By: Scott Moree user 24 Jan 2019 at 1:25 p.m. CST

18 Responses
Scott Moree gravatar
Missing claim : (email). Please talk to your organizational system administrator. error when logging in with open id provider. I am using the WP gluu openID Connect plugin, i edited the client in the gluu OP and insured it has email as a scope. email is set as a default yet im getting this error. Anyhelp would be hugely appreciated.

By William Lowe staff 24 Jan 2019 at 1:41 p.m. CST

William Lowe gravatar
Can you post links to screenshots of all your configuration pages for the plugin and in Gluu? Thanks,. Will

By Scott Moree user 24 Jan 2019 at 1:52 p.m. CST

Scott Moree gravatar
Gluu WP Plugin: https://cdn.discordapp.com/attachments/538081577016492044/538081611770495006/unknown.png https://cdn.discordapp.com/attachments/538081577016492044/538081811104792598/unknown.png oxd JSON from client-side oxd installation: oxd-default-site-condif.json ``` { "op_host": "https://login.datasciencedojo.com", "op_discovery_path": "", "response_types": [ "code" ], "grant_type": [ "authorization_code" ], "acr_values": [ "" ], "scope": [ "openid", "profile", "email" ], "ui_locales": [ "en" ], "claims_locales": [ "en" ], "contacts": [ "stmoree@gmail.com, ahsan@datasciencedojo.com" ] } ``` oxd-conf.json ``` { "port":8099, "localhost_only":true, "time_out_in_seconds":0, "use_client_authentication_for_pat":true, "trust_all_certs":true, "trust_store_path":"", "trust_store_password":"", "crypt_provider_key_store_path":"", "crypt_provider_key_store_password":"", "crypt_provider_dn_name":"", "support-google-logout":false, "state_expiration_in_minutes":5, "nonce_expiration_in_minutes":5, "public_op_key_cache_expiration_in_minutes":60, "protect_commands_with_access_token":false, "uma2_auto_register_claims_gathering_endpoint_as_redirect_uri_of_client":true, "migration_source_folder_path":"", "storage":"h2", "storage_configuration": { "dbFileLocation":"/opt/oxd-server/data/oxd_db" } } ``` Gluu server (OP): https://cdn.discordapp.com/attachments/538081577016492044/538082686288527360/unknown.png https://cdn.discordapp.com/attachments/538081577016492044/538083114749001730/unknown.png https://cdn.discordapp.com/attachments/538081577016492044/538083382639460358/unknown.png I do see two clientID's from the web app im trying to link here, however ive added email scope to both and only the one that matches the clientid of the plugin i assume matters(?)

By William Lowe staff 24 Jan 2019 at 1:59 p.m. CST

William Lowe gravatar
I quickly notice that in your plugin, the site login uri field is empty.. that should be your wordpress admin url , e.g. `https://mysite.com/wp-admin` You can fix that and try again. It shouldnt affect the email claim being passed though but it might. Everything else looks right to me.

By Scott Moree user 24 Jan 2019 at 2:04 p.m. CST

Scott Moree gravatar
Updated to include the site login uri; same result however.

By William Lowe staff 24 Jan 2019 at 2:09 p.m. CST

William Lowe gravatar
hmm ok , I will ask the developer to take a look. Stay tuned.

By Jajati Badu Account Admin 25 Jan 2019 at 7:39 a.m. CST

Jajati Badu gravatar
Hi Scott, Can you please upload the oxd server log file

By Scott Moree user 25 Jan 2019 at 11:06 a.m. CST

Scott Moree gravatar
Oxd log for yesterday is here : https://cdn.discordapp.com/attachments/538081577016492044/538402699322851341/oxd-server.log.2019-01-24 Inccidently if i use OpenID Connect debugger @ https://oidcdebugger.com It and send form, I get sent to the OP, enter credentials, then im simple in the admin UI of the OP and not directed to the redirect URI(dont know if this is relevant, or expected as i need to define a Sector Identifier - the documentation no longer matches current UI so its a bit confusing.

