By: Manuel Ciangottini user 07 Oct 2016 at 8:23 a.m. CDT

7 Responses
Hello, I'm configuring Apache as an OIDC client of Gluu. I did a complete setup and test with the Google IdP and everything is working correctly. Now I'm moving from Google to Gluu and I can't manage to get it working because I'm always getting this error message:

```
oidc_proto_validate_code_response: requested flow is "code" but no "id_token" parameter found in the code response
```

The configuration for the Gluu OpenID Connect client is:

```
Grant Types -> authorization code
Response Types -> code, id_token
Scopes -> openid, profile, email
Authentication method for the Token Endpoint -> client_secret_basic
```

Regarding the Apache configuration, we have the following setup:

```
OIDCProviderMetadataURL https://<gluu-server>/.well-known/openid-configuration
OIDCClientID @!2E9E.C082.33F9.C8E4!0001!0171.87CF!0008!3AFE.D346
OIDCClientSecret <secret>
OIDCProviderTokenEndpointAuth client_secret_basic
OIDCClaimPrefix "OIDC-"
OIDCResponseType "code"
OIDCScope "openid email profile"
OIDCRedirectURI http://<uri>
OIDCCryptoPassphrase <passwd>
OIDCOAuthVerifyJwksUri "https://gluu-server/oxauth/seam/resource/restv1/oxauth/jwks"
```

Please help me, any hint is welcome as I'm becoming very frustrated.

Best regards.

By Michael Schwartz Account Admin 07 Oct 2016 at 8:31 a.m. CDT

Did you read the [documentation page](https://gluu.org/docs/integrate/ubuntu-installation/)? My suggestion is to start with dynamic registration. Let mod_auth_openidc create sample config files for you, and then modify from there.

By Aliaksandr Samuseu staff 07 Oct 2016 at 8:51 a.m. CDT

Hi, Manuel. Could you provide more details, like the actual request URL provided to Gluu's authorization endpoint, or maybe even captured HTTP requests/responses for the initial steps of the OIDC flow? Please also follow Michael's suggestion and resort to using dynamic registration (which `mod_auth_openidc` handles pretty well) for your first attempts.

By Manuel Ciangottini user 07 Oct 2016 at 9:04 a.m. CDT

I'm attaching the relevant fragment of my apache log. Regarding the dynamic client registration, I already opened another ticket because I get failures there too.

```
[Fri Oct 07 11:37:10.609463 2016] [auth_openidc:debug] [pid 7157] src/mod_auth_openidc.c(143): [client 141.250.2.118:41862] oidc_get_browser_state_hash: enter, referer: http://141.250.2.118/html/index2.html
[Fri Oct 07 11:37:10.609730 2016] [auth_openidc:debug] [pid 7157] src/util.c(806): [client 141.250.2.118:41862] oidc_util_set_cookie: adding outgoing header: Set-Cookie: mod_auth_openidc_state_zOe4PS-el_qKU-xZhg7K0sX2Bgw=eyJhbGciOiAiZGlyIiwgImVuYyI6ICJBMjU2R0NNIn0..uwLa_9QnZW_flweg.fcsxFWGZoI6tDhvBHCrtPavwiKyv3LGUSGNkcqTzNT9Fe6Udiw0wQklEKAddNzxgwNSBsglblEoGplZbC6pqnWXsV4-mC7v7A5zslDHy5coOCSmsVG-Z8N7TN2fP3diqjTtbVc5GBv66gFogC1Gn-rrE93GpTwMX1tmn_95sihg1-fWz4fhdHihF5R6sYfTavD1VlrQky1S-X3tUm8Sys17p1EkXrwjrMVYeq5AvDko1IembuzSJOeqij4V8wzD5HCBGNN5fPcM5FhN5qf_5Eyi996RblGlnZzHxrriKgKpT8UC8RAlJhiRSpkIG3ueFuKLMUqrcZ69u12a2fcIT-LzXk8Y_ReJDHR_Gy0UD0Hd9krFodi4JiULIjcvR8_ukCIOKeGgMnOxtwtDMr0aS1-II6f0-OVk2k1-8p_lz-IvMjcKrN3fxlmu8nDXlp6eeZfMKXjFBYenwLjOzXHCD.kyGFAZgN9UlnGKTP7PHEZQ;Path=/;HttpOnly, referer: http://141.250.2.118/html/index2.html
[Fri Oct 07 11:37:10.609765 2016] [auth_openidc:debug] [pid 7157] src/proto.c(76): [client 141.250.2.118:41862] oidc_proto_authorization_request: enter, issuer=https://gluu-server, redirect_uri=http://141.250.2.118/cmsmesos/token.html, state=zOe4PS-el_qKU-xZhg7K0sX2Bgw, proto_state={"nonce": "gyT3iaQqGaxJ02fPdnnBwJQfX4OYEsPDy6ZLmV782MI", "original_url": "http://141.250.2.118/cmsmesos/login.php", "response_type": "code", "timestamp": 1475833030, "original_method": "get", "issuer": "https://gluu-server"}, code_challenge=(null), referer: http://141.250.2.118/html/index2.html
[Fri Oct 07 11:37:10.609853 2016] [auth_openidc:debug] [pid 7157] src/proto.c(181): [client 141.250.2.118:41862] oidc_proto_authorization_request: adding outgoing header: Location: https://gluu-server/oxauth/seam/resource/restv1/oxauth/authorize?response_type=code&scope=openid%20email%20profile&client_id=%40%212E9E.C082.33F9.C8E4%210001%210171.87CF%210008%213AFE.D346&state=zOe4PS-el_qKU-xZhg7K0sX2Bgw&redirect_uri=http%3A%2F%2F141.250.2.118%2Fcmsmesos%2Ftoken.html&nonce=gyT3iaQqGaxJ02fPdnnBwJQfX4OYEsPDy6ZLmV782MI, referer: http://141.250.2.118/html/index2.html
[Fri Oct 07 11:37:10.720266 2016] [authz_core:debug] [pid 7157] mod_authz_core.c(802): [client 141.250.2.118:41862] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: http://141.250.2.118/html/index2.html
[Fri Oct 07 11:37:10.720295 2016] [authz_core:debug] [pid 7157] mod_authz_core.c(802): [client 141.250.2.118:41862] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: http://141.250.2.118/html/index2.html
[Fri Oct 07 11:37:10.720304 2016] [auth_openidc:debug] [pid 7157] src/mod_auth_openidc.c(2769): [client 141.250.2.118:41862] oidc_check_user_id: incoming request: "/cmsmesos/token.html?session_state=19c63724-760a-486f-9643-8e6267d194ba&scope=email+openid+profile&state=zOe4PS-el_qKU-xZhg7K0sX2Bgw&code=de2156af-79fc-495c-941a-ce552928971f", ap_is_initial_req(r)=1, referer: http://141.250.2.118/html/index2.html
[Fri Oct 07 11:37:10.720317 2016] [auth_openidc:debug] [pid 7157] src/util.c(846): [client 141.250.2.118:41862] oidc_util_get_cookie: returning "mod_auth_openidc_session" = "90be0b39-5014-4f71-bf2b-dd622589a96f", referer: http://141.250.2.118/html/index2.html
[Fri Oct 07 11:37:10.720322 2016] [auth_openidc:debug] [pid 7157] src/cache/shm.c(158): [client 141.250.2.118:41862] oidc_cache_shm_get: enter, section="session", key="90be0b39-5014-4f71-bf2b-dd622589a96f", referer: http://141.250.2.118/html/index2.html
[Fri Oct 07 11:37:10.720394 2016] [auth_openidc:debug] [pid 7157] src/util.c(949): [client 141.250.2.118:41862] oidc_util_request_matches_url: comparing "/cmsmesos/token.html"=="/cmsmesos/token.html", referer: http://141.250.2.118/html/index2.html
[Fri Oct 07 11:37:10.720411 2016] [auth_openidc:debug] [pid 7157] src/mod_auth_openidc.c(1747): [client 141.250.2.118:41862] oidc_handle_redirect_authorization_response: enter, referer: http://141.250.2.118/html/index2.html
[Fri Oct 07 11:37:10.720474 2016] [auth_openidc:debug] [pid 7157] src/util.c(1214): [client 141.250.2.118:41862] oidc_util_read_form_encoded_params: parsed: 153 bytes in to 4 elements, referer: http://141.250.2.118/html/index2.html
[Fri Oct 07 11:37:10.720509 2016] [auth_openidc:debug] [pid 7157] src/mod_auth_openidc.c(1583): [client 141.250.2.118:41862] oidc_handle_authorization_response: enter, response_mode=query, referer: http://141.250.2.118/html/index2.html
[Fri Oct 07 11:37:10.720515 2016] [auth_openidc:debug] [pid 7157] src/mod_auth_openidc.c(1273): [client 141.250.2.118:41862] oidc_authorization_response_match_state: enter (state=zOe4PS-el_qKU-xZhg7K0sX2Bgw), referer: http://141.250.2.118/html/index2.html
[Fri Oct 07 11:37:10.720519 2016] [auth_openidc:debug] [pid 7157] src/mod_auth_openidc.c(629): [client 141.250.2.118:41862] oidc_restore_proto_state: enter, referer: http://141.250.2.118/html/index2.html
[Fri Oct 07 11:37:10.720616 2016] [auth_openidc:debug] [pid 7157] src/util.c(846): [client 141.250.2.118:41862] oidc_util_get_cookie: returning "mod_auth_openidc_state_zOe4PS-el_qKU-xZhg7K0sX2Bgw" = "eyJhbGciOiAiZGlyIiwgImVuYyI6ICJBMjU2R0NNIn0..uwLa_9QnZW_flweg.fcsxFWGZoI6tDhvBHCrtPavwiKyv3LGUSGNkcqTzNT9Fe6Udiw0wQklEKAddNzxgwNSBsglblEoGplZbC6pqnWXsV4-mC7v7A5zslDHy5coOCSmsVG-Z8N7TN2fP3diqjTtbVc5GBv66gFogC1Gn-rrE93GpTwMX1tmn_95sihg1-fWz4fhdHihF5R6sYfTavD1VlrQky1S-X3tUm8Sys17p1EkXrwjrMVYeq5AvDko1IembuzSJOeqij4V8wzD5HCBGNN5fPcM5FhN5qf_5Eyi996RblGlnZzHxrriKgKpT8UC8RAlJhiRSpkIG3ueFuKLMUqrcZ69u12a2fcIT-LzXk8Y_ReJDHR_Gy0UD0Hd9krFodi4JiULIjcvR8_ukCIOKeGgMnOxtwtDMr0aS1-II6f0-OVk2k1-8p_lz-IvMjcKrN3fxlmu8nDXlp6eeZfMKXjFBYenwLjOzXHCD.kyGFAZgN9UlnGKTP7PHEZQ", referer: http://141.250.2.118/html/index2.html
[Fri Oct 07 11:37:10.720632 2016] [auth_openidc:debug] [pid 7157] src/util.c(806): [client 141.250.2.118:41862] oidc_util_set_cookie: adding outgoing header: Set-Cookie: mod_auth_openidc_state_zOe4PS-el_qKU-xZhg7K0sX2Bgw=;Path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT;HttpOnly, referer: http://141.250.2.118/html/index2.html
[Fri Oct 07 11:37:10.720679 2016] [auth_openidc:debug] [pid 7157] src/mod_auth_openidc.c(143): [client 141.250.2.118:41862] oidc_get_browser_state_hash: enter, referer: http://141.250.2.118/html/index2.html
[Fri Oct 07 11:37:10.720701 2016] [auth_openidc:debug] [pid 7157] src/mod_auth_openidc.c(676): [client 141.250.2.118:41862] oidc_restore_proto_state: restored state: {"original_url": "http://141.250.2.118/cmsmesos/login.php", "nonce": "gyT3iaQqGaxJ02fPdnnBwJQfX4OYEsPDy6ZLmV782MI", "timestamp": 1475833030, "original_method": "get", "response_type": "code", "issuer": "https://gluu-server", "state": "zOe4PS-el_qKU-xZhg7K0sX2Bgw"}, referer: http://141.250.2.118/html/index2.html
[Fri Oct 07 11:37:10.720708 2016] [auth_openidc:debug] [pid 7157] src/cache/shm.c(158): [client 141.250.2.118:41862] oidc_cache_shm_get: enter, section="provider", key="https://gluu-server/.well-known/openid-configuration", referer: http://141.250.2.118/html/index2.html
[Fri Oct 07 11:37:10.720950 2016] [auth_openidc:debug] [pid 7157] src/proto.c(1665): [client 141.250.2.118:41862] oidc_proto_handle_authorization_response_code: enter, referer: http://141.250.2.118/html/index2.html
[Fri Oct 07 11:37:10.720969 2016] [auth_openidc:debug] [pid 7157] src/proto.c(1470): [client 141.250.2.118:41862] oidc_proto_validate_issuer_client_id: iss and/or client_id matched OK: (null), https://gluu-server, (null), @!2E9E.C082.33F9.C8E4!0001!0171.87CF!0008!3AFE.D346, referer: http://141.250.2.118/html/index2.html
[Fri Oct 07 11:37:10.720981 2016] [auth_openidc:debug] [pid 7157] src/proto.c(976): [client 141.250.2.118:41862] oidc_proto_resolve_code: enter, referer: http://141.250.2.118/html/index2.html
[Fri Oct 07 11:37:10.721046 2016] [auth_openidc:debug] [pid 7157] src/util.c(686): [client 141.250.2.118:41862] oidc_util_http_post_form: post data="grant_type=authorization_code&code=de2156af-79fc-495c-941a-ce552928971f&redirect_uri=http%3A%2F%2F141.250.2.118%2Fcmsmesos%2Ftoken.html&state=zOe4PS-el_qKU-xZhg7K0sX2Bgw&client_id=%40%212E9E.C082.33F9.C8E4%210001%210171.87CF%210008%213AFE.D346&client_secret=xIU786SvB5iApxBMUe1vvk4mIVhphvB9xYWQ", referer: http://141.250.2.118/html/index2.html
[Fri Oct 07 11:37:10.721055 2016] [auth_openidc:debug] [pid 7157] src/util.c(508): [client 141.250.2.118:41862] oidc_util_http_call: url=https://gluu-server/oxauth/seam/resource/restv1/oxauth/token, data=grant_type=authorization_code&code=de2156af-79fc-495c-941a-ce552928971f&redirect_uri=http%3A%2F%2F141.250.2.118%2Fcmsmesos%2Ftoken.html&state=zOe4PS-el_qKU-xZhg7K0sX2Bgw&client_id=%40%212E9E.C082.33F9.C8E4%210001%210171.87CF%210008%213AFE.D346&client_secret=xIU786SvB5iApxBMUe1vvk4mIVhphvB9xYWQ, content_type=application/x-www-form-urlencoded, basic_auth=(null), bearer_token=(null), ssl_validate_server=0, referer: http://141.250.2.118/html/index2.html
[Fri Oct 07 11:37:10.792185 2016] [auth_openidc:debug] [pid 7157] src/util.c(637): [client 141.250.2.118:41862] oidc_util_http_call: response={"access_token":"c5c570d4-a716-4cdc-a096-54182c3bfee9","token_type":"bearer","expires_in":299,"refresh_token":"f3c1c87b-3265-4999-ba98-8e722b4b5479"}, referer: http://141.250.2.118/html/index2.html
[Fri Oct 07 11:37:10.792416 2016] [auth_openidc:debug] [pid 7157] src/proto.c(1314): [client 141.250.2.118:41862] oidc_proto_validate_code_response: enter, referer: http://141.250.2.118/html/index2.html
[Fri Oct 07 11:37:10.792433 2016] [auth_openidc:error] [pid 7157] [client 141.250.2.118:41862] oidc_proto_validate_code_response: requested flow is "code" but no "id_token" parameter found in the code response, referer: http://141.250.2.118/html/index2.html
[Fri Oct 07 11:37:10.792440 2016] [auth_openidc:error] [pid 7157] [client 141.250.2.118:41862] oidc_proto_resolve_code_and_validate_response: code response validation failed, referer: http://141.250.2.118/html/index2.html
```

By Aliaksandr Samuseu staff 07 Oct 2016 at 9:11 a.m. CDT

Michael's point about using "https:" scheme in `redirect_uri` provided in your second ticket seems very reasonable. I see you using "http:" scheme in your configuration here too. Please verify that you will still have your issue after switching to "https:" too.

By Manuel Ciangottini user 07 Oct 2016 at 9:16 a.m. CDT

Thanks for the answer, I will try configuring https and give you an update soon. By the way, this exact same configuration (with http) is currently working with a google openid connect client.

By Aliaksandr Samuseu staff 07 Oct 2016 at 9:21 a.m. CDT

> By the way, this exact same configuration (with http) is currently working with a google openid connect client.

According to OIDC core specs, "https:" is recommended when using authz code flow, and required when using implicit flow. For hybrid flows that may vary, I guess. So that depends on type of flow you try to employ.

By Manuel Ciangottini user 07 Oct 2016 at 10:07 a.m. CDT

Thanks for the support, switching the redirect URI to https and using the dynamic client registration solved all my problems.
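
The two observable conditions discussed in this thread (the `redirect_uri` scheme in the authorization request and the missing `id_token` in the token endpoint response) can be checked offline from captured values. This is an added example, not part of the original thread and not mod_auth_openidc code; the function names, finding codes and the `idp.example` / `rp.example` sample inputs are assumptions made for illustration.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Constructed inputs shaped like the log excerpt in this thread; hosts and
# token values are placeholders, and the finding codes are hypothetical.
SAMPLE_AUTHZ_URL = (
    "https://idp.example/oxauth/seam/resource/restv1/oxauth/authorize"
    "?response_type=code&scope=openid%20email%20profile&client_id=example"
    "&state=abc123&redirect_uri=http%3A%2F%2Frp.example%2Fcmsmesos%2Ftoken.html"
    "&nonce=n-0S6_WzA2Mj"
)
SAMPLE_TOKEN_RESPONSE = (
    '{"access_token":"placeholder-at","token_type":"bearer",'
    '"expires_in":299,"refresh_token":"placeholder-rt"}'
)


def check_authz_request(url):
    """Findings for the Location URL the RP redirects the browser to."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    findings = []
    if "openid" not in params.get("scope", "").split():
        findings.append("scope-missing-openid")
    # The thread's point: https is recommended for the code flow and
    # required for the implicit flow, so flag any other scheme.
    if urlsplit(params.get("redirect_uri", "")).scheme != "https":
        findings.append("redirect-uri-not-https")
    return findings


def check_token_response(body):
    """Findings for a token endpoint response in the authorization code flow."""
    try:
        data = json.loads(body)
    except ValueError:
        return ["token-response-not-json"]
    if not isinstance(data, dict):
        return ["token-response-not-object"]
    if "error" in data:
        return ["token-endpoint-error:%s" % data["error"]]
    id_token = data.get("id_token")
    if id_token is None:
        return ["id-token-missing"]  # the condition mod_auth_openidc logged
    # Compact JWS has 3 dot-separated parts, compact JWE has 5.
    if not isinstance(id_token, str) or id_token.count(".") not in (2, 4):
        return ["id-token-not-compact-jwt"]
    return []
```

Feed it the `Location:` URL and the `response=` JSON from a debug log; redact `client_secret`, codes and tokens before sharing such logs in a ticket.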