By: Kirill Yashuk user 21 Jun 2018 at 9:10 a.m. CDT

Hello. I found it easy to integrate Gluu SSO, a mobile client and a REST API using OXD. However since our company has a lot of API services, we also want them to talk to each other directly. I managed to create roles with different permissions. One for client and another one for a service, but couldn't find a way to authenticate a Service. What would be the best approach to authorise both clients and services to use our APIs protected by Gluu?

By Aliaksandr Samuseu staff 21 Jun 2018 at 12:55 p.m. CDT

Hi, Kirill. For the service's authentication, you may opt for the [client credentials grant](https://gluu.org/docs/ce/2.4.4/admin-guide/oauth2/#when-should-the-client-credentials-flow-be-used). Example request:

```
POST /oxauth/restv1/token HTTP/1.1
Host: idpqa.jemstep.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic CLIENT_CREDS_BASE64ENCODED=
Cache-Control: no-cache
Content-Length: 71

grant_type=client_credentials&scope=openid+profile+email+uma_protection
```

It offers limited functionality, though. The other option is to [employ UMA](https://gluu.org/docs/ce/3.1.3/admin-guide/uma/), which is specifically designed for API protection. oxd server [supports UMA](https://gluu.org/docs/oxd/3.1.3/api/#uma-2-authorization) as well.

By Kirill Yashuk user 22 Jun 2018 at 9:15 a.m. CDT

Thank you very much for the reply. Unfortunately I'm struggling to get basic auth working. When I try basic auth via the API, I get this response:

```
HTTP/1.1 401 Unauthorized [Date: Fri, 22 Jun 2018 13:50:55 GMT, Server: Jetty(9.4.9.v20180320), X-Xss-Protection: 1; mode=block, X-Content-Type-Options: nosniff, Strict-Transport-Security: max-age=31536000; includeSubDomains, WWW-Authenticate: Basic realm="oxAuth", Content-Type: application/json;charset=iso-8859-1, Content-Length: 586, Keep-Alive: timeout=5, max=100, Connection: Keep-Alive] ResponseEntityProxy{[Content-Type: application/json;charset=iso-8859-1,Content-Length: 586,Chunked: false]}
```

While debugging oxAuth, I see that `AuthenticationFilter.processBasicAuth()` can't look up a user by the same username I successfully use to log into the oxd web interface. In the oxAuth debugger I see the following lines are invoked:

```java
Client client = clientService.getClient(username); // returns null
if (client == null || AuthenticationMethod.CLIENT_SECRET_BASIC != client.getAuthenticationMethod()) {
    throw new Exception("The Token Authentication Method is not valid.");
}
```

[https://ibb.co/mnk2QT](https://ibb.co/mnk2QT)

When I log into the oxd web console while debugging oxAuth, I see some generated username and password inside `AuthenticationFilter.processBasicAuth()`. The username starts with `@!`. In this case authentication works.

[https://ibb.co/gnbns8](https://ibb.co/gnbns8)

I tried using basic auth with the Inum of the user instead of the username, but it also didn't work.

By Kirill Yashuk user 25 Jun 2018 at 10:55 a.m. CDT

Basically my question is: where do I obtain credentials for basic auth? My admin username/email/inum + password didn't work.

By Aliaksandr Samuseu staff 26 Jun 2018 at 7:24 p.m. CDT

Hi, Kirill. If you try to employ the client credentials grant flow as was suggested before, for basic auth (Authorization header) you use the combination of the client's id and its secret. For the resource owner credentials flow you use the uid and password of the corresponding user. I don't think oxd supports either of those; officially it's only the authorization code flow which is supported. So you'll have to add some custom code which does this.

By Kirill Yashuk user 27 Jun 2018 at 4:25 a.m. CDT

Hello Aliaksandr. Thank you very much for the reply. Did I understand correctly that it's currently not possible with Gluu to use some persistent [id/username...] and [password/secret...] that I as a server administrator could obtain and use from client (backend) code indefinitely to get an access token? If it is possible, where exactly do I get these credentials? I have doubts about whether we want UMA because of the request overhead it implies.

By Aliaksandr Samuseu staff 27 Jun 2018 at 10:39 a.m. CDT

> Did I understand correctly that it's currently not possible with gluu to use some persistent [id/username...] and [password/secret...] that I as a server administrator could obtain and use from client(backend) code indefinitely to get an access token?

Not quite. You can use both the client credentials and resource owner credentials grant flows, but not with oxd. You will need to write some code which sends the request and parses the response yourself, or use another software which supports those flows (though I can't recommend anything in particular). Luckily, it's just a simple HTTP request/response thingy and shouldn't be a big problem.

> where exactly do I get these credentials?

You can search Gluu's LDAP directory and dump your client's metadata. It will contain its secret, reversibly encrypted.

1. Open the client's properties in the web UI and copy its "Inum" value
2. Move into Gluu's container
3. Put your LDAP password in `/tmp/.dpw` (it's the same as the default admin's password was right after installation)
4. Dump the client's properties: `# /opt/opendj/bin/ldapsearch -h 127.0.0.1 -p 1636 -s sub -T -Z -X -D 'cn=directory manager' -j /tmp/.dpw -b 'o=gluu' -z 3 '&(objectclass=oxauthclient)(inum=__YOUR_INUM__)'`
5. Take the value of `oxAuthClientSecret` and use it in the next command: `# /opt/gluu/bin/encode.py -d __ENCRYPTED_SECRET__`

For user entries it's not possible to recover their passwords as only hashes are stored, and you shouldn't need to do this actually, most of the time.

By Aliaksandr Samuseu staff 27 Jun 2018 at 10:53 a.m. CDT

Also, if you register a particular client with oxd and want to use its credentials for such a flow, you should be able to find it in the response to the "register_site" command.

By Kirill Yashuk user 28 Jun 2018 at 5:01 a.m. CDT

Thank you, Aliaksandr. The steps to recover credentials worked. With your help I managed to pass the oxAuth AuthenticationFilter. Now I'm investigating further.

```
curl -i -k -H "Authorization: Basic QCE4MkU0LjM1MkYuMERFNy5CQzVBITAwMDEhNkYzRC5BNkI0ITAwMDghRTZGQy5GM0E0LjM1QzcuRjM0ODpzYWZl" -H "Content-Type: application/x-www-form-urlencoded" -X POST -d "grant_type=client_credentials&scope=openid+profile+email+uma_protection" https://sso/oxauth/restv1/token

HTTP/1.1 400 Bad Request
Date: Thu, 28 Jun 2018 09:48:58 GMT
Server: Jetty(9.4.9.v20180320)
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Cache-Control: no-store
Content-Type: application/json
Pragma: no-cache
Content-Length: 213
Connection: close

{"error":"invalid_grant","error_description":"The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."}
```

As for the register site: I found only the oxd id in that response. I didn't find other references to register site in the Gluu documentation, except in the oxd docs: [https://gluu.org/docs/oxd/api/#register-site](https://gluu.org/docs/oxd/api/#register-site)

```
{
  "status":"ok",
  "data":{
    "oxd_id":"6F9619FF-8B86-D011-B42D-00CF4FC964FF"
  }
}
```

With the help of the debugger I found that the client was missing scopes and the grant type client_credentials. After adding them with oxd...

```
HTTP/1.1 200 OK
Date: Thu, 28 Jun 2018 11:13:15 GMT
Server: Jetty(9.4.9.v20180320)
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Cache-Control: no-store
Content-Type: application/json
Pragma: no-cache
Content-Length: 135

{"access_token":"1ceca015-1813-4e9d-a721-37cae8318d5e","token_type":"bearer","expires_in":299,"scope":"openid user_name profile email"}
```
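As an added example (not code from the thread, oxd or Gluu), here is the client credentials exchange discussed in the posts above in Python: it builds the `client_secret_basic` header from the client id and secret, posts the same form body to the oxAuth token endpoint, and distinguishes the `400 invalid_grant` seen before the client had the grant type and scopes registered from the `200` response carrying the token. The token endpoint host and the `GLUU_CLIENT_SECRET` environment variable are assumptions; the sample responses are copied from the posts above.

```python
import base64
import json
import os
from urllib import parse, request
from urllib.error import HTTPError

# Assumed endpoint; the thread used https://sso/oxauth/restv1/token.
TOKEN_ENDPOINT = "https://sso/oxauth/restv1/token"

# Sample bodies taken from the responses posted in the thread.
SAMPLE_ERR = ('{"error":"invalid_grant","error_description":"The provided '
              'authorization grant is invalid, expired, revoked, does not match '
              'the redirection URI used in the authorization request, or was '
              'issued to another client."}')
SAMPLE_OK = ('{"access_token":"1ceca015-1813-4e9d-a721-37cae8318d5e",'
             '"token_type":"bearer","expires_in":299,'
             '"scope":"openid user_name profile email"}')


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """client_secret_basic: base64("<client_id>:<client_secret>") as a Basic header."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def client_credentials_body(scopes) -> str:
    """URL-encoded form body; urlencode joins the space-separated scope with '+'."""
    return parse.urlencode({"grant_type": "client_credentials", "scope": " ".join(scopes)})


def parse_token_response(status: int, body: str) -> dict:
    """Normalise the two outcomes seen in the thread.  A 400 invalid_grant from oxAuth
    usually means the client is missing the client_credentials grant type or the
    requested scopes; a 200 carries the bearer token and the scopes actually granted."""
    data = json.loads(body)
    if status == 200 and "access_token" in data:
        return {"ok": True, "token": data["access_token"],
                "expires_in": int(data.get("expires_in", 0)),
                "scope": data.get("scope", "").split()}
    if "error" in data:
        return {"ok": False, "error": data["error"],
                "description": data.get("error_description", "")}
    raise ValueError(f"unexpected token response: HTTP {status}")


def fetch_token(client_id: str, scopes, endpoint: str = TOKEN_ENDPOINT) -> dict:
    """Perform the grant.  The secret comes from the environment, never from source, and
    TLS stays verified (no equivalent of curl -k) so the secret is not sent to an impostor."""
    secret = os.environ["GLUU_CLIENT_SECRET"]  # assumed variable name
    req = request.Request(endpoint, data=client_credentials_body(scopes).encode(), method="POST")
    req.add_header("Authorization", basic_auth_header(client_id, secret))
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with request.urlopen(req) as resp:
            return parse_token_response(resp.status, resp.read().decode())
    except HTTPError as e:  # oxAuth returns the OAuth2 error object with a 4xx status
        return parse_token_response(e.code, e.read().decode())
```

Compare the `scope` list in the parsed result against what the service needs: the thread's successful response granted `openid user_name profile email` even though `uma_protection` was requested, so a caller must check the granted scopes rather than assume the request was honoured.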