By Scott Moree user 25 Jan 2019 at 11 p.m. CST

Scott Moree gravatar
Not sure why it is reflecting that i am closing the ticket in the history, I am not, I still need assistance :)

By Jajati Badu Account Admin 25 Jan 2019 at 11:40 p.m. CST

Jajati Badu gravatar
Hi Scott , From oxd logs I can see some unknow error happened .Can you please send the oxAuth log file from Gluu server for the same date ?

By Scott Moree user 25 Jan 2019 at 11:49 p.m. CST

Scott Moree gravatar
https://cdn.discordapp.com/attachments/538081577016492044/538596116598620171/oxAughtLog-1-24-19.txt Here it is.

By Jajati Badu Account Admin 25 Jan 2019 at 11:59 p.m. CST

Jajati Badu gravatar
Thanks for the logs, The basic and required scope for OIDC is openid but as per your below screenshot you have not added Openid as a scope https://cdn.discordapp.com/attachments/538081577016492044/538083382639460358/unknown.png So openid scope has to be added to the OIDC client in Gluu server.

By Scott Moree user 28 Jan 2019 at 9:51 a.m. CST

Scott Moree gravatar
I did not see any openid scope in the list of those i can add so i created one and added it. I am however still getting the same results however. ``` 2019-01-28 15:42:43,289 TRACE [org.xdi.oxd.server.service.HttpService] Created TRUST_ALL client. 2019-01-28 15:42:43,582 ERROR [org.xdi.oxd.server.op.GetClientTokenOperation] access_token is blank in response, params: GetClientTokenParams{clientId='@!17CA.1768.35CE.95CD!0001!C610.A388!0008!A7EF.CFF0.9801.7F7F', opHost='https://login.datasciencedojo.com', opDiscoveryPath='null', scope=null, authenticationMethod='null', algorithm='null', keyId='null'}, response: org.xdi.oxauth.client.TokenResponse@440b9388 2019-01-28 15:42:43,582 ERROR [org.xdi.oxd.server.op.GetClientTokenOperation] Please check AS logs for more details (oxauth.log for CE). 2019-01-28 15:42:43,583 TRACE [org.xdi.oxd.server.Processor] Send back response: {"status":"error","data":{"error":"internal_error","details":null,"error_description":"Unknown internal server error occurs."}} 2019-01-28 15:42:43,583 ERROR [org.xdi.oxd.server.SocketProcessor] Quit. Enable to process command. 2019-01-28 15:42:43,583 TRACE [org.xdi.oxd.server.SocketProcessor] Socket processor handling... 2019-01-28 15:42:43,594 TRACE [org.xdi.oxd.server.Processor] Command: {"command":"get_user_info","params":{"oxd_id":"372b6e92-0864-4cc8-abbc-8ebba0e185f8","access_token":null,"protection_access_token":false}} 2019-01-28 15:42:43,595 TRACE [org.xdi.oxd.server.service.HttpService] Created TRUST_ALL client. 2019-01-28 15:42:43,902 TRACE [org.xdi.oxd.server.Processor] Send back response: {"status":"ok","data":{"claims":{},"refresh_token":null,"access_token":null}} 2019-01-28 15:42:43,904 TRACE [org.xdi.oxd.server.SocketProcessor] Socket processor handling... 2019-01-28 15:42:43,904 TRACE [org.xdi.oxd.server.SocketProcessor] Quit. Read result is null or command string is blank. 2019-01-28 15:42:49,394 TRACE [org.xdi.oxd.server.SocketProcessor] Socket processor handling... 2019-01-28 15:42:49,394 TRACE [org.xdi.oxd.server.SocketProcessor] Quit. Read result is null or command string is blank. 2019-01-28 15:42:52,419 TRACE [org.xdi.oxd.server.SocketProcessor] Socket processor handling... 2019-01-28 15:42:52,419 TRACE [org.xdi.oxd.server.SocketProcessor] Socket processor handling... 2019-01-28 15:42:52,419 TRACE [org.xdi.oxd.server.SocketProcessor] Quit. Read result is null or command string is blank. 