dp0tz_BDy9K3e0_pOjqROajwl0sUxcTws9GL4Thovs0RSurqLPWugE8xH8ErMPhkyHyFRNzS3daV7Bq6ot7q9Hy7DJPAkrO72inWssOxPRpxi24Gs-4FIgmNZt1j-zDefYtwvfgq3p9LeqnxP_FT5Ekj46NY_2aXgvbp_fsYn8NW4pWODWB8oanrAs7xJ1k0T4lJMsJAA3tTVb_e7XJ4FkEFU5zuDTxU_Dx5umEb7Q4sT_oL3FnelhxDApmRJBwdGdfD-_LhD1Hgo8JtRUGoNKrD_hMqC6Jjw-qXnzedhmNMFWKbS73UhMLEBjqdrDA0l3vl2zBs5yUpGxQ","post_logout_redirect_uri":"https://360.lobosstudios.com/end_session","session_state":"019ee9b1-9c8c-4756-82fa-84184cae60b0"}}', m_leftString=''}
2016-07-26 14:23:58,348 TRACE [org.xdi.oxd.server.Processor] Command: {"command":"get_logout_uri","params":{"state":"6c9d8278-702e-4f12-a295-5fedba1067c6","oxd_id":"130c97a7-0125-4e91-9af0-3822f5f25ba9","id_token_hint":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjZjZDBkNzY5LTMxNWQtNDVmOS04Nzk2LTczODI0M2VjOWQ0ZiJ9.eyJpc3MiOiJodHRwczovL3Nzby5sb2Jvc3N0dWRpb3MuY29tIiwiYXVkIjoiQCEyOTIwLkZBRDIuRkIzOC45QkM1ITAwMDEhOTIyNy4wRTNEITAwMDghOUVDNi43QjZDIiwiZXhwIjoxNDY5NTYxMDM3LCJpYXQiOjE0Njk1NTc0MzcsIm5vbmNlIjoibi0wUzZfV3pBMk1qIiwiYXV0aF90aW1lIjoxNDY5NTU3NDM2LCJhdF9oYXNoIjoidFZhMWRnaktad2s1M1ljX2RFYVJTUSIsIm94VmFsaWRhdGlvblVSSSI6Imh0dHBzOi8vc3NvLmxvYm9zc3R1ZGlvcy5jb20vb3hhdXRoL29waWZyYW1lIiwib3hPcGVuSURDb25uZWN0VmVyc2lvbiI6Im9wZW5pZGNvbm5lY3QtMS4wIiwiZW1haWwiOiJzdGV2ZUBsb2Jvc3N0dWRpb3MuY29tIiwiaW51bSI6IkAhMjkyMC5GQUQyLkZCMzguOUJDNSEwMDAxITkyMjcuMEUzRCEwMDAwIUNGMDcuOEZFRSIsInN1YiI6ImE5NmJkNTczLWI3ODUtNGU3MC05MTViLTkzZTU3YzBiYmE1MCJ9.cPWh4I0Dp0tz_BDy9K3e0_pOjqROajwl0sUxcTws9GL4Thovs0RSurqLPWugE8xH8ErMPhkyHyFRNzS3daV7Bq6ot7q9Hy7DJPAkrO72inWssOxPRpxi24Gs-4FIgmNZt1j-zDefYtwvfgq3p9LeqnxP_FT5Ekj46NY_2aXgvbp_fsYn8NW4pWODWB8oanrAs7xJ1k0T4lJMsJAA3tTVb_e7XJ4FkEFU5zuDTxU_Dx5umEb7Q4sT_oL3FnelhxDApmRJBwdGdfD-_LhD1Hgo8JtRUGoNKrD_hMqC6Jjw-qXnzedhmNMFWKbS73UhMLEBjqdrDA0l3vl2zBs5yUpGxQ","post_logout_redirect_uri":"https://360.lobosstudios.com/end_session","session_state":"019ee9b1-9c8c-4756-82fa-84184cae60b0"}}
2016-07-26 14:23:58,849 TRACE [org.xdi.oxd.server.Processor] Send back response: {"status":"ok","data":{"uri":"https://sso.lobosstudios.com/oxauth/seam/resource/restv1/oxauth/end_session?id_token_hint=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjZjZDBkNzY5LTMxNWQtNDVmOS04Nzk2LTczODI0M2VjOWQ0ZiJ9.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.cPWh4I0Dp0tz_BDy9K3e0_pOjqROajwl0sUxcTws9GL4Thovs0RSurqLPWugE8xH8ErMPhkyHyFRNzS3daV7Bq6ot7q9Hy7DJPAkrO72inWssOxPRpxi24Gs-4FIgmNZt1j-zDefYtwvfgq3p9LeqnxP_FT5Ekj46NY_2aXgvbp_fsYn8NW4pWODWB8oanrAs7xJ1k0T4lJMsJAA3tTVb_e7XJ4FkEFU5zuDTxU_Dx5umEb7Q4sT_oL3FnelhxDApmRJBwdGdfD-_LhD1Hgo8JtRUGoNKrD_hMqC6Jjw-qXnzedhmNMFWKbS73UhMLEBjqdrDA0l3vl2zBs5yUpGxQ&post_logout_redirect_uri=https://360.lobosstudios.com/end_session&state=6c9d8278-702e-4f12-a295-5fedba1067c6&session_state=019ee9b1-9c8c-4756-82fa-84184cae60b0"}}
2016-07-26 14:23:58,850 TRACE [org.xdi.oxd.server.SocketProcessor] Socket processor handling...
2016-07-26 14:23:58,850 TRACE [org.xdi.oxd.common.CoreUtils] commandSize: -1, stringStorage:
2016-07-26 14:23:58,972 TRACE [org.xdi.oxd.common.CoreUtils] End of stream. Quit.
2016-07-26 14:23:58,972 TRACE [org.xdi.oxd.server.SocketProcessor] Quit. Read result is null or command string is blank.
```

By Steve Sobol user 26 Jul 2016 at 1:36 p.m. CDT

*oxauth.log:*

```
2016-07-26 18:23:56,425 INFO [org.xdi.oxauth.service.AuthenticationService] Attempting to redirect user. SessionUser: SessionState, dn='uniqueIdentifier=019ee9b1-9c8c-4756-82fa-84184cae60b0,ou=session,o=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D,o=gluu', id='019ee9b1-9c8c-4756-82fa-84184cae60b0', lastUsedAt=Tue Jul 26 18:23:56 UTC 2016, userDn='inum=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0000!CF07.8FEE,ou=people,o=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D,o=gluu', authenticationTime=Tue Jul 26 18:23:56 UTC 2016, state=authenticated, permissionGranted=null, permissionGrantedMap=null, sessionAttributes={response_type=code id_token token, scope=openid email, redirect_uri=https://360.lobosstudios.com/callback, nonce=n-0S6_WzA2Mj, state=af0ifjsldkj, auth_step=1, client_id=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C, acr=internal, acr_values=}, persisted=true}
2016-07-26 18:23:56,430 INFO [org.xdi.oxauth.service.AuthenticationService] Attempting to redirect user. User: org.xdi.oxauth.model.common.User@aa8415c
2016-07-26 18:23:56,437 INFO [org.xdi.oxauth.auth.Authenticator] Authentication success for User: 'test'
2016-07-26 18:23:57,898 INFO [org.xdi.oxauth.auth.Authenticator] Authentication success for Client: '@!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C'
```

Note that there are no errors logged in oxauth.log when I log out.

By Steve Sobol user 26 Jul 2016 at 1:39 p.m. CDT

Ignore the difference in time zones, too, please. The server currently running oxD is not going to be where I ultimately run oxD once I have all the bugs worked out, and I didn't set the proper time zone on that server.

By Yuriy Zabrovarnyy staff 27 Jul 2016 at 2:41 a.m. CDT

I don't see validation logs in your oxauth.log. `https://github.com/GluuFederation/oxAuth/blob/master/Server/src/main/java/org/xdi/oxauth/service/RedirectionUriService.java#L117`

It seems log level for your oxauth is set to INFO. Please change it to TRACE and run scenario again, it should print trace logs in oxauth.log. For Gluu Server 2.4.3

```
1. service gluu-server-2.4.3 login
2. service tomcat stop
3. vi /opt/tomcat/webapps/oxauth/WEB-INF/classes/log4j.xml
4. change log level from INFO to TRACE
   <category name="org.xdi.oxauth">
       <priority value="TRACE"></priority>
   </category>
5. service tomcat start
```

In addition to that can you check your client ldif for `"client_id":"@!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C"`

Thanks, Yuriy Z

By Yuriy Zabrovarnyy staff 27 Jul 2016 at 2:58 a.m. CDT

I see you specified client_id which means you avoid new client registration. Would you please try to omit client_id and secret so oxd will register new client for you?

```
"client_id":"@!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C","client_secret":"test"
```

Of course ldif of `@!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C` would clarify situation.

Thanks, Yuriy Z

By Steve Sobol user 28 Jul 2016 at 11:20 p.m. CDT

```
dn: inum=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C,ou=clients,o=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D,o=gluu
objectClass: oxAuthClient
objectClass: top
oxAuthScope: inum=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0009!764C,ou=scopes,o=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D,o=gluu
oxAuthScope: inum=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0009!F0C4,ou=scopes,o=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D,o=gluu
oxPersistClientAuthorizations: true
oxLastLogonTime: 20160727061716.007Z
oxAuthResponseType: code
oxAuthResponseType: token
oxAuthResponseType: id_token
oxAuthLogoutSessionRequired: true
oxAuthAppType: web
oxAuthTrustedClient: false
oxAuthClientSecret: (client secret)
oxAuthRequireAuthTime: true
oxAuthSubjectType: pairwise
oxLastAccessTime: 20160727061716.007Z
oxAuthTokenEndpointAuthMethod: client_secret_basic
oxAuthRedirectURI: https://360.lobosstudios.com/callback
oxAuthLogoURI: https://sso.lobosstudios.com/oxauth/img/sso-logo.png
displayName: The Lobos 360 Client and Business Partner Portal
inum: @!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C
```
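The check discussed in the replies above, as an added example that is not part of any post in this thread and is not Gluu or oxd code: it parses a client LDIF entry and reports whether the `post_logout_redirect_uri` carried by an end_session URL is registered on that client. The attribute name `oxAuthPostLogoutRedirectURI`, the exact-string comparison (modelled on the `Comparing ... == ...` log line for redirect URIs) and the function names are assumptions.

```python
import base64
from urllib.parse import parse_qs, urlsplit

# Assumption: the client attribute that stores registered post-logout
# redirect URIs. It does not appear in the LDIF posted in this thread.
POST_LOGOUT_ATTR = "oxAuthPostLogoutRedirectURI"

# Trimmed copy of the client entry posted above (scopes and secret omitted,
# dn folded onto two lines for width).
CLIENT_LDIF = """\
dn: inum=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C,ou=clients,
 o=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D,o=gluu
objectClass: oxAuthClient
oxAuthLogoutSessionRequired: true
oxAuthRedirectURI: https://360.lobosstudios.com/callback
inum: @!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C
"""

# Logout URL from the first post, with the placeholder the poster used.
LOGOUT_URL = (
    "https://sso.lobosstudios.com/oxauth/seam/resource/restv1/oxauth/end_session"
    "?id_token_hint=ID_TOKEN"
    "&post_logout_redirect_uri=https://360.lobosstudios.com/end_session"
    "&state=97dd60a3-bbed-4181-b234-7c940b32e257"
    "&session_id=e54f784d-a19f-445c-8e4c-1624cfdfebe3"
)


def parse_ldif_entry(text):
    """Parse one LDIF entry into {lowercased attribute: [values]}.

    Unfolds continuation lines (they start with a single space), skips
    comments and blank lines, and decodes base64 values ("attr:: ...").
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            unfolded.append(raw)
    entry = {}
    for line in unfolded:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    return entry


def check_logout_url(logout_url, entry):
    """Return a list of findings; an empty list means nothing was flagged."""
    query = parse_qs(urlsplit(logout_url).query, keep_blank_values=True)
    findings = []

    # The error text quoted in the first post mentions repeated parameters.
    repeated = sorted(k for k, v in query.items() if len(v) > 1)
    if repeated:
        findings.append("request repeats parameter(s): " + ", ".join(repeated))

    requested = query.get("post_logout_redirect_uri", [])
    registered = entry.get(POST_LOGOUT_ATTR.lower(), [])
    if len(requested) != 1:
        if not requested:
            findings.append("post_logout_redirect_uri is missing from the URL")
    elif not registered:
        findings.append(
            "client entry has no %s value, so %s cannot be validated"
            % (POST_LOGOUT_ATTR, requested[0])
        )
    elif requested[0] not in registered:
        findings.append(
            "%s is not an exact match for any registered value: %s"
            % (requested[0], ", ".join(registered))
        )
    return findings


if __name__ == "__main__":
    for finding in check_logout_url(LOGOUT_URL, parse_ldif_entry(CLIENT_LDIF)):
        print("FINDING:", finding)
```

Run against the entry as posted, the check reports that the client carries no post-logout redirect value at all.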

By Steve Sobol user 29 Jul 2016 at 2:18 a.m. CDT

Ok. One thing at a time. :) More detailed logs, with log4j.xml set to TRACE ``` 2016-07-29 07:14:21,325 TRACE [org.xdi.oxauth.service.SessionStateService] Found session_state cookie: '3cdf831b-edb2-4927-bf67-d526d4093363' 2016-07-29 07:14:21,362 DEBUG [org.xdi.oxauth.service.AppInitializer] Created ldapAuthEntryManager1: org.gluu.site.ldap.persistence.LdapEntryManager@7f7e089a 2016-07-29 07:14:21,376 DEBUG [org.xdi.oxauth.service.external.ExternalAuthenticationService] Executing python 'getPageForStep' authenticator method 2016-07-29 07:14:21,380 TRACE [org.xdi.oxauth.service.SessionStateService] Generated new session, id = 'c4a749a2-a324-40e9-a52a-46db30902bcd', state = 'unauthenticated', persisted = 'false' 2016-07-29 07:14:21,463 TRACE [xdi.oxauth.authorize.ws.rs.AuthorizeAction] Session 'c4a749a2-a324-40e9-a52a-46db30902bcd' persisted to LDAP 2016-07-29 07:14:21,577 TRACE [org.xdi.oxauth.service.SessionStateService] Found session_state cookie: 'c4a749a2-a324-40e9-a52a-46db30902bcd' 2016-07-29 07:14:21,602 TRACE [org.xdi.oxauth.service.SessionStateService] Try to get session by id: c4a749a2-a324-40e9-a52a-46db30902bcd ... 
2016-07-29 07:14:21,602 TRACE [org.xdi.oxauth.service.SessionStateService] Session dn: uniqueIdentifier=c4a749a2-a324-40e9-a52a-46db30902bcd,ou=session,o=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D,o=gluu 2016-07-29 07:14:21,609 DEBUG [org.xdi.oxauth.service.external.ExternalAuthenticationService] Validating auth_mode: 'internal' 2016-07-29 07:14:21,610 DEBUG [org.xdi.oxauth.service.external.ExternalAuthenticationService] Executing python 'isValidAuthenticationMethod' authenticator method 2016-07-29 07:14:21,612 DEBUG [org.xdi.oxauth.service.external.ExternalAuthenticationService] Executing python 'prepareForStep' authenticator method 2016-07-29 07:14:21,613 DEBUG [org.xdi.oxauth.service.external.ExternalAuthenticationService] Executing python 'getExtraParametersForStep' authenticator method 2016-07-29 07:14:22,635 DEBUG [org.xdi.oxauth.service.ClientService] Found 1 entries for client id = @!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C 2016-07-29 07:14:22,638 TRACE [org.xdi.oxauth.service.ClientService] Get client from cache by Dn 'inum=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C,ou=clients,o=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D,o=gluu' 2016-07-29 07:14:22,639 DEBUG [org.xdi.oxauth.service.ClientService] Found 1 entries for client id = @!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C 2016-07-29 07:14:22,642 TRACE [org.xdi.oxauth.service.ClientService] Get client from cache by Dn 'inum=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C,ou=clients,o=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D,o=gluu' 2016-07-29 07:14:22,642 DEBUG [org.xdi.oxauth.service.ClientService] Found 1 entries for client id = @!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C 2016-07-29 07:14:22,645 TRACE [org.xdi.oxauth.service.ClientService] Get client from cache by Dn 'inum=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C,ou=clients,o=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D,o=gluu' 2016-07-29 07:14:22,645 DEBUG [org.xdi.oxauth.service.ClientService] Found 1 entries for client id = 
@!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C 2016-07-29 07:14:22,648 TRACE [org.xdi.oxauth.service.ClientService] Get client from cache by Dn 'inum=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C,ou=clients,o=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D,o=gluu' 2016-07-29 07:14:22,648 DEBUG [org.xdi.oxauth.service.ClientService] Found 1 entries for client id = @!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C 2016-07-29 07:14:22,651 TRACE [org.xdi.oxauth.service.ClientService] Get client from cache by Dn 'inum=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C,ou=clients,o=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D,o=gluu' 2016-07-29 07:14:22,651 DEBUG [org.xdi.oxauth.service.ClientService] Found 1 entries for client id = @!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C 2016-07-29 07:14:22,705 TRACE [org.xdi.oxauth.service.ClientService] Get client from cache by Dn 'inum=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C,ou=clients,o=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D,o=gluu' 2016-07-29 07:14:22,706 DEBUG [org.xdi.oxauth.service.ClientService] Found 1 entries for client id = @!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C 2016-07-29 07:14:22,717 TRACE [org.xdi.oxauth.service.ClientService] Get client from cache by Dn 'inum=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C,ou=clients,o=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D,o=gluu' 2016-07-29 07:14:22,717 DEBUG [org.xdi.oxauth.service.ClientService] Found 1 entries for client id = @!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C 2016-07-29 07:14:35,194 TRACE [org.xdi.oxauth.service.SessionStateService] Found session_state cookie: 'c4a749a2-a324-40e9-a52a-46db30902bcd' 2016-07-29 07:14:35,207 TRACE [org.xdi.oxauth.service.SessionStateService] Try to get session by id: c4a749a2-a324-40e9-a52a-46db30902bcd ... 
2016-07-29 07:14:35,207 TRACE [org.xdi.oxauth.service.SessionStateService] Session dn: uniqueIdentifier=c4a749a2-a324-40e9-a52a-46db30902bcd,ou=session,o=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D,o=gluu 2016-07-29 07:14:35,210 DEBUG [org.xdi.oxauth.service.external.ExternalAuthenticationService] Executing python 'authenticate' authenticator method 2016-07-29 07:14:35,218 DEBUG [org.xdi.oxauth.service.AuthenticationService] Authenticating user with LDAP: username: test 2016-07-29 07:14:35,240 DEBUG [org.xdi.oxauth.service.AuthenticationService] Attempting to find userDN by primary key: 'uid' and key value: 'test' 2016-07-29 07:14:35,241 DEBUG [org.xdi.oxauth.service.AuthenticationService] Getting user information from LDAP: attributeName = 'uid', attributeValue = 'test' 2016-07-29 07:14:35,282 DEBUG [org.xdi.oxauth.service.AuthenticationService] Found '1' entries 2016-07-29 07:14:35,291 DEBUG [org.xdi.oxauth.service.AuthenticationService] Attempting to authenticate userDN: inum=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0000!CF07.8FEE,ou=people,o=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D,o=gluu 2016-07-29 07:14:35,295 DEBUG [org.xdi.oxauth.service.AuthenticationService] User authenticated: inum=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0000!CF07.8FEE,ou=people,o=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D,o=gluu 2016-07-29 07:14:35,295 DEBUG [org.xdi.oxauth.service.AuthenticationService] Attempting to find userDN by local primary key: uid 2016-07-29 07:14:35,297 DEBUG [org.xdi.oxauth.service.UserService] Getting user information from LDAP: attributeName = 'uid', attributeValue = 'test' 2016-07-29 07:14:35,306 DEBUG [org.xdi.oxauth.service.UserService] Found '1' entries 2016-07-29 07:14:35,331 DEBUG [org.xdi.oxauth.auth.Authenticator] Authentication result for user 'test'. 
auth_step: '1', result: 'true' 2016-07-29 07:14:35,333 DEBUG [org.xdi.oxauth.service.external.ExternalAuthenticationService] Executing python 'getCountAuthenticationSteps' authenticator method 2016-07-29 07:14:35,371 TRACE [org.xdi.oxauth.service.SessionStateService] Authenticated session, id = 'c4a749a2-a324-40e9-a52a-46db30902bcd', state = 'authenticated', persisted = 'true' 2016-07-29 07:14:35,373 DEBUG [org.xdi.oxauth.auth.Authenticator] Sending event to trigger user redirection: 'test' 2016-07-29 07:14:35,377 INFO [org.xdi.oxauth.service.AuthenticationService] Attempting to redirect user. SessionUser: SessionState, dn='uniqueIdentifier=c4a749a2-a324-40e9-a52a-46db30902bcd,ou=session,o=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D,o=gluu', id='c4a749a2-a324-40e9-a52a-46db30902bcd', lastUsedAt=Fri Jul 29 07:14:35 UTC 2016, userDn='inum=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0000!CF07.8FEE,ou=people,o=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D,o=gluu', authenticationTime=Fri Jul 29 07:14:35 UTC 2016, state=authenticated, permissionGranted=null, permissionGrantedMap=null, sessionAttributes={response_type=code id_token token, scope=openid email, redirect_uri=https://360.lobosstudios.com/callback, nonce=n-0S6_WzA2Mj, state=af0ifjsldkj, auth_step=1, client_id=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C, acr=internal, acr_values=}, persisted=true} 2016-07-29 07:14:35,383 INFO [org.xdi.oxauth.service.AuthenticationService] Attempting to redirect user. User: org.xdi.oxauth.model.common.User@2c837b0b 2016-07-29 07:14:35,384 TRACE [org.xdi.oxauth.service.AuthenticationService] Logged in successfully! 
User: org.xdi.oxauth.model.common.User@2c837b0b, page: /authorize.xhtml, map: {scope=openid email, response_type=code id_token token, nonce=n-0S6_WzA2Mj, redirect_uri=https://360.lobosstudios.com/callback, state=af0ifjsldkj, client_id=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C, acr_values=} 2016-07-29 07:14:35,429 INFO [org.xdi.oxauth.auth.Authenticator] Authentication success for User: 'test' 2016-07-29 07:14:35,430 TRACE [org.xdi.oxauth.auth.Authenticator] Authentication successfully for 'test' 2016-07-29 07:14:35,599 TRACE [org.xdi.oxauth.service.SessionStateService] Found session_state cookie: 'c4a749a2-a324-40e9-a52a-46db30902bcd' 2016-07-29 07:14:35,631 TRACE [org.xdi.oxauth.service.SessionStateService] Try to get session by id: c4a749a2-a324-40e9-a52a-46db30902bcd ... 2016-07-29 07:14:35,632 TRACE [org.xdi.oxauth.service.SessionStateService] Session dn: uniqueIdentifier=c4a749a2-a324-40e9-a52a-46db30902bcd,ou=session,o=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D,o=gluu 2016-07-29 07:14:35,639 TRACE [org.xdi.oxauth.service.ClientService] Get client from cache by Dn 'inum=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C,ou=clients,o=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D,o=gluu' 2016-07-29 07:14:35,640 DEBUG [org.xdi.oxauth.service.ClientService] Found 1 entries for client id = @!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C 2016-07-29 07:14:35,643 TRACE [org.xdi.oxauth.service.ClientService] Get client from cache by Dn 'inum=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C,ou=clients,o=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D,o=gluu' 2016-07-29 07:14:35,643 DEBUG [org.xdi.oxauth.service.ClientService] Found 1 entries for client id = @!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C 2016-07-29 07:14:35,644 DEBUG [org.xdi.oxauth.service.RedirectionUriService] Validating redirection URI: clientIdentifier = @!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C, redirectionUri = https://360.lobosstudios.com/callback, found = 1 2016-07-29 07:14:35,645 DEBUG 
[org.xdi.oxauth.service.RedirectionUriService] Comparing https://360.lobosstudios.com/callback == https://360.lobosstudios.com/callback 2016-07-29 07:14:35,660 TRACE [xdi.oxauth.authorize.ws.rs.AuthorizeAction] checkPermissionGranted, user = org.xdi.oxauth.model.common.User@f2b52bd 2016-07-29 07:14:35,703 TRACE [org.xdi.oxauth.service.ClientService] Get client from cache by Dn 'inum=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C,ou=clients,o=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D,o=gluu' 2016-07-29 07:14:35,704 DEBUG [org.xdi.oxauth.service.ClientService] Found 1 entries for client id = @!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C 2016-07-29 07:14:35,869 TRACE [xdi.oxauth.authorize.ws.rs.AuthorizeAction] permissionGranted, redirectTo: seam/resource/restv1/oxauth/authorize?scope=openid+email&response_type=code+id_token+token&nonce=n-0S6_WzA2Mj&redirect_uri=https%3A%2F%2F360.lobosstudios.com%2Fcallback&state=af0ifjsldkj&client_id=%40%212920.FAD2.FB38.9BC5%210001%219227.0E3D%210008%219EC6.7B6C 2016-07-29 07:14:36,020 TRACE [org.xdi.oxauth.service.SessionStateService] Found session_state cookie: 'c4a749a2-a324-40e9-a52a-46db30902bcd' 2016-07-29 07:14:36,059 TRACE [org.xdi.oxauth.service.SessionStateService] Try to get session by id: c4a749a2-a324-40e9-a52a-46db30902bcd ... 2016-07-29 07:14:36,060 TRACE [org.xdi.oxauth.service.SessionStateService] Session dn: uniqueIdentifier=c4a749a2-a324-40e9-a52a-46db30902bcd,ou=session,o=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D,o=gluu 2016-07-29 07:14:36,091 TRACE [org.xdi.oxauth.service.SessionStateService] Try to get session by id: c4a749a2-a324-40e9-a52a-46db30902bcd ... 
2016-07-29 07:14:36,091 TRACE [org.xdi.oxauth.service.SessionStateService] Session dn: uniqueIdentifier=c4a749a2-a324-40e9-a52a-46db30902bcd,ou=session,o=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D,o=gluu 2016-07-29 07:14:36,093 TRACE [org.xdi.oxauth.auth.Authenticator] authenticateBySessionState, sessionState = 'c4a749a2-a324-40e9-a52a-46db30902bcd', session = 'SessionState, dn='uniqueIdentifier=c4a749a2-a324-40e9-a52a-46db30902bcd,ou=session,o=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D,o=gluu', id='c4a749a2-a324-40e9-a52a-46db30902bcd', lastUsedAt=Fri Jul 29 07:14:35 UTC 2016, userDn='inum=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0000!CF07.8FEE,ou=people,o=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D,o=gluu', authenticationTime=Fri Jul 29 07:14:35 UTC 2016, state=authenticated, permissionGranted=null, permissionGrantedMap=org.xdi.oxauth.model.common.SessionIdAccessMap@781798b6, sessionAttributes={response_type=code id_token token, scope=openid email, redirect_uri=https://360.lobosstudios.com/callback, nonce=n-0S6_WzA2Mj, state=af0ifjsldkj, auth_step=1, client_id=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C, acr=internal, acr_values=}, persisted=false}', state= 'authenticated' 2016-07-29 07:14:36,170 TRACE [org.xdi.oxauth.auth.AuthenticationFilter] Process Session Auth, sessionState = c4a749a2-a324-40e9-a52a-46db30902bcd, requireAuth = false 2016-07-29 07:14:36,207 DEBUG [xdi.oxauth.authorize.ws.rs.AuthorizeRestWebServiceImpl] Attempting to request authorization: responseType = code id_token token, clientId = @!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C, scope = openid email, redirectUri = https://360.lobosstudios.com/callback, nonce = n-0S6_WzA2Mj, state = af0ifjsldkj, request = null, isSecure = true, requestSessionState = null, sessionState = null 2016-07-29 07:14:36,213 DEBUG [xdi.oxauth.authorize.ws.rs.AuthorizeRestWebServiceImpl] Attempting to request authorization: acrValues = null, amrValues = null, originHeaders = null, codeChallenge = {5}, codeChallengeMethod = {6} 
2016-07-29 07:14:36,222 TRACE [org.xdi.oxauth.service.ClientService] Get client from cache by Dn 'inum=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C,ou=clients,o=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D,o=gluu' 2016-07-29 07:14:36,229 DEBUG [org.xdi.oxauth.service.ClientService] Found 1 entries for client id = @!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C 2016-07-29 07:14:36,237 DEBUG [org.xdi.oxauth.model.authorize.ScopeChecker] Checking scopes policy for: openid email 2016-07-29 07:14:36,293 DEBUG [org.xdi.oxauth.model.authorize.ScopeChecker] Granted scopes: [email, openid] 2016-07-29 07:14:36,295 TRACE [org.xdi.oxauth.service.ClientService] Get client from cache by Dn 'inum=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C,ou=clients,o=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D,o=gluu' 2016-07-29 07:14:36,296 DEBUG [org.xdi.oxauth.service.ClientService] Found 1 entries for client id = @!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C 2016-07-29 07:14:36,296 DEBUG [org.xdi.oxauth.service.RedirectionUriService] Validating redirection URI: clientIdentifier = @!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C, redirectionUri = https://360.lobosstudios.com/callback, found = 1 2016-07-29 07:14:36,297 DEBUG [org.xdi.oxauth.service.RedirectionUriService] Comparing https://360.lobosstudios.com/callback == https://360.lobosstudios.com/callback 2016-07-29 07:14:36,437 TRACE [org.xdi.oxauth.model.common.AuthorizationGrant] Saving grant: 6203d26c-bf9c-498f-806f-9bbaeb5e73d3, code_challenge: null 2016-07-29 07:14:36,824 TRACE [org.xdi.oxauth.model.common.AuthorizationGrant] Saving grant: 6203d26c-bf9c-498f-806f-9bbaeb5e73d3, code_challenge: null 2016-07-29 07:14:36,837 TRACE [org.xdi.oxauth.model.common.AuthorizationGrant] Saving grant: 6203d26c-bf9c-498f-806f-9bbaeb5e73d3, code_challenge: null 2016-07-29 07:14:36,842 TRACE [org.xdi.oxauth.model.common.AuthorizationGrant] Saving grant: 6203d26c-bf9c-498f-806f-9bbaeb5e73d3, code_challenge: null 2016-07-29 07:14:36,854 
DEBUG [org.xdi.oxauth.model.authorize.ScopeChecker] Checking scopes policy for: openid email 2016-07-29 07:14:36,868 DEBUG [org.xdi.oxauth.model.authorize.ScopeChecker] Granted scopes: [email, openid] 2016-07-29 07:14:36,884 TRACE [org.xdi.oxauth.model.common.AuthorizationGrant] Saving grant: 6203d26c-bf9c-498f-806f-9bbaeb5e73d3, code_challenge: null 2016-07-29 07:14:36,890 TRACE [org.xdi.oxauth.model.common.AuthorizationGrant] Saving grant: 6203d26c-bf9c-498f-806f-9bbaeb5e73d3, code_challenge: null 2016-07-29 07:14:36,896 TRACE [org.xdi.oxauth.model.common.AuthorizationGrant] Saving grant: 6203d26c-bf9c-498f-806f-9bbaeb5e73d3, code_challenge: null 2016-07-29 07:14:37,991 DEBUG [org.xdi.oxauth.service.ClientService] Found 1 entries for client id = @!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C 2016-07-29 07:14:37,995 DEBUG [org.xdi.oxauth.service.ClientService] Authenticating Client with LDAP: clientId = @!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C 2016-07-29 07:14:37,996 TRACE [org.xdi.oxauth.service.ClientService] Get client from cache by Dn 'inum=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C,ou=clients,o=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D,o=gluu' 2016-07-29 07:14:37,996 DEBUG [org.xdi.oxauth.service.ClientService] Found 1 entries for client id = @!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C 2016-07-29 07:14:38,000 TRACE [org.xdi.oxauth.service.ClientService] Get client from cache by Dn 'inum=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C,ou=clients,o=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D,o=gluu' 2016-07-29 07:14:38,000 DEBUG [org.xdi.oxauth.service.ClientService] Found 1 entries for client id = @!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C 2016-07-29 07:14:38,019 INFO [org.xdi.oxauth.auth.Authenticator] Authentication success for Client: '@!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C' 2016-07-29 07:14:38,019 TRACE [org.xdi.oxauth.auth.Authenticator] Authentication successfully for 
'@!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C' 2016-07-29 07:14:38,028 DEBUG [xdi.oxauth.token.ws.rs.TokenRestWebServiceImpl] Attempting to request access token: grantType = authorization_code, code = 17cf4a7e-36be-4829-aa4b-e519e1802638, redirectUri = https://360.lobosstudios.com/callback, username = null, refreshToken = null, clientId = null, ExtraParams = {scope=[Ljava.lang.String;@661f76d9, grant_type=[Ljava.lang.String;@1bb3d4f0, redirect_uri=[Ljava.lang.String;@3b60e6c5, code=[Ljava.lang.String;@56ceadf7}, isSecure = true, codeVerifier = null 2016-07-29 07:14:38,041 DEBUG [org.xdi.oxauth.service.UserService] Getting user information from LDAP: userId = test 2016-07-29 07:14:38,046 DEBUG [org.xdi.oxauth.service.UserService] Found 1 entries for user id = test 2016-07-29 07:14:38,061 DEBUG [org.xdi.oxauth.service.ClientService] Found 1 entries for client id = @!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C 2016-07-29 07:14:38,068 TRACE [xdi.oxauth.token.ws.rs.TokenRestWebServiceImpl] PKCE validation, code_verifier: null, code_challenge: null, method: null 2016-07-29 07:14:38,092 DEBUG [xdi.oxauth.token.ws.rs.TokenRestWebServiceImpl] Issuing access token: 29e1bcb4-f728-4a41-95a1-ac2585bdb29e 2016-07-29 07:14:38,113 DEBUG [org.xdi.oxauth.model.authorize.ScopeChecker] Checking scopes policy for: openid email 2016-07-29 07:14:38,133 DEBUG [org.xdi.oxauth.model.authorize.ScopeChecker] Granted scopes: [email, openid] 2016-07-29 07:14:38,161 TRACE [org.xdi.oxauth.model.common.AuthorizationGrant] Saving grant: 6203d26c-bf9c-498f-806f-9bbaeb5e73d3, code_challenge: null 2016-07-29 07:14:38,175 TRACE [org.xdi.oxauth.model.common.AuthorizationGrant] Saving grant: 6203d26c-bf9c-498f-806f-9bbaeb5e73d3, code_challenge: null 2016-07-29 07:14:38,186 TRACE [org.xdi.oxauth.model.common.AuthorizationGrant] Saving grant: 6203d26c-bf9c-498f-806f-9bbaeb5e73d3, code_challenge: null 2016-07-29 07:14:38,202 TRACE [org.xdi.oxauth.model.common.AuthorizationGrant] Saving grant: 
6203d26c-bf9c-498f-806f-9bbaeb5e73d3, code_challenge: null 2016-07-29 07:14:38,219 TRACE [org.xdi.oxauth.model.common.AuthorizationGrant] Saving grant: 6203d26c-bf9c-498f-806f-9bbaeb5e73d3, code_challenge: null 2016-07-29 07:14:38,248 TRACE [org.xdi.oxauth.service.AttributeService] Get attribute from cache by Dn 'inum=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0005!8F88,ou=attributes,o=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D,o=gluu' 2016-07-29 07:14:38,249 TRACE [org.xdi.oxauth.service.AttributeService] Get attribute from cache by Dn 'inum=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0005!CAE3,ou=attributes,o=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D,o=gluu' 2016-07-29 07:14:38,274 TRACE [org.xdi.oxauth.service.AttributeService] Get attribute from cache by Dn 'inum=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0005!29DA,ou=attributes,o=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D,o=gluu' 2016-07-29 07:14:38,417 TRACE [org.xdi.oxauth.model.common.AuthorizationGrant] Saving grant: 6203d26c-bf9c-498f-806f-9bbaeb5e73d3, code_challenge: null 2016-07-29 07:14:38,430 TRACE [org.xdi.oxauth.model.common.AuthorizationGrant] Saving grant: 6203d26c-bf9c-498f-806f-9bbaeb5e73d3, code_challenge: null 2016-07-29 07:14:38,443 TRACE [org.xdi.oxauth.model.common.AuthorizationGrant] Saving grant: 6203d26c-bf9c-498f-806f-9bbaeb5e73d3, code_challenge: null 2016-07-29 07:14:38,456 TRACE [org.xdi.oxauth.model.common.AuthorizationGrant] Saving grant: 6203d26c-bf9c-498f-806f-9bbaeb5e73d3, code_challenge: null 2016-07-29 07:14:38,470 TRACE [org.xdi.oxauth.model.common.AuthorizationGrant] Saving grant: 6203d26c-bf9c-498f-806f-9bbaeb5e73d3, code_challenge: null 2016-07-29 07:14:38,482 TRACE [org.xdi.oxauth.model.common.AuthorizationGrant] Saving grant: 6203d26c-bf9c-498f-806f-9bbaeb5e73d3, code_challenge: null 2016-07-29 07:14:38,559 TRACE [org.xdi.oxauth.service.GrantService] Removed token, code: 17cf4a7e-36be-4829-aa4b-e519e1802638 2016-07-29 07:14:38,619 DEBUG [xdi.oxauth.jwk.ws.rs.JwkRestWebServiceImpl] Attempting to request 
JWK, Is Secure = true 2016-07-29 07:15:16,046 DEBUG [xdi.oxauth.session.ws.rs.EndSessionRestWebServiceImpl] Attempting to end session, idTokenHint: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjZjZDBkNzY5LTMxNWQtNDVmOS04Nzk2LTczODI0M2VjOWQ0ZiJ9.eyJpc3MiOiJodHRwczovL3Nzby5sb2Jvc3N0dWRpb3MuY29tIiwiYXVkIjoiQCEyOTIwLkZBRDIuRkIzOC45QkM1ITAwMDEhOTIyNy4wRTNEITAwMDghOUVDNi43QjZDIiwiZXhwIjoxNDY5NzgwMDc4LCJpYXQiOjE0Njk3NzY0NzgsIm5vbmNlIjoibi0wUzZfV3pBMk1qIiwiYXV0aF90aW1lIjoxNDY5Nzc2NDc1LCJhdF9oYXNoIjoiV0ZCSTBFcE5NM19TVzhrRTZOTVR4QSIsIm94VmFsaWRhdGlvblVSSSI6Imh0dHBzOi8vc3NvLmxvYm9zc3R1ZGlvcy5jb20vb3hhdXRoL29waWZyYW1lIiwib3hPcGVuSURDb25uZWN0VmVyc2lvbiI6Im9wZW5pZGNvbm5lY3QtMS4wIiwiZW1haWwiOiJzdGV2ZUBsb2Jvc3N0dWRpb3MuY29tIiwiaW51bSI6IkAhMjkyMC5GQUQyLkZCMzguOUJDNSEwMDAxITkyMjcuMEUzRCEwMDAwIUNGMDcuOEZFRSIsInN1YiI6ImE5NmJkNTczLWI3ODUtNGU3MC05MTViLTkzZTU3YzBiYmE1MCJ9.WOz2bG6PaZwMoFEpL0d73EyuXFsPFkF2ynlUFpykoGlp90KBSn6d9K3F87JJIwy3Z4cHTH8yw3lcOebwx8Pj5aHO1ARyDoi0hwQoBi1mwPkYcyEtkUz2aaZoIXVNVAVqSVlsmJgKMQP-sm3hSOyMiXWahPFVY-60pyGa4T6eXmpy2JIAwEBLgZ9dW8WhAfbcOcegWzktaSkwLUDKfjRsfFTcgofZbLTqAl3whUAyGQ7AmyBfYfNUZ2TUoKao0siVUMA6v9n9umjfx6FjzJ15AZezMkU6LuQ87mWWszy8DmRqvnNjVfefGrkcVL2KWurNg3G0eOEZ4-MB383LVC-Wwg, postLogoutRedirectUri: https://360.lobosstudios.com/end_session, sessionState: null, Is Secure = true 2016-07-29 07:15:16,058 DEBUG [org.xdi.oxauth.service.UserService] Getting user information from LDAP: userId = test 2016-07-29 07:15:16,065 DEBUG [org.xdi.oxauth.service.UserService] Found 1 entries for user id = test 2016-07-29 07:15:16,074 DEBUG [org.xdi.oxauth.service.ClientService] Found 1 entries for client id = @!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C 2016-07-29 07:15:16,075 TRACE [org.xdi.oxauth.service.SessionStateService] Found session_state cookie: 'c4a749a2-a324-40e9-a52a-46db30902bcd' 2016-07-29 07:15:16,086 TRACE [org.xdi.oxauth.service.SessionStateService] Try to get session by id: c4a749a2-a324-40e9-a52a-46db30902bcd ... 
2016-07-29 07:15:16,087 TRACE [org.xdi.oxauth.service.SessionStateService] Session dn: uniqueIdentifier=c4a749a2-a324-40e9-a52a-46db30902bcd,ou=session,o=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D,o=gluu 2016-07-29 07:15:16,140 TRACE [org.xdi.oxauth.service.GrantService] Removed token, code: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjZjZDBkNzY5LTMxNWQtNDVmOS04Nzk2LTczODI0M2VjOWQ0ZiJ9.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.WOz2bG6PaZwMoFEpL0d73EyuXFsPFkF2ynlUFpykoGlp90KBSn6d9K3F87JJIwy3Z4cHTH8yw3lcOebwx8Pj5aHO1ARyDoi0hwQoBi1mwPkYcyEtkUz2aaZoIXVNVAVqSVlsmJgKMQP-sm3hSOyMiXWahPFVY-60pyGa4T6eXmpy2JIAwEBLgZ9dW8WhAfbcOcegWzktaSkwLUDKfjRsfFTcgofZbLTqAl3whUAyGQ7AmyBfYfNUZ2TUoKao0siVUMA6v9n9umjfx6FjzJ15AZezMkU6LuQ87mWWszy8DmRqvnNjVfefGrkcVL2KWurNg3G0eOEZ4-MB383LVC-Wwg 2016-07-29 07:15:16,155 TRACE [org.xdi.oxauth.service.GrantService] Removed token, code: a9c43d0f-c0a2-42a4-b560-9d718a2a66bf 2016-07-29 07:15:16,172 TRACE [org.xdi.oxauth.service.GrantService] Removed token, code: 29e1bcb4-f728-4a41-95a1-ac2585bdb29e 2016-07-29 07:15:16,190 TRACE [org.xdi.oxauth.service.GrantService] Removed token, code: 12016b9c-0a53-4227-9576-0c721eb904b1 2016-07-29 07:15:16,204 TRACE [org.xdi.oxauth.service.GrantService] Removed token, code: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjZjZDBkNzY5LTMxNWQtNDVmOS04Nzk2LTczODI0M2VjOWQ0ZiJ9.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.IJiMpyVGKYPldLmY9pOsL1X2IUh-teanpZwwXBwHvyS5yz55slzBKH5lL2Do1gB1PKAUBL_Xcykbpz0DRDFWjSfAOFrtNEu2UXCUmr0nuNVZNx_b-Q7Wxq3TygzD2HDGLg0cXnFL9qXbxc017jPJ-P95WwmU_w7l9iTmMByvxuQ5_sAgE2DdJoCYWerdmnlalW0UWxLCpDQFrEKQ09nGVFYf1BwH6M1evPzEbw0YPvWt_sfSEwAqiVkutHErEDzqirLe1SQFcwFgfmqmPRmePm_2-UfnRkDa9hxXPCzwkoyLNIMWPo4s7zxpj_OaFplPB7Y6at05EhOnIwQCRI0bSg 2016-07-29 07:15:16,207 TRACE [org.xdi.oxauth.service.ClientService] Get client from cache by Dn 'inum=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C,ou=clients,o=@!2920.FAD2.FB38.9BC5!0001!9227.0E3D,o=gluu' 2016-07-29 07:15:16,207 DEBUG 
[org.xdi.oxauth.service.ClientService] Found 1 entries for client id = @!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C 2016-07-29 07:15:16,208 DEBUG [org.xdi.oxauth.model.error.ErrorResponseFactory] Looking for the error with id: invalid_request 2016-07-29 07:15:16,208 DEBUG [org.xdi.oxauth.model.error.ErrorResponseFactory] Found error, id: invalid_request ```

By Yuriy Zabrovarnyy staff 29 Jul 2016 at 9:20 a.m. CDT

Your `@!2920.FAD2.FB38.9BC5!0001!9227.0E3D!0008!9EC6.7B6C` client ldif is missing:

```
oxAuthPostLogoutRedirectURI: https://360.lobosstudios.com/end_session
```

This is the reason why it can't validate it. There are many ways to solve it:

1) correct it by hand by modifying the entry directly via LDAP (not recommended)
2) specify the post logout URI via the admin UI (https://gluu.org/docs/integrate/openid-connect/#client-registration)
3) just omit client_id and client_secret in the register_site command and oxd will register a new client for you.

It's up to you which way to choose, but in the end your client ldif must contain

```
oxAuthPostLogoutRedirectURI: https://360.lobosstudios.com/end_session
```

Thanks, Yuriy Z
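The check described in this answer, as an added example (not Gluu's or oxd's code, and not part of the original thread): it reads a client's LDIF entry and reports whether a logout URL's `post_logout_redirect_uri` is registered under `oxAuthPostLogoutRedirectURI`. The exact string comparison is an assumption modelled on the `Comparing ... == ...` line in the log above; the sample entry, hosts, token value and function names are constructed.

```python
import base64
from urllib.parse import urlsplit, parse_qs

ATTR = "oxAuthPostLogoutRedirectURI"  # attribute named in the reply above

# Constructed sample data: placeholder DN, example hosts, dummy token value.
SAMPLE_LDIF = (
    "dn: inum=CLIENT-INUM,ou=clients,o=ORG-INUM,o=gluu\n"
    "displayName: constructed example client\n"
)
SAMPLE_URL = (
    "https://sso.example/oxauth/seam/resource/restv1/oxauth/end_session"
    "?id_token_hint=ID_TOKEN&post_logout_redirect_uri=https://app.example/end_session"
    "&state=constructed-state&session_id=constructed-session"
)


def registered_uris(ldif_text, attr=ATTR):
    """Return every value of attr in one LDIF entry (handles folding and base64)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # folded line: continuation of the previous one
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    values = []
    for line in lines:
        name, sep, rest = line.partition(":")
        if not sep or name.lower() != attr.lower():
            continue
        if rest.startswith(":"):            # "attr:: <base64 value>"
            values.append(base64.b64decode(rest[1:].strip()).decode("utf-8"))
        else:
            values.append(rest.strip())
    return values


def check_logout_url(logout_url, ldif_text):
    """Return the problems that would stop the redirect after logout (empty list = OK)."""
    query = parse_qs(urlsplit(logout_url).query, keep_blank_values=True)
    targets = query.get("post_logout_redirect_uri", [])
    if not targets:
        return ["no post_logout_redirect_uri in the logout URL"]
    if len(targets) > 1:
        return ["post_logout_redirect_uri is repeated"]
    if targets[0] not in registered_uris(ldif_text):   # assumed exact string match
        return [f"{targets[0]} is not registered in {ATTR}"]
    return []


if __name__ == "__main__":
    for problem in check_logout_url(SAMPLE_URL, SAMPLE_LDIF):
        print("PROBLEM:", problem)
```

Because the comparison is exact, a registered value that differs only by a trailing slash or scheme is reported as unregistered.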

By Steve Sobol user 29 Jul 2016 at 2:55 p.m. CDT

I thought I'd logged into the admin UI and set it already. Obviously I didn't. I don't want oxd to automatically register a new client - is there a way to disable that functionality?

By Yuriy Zabrovarnyy staff 29 Jul 2016 at 3:19 p.m. CDT

Yes, you already disabled it :). Each time you pass client_id in the register_site command, oxd checks it and skips new client registration (because if you passed client_id then it's indeed already registered). So in your case you just need to correct the post logout URI manually and go on passing client_id and secret into the register_site command. Let us know whether it finally works for you and, if yes, please close the ticket. Thanks, Yuriy Z

By Steve Sobol user 29 Jul 2016 at 3:41 p.m. CDT

Yes, I know, but I'd like to disable the functionality completely because if I introduce a bug into my code by accident, and don't pass the client_id, I end up with clutter in the LDAP database. I am also concerned about my Gluu server and my oxD server being open to the outside world and people being able to register arbitrary clients. I'm not sure how concerned I should be. At least with oxD, I can restrict incoming connections to certain IP addresses, so security probably isn't an issue there. Trying to figure out if there is anything I need to lock down on the Gluu side. I obviously can't restrict port 443. :) Will update and close the ticket once I've run some successful tests.

By Yuriy Zabrovarnyy staff 29 Jul 2016 at 4:01 p.m. CDT

In the oxd configuration we have ``` "localhost_only":true, ``` It means that commands are accepted only from localhost (it's not possible to send a command from outside until you set it to false). About new client registration on Gluu Server, you can disable it if you set dynamic-registration-enabled to false (Gluu Server restart required) `https://gluu.org/docs/gluu-defaults/oxauth-properties/` Thanks, Yuriy Z

By Steve Sobol user 30 Jul 2016 at 12:42 a.m. CDT

Yay! It works! IT WORKS!!!!! :) Very glad I implemented oxD - it was easy! I'm going to blog about my experiences and will post a link to the blog post as soon as it's up. Localhost_only won't work for me, as the web servers communicating with oxD are running on separate VPSes. No worries there... iptables is your friend. (Or, at least, it's MY friend.) **I can not possibly say this enough:** the support I have received from you and the other Gluu team members has been absolutely exceptional... better than the support I have received on certain expensive, closed-source software packages! Although I can't afford a support contract right now, I am at least going to purchase the $100 annual subscription for oxD. The software itself is terrific, but the support just blows me away. You have turned this implementer into a Gluu product evangelist. Great job - and THANK YOU.

By Yuriy Zabrovarnyy staff 30 Jul 2016 at 3:18 p.m. CDT

Glad to hear that it works! Thank you for such nice feedback!