
oxd's Introduction

oxd

oxd is a middleware service web application developers can use to facilitate user authentication and authorization with an external OAuth 2.0 identity provider. Learn more in the oxd documentation.

oxd's People

Contributors

adrian-gluu, altexy, centroxy, dependabot[bot], devrimyatar, duttarnab, elchtestatbosch, ganesh-at-wiw, miltonbo, mo-auto, moabu, nikdavnik, nynymike, ossdhaval, shmorri, shoebkhan09, smansoft, willow9886, yurem, yuriyz


oxd's Issues

Logout protocol is not working

When I use the logout protocol, I get an internal error message.
Test result.
2015-12-03 15:06:11,563 DEBUG [org.xdi.oxd.server.service.SocketService] Start new SocketProcessor...
2015-12-03 15:06:11,563 TRACE [org.xdi.oxd.server.SocketProcessor] Socket processor handling...
2015-12-03 15:06:11,563 TRACE [org.xdi.oxd.common.CoreUtils] commandSize: -1, stringStorage:
2015-12-03 15:06:11,569 TRACE [org.xdi.oxd.common.CoreUtils] Parsed sizeString: 1247, commandSize: 1247
2015-12-03 15:06:11,569 TRACE [org.xdi.oxd.common.CoreUtils] Read result: ReadResult{m_command='
{"command":"logout",
"params": {
"oxd_id":"9c4f789f-062d-418b-809a-0bdaac44c4fe",
"id_token":"eyJ0eXAiOiJKV1MiLCJhbGciOiJSUzI1NiIsImtpZCI6IjRjMWM3MzA1LTA2MzMtNGU4OS04NWMzLWY1NmYzZWIzMzE3NiJ9.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.KvyszHKVKIbRxs3fu8VpzDXPZYZw50qcfFBEmFhK4CBRhh7dC6oP3i_DfRgZKBRxiqTSZMXxMRXl2TbzV5JUol1ZUWZWCl7LNmw3l95dJs0CCSQ7FkhiZW-DcfDRFlypydxFbOBVlom_LSbX7D2Xudnp_fFJ5NG1Pj5Me2F85UQ1uVmD8ghISnMyQpv0bZJ2bnayipxKmtpwJlbe9haEsmoOloecjLijXzgz_ENvGMukGGpvCLAca9wG6iodnuehiEgOxoCclaLdCqK86G3JxyQ0v5fkEFlMjaBZC-EHEqC4sE2e_s2nbpIAKLmn9yEEu_SW1HLxtIMjzhZs9H6pkQ",
"http_based_logout":false
}
}', m_leftString=''}
2015-12-03 15:06:11,569 TRACE [org.xdi.oxd.server.Processor] Command: {"command":"logout","params":{"oxd_id":"9c4f789f-062d-418b-809a-0bdaac44c4fe","id_token":"eyJ0eXAiOiJKV1MiLCJhbGciOiJSUzI1NiIsImtpZCI6IjRjMWM3MzA1LTA2MzMtNGU4OS04NWMzLWY1NmYzZWIzMzE3NiJ9.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.KvyszHKVKIbRxs3fu8VpzDXPZYZw50qcfFBEmFhK4CBRhh7dC6oP3i_DfRgZKBRxiqTSZMXxMRXl2TbzV5JUol1ZUWZWCl7LNmw3l95dJs0CCSQ7FkhiZW-DcfDRFlypydxFbOBVlom_LSbX7D2Xudnp_fFJ5NG1Pj5Me2F85UQ1uVmD8ghISnMyQpv0bZJ2bnayipxKmtpwJlbe9haEsmoOloecjLijXzgz_ENvGMukGGpvCLAca9wG6iodnuehiEgOxoCclaLdCqK86G3JxyQ0v5fkEFlMjaBZC-EHEqC4sE2e_s2nbpIAKLmn9yEEu_SW1HLxtIMjzhZs9H6pkQ","http_based_logout":false}}
2015-12-03 15:06:11,582 ERROR [org.xdi.oxd.server.op.LogoutOperation] Failed to get response from oxauth client.
2015-12-03 15:06:11,582 TRACE [org.xdi.oxd.server.Processor] Send back response: {"status":"error","data":{"error":"internal_error","error_description":"Internal server error occurs."}}
2015-12-03 15:06:11,582 ERROR [org.xdi.oxd.server.SocketProcessor] Quit. Enable to process command.

Add state parameter check

[09/09/2016 00:09:13] Gluu - Michael Schwartz: couldn't it create an in-memory hash table with previously requested states.
[09/09/2016 00:09:25] Gluu - Michael Schwartz: and when the user requests token
[09/09/2016 00:09:32] Gluu - Michael Schwartz: includes the state
[09/09/2016 00:09:41] Gluu - Michael Schwartz: and if it's a state that no one has registered...
[09/09/2016 00:09:47] Gluu - Michael Schwartz: it is discarded.
[09/09/2016 00:12:25] Gluu - Michael Schwartz: I think it should be required for get_tokens

add acrs to request

One more request on oxd... can we send a list of requested acr's? These need to be sent space delimited to the OP.

Extends fallback values for register_site command

{
"op_host": "https://ce-dev.gluu.org",
"redirect_uris" : [ "https://www.myapplication.com/welcome" ],
"logout_redirect_uri" : "https://www.myapplication.com/logout",
"scope" : [ "openid", "profile"],
"acr_values" : [ "basic", "duo","u2f","gplus", "oxpush2" ]
}
[19:24:26] Gluu - Michael Schwartz: here's what I think the minimum config I'd need
[19:24:29] Gluu - Michael Schwartz: 1) where is oxd...
[19:24:40] Gluu - Michael Schwartz: 2) what are my clients login / logout URIs
[19:24:43] Gluu - Michael Schwartz: 3) scopes requested
[19:24:47] Gluu - Michael Schwartz: 4) acrs...

register_site protocol

When I send a request using the register_site protocol, 2 clients are added in gluu-server. I think it is a bug.

problem with scopes in get_tokens_by_code protocol

When I send new scopes in scopes (without openid and profile), for example address, email, mobile_phone, phone or new custom scopes, the response is empty, without the openid and profile response parameters. But when I add new parameters in the profile scope (for example email, phone, etc.), the response is OK. But I need it to work for multiple: what I send with acr_value, if it exists in the Gluu server and is switched on, it sends me the response that I want.

CLI to create client private key creds

We need a command line program that enables you to generate two things

  1. jwks document (published by client somewhere the OP can reach it)
  2. jks that can be registered by client : stored in folder where oxauth has access to it or alternately, created and stored via oxEleven

The above would enable client private key authentication.

Introduce embedded database to oxd

oxd runs into different concurrency issues with direct file read/write operations. We need a simple embedded database to resolve concurrency and transaction issues.

Return op_host on registration

Clients may need discovery info. If oxd is using the default op host, there is no way the client can form the discovery URL. A quick fix would be to return the op host on registration.

UMA rpt token problem

RPT token expiration time is very short (5-10 min). When I want to use an RPT token (for a long time), I always need to get a new RPT token to continue.

Consistency in handling the redirect urls from client

The OpenID Connect spec for client metadata [1] describes the redirect urls using the parameter redirect_uris.

redirect_uris
REQUIRED. Array of Redirection URI values used by the Client. One of these registered Redirection URI values MUST exactly match the redirect_uri parameter value used in each Authorization Request, with the matching performed as described in Section 6.2.1 of RFC3986 (Simple String Comparison).

But oxD communication protocol for client registration [2] uses redirect_url - a string as the parameter.

This inconsistency between the OIDC spec and oxD implementation should be rectified.

[1] http://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata
[2] http://ox.gluu.org/doku.php?id=oxd:communication_protocol#register_client

Remove basic in "acr_values":["basic"] from oxd-default-site-config.json and add email in "scope":["openid", "profile", "email"],

When I send a request using the get_authorization_url protocol (without acr_value), acr_value gets the default "acr_value" value from oxd-default-site-config.json.
I think it needs to return the authorization_url with the OP default value, or a URL without the acr_values parameter.

{"command":"get_authorization_url","params":{"oxd_id":"db0e5d41-855a-430e-a3c9-06e5faa91962","acr_values":null,"prompt":null,"scope":null}}
{"status":"ok","data":{"authorization_url":"https://ce-dev2.gluu.org/oxauth/seam/resource/restv1/oxauth/authorize?response_type=code&client_id=@!40EA.D454.9D4F.E876!0001!ECE8.BBEF!0008!55EF.A80C&redirect_uri=https://gluu.loc/index.php?option=oxdOpenId&scope=org_name+uma_authorization+profile+imapData+uma_protection+mt_scope+phone+mobile_phone+work_phone+user_name+email+clientinfo+address+openid&state=l2u1kn5njn7ctbefq7ji6rqfim&nonce=itdf5f3irn17evu85rf6vblqj9&acr_values=basic"}}

I think the "email" scope needs to be added in oxd-default-site-config.json too, because if the OP doesn't support the "email" scope, we cannot use that OP for plugins.

grant_type parameter is not working

When I change grant_type in oxd-default-site-config.json and then use the register_site protocol, the Response Type in the Gluu server is not changed; it always accepts Authorization Code Grant Type, Implicit, Grant Type, ID Token.
@yuriyz, if you remember, I talked to you about it.

oxd and kong clustering

This requires additional development. oxd creates so-called "site
files", which are actually sessions. If kong node1 communicates with oxd1
and kong node2 with oxd2, then we have a problem if a request served by
node1 goes to node2.

For this case I think we need to push oxd "site json" to cassandra in
the same way as kong does it.

See this https://getkong.org/docs/0.6.x/clustering/

If we keep oxd data in cassandra, we are on the safe side:

  1. each kong node can have own oxd or can even share oxd between nodes
  2. all data are replicated among nodes by cassandra.

license enforcement and retry

If, on the next license generation (24 hours),
oxd fails to communicate with the License Server, I propose starting a retry
function with count 3 and interval 3 hours (9 hours in total).

  1. after 24 hours -> fail to gen license
  2. oxd starts retry 1 -> 27 hours
  3. oxd starts retry 2 -> 30 hours
  4. oxd starts retry 3 -> 33 hours

If after the third retry the license is still not there, then force oxd to stop.

check state in oxd

  1. Does oxd check state? If the client doesn't check the state, then an
    attacker could make a request to the client's redirect_uri, and trigger
    it to obtain a token.
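
The check this issue asks about, and that the "Add state parameter check" issue above proposes, shown as an added Python example that is not oxd code: states are recorded when issued and get_tokens_by_code is refused unless it presents one of them. StateStore, handle_get_tokens_by_code, the exchange_code callable, the invalid_state error code and the 600-second lifetime are assumptions made for illustration.

```python
import secrets
import time


class StateStore:
    """In-memory table of states issued with authorization URLs (hypothetical)."""

    def __init__(self, ttl=600, clock=time.monotonic):  # ttl is an assumed value
        self._ttl = ttl
        self._clock = clock
        self._pending = {}  # state -> (oxd_id, issued_at)

    def issue(self, oxd_id):
        """Create an unguessable state and record which site requested it."""
        state = secrets.token_urlsafe(24)
        self._pending[state] = (oxd_id, self._clock())
        return state

    def consume(self, oxd_id, state):
        """True only once, for an unexpired state registered by this oxd_id."""
        if not isinstance(state, str):
            return False
        entry = self._pending.pop(state, None)  # pop: a state is single-use
        if entry is None:
            return False  # nobody registered this state
        owner, issued_at = entry
        return owner == oxd_id and self._clock() - issued_at <= self._ttl


def handle_get_tokens_by_code(store, command, exchange_code):
    """Gate the code-for-token exchange on a registered state.

    exchange_code is a caller-supplied callable that talks to the OP; it is
    never invoked when the state is missing, unknown, expired or replayed.
    """
    params = command.get("params") or {}
    if not store.consume(params.get("oxd_id"), params.get("state")):
        return {"status": "error",
                "data": {"error": "invalid_state",  # hypothetical error code
                         "error_description": "State is missing or was not issued."}}
    return {"status": "ok", "data": exchange_code(params)}
```
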

GetAuthorizationUrl - allow to add custom parameters

for example, if you call
[20:24:47] Gluu - Michael Schwartz: custom_req_param = {"prompt": "login"}
[20:25:05] Gluu - Michael Schwartz: For Get authorization url
[20:25:11] Gluu - Michael Schwartz: it adds this to the parameter...
[20:25:28] Gluu - Michael Schwartz: This way, if there was some feature you needed, you wouldn't have to implement everything in oxd
[20:25:54] Gluu - Michael Schwartz: The reason I'm asking is because we need this "prompt=login" param for the credential management app we are working on.

acr_value is set in Get_authorization_url protocol

{
"command":"get_authorization_url",
"params":{
"oxd_id":"e43e3086-2be1-4e12-9ed9-8670aa434d55",
"acr_values":["basic"]
}
}
{
"status":"ok",
"data": {
"authorization_url":"https://ce-dev.gluu.info/oxauth/authorize? response_type=code&client_id=@!2011.5771.5AD8.33F5!0001!7BD9.4822!0008!9BA8.6FCD&client_secret=c2ffb487-bf6a-4757-be9c-59346e804a44&redirect_uri=https://client.example.com/login&scope=openid+profile&state=af0ifjsldkj&nonce=n-0S6_WzA2Mj"
}
}

UMA 2 : Upgrade oxd

UMA 2 spec :

Changes are required for UMA RP commands. All UMA RS Commands are left as is. No changes for uma_rs_check_access and uma_rs_protect commands.

Changes:

UMA RP - Get RPT

If claim_token parameter is provided then claim_token_format must be provided too.
For now we support only claim_token_format=http://openid.net/specs/openid-connect-core-1_0.html#IDToken

Request

{
    "command":"uma_rp_get_rpt",
    "params": {
         "oxd_id":"6F9619FF-8B86-D011-B42D-00CF4FC964FF",   <- REQUIRED
         "ticket": "016f84e8-f9b9-11e0-bd6f-0021cc6004de",  <- REQUIRED
         "claim_token": "eyj0f9b9...",                      <- OPTIONAL
         "claim_token_format": "http://openid.net/specs/openid-connect-core-1_0.html#IDToken",
         "pct": "c2F2ZWRjb25zZW50",                         <- OPTIONAL
         "rpt": "SSJHBSUSSJHVhjsgvhsgvshgsv",               <- OPTIONAL
         "scope":["read"],                                  <- OPTIONAL
         "state": "af0ifjsldkj",                            <- OPTIONAL state that is returned from uma_rp_get_claims_gathering_url command
         "protection_access_token": "ejt3425"               <- OPTIONAL, required if oxd-http is used
    }
}

Success Response

{
     "status":"ok",
     "data":{
         "access_token":"SSJHBSUSSJHVhjsgvhsgvshgsv",
         "token_type":"Bearer",
         "pct":"c2F2ZWRjb25zZW50",
         "upgraded":true
     }
}

Needs Info Error Response

{
     "status":"error",
     "data":{
         "error":"need_info",
         "error_description":"The authorization server needs additional information in order to determine whether the client is authorized to have these permissions.",
         "details": {  
             "error":"need_info",
             "ticket":"ZXJyb3JfZGV0YWlscw==",
             "required_claims":[  
                 {  
                     "claim_token_format":[  
                         "http://openid.net/specs/openid-connect-core-1_0.html#IDToken"
                     ],
                     "claim_type":"urn:oid:0.9.2342.19200300.100.1.3",
                     "friendly_name":"email",
                     "issuer":["https://example.com/idp"],
                     "name":"email23423453ou453"
                }
             ],
             "redirect_user":"https://as.example.com/rqp_claims?id=2346576421"
         }
     }
}

Invalid ticket error

{
    "status":"error",
    "data":{
        "error":"invalid_ticket",
        "error_description":"Ticket is not valid (outdated or not present on Authorization Server)."
    }
}

Internal oxd server error

{
    "status":"error",
    "data":{
        "error":"internal_error",
        "error_description":"oxd server failed to handle command. Please check logs for details."
    }
}

UMA RP - Get Claims-Gathering URL

The ticket parameter for this command MUST be the newest; in 90% of cases it is from the need_info error.

Request

{
    "command":"uma_rp_get_claims_gathering_url",
    "params": {
        "oxd_id":"6F9619FF-8B86-D011-B42D-00CF4FC964FF",  <- REQUIRED
        "ticket": "016f84e8-f9b9-11e0-bd6f-0021cc6004de",      <- REQUIRED
        "claims_redirect_uri":"https://client.example.com/cb",        <- REQUIRED
        "protection_access_token": "ejt3425"     <- OPTIONAL, required if oxd-http is used
    }
}

Success Response

{
    "status":"ok",
    "data":{
        "url":"https://as.com/restv1/uma/gather_claims
              ?client_id=@!1736.179E.AA60.16B2!0001!8F7C.B9AB!0008!AB77!1A2B
              &ticket=4678a107-e124-416c-af79-7807f3c31457
              &claims_redirect_uri=https://client.example.com/cb
              &state=af0ifjsldkj",
        "state":"af0ifjsldkj" 
    }
}

After the redirect to the claims-gathering URL, the user passes the Claims-Gathering Flow and, if it is successful, the user is redirected back to claims_redirect_uri with a new ticket, which should be provided with the next uma_rp_get_rpt call.

Example of response

https://client.example.com/cb?ticket=e8e7bc0b-75de-4939-a9b1-2425dab3d5ec

UMA Authorize RPT - REMOVED

uma_rp_authorize_rpt - Removed.

UMA Get GAT - REMOVED

uma_rp_get_gat - Removed

register_site and setup_client commands update

register_site and setup_client commands have

  • new parameter claims_redirect_uri.
  • new parameter oxd_rp_programming_language. The value should be programming language that is used by oxd client, for example java, php, ruby and so on.

Stepped-up authentication

In order to support stepped-up authentication, the AS Claims-Gathering Endpoint must also be specified as a valid redirect_uri.
If the user is authenticated at the AS, it will automatically recognize it. In case the user is not authenticated and the Claims-Gathering scripts redirect for authentication, oxd can register the Claims-Gathering Endpoint as a client redirect_uri, so the UMA 2 engine will get control back after successful authentication. This can be enabled/disabled in the oxd-conf.json configuration file with uma2_auto_register_claims_gathering_endpoint_as_redirect_uri_of_client.

    ...
    "uma2_auto_register_claims_gathering_endpoint_as_redirect_uri_of_client" : true
    ...

Renamed client_logout_uris -> client_frontchannel_logout_uris
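
The UMA RP sequence described in this issue (uma_rp_get_rpt, a need_info error, claims gathering, then uma_rp_get_rpt again with the new ticket), as an added Python example that is not part of oxd or of the original issue. The function names build_get_rpt, next_step and ticket_from_callback, the "restart" action for invalid_ticket and the callback origin/path check are assumptions; the commands, parameters and error codes are the ones listed above.

```python
from urllib.parse import urlsplit, parse_qs

ID_TOKEN_FORMAT = "http://openid.net/specs/openid-connect-core-1_0.html#IDToken"
OPTIONAL = ("pct", "rpt", "scope", "state", "protection_access_token")


def build_get_rpt(oxd_id, ticket, claim_token=None, claim_token_format=None, **opt):
    """Build a uma_rp_get_rpt command and enforce the claim_token rules."""
    if not oxd_id or not ticket:
        raise ValueError("oxd_id and ticket are REQUIRED")
    if claim_token is not None and claim_token_format is None:
        raise ValueError("claim_token given without claim_token_format")
    if claim_token_format not in (None, ID_TOKEN_FORMAT):
        raise ValueError("only the IDToken claim_token_format is supported")
    unknown = set(opt) - set(OPTIONAL)
    if unknown:
        raise ValueError("unknown parameters: %s" % sorted(unknown))
    params = {"oxd_id": oxd_id, "ticket": ticket}
    if claim_token is not None:  # the format is only sent together with a token
        params.update(claim_token=claim_token, claim_token_format=claim_token_format)
    params.update({k: v for k, v in opt.items() if v is not None})
    return {"command": "uma_rp_get_rpt", "params": params}


def next_step(response, oxd_id, claims_redirect_uri):
    """Map an oxd uma_rp_get_rpt response to the RP's next action."""
    data = response.get("data") or {}
    if response.get("status") == "ok":
        return "rpt", data["access_token"]
    error = data.get("error")
    if error == "need_info":
        # The ticket inside the need_info details is the newest one.
        return "gather_claims", {
            "command": "uma_rp_get_claims_gathering_url",
            "params": {"oxd_id": oxd_id,
                       "ticket": data["details"]["ticket"],
                       "claims_redirect_uri": claims_redirect_uri}}
    if error == "invalid_ticket":
        return "restart", None  # assumption: the RP must obtain a fresh ticket
    return "fail", data.get("error_description")


def ticket_from_callback(callback_url, claims_redirect_uri):
    """Extract the new ticket from the redirect back to claims_redirect_uri."""
    got, want = urlsplit(callback_url), urlsplit(claims_redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback does not match claims_redirect_uri")
    tickets = parse_qs(got.query).get("ticket", [])
    if len(tickets) != 1:
        raise ValueError("expected exactly one ticket parameter")
    return tickets[0]
```
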

added extra zero +000 in the time field of "register_client" response

This is Oxd log of "register_client" :
2015-04-09 04:58:48,212 TRACE [org.xdi.oxd.server.Processor] Send back response: {"status":"ok","data":{"client_id":"@!1111!0008!223B.70C3","client_secret":"79adb8ec-8d40-40ce-862b-d9bacf74a6e4","registration_access_token":"b7cba86d-e546-4c00-9cb7-9b98ab7d0c2e","client_secret_expires_at":1428613131000,"registration_client_uri":"https://seed.gluu.org/oxauth/seam/resource/restv1/oxauth/register?client_id=@!1111!0008!223B.70C3","client_id_issued_at":1428526731000}}

The extra zero (+000) is added in "client_secret_expires_at" and "client_id_issued_at" fields.

Logout protocol is not working

You can see in http://ox.gluu.org/hudson/job/oxd/361/consoleFull that it is not working there either.

2015-12-14 14:47:00,178 DEBUG [org.xdi.oxd.server.service.SocketService] Start new SocketProcessor...
2015-12-14 14:47:00,180 TRACE [org.xdi.oxd.server.SocketProcessor] Socket processor handling...
2015-12-14 14:47:00,181 TRACE [org.xdi.oxd.common.CoreUtils] commandSize: -1, stringStorage:
2015-12-14 14:47:00,247 TRACE [org.xdi.oxd.common.CoreUtils] Parsed sizeString: 1217, commandSize: 1217
2015-12-14 14:47:00,247 TRACE [org.xdi.oxd.common.CoreUtils] Read result: ReadResult{m_command='{"command":"logout","params":{"oxd_id":"e43e3086-2be1-4e12-9ed9-8670aa434d55","id_token":"eyJ0eXAiOiJKV1MiLCJhbGciOiJSUzI1NiIsImtpZCI6ImY4MGY1MDFlLWRiZjUtNDgxNi1iNTQ1LTNjZGM4NjRlMjBhZiJ9.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.A5Ios6LsAL3LRWBUxF3PRq0YHGhmjQqhQ1f3BOvi1U_qHgDR0C_x_SovPeYOJ7JaKlTJpYoJrvfMj9VwG_Cr-SIgYYUUMxvyqKkWVw-EOx4utiSqzWYq1-yp_Plulmu3xG7Fu9gLwIY0-wrQ9SV_aZz_fvD8BNs6JrW6l2pIe2PREXzMykWNkrOdgipDr5MxepPTl1wCWPI-wJW5XnAbUpcB5rYR8Kwm7Wm7N58dU_6SKyOF0alTVf4UH9FlOKv8nOsvJ3VsFNogWV5z7dwxbmofelBo72Xmt-pARLV8LmiOyTFMHPQqnfVml7yGpdQZH8NJilHnVFagKiiBd5BizQ","post_logout_redirect_uri":"https://client.example.com/logout","http_based_logout":false}}', m_leftString=''}
2015-12-14 14:47:00,247 TRACE [org.xdi.oxd.server.Processor] Command: {"command":"logout","params":{"oxd_id":"e43e3086-2be1-4e12-9ed9-8670aa434d55","id_token":"eyJ0eXAiOiJKV1MiLCJhbGciOiJSUzI1NiIsImtpZCI6ImY4MGY1MDFlLWRiZjUtNDgxNi1iNTQ1LTNjZGM4NjRlMjBhZiJ9.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.A5Ios6LsAL3LRWBUxF3PRq0YHGhmjQqhQ1f3BOvi1U_qHgDR0C_x_SovPeYOJ7JaKlTJpYoJrvfMj9VwG_Cr-SIgYYUUMxvyqKkWVw-EOx4utiSqzWYq1-yp_Plulmu3xG7Fu9gLwIY0-wrQ9SV_aZz_fvD8BNs6JrW6l2pIe2PREXzMykWNkrOdgipDr5MxepPTl1wCWPI-wJW5XnAbUpcB5rYR8Kwm7Wm7N58dU_6SKyOF0alTVf4UH9FlOKv8nOsvJ3VsFNogWV5z7dwxbmofelBo72Xmt-pARLV8LmiOyTFMHPQqnfVml7yGpdQZH8NJilHnVFagKiiBd5BizQ","post_logout_redirect_uri":"https://client.example.com/logout","http_based_logout":false}}
2015-12-14 14:47:00,265 ERROR [org.xdi.oxd.server.op.LogoutOperation] Failed to get response from oxauth client.
2015-12-14 14:47:00,266 TRACE [org.xdi.oxd.server.Processor] Send back response: {"status":"error","data":{"error":"internal_error","error_description":"Internal server error occurs."}}
2015-12-14 14:47:00,266 ERROR [org.xdi.oxd.server.SocketProcessor] Quit. Enable to process command.

Add HD to authorization request

The hd param can be added to a Google OpenID Connect authorization request to provide a hint that this user is a member of a particular hosted domain. Perhaps additional ad hoc request params can be specified somewhere in the config.