2019-01-28 15:42:52,419 TRACE [org.xdi.oxd.server.Processor] Command: {"command":"get_client_token","params":{"op_host":"https://login.datasciencedojo.com","oxd_id":"372b6e92-0864-4cc8-abbc-8ebba0e185f8","client_id":"@!17CA.1768.35CE.95CD!0001!C610.A388!0008!A7EF.CFF0.9801.7F7F","":"6009777b-cd17-42af-973a-b4fa69bc0f2a"}} 2019-01-28 15:42:52,422 TRACE [org.xdi.oxd.server.service.RpService] Found rp by client_id: @!17CA.1768.35CE.95CD!0001!C610.A388!0008!A7EF.CFF0.9801.7F7F, rp: Rp{oxdId='793aa7a0-1bed-4e2b-a583-fe6f35309fc7', opHost='https://login.datasciencedojo.com', opDiscoveryPath='null', idToken='null', accessToken='null', authorizationRedirectUri='https://tutorials.datasciencedojo.com/index.php?option=oxdOpenId', postLogoutRedirectUri='https://tutorials.datasciencedojo.com/index.php?option=allLogout', applicationType='web', redirectUris=[https://tutorials.datasciencedojo.com/index.php?option=oxdOpenId], frontChannelLogoutUri=null, claimsRedirectUri=[], responseTypes=[code], clientId='@!17CA.1768.35CE.95CD!0001!C610.A388!0008!A7EF.CFF0.9801.7F7F', clientRegistrationAccessToken='9656e015-61f3-4f30-b41c-c3c046afd7e7', clientRegistrationClientUri='https://login.datasciencedojo.com/oxauth/seam/resource/restv1/oxauth/register?client_id=@!17CA.1768.35CE.95CD!0001!C610.A388!0008!A7EF.CFF0.9801.7F7F', clientIdIssuedAt=Sun Jan 27 21:41:07 UTC 2019, clientSecretExpiresAt=Mon Jan 28 21:41:07 UTC 2019, clientName='null', sectorIdentifierUri='null', clientJwksUri='null', setupClient='true', setupOxdId='null', setupClientId='null', scope=[address, test, clientinfo, email, permission, user_name, profile, mobile_phone, phone, uma_protection, oxd], uiLocales=[en], claimsLocales=[en], acrValues=[], grantType=[authorization_code, client_credentials], contacts=[stmoree@gmail.com], userId='null', userSecret='null', pat='null', patExpiresIn=0, patCreatedAt=null, patRefreshToken='null', umaProtectedResources=[], rpt='null', rptTokenType='null', rptPct='null', rptExpiresAt=null, rptCreatedAt=null, rptUpgraded=null, tokenEndpointAuthSigningAlg=null, tokenEndpointAuthMethod=null, oxdRpProgrammingLanguage=null} 2019-01-28 15:42:52,422 TRACE [org.xdi.oxd.server.service.HttpService] Created TRUST_ALL client. 2019-01-28 15:42:52,724 ERROR [org.xdi.oxd.server.op.GetClientTokenOperation] access_token is blank in response, params: GetClientTokenParams{clientId='@!17CA.1768.35CE.95CD!0001!C610.A388!0008!A7EF.CFF0.9801.7F7F', opHost='https://login.datasciencedojo.com', opDiscoveryPath='null', scope=null, authenticationMethod='null', algorithm='null', keyId='null'}, response: org.xdi.oxauth.client.TokenResponse@3683002c 2019-01-28 15:42:52,724 ERROR [org.xdi.oxd.server.op.GetClientTokenOperation] Please check AS logs for more details (oxauth.log for CE). 2019-01-28 15:42:52,724 TRACE [org.xdi.oxd.server.Processor] Send back response: {"status":"error","data":{"error":"internal_error","details":null,"error_description":"Unknown internal server error occurs."}} 2019-01-28 15:42:52,724 ERROR [org.xdi.oxd.server.SocketProcessor] Quit. Enable to process command. 2019-01-28 15:42:52,724 TRACE [org.xdi.oxd.server.SocketProcessor] Socket processor handling... 2019-01-28 15:42:52,725 TRACE [org.xdi.oxd.server.Processor] Command: {"command":"get_authorization_url","params":{"oxd_id":"372b6e92-0864-4cc8-abbc-8ebba0e185f8","acr_values":null,"prompt":null,"scope":["openid","profile","email"],"hd":null,"protection_access_token":false}} 2019-01-28 15:42:52,725 TRACE [org.xdi.oxd.server.Processor] Send back response: {"status":"ok","data":{"authorization_url":"https://login.datasciencedojo.com/oxauth/seam/resource/restv1/oxauth/authorize?response_type=code&client_id=@!17CA.1768.35CE.95CD!0001!C610.A388!0008!447A.8C55.6054.A570&redirect_uri=https://tutorials.datasciencedojo.com/index.php?option=oxdOpenId&scope=openid+profile+email&state=vif0a21v1b4t4m6iefj065s5lb&nonce=ek4tg46gms6sc15lp8amu10dii"}} 2019-01-28 15:42:52,725 TRACE [org.xdi.oxd.server.SocketProcessor] Socket processor handling... 