By: Matt Young user 08 Jan 2018 at 12:23 p.m. CST

8 Responses
I currently have one clientid with OpenID auth set up. My app is redirecting to Gluu, authenticating, then coming back to my app and then failing to parse the JWT. I think it is because I am using the public key from the old OAuth server, but I don't know where to find the public key used by Gluu. Below is the code used to set up the OAuth filter:

```java
// Fragment of the method that builds the filter; path, client, oauth2ClientContext,
// applicationEventPublisher and clearsenseAuthenticationSuccessHandler come from the enclosing class.
OAuth2ClientAuthenticationProcessingFilter oAuth2ClientAuthenticationFilter =
        new OAuth2ClientAuthenticationProcessingFilter(path);
oAuth2ClientAuthenticationFilter.setApplicationEventPublisher(applicationEventPublisher);
oAuth2ClientAuthenticationFilter.setAuthenticationSuccessHandler(clearsenseAuthenticationSuccessHandler);

// REST template that performs the OAuth2 calls for this client
OAuth2RestTemplate oAuth2RestTemplate = new OAuth2RestTemplate(client.getClient(), oauth2ClientContext);
oAuth2ClientAuthenticationFilter.setRestTemplate(oAuth2RestTemplate);

// The JWT verifier key is taken from static client configuration
JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
converter.setVerifierKey(client.getResource().getJwt().getKeyValue());
converter.afterPropertiesSet();

// Token services parse the returned access token as a JWT
DefaultTokenServices tokenServices = new DefaultTokenServices();
tokenServices.setTokenStore(new JwtTokenStore(converter));
oAuth2ClientAuthenticationFilter.setTokenServices(tokenServices);

return oAuth2ClientAuthenticationFilter;
```

By Michael Schwartz Account Admin 08 Jan 2018 at 12:28 p.m. CST

What client software is this? You really want to use OpenID Connect client software, not generic OAuth2 client software. See [my Identiverse Client Development slides](https://www.gluu.co/client-slides). In any case, which JWT are you verifying? The `id_token` or `userinfo` JWT? Did you check the `JWKS_URI` as defined on the OpenID Connect discovery endpoint (`https://hostname/.well-known/openid_configuration`)? Please add more info to your issue.

By Matt Young user 08 Jan 2018 at 4:03 p.m. CST

We are using the Spring Security framework. We would happily use an OpenID Connect filter if anyone had an example to follow. Every example we have seen says "Just use OAuth", which I think is a divergent topic at this point since even Gluu's docs reference OAuth as the OIC negotiation process.

I intercepted the OAuth calls in the debugger and noticed that the token it is getting is UUID value **NOT a Base64 encoded json object**.

This comes down to 3 questions at this point:

1) how do I get my JWT token in the response so I don't have to make secondary rest call to gluu to get the translate the token into a user?
2) how do I key the key pair that gluu is using to encrypt/sign the JWT
3) are there any samples **FROM GLUU** showing how to connect a standard java/spring app to the OIC service?

By Michael Schwartz Account Admin 08 Jan 2018 at 4:08 p.m. CST

The OAuth2 client code in Spring Security is terrible! Our suggestion is to run an oxd service (either web or local), and then use oxd-java. We have a [Spring docs page](https://gluu.org/docs/oxd/libraries/framework/spring/) about this.

By Matt Young user 12 Jan 2018 at 3:46 p.m. CST

What are the answers to 1 & 2?

1) how do I get gluu openID to send the JWT in the redirect response rather than the uuid token to look it up in a secondary call?
2) where do I find the keys in gluu used to decrypt/verify the above JWT?

By Aliaksandr Samuseu staff 12 Jan 2018 at 8:08 p.m. CST

Hi, Matt.

Please consider providing a bit more detail, as it's hard to say what you are experiencing at the moment. For example, what this means:

> I intercepted the OAuth calls in the debugger and noticed that the token it is getting is UUID value NOT a Base64 encoded json object

Some actual example (a dump of this token, or the response(s) itself) would be useful. Otherwise, it's hard to understand the rest:

> how do I get my JWT token in the response so I don't have to make secondary rest call to gluu to get the translate the token into a user?

Doesn't ring a bell to me. Can you refer to a specific spec document you are trying to implement? Here is what you can expect to be supported in Gluu: [link](http://openid.net/specs/openid-connect-core-1_0.html)

> 2) how do I key the key pair that gluu is using to encrypt/sign the JWT

Keys required to verify the signature on JWTs that oxAuth issues during OIDC flows are located at a URL like this: `https://host.name/oxauth/restv1/jwks`. Signing algs with the "HS" prefix are symmetric ones and use the client's secret to derive the key. Gluu doesn't encrypt JWTs unless you specifically configure it to do this. It's possible to use a symmetric algorithm for encryption as well; for the rest you need to provide key data (JWKS) via the client's registration properties at Gluu.

Please also understand that we can't engage in complex tasks like development of custom clients or using non-standard flows for our community users. That's why we recommend using a selection of supported tools for RPs. In your case [oxd server](https://gluu.org/docs/oxd/) is what seems to be the best solution.
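
Added example (not part of the thread and not Gluu or Spring code): a standard-library Python sketch of the key selection described in the answer above, where an `HS256` `id_token` is checked with the client secret and an `RS256` one with the JWKS entry whose `kid` matches the token header. The function names, the `demo-1` kid and the demo key are assumptions made for illustration; the key is built from two well-known Mersenne primes so the sample is deterministic, and is not secure.

```python
import base64, hashlib, hmac, json

def b64d(s):  # base64url without padding, as used in compact JWS
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

SHA256_DI = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017, 9.2

def emsa_pkcs1(msg, k):  # expected RSASSA-PKCS1-v1_5 encoding of msg for a k-byte modulus
    t = SHA256_DI + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_id_token(token, expected_alg, jwks=None, client_secret=None):
    parts = token.split(".")
    if len(parts) != 3:  # e.g. an opaque UUID access token
        raise ValueError("not a compact JWS")
    header = json.loads(b64d(parts[0]))
    if header.get("alg") != expected_alg:  # pin the registered alg; also rejects "none"
        raise ValueError("unexpected alg")
    signed, sig = f"{parts[0]}.{parts[1]}".encode(), b64d(parts[2])
    if expected_alg == "HS256":  # key = UTF-8 octets of client_secret (OIDC Core 10.1)
        good = hmac.new(client_secret.encode(), signed, hashlib.sha256).digest()
    elif expected_alg == "RS256":  # key = JWKS entry whose kid matches the header
        jwk = next((j for j in jwks["keys"] if j.get("kty") == "RSA"
                    and j.get("kid") == header.get("kid")), None)
        if jwk is None:
            raise ValueError("no JWKS key for kid")
        n, e = (int.from_bytes(b64d(jwk[x]), "big") for x in ("n", "e"))
        k = (n.bit_length() + 7) // 8
        good = emsa_pkcs1(signed, k)
        sig = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") if len(sig) == k else b""
    else:
        raise ValueError("alg not handled in this sketch")
    if not hmac.compare_digest(good, sig):
        raise ValueError("bad signature")
    return json.loads(b64d(parts[1]))

# Constructed demo key, NOT secure: Mersenne primes, used only to make a sample token.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
DEMO_JWKS = {"keys": [{"kty": "RSA", "kid": "demo-1", "alg": "RS256",
                       "n": b64e(N.to_bytes(141, "big")), "e": b64e(E.to_bytes(3, "big"))}]}

def demo_rs256_token(claims):  # signs a constructed token with the demo key
    head = b64e(json.dumps({"alg": "RS256", "kid": "demo-1"}).encode())
    signed = f"{head}.{b64e(json.dumps(claims).encode())}".encode()
    sig = pow(int.from_bytes(emsa_pkcs1(signed, 141), "big"), D, N).to_bytes(141, "big")
    return signed.decode() + "." + b64e(sig)
```

A real relying party would load the JWKS from the `jwks_uri` in the discovery document and, after the signature check, still validate `iss`, `aud`, `exp` and `nonce` as OpenID Connect Core section 3.1.3.7 requires.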

By Matt Young user 16 Jan 2018 at 8:27 a.m. CST

Is it possible to pay for support by the hour?

By William Lowe user 16 Jan 2018 at 10:05 a.m. CST

Gluu only offers annual support contracts. If you need t&m support, we recommend contracting with a services company. Feel free to email sales@gluu.org if you would like an introduction to one of our partners.

By Aliaksandr Samuseu staff 19 Jan 2018 at 2:44 p.m. CST

Hi, Matt. What other questions do you still have? Do you think we need to keep this ticket open? Overall, I think you should check some OIDC presentations and try to cursory read the core spec, it differs from bare-bone oAuth2.0 significantly (it's another layer on top of it).