Dynamic Client Registration #70
Comments
Hi Mike, The |
Ok, now it's registering. Also my redirect URI was not in the protected folder. Does the redirect_uri actually need to exist on the file system? If so, what should be in this file? I see some other weird problems now. The first time I logged in, it worked, and I could see the sub value populated as the REMOTE_USER variable. However, on subsequent access attempts, I was seeing 500 errors. I see these logs:
I'll try to reproduce this exact scenario. I was trying it from both Chrome and Internet Explorer. |
In the docs here https://github.com/pingidentity/mod_auth_openidc/blob/master/auth_openidc.conf#L8 it is explained that the redirect URI does not need to exist. The Another reason may be that cookie path/domain settings don't add up but I believe this situation would have been caught by the configuration checks at startup. |
Hans, Not trying the back button B-) When I hit the protected URL from Chrome, it works. Although when I return to the protected site, it re-prompts me for discovery. However, when I GET the URL from Internet Explorer 11, I see a 500 Internal Server Error. The logs are below:
|
I put my notes here if anyone is interested... http://gluu.co/mod_auth_oidc_notes |
The default Discovery page does not leverage a cookie to store a previous selection and reuse that. I expect that no one will use the default Discovery page in production because of its look-and-feel so it is merely for testing. A custom Discovery page can be created as documented in: https://github.com/pingidentity/mod_auth_openidc/wiki#12-how-can-i-customize-the-idp-discovery-or-initial-login-page. I will have to look into IE 11's behaviour. It looks like it doesn't send the state cookie to mod_auth_openidc. If you have a browser trace (i.e. Fiddler) that would be convenient, otherwise I will have to find a Windows machine... |
I tested with IE 11 ( |
@nynymike do you still have this issue? If so, any browser trace that you could paste? |
Will let you know. Thanks for the link! On 2015-06-23 16:00, Hans Zandbelt wrote:
|
I was trying to get Dynamic Client registration to work. Here is the scenario:
I have two local VMs: one running the Gluu Server CE edition (hostname in my example ce.gluu.info), the other running apache (hostname: apache.gluu.info). I configured apache
In my OIDCMetadataDir folder, I have one file ce.gluu.info.client:
When I navigate to https://apache.gluu.info/protected, I am asked to enter my email address:
I wonder why this is necessary. If there is only one entry in the OIDCMetadataDir, why does it need to ask me? If I enter a new email address, it doesn't seem to create a new client entry in the OIDCMetadataDir.
So anyway, after entering mike@ce.gluu.info, I just get redirected to https://apache.gluu.info/?target_link_uri=https%3A%2F%2Fapache.gluu.info%2Fprotected&iss=admin%40ce.gluu.info
Note: I don't see any dynamic client registration request on my Gluu VM, ce.gluu.info.
I was sort of hoping that the mod_auth_oidc would register in my OP, and that when I navigated to https://apache.gluu.info/protected ... I would be redirected to the Gluu Server login page... and then redirected back to the protected folder with the sub claim populated.