2019-01-28 15:42:52,725 TRACE [org.xdi.oxd.server.SocketProcessor] Quit. Read result is null or command string is blank. ``` ``` 2019-01-28 15:42:52,685 INFO [qtp1100439041-14] [org.xdi.oxauth.auth.AuthenticationFilter] (AuthenticationFilter.java:234) - Basic authentication failed java.lang.Exception: The Token Authentication Method is not valid. at org.xdi.oxauth.auth.AuthenticationFilter.processBasicAuth(AuthenticationFilter.java:207) [classes/:?] at org.xdi.oxauth.auth.AuthenticationFilter.access$300(AuthenticationFilter.java:67) [classes/:?] at org.xdi.oxauth.auth.AuthenticationFilter$1.process(AuthenticationFilter.java:116) [classes/:?] at org.jboss.seam.servlet.ContextualHttpServletRequest.run(ContextualHttpServletRequest.java:65) [jboss-seam-2.3.1.Final.jar:2.3.1.Final] at org.xdi.oxauth.auth.AuthenticationFilter.doFilter(AuthenticationFilter.java:89) [classes/:?] at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) [jboss-seam-2.3.1.Final.jar:2.3.1.Final] at org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:90) [jboss-seam-2.3.1.Final.jar:2.3.1.Final] at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) [jboss-seam-2.3.1.Final.jar:2.3.1.Final] at org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:64) [jboss-seam-2.3.1.Final.jar:2.3.1.Final] at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) [jboss-seam-2.3.1.Final.jar:2.3.1.Final] at org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45) [jboss-seam-2.3.1.Final.jar:2.3.1.Final] at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) [jboss-seam-2.3.1.Final.jar:2.3.1.Final] at org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158) [jboss-seam-2.3.1.Final.jar:2.3.1.Final] at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1751) [jetty-servlet-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:582) [jetty-servlet-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548) [jetty-security-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:226) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1180) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:512) [jetty-servlet-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1112) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:213) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:119) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:134) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.server.Server.handle(Server.java:534) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:320) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:283) [jetty-io-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:110) [jetty-io-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:93) [jetty-io-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.executeProduceConsume(ExecuteProduceConsume.java:303) [jetty-util-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceConsume(ExecuteProduceConsume.java:148) [jetty-util-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:136) [jetty-util-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:671) [jetty-util-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:589) [jetty-util-9.3.15.v20161220.jar:9.3.15.v20161220] at java.lang.Thread.run(Thread.java:745) [?:1.8.0_112] ``` https://cdn.discordapp.com/attachments/538081577016492044/539472201200697374/unknown.png https://cdn.discordapp.com/attachments/538081577016492044/539472420717723649/unknown.png

