What client software is this? You really want to use OpenID Connect client software, not generic OAuth2 client software. See [my Identiverse Client Development slides](https://www.gluu.co/client-slides). In any case, which JWT are you verifying? The `id_token` or `userinfo` JWT? Did you check the `JWKS_URI` as defined on the OpenID Connect discovery endpoint? (`https://hostname/.well-known/openid_configuration) Please add more info to your issue.

We are using spring security framework. We would happily use an openid connect filter if anyone had an example to follow. Every example we have seen says "Just use OAuth" which I think is a divergent topic at this point since even gluu's docs reference OAuth as the OIC negotiation process. I intercepted the OAuth calls in the debugger and noticed that the token it is getting is UUID value **NOT a Base64 encoded json object** This comes down to 3 questions at this point: 1) how do I get my JWT token in the response so I don't have to make secondary rest call to gluu to get the translate the token into a user? 2) how do I key the key pair that gluu is using to encrypt/sign the JWT 3) are there any samples **FROM GLUU** showing how to connect a standard java/spring app to the OIC service?

The Oauth2 client code in Spring Security is terrible! Our suggestion is to run an oxd service (either web or local), and then use oxd-java. We have a [Spring docs page](https://gluu.org/docs/oxd/libraries/framework/spring/) about this.

what are the answers to 1 & 2? 1) how do I get gluu openID to send the JWT in the redirect response rather than the uuid token to look it up in a secondary call? 2) where do I find the keys in gluu used to decrypt/verify the above JWT?

Hi, Matt. Please consider providing a bit more details, as it's hard to say what you experience at the moment. For example, what this means >I intercepted the OAuth calls in the debugger and noticed that the token it is getting is UUID value NOT a Base64 encoded json object Some actual example (a dump of this token, or the response(s) itself) would be useful. Otherwise, it's hard to understand the rest: >how do I get my JWT token in the response so I don't have to make secondary rest call to gluu to get the translate the token into a user? Doesn't ring a bell to me. Can you refer to a specific spec document you try to implement? Here is what you can expect to be supported in Gluu: [link](http://openid.net/specs/openid-connect-core-1_0.html) >2) how do I key the key pair that gluu is using to encrypt/sign the JWT Keys required to verify signature on JWTs oxAuth issues during OIDC flows are located at url like this: `https://host.name/oxauth/restv1/jwks`. Signing algs with "HS" prefix are symmetric ones and use client's secret to derive the key. Gluu doesn't encrypt JWTs unless you specifically configure it to do this. It's possible to use symmetric algorithm for encryption as well, for the rest you need to provide key data (JWKS) via client's registration properties at Gluu. Please also understand that we can't engage in complex tasks like development of custom clients or using non-standard flows for our community users. That's why we recommend to use a selection of supported tools for RPs. In your case [oxd server](https://gluu.org/docs/oxd/) is what seems to be the best solution.

Is it possible to pay for support by the hour?

Gluu only offers annual support contracts. If you need t&m support, we recommend contracting with a services company. Feel free to email sales@gluu.org if you would like an introduction to one of our partners.

Hi, Matt. What other questions do you still have? Do you think we need to keep this ticket open? Overall, I think you should check some OIDC presentations and try to cursory read the core spec, it differs from bare-bone oAuth2.0 significantly (it's another layer on top of it).