Skip to content




  • Java SE 1.7
  • Gluu oxd server - Installation docs
  • SSL certificate for the application


To write apps that use oxd-java, just add the following dependency to your pom.xml (Maven project):


If you do not use a build tool, you will have to include the jar file manually in your project, as well as a good number of jars it depends on.


There are no configuration files for oxd-java. All parameters are set in your Java code.

Sample Code#

In this repo, you can find a Java web project that showcases how to integrate the library and illustrates the step-by-step process of OpenId Authentication. Check the readme and learn how to get it up and running.

Use the hints given in the API page to determine which parameters are required for every operation listed below and to learn more about the operations intent.


There are no initialization steps for oxd-java.

Setup Client#

!!! Note: Use this operation only when communication with oxd is established via https.

The purpose of Setup Client is similar to that of Register Site: registering a new OpenID Client at your OP and retrieving an "oxd_id" (an identifier that must be passed when calling the rest of operations except Get Client Token).

Setup Client additionally returns a client_id and a client_secret. These two pieces of data are needed when calling the Get Client Token operation.

If your OP does not support dynamic registration (e.g. Google), you will need to obtain a client_id and a client_secret yourself and supply those as parameters of this operation. This will make oxd skip the attempt to register a new client.

To learn about the parameters supported by this operation check the API page and the "Client Metadata" section of OpenID Connect Dynamic Client Registration 1.0.

A working example can be found at sample project: See method doRegistrationHttps in class OxdService.

Recall that Setup Client is a one-time task.

SetupClientParams cmdParams = new SetupClientParams();

cmdParams.setClientName("Sample client");
cmdParams.setScope("openid, uma_protection");

SetupClientResponse setup = restResponse(cmdParams, "setup-client", null, SetupClientResponse.class);

Get Client Token#

!!! Note: Use this operation only when communication with oxd is established via https.

When you use the oxd https extension, all operations of the API (except Setup Client) must be protected by an access token. Get Client Token allows you to obtain such "protection API token" very easily: Just provide the client_id and client_secret you obtained in the call to Setup Client.

Besides a token this operation will give you additional information such as an expiration period in seconds. Once the expiration time has elapsed, the access token is no longer valid and you should request a new one by using this operation or by a call to Get Access Token by Refresh Token.

To learn more about the input and output of this operation check the API page.

A working example can be found at sample project: See method getPAT in class OxdService. There, for simplicity a new PAT is requested every time an operation is called (expiration time not being used).

GetClientTokenParams cmdParams = new GetClientTokenParams();

cmdParams.setScope("openid, uma_protection");

GetClientTokenResponse resp = restResponse(cmdParams, "get-client-token", null, GetClientTokenResponse.class);
String token = resp.getAccessToken();

Register Site#

!!! Note: You can skip this operation if already used Setup Client

Think of this operation as a means to introduce your website (app) to oxd. It returns an identifier that must be passed when calling any API operation (except for the two listed above). This is called the "oxd_id".

This operation will attempt to register a new OpenID Client at your OP. Remember that if your OP does not support dynamic registration (e.g. Google), you have to obtain a client_id and a client_secret yourself and supply those as parameters of this operation. This will make oxd skip the client registration.

To learn about the parameters supported by this operation check the API page and the "Client Metadata" section of OpenID Connect Dynamic Client Registration 1.0. Worth to mention is the authorization_redirect_uri, a URL where the OP will redirect the user's browser after successful authentication.

A working example can be found at sample project: See method doRegistrationSocket in class OxdService.

Recall that Register Site is a one-time task.

RegisterSiteParams cmdParams = new RegisterSiteParams();

cmdParams.setClientName("Sample client");
cmdParams.setScope("openid, uma_protection");

Command command = new Command(CommandType.REGISTER_SITE).setParamsObject(cmdParams);
RegisterSiteResponse site = commandClient.send(command).dataAsResponse(RegisterSiteResponse.class);

Update Site Registration#

This operation is aimed at updating a current registration. The parameters are equivalent to those of Register Site in addition to oxd_id.

To learn about the parameters supported by this operation check the API page

A typical use case could be extending the lifetime of a client: When using dynamic registration in Gluu Server, the client is created with an expiration time (around one day by default). If your application is a long-running one, you may like to set a value further in the future. Here is an example of how to do so:

//client should be a global variable (host and port are those of oxd-server)
CommandClient client = new CommandClient(host, port);

GregorianCalendar cal = new GregorianCalendar();
cal.add(Calendar.YEAR, 1);

UpdateSiteParams cmdParams = new UpdateSiteParams();
cmdParams.setClientSecretExpiresAt(new Date(cal.getTimeInMillis()));

Command command = new Command(CommandType.UPDATE_SITE).setParamsObject(cmdParams);
UpdateSiteResponse resp = client.send(command).dataAsResponse(UpdateSiteResponse.class);

Get Authorization URL#

This operation returns a URL to which your application must redirect the user's browser to start the authentication process at the OP.

To learn about the parameters supported by this operation check the API page

A working example can be found in the sample project: See method getAuthzUrl in class OxdService.

GetAuthorizationUrlParams cmdParams = new GetAuthorizationUrlParams();


Command command = new Command(CommandType.GET_AUTHORIZATION_URL).setParamsObject(cmdParams);
GetAuthorizationUrlResponse resp = commandClient.send(command).dataAsResponse(GetAuthorizationUrlResponse.class);
return resp.getAuthorizationUrl();

Get Tokens by Code#

After authentication, the OP sends the user's browser back to the redirect_uri page with a couple of query parameters in the URL: code and state. Use those to issue a call to this API operation.

As a response, you will get an access token (not to be confused with the token of Get Client Token operation), as well as an ID Token. The former token is used to call Get User Info operation while the latter when calling Get Logout URI.

A working example can be found at sample project: See method GetTokensByCodeResponse in class OxdService.

GetTokensByCodeParams cmdParams = new GetTokensByCodeParams();

Command command = new Command(CommandType.GET_TOKENS_BY_CODE).setParamsObject(cmdParams);
GetTokensByCodeResponse resp = commandClient.send(command).dataAsResponse(GetTokensByCodeResponse.class);

Get Access Token by Refresh Token#

The access token obtained at Get Tokens by Code has an expiration time too. If your application has the need to obtain a fresher access token, this operation is useful. Simply provide the refresh_token that you received when the call to Get Tokens by Code was made.

To learn more about the input and output of this operation, check the API page.

Here is an example of the usage of this operation using standard oxd-server (not https):

//client should be a global variable (host and port are those of oxd-server)
CommandClient client = new CommandClient(host, port);

GetAccessTokenByRefreshTokenParams cmdParams = new GetAccessTokenByRefreshTokenParams();

Command command = new Command(CommandType.GET_ACCESS_TOKEN_BY_REFRESH_TOKEN).setParamsObject(commandParams)
GetAccessTokensByRefreshTokenResponse resp = client.send(command).dataAsResponse(GetAccessTokensByRefreshTokenResponse.class);

String newAccessToken = resp.getAccessToken();
String newRefreshToken = resp.getRefreshToken();

Get User Info#

Use this operation to obtain user claims (e.g. first name, last name, e-mail, etc.) about the authenticated end-user.

To learn more about the input and output of this operation, check the API page.

The set of claims in the response depends on the access privileges associated to the access token provided. This has to do with the scopes passed in Site Registration API operation.

A working example can be found at sample project: See method getUserInfo in class OxdService.

GetUserInfoParams cmdParams = new GetUserInfoParams();

Command command = new Command(CommandType.GET_USER_INFO).setParamsObject(cmdParams);
GetUserInfoResponse resp = commandClient.send(command).dataAsResponse(GetUserInfoResponse.class);

Get Logout URI#

Use this method if you intend to log out the user of the OP. This will return a URL where you can redirect the user's browser to initiate the logout process.

To learn more about the input and output of this operation check the API page.

A working example can be found at sample project: See method getLogoutUrl in class OxdService.

GetLogoutUrlParams cmdParams = new GetLogoutUrlParams();

Command command = new Command(CommandType.GET_LOGOUT_URI).setParamsObject(cmdParams);
LogoutResponse resp = commandClient.send(command).dataAsResponse(LogoutResponse.class);

RS Protect#

send method is used for protecting resources with the Resource Server. The Resource Server is needed to construct the command which will protect the resource. The command will contain an API path, HTTP methods (POST, GET and PUT) and scopes. Scopes can be mapped with authorization policy (uma_rpt_policies). If no authorization policy is mapped, uma_rs_check_access method will always return access as granted. For more information about uma_rpt_policies you can reference this document.


  • oxdId: oxd ID from client registration
  • resources: One or more protected resources that a resource server manages, abstractly, as a set. In authorization policy terminology, a resource set is the "object" being protected
  • protection_access_token: Generated from get_client_token method (Optional, required if oxd-https-extension is used)


final RsProtectParams commandParams = new RsProtectParams();

final RsProtectResponse resp = client
        .send(new Command(CommandType.RS_PROTECT).setParamsObject(commandParams))
return resp;



RS Check Access#

send method is used in the UMA Resource Server to check the access to the resource.


  • oxdId: oxd ID from client registration
  • rpt: Requesting Party Token
  • path: Path of the resource to be checked
  • http_method: HTTP methods (POST, GET and PUT)
  • protection_access_token: Generated from get_client_token method (Optional, required if oxd-https-extension is used)


final RsCheckAccessParams params = new RsCheckAccessParams();

final RsCheckAccessResponse response = client
        .send(new Command(CommandType.RS_CHECK_ACCESS).setParamsObject(params))

return response;


Access Granted Response:


Access Denied with Ticket Response:

        "www-authenticate_header":"UMA realm=\"example\",

Access Denied without Ticket Response:


Resource is not Protected:

        "error_description":"Resource is not protected. Please protect your resource first with uma_rs_protect command."


The method send is called in order to obtain the RPT (Requesting Party Token).


  • oxdId: oxd ID from client registration
  • ticket: Client Access Ticket generated by uma_rs_check_access method
  • claim_token: (Optional)
  • claim_token_format: (Optional)
  • pct: (Optional) Persisted Claims Token
  • rpt: (Optional) Requesting Party Token.
  • scope: (Optional) A scope is an indication by the client that it wants to access some resource provided by the OpenID Connect Provider (OP)
  • state: (Optional) state that is returned from uma_rp_get_claims_gathering_url method
  • protection_access_token: Generated from get_client_token method (Optional, required if oxd-https-extension is used)
  • host: the URL of the oxd-server
  • port: the port of the oxd-server


CommandClient client = null;
try {
    client = new CommandClient(host, port);

    RegisterSiteResponse site = RegisterSiteTