By: Arlon Antonius user 24 May 2018 at 1:45 a.m. CDT

12 Responses
Hi everybody,

After a while I finally got back to trying to make Gluu work properly with PHP (Laravel). I'm trying to figure out a few things:

- Are you able to use OAuth without having to pay? I see a lot of references to oxd, which is paid.
- Where can I find documentation on the OAuth endpoints? (Have found them for OpenID Connect, not OAuth)
- Where can I find documentation regarding registration of users?

Hope someone is able to help me out.

By William Lowe user 24 May 2018 at 8:48 a.m. CDT

OpenID Connect is a profile of OAuth. You should use OpenID Connect for SSO. We recommend using [SCIM for user registration](https://gluu.org/docs/ce/user-management/scim2/#supporting-a-user-registration-process-with-scim). Thanks, Will

By Arlon Antonius user 25 May 2018 at 8:17 a.m. CDT

Hi William,

I've been trying to figure out OAuth with Laravel and it's been quite a hassle so far. Right now I'm trying to make Laravel's simple Socialite package communicate with Gluu. I've gotten quite far but have now got to this error:

```
Client error: `GET https://mygluuserver/oxauth/restv1/userinfo` resulted in a `403 Forbidden` response:
{"error":"insufficient_scope","error_description":"The request requires higher privileges than provided by the access to (truncated...)
```

While the OpenID Client has all privileges, scopes and grant types. Any idea what might cause this issue?

Kind regards, Arlon

By William Lowe user 25 May 2018 at 8:19 a.m. CDT

Which OpenID Connect client are you using?

By Arlon Antonius user 27 May 2018 at 3:42 a.m. CDT

Hi William,

I'll pause this ticket for a bit as I realized I first want to take care of an SSL issue I'm having. Will post that question somewhere else.

I was trying to make the authentication work with this package: https://laravel.com/docs/5.6/socialite

However, it's been quite a hassle so far. I created a new OpenID Client (on the Gluu Admin Panel) and gave it access to basically everything and still got that error that says it doesn't have access for getting info through the /userinfo endpoint.

Kind regards, Arlon

By Aliaksandr Samuseu staff 27 May 2018 at 3:19 p.m. CDT

Hi, Arlon.

Any particular reason you don't want to use our oxd server for this project, btw? It [provides PHP libraries](https://gluu.org/docs/oxd/3.1.3/libraries/languages/php/). In this case we could provide you a bit more assistance within the scope of Community Support. Normally we only provide consultations for integration/development projects to our paying customers.

> I created a new OpenID Client (on the Gluu Admin Panel) and gave it access to basically everything and still got that error that says it doesn't have access for getting info through the /userinfo endpoint.

I would suggest adding more logging instructions to your code. Ideally, it should dump all requests it tries to send to Gluu Server. You should be able to see what pieces are missing from them by comparing them to the ones in [the spec](http://openid.net/specs/openid-connect-core-1_0.html) and/or to requests generated from one of our supported OIDC clients for which we provide step-by-step docs. Here is one: [link](https://gluu.org/docs/ce/3.1.3/integration/sswebapps/openidc-rp/)

By Arlon Antonius user 29 May 2018 at 2:52 a.m. CDT

Hi Aliaksandr, I don't want to use the OXD server as I don't want to pay for this. As far as I know, anything related to OXD is paid. Kind regards, Arlon

By Arlon Antonius user 29 May 2018 at 4:51 a.m. CDT

Hi all,

I reinstalled my Gluu Server, adjusted all my settings and got back to this same lovely error again.

```
{"error":"insufficient_scope","error_description":"The request requires higher privileges than provided by the access token."}
```

When trying to access the /restv1/userinfo endpoint without a scope at all (as I want all scopes allowed).

Is there anyone that knows how I might be able to fix this?

Kind regards, Arlon

By Aliaksandr Samuseu staff 30 May 2018 at 3:19 p.m. CDT

Hi, Arlon.

> As far as I know, anything related to OXD is paid.

That's true, but the price is quite modest, imo. And it is still an open-source project as well, with all the benefits of it.

> I reinstalled my Gluu Server, adjusted all my settings and got back to this same lovely error again.

I really very much doubt Gluu is the culprit here. Gluu offers one of the best OIDC OP implementations out there, and verifies its compliance to the specs on a regular basis. If you are getting an error from `/userinfo`, in 99% of cases it's because something is wrong with your request and/or the client's properties.

At this point I would suggest starting to dump requests and responses and comparing them to the specs step-by-step. Also check the client's registration ("OpenID Connect -> Clients" in the web UI) and make sure everything is as expected/in sync with the client's settings at the RP. You can also enable `mod_dumpio` in Gluu's Apache; this will allow you to see everything passing through it, though its output is extremely cluttered with garbage.

> Is there anyone that knows how I might be able to fix this?

Unfortunately, not amongst Community Support engineers, we can't afford assisting with development tasks. But other Gluu users are welcome to lend a hand.

By Arlon Antonius user 30 May 2018 at 9:45 p.m. CDT

Hi Aliaksandr, I think I'm not really asking for help development related. I'm asking what could cause the error related to the userinfo endpoint. I'm doing a get request on the endpoint with the following get parameters / data: https://i.gyazo.com/bc8128d9d06dbc57ef1eb5c3a9ee2aa4.png The reply I get is somewhat weird to me as I expect it to just return all scopes available for that client.

By Aliaksandr Samuseu staff 31 May 2018 at 7:48 a.m. CDT

> I'm asking what could cause the error related to the userinfo endpoint.

Incorrectly composed request and/or not following the flow set by the spec. Dump all requests your app sends to Gluu "as is" (your picture doesn't show the actual request, it's some parsed output which omits vital items) and compare them to the spec, that should help.

By Arlon Antonius user 03 Jun 2018 at 7:29 a.m. CDT

Hi Aliaksandr, If you provide me with an example of what info you need, I'll be able to find it. The request is made using the Guzzle Client for PHP. Kind regards, Arlon

By Aliaksandr Samuseu staff 03 Jun 2018 at 8:23 p.m. CDT

For cases like this we encourage our free users to investigate and troubleshoot for themselves. In OIDC all communications are done using the HTTP protocol. You need to dump all exchanges in the form provided below, and compare them to [the spec](http://openid.net/specs/openid-connect-core-1_0.html), step by step.

```
POST /oxauth/restv1/token HTTP/1.1
Host: mytrue.host.loc
Content-Type: application/x-www-form-urlencoded
Authorization: Basic QCFBRkFELjU5RDkuQjNBNC5EOTIxITAwMDEhODA1Mi5BOEQ5ITAwMDghODE4My4xM0VGLjZFM0IuNUQ1QzowYjA0NzBmYS0zMjY3LTQwOGEtODA1ZS03YmE4MTE2OWM2ZmM=
Content-Length: 148

grant_type=authorization_code&code=8253f48c-5f58-4479-acac-66f7d2455cbd&redirect_uri=https://mytrue.host.loc/oxauth-rp/home.htm&code_verifier=secret
```

Also make sure your client's metadata at Gluu is compatible with what your RP actually uses during communications.
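
Added example, not part of the thread and not Gluu's code: one way to do the comparison suggested above is to run raw request dumps in the form shown through a few checks taken from OpenID Connect Core (section 3.1.2.1 for the authentication request, section 5.3.1 for the UserInfo request), masking the `Authorization` credential before a dump is shared. The function names, the `/authorize` path, hosts, client id and token are assumptions made up for the example.

```python
from urllib.parse import urlsplit, parse_qs

def parse_dump(raw):
    """Split a raw HTTP request dump into (method, target, headers, body)."""
    head, _, body = raw.strip().replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body

def redact(raw):
    """Mask the Authorization credential so the dump can be posted in a ticket."""
    out = []
    for line in raw.splitlines():
        if line.lower().startswith("authorization:"):
            scheme = (line.split(":", 1)[1].split() or [""])[0]
            line = "Authorization: " + scheme + " [REDACTED]"
        out.append(line)
    return "\n".join(out)

def check_authorization_request(raw):
    """OIDC Core 3.1.2.1: required parameters; scope must contain 'openid'."""
    _, target, _, _ = parse_dump(raw)
    params = parse_qs(urlsplit(target).query)
    required = ("response_type", "client_id", "redirect_uri")
    problems = [p + " missing" for p in required if p not in params]
    if "openid" not in params.get("scope", [""])[0].split():
        problems.append("scope does not contain 'openid'")
    return problems

def check_userinfo_request(raw):
    """OIDC Core 5.3.1: access token is recommended in the Authorization header."""
    _, target, headers, _ = parse_dump(raw)
    problems = []
    auth = headers.get("authorization", "")
    if not auth.lower().startswith("bearer ") or not auth[7:].strip():
        problems.append("no Bearer access token in Authorization header")
    if "access_token" in parse_qs(urlsplit(target).query):
        problems.append("access token in URL query string")
    return problems

# Constructed sample dumps (hosts, client id and token are made up).
AUTHZ = ("GET /authorize?response_type=code&client_id=example-client"
         "&redirect_uri=https%3A%2F%2Frp.example%2Fcb HTTP/1.1\n"
         "Host: idp.example\n")
USERINFO = ("GET /oxauth/restv1/userinfo?access_token=example-token HTTP/1.1\n"
            "Host: idp.example\n")
```

An empty list from a check means the dump passed the items tested here; it does not cover the rest of the flow, such as the client's registered scopes on the server.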