By Scott Moree user 28 Jan 2019 at 11:21 a.m. CST

Scott Moree gravatar
I am assuming the root cuase of this is related to the 'openid' scope not being there. Creating a custom scope and calling it openid just isnt the same :) Why would this default scope not be listed?

By William Lowe staff 28 Jan 2019 at 11:33 a.m. CST

William Lowe gravatar
yes, definitely. openid should be released as a default scope. You indicated in this ticket that youre using Gluu 3.1.5, but from your screenshots I can see that its not actually 3.1.5. Can you confirm which version this is, and whether it's a fresh install or an upgraded instance?

By Scott Moree user 28 Jan 2019 at 11:58 a.m. CST

Scott Moree gravatar
My apologies for the inaccurate information. Welcome to your Gluu Identity Appliance 3.0.1! is what i see in the GLUU UI So that is the version we have installed :) as you can see both in the UI and the openid-configuration endpoint json there is no standard 'openid' scope showing up. { "issuer": "https://login.datasciencedojo.com", "authorization_endpoint": "https://login.datasciencedojo.com/oxauth/seam/resource/restv1/oxauth/authorize", "token_endpoint": "https://login.datasciencedojo.com/oxauth/seam/resource/restv1/oxauth/token", "userinfo_endpoint": "https://login.datasciencedojo.com/oxauth/seam/resource/restv1/oxauth/userinfo", "clientinfo_endpoint": "https://login.datasciencedojo.com/oxauth/seam/resource/restv1/oxauth/clientinfo", "check_session_iframe": "https://login.datasciencedojo.com/oxauth/opiframe", "end_session_endpoint": "https://login.datasciencedojo.com/oxauth/seam/resource/restv1/oxauth/end_session", "jwks_uri": "https://login.datasciencedojo.com/oxauth/seam/resource/restv1/oxauth/jwks", "registration_endpoint": "https://login.datasciencedojo.com/oxauth/seam/resource/restv1/oxauth/register", "validate_token_endpoint": "https://login.datasciencedojo.com/oxauth/seam/resource/restv1/oxauth/validate", "id_generation_endpoint": "https://login.datasciencedojo.com/oxauth/seam/resource/restv1/id", "introspection_endpoint": "https://login.datasciencedojo.com/oxauth/seam/resource/restv1/introspection", "scopes_supported": [ "address", "test", "clientinfo", "email", "permission", "user_name", "profile", "mobile_phone", "phone" ], https://cdn.discordapp.com/attachments/538081577016492044/539524976038903809/unknown.png This was a fresh installation on a VM we just spun up last week.

By William Lowe staff 28 Jan 2019 at 3:01 p.m. CST

William Lowe gravatar
> This was a fresh installation on a VM we just spun up last week. You just spun up an installation of Gluu 3.0.1 ? The latest version is Gluu 3.1.5. Any reason for installing such an old version? It doesn't make sense that you don't have an OpenID scope there. Its a required scope for OpenID, which the Gluu Server has supported for many years. I think you should deploy the latest version of the server and try to re-configure the setup, making sure you fill all fields correctly, etc. from the start.

By Scott Moree user 28 Jan 2019 at 4:10 p.m. CST

Scott Moree gravatar
I was not the person who installed it (i dont have access to our cloud provider accounts) so no idea why such a old version was installed, but it was missing the standard openid scope. After realizing it was an old version i had a new machine provisioned with 3.1.4(was told he had trouble with 3.1.5 for some reason). I did exactly as i had before but this time saw the openid scope and now it is working perfectly. Thank you for your assistance.

By William Lowe staff 29 Jan 2019 at 1:13 a.m. CST

William Lowe gravatar
> with 3.1.4 (was told he had trouble with 3.1.5 for some reason). OK.. feel free to open a new ticket to let us know about the issue experiences. We haven't heard about any blocking issues with installation of 3.1.5 yet. Thanks for confirming the rest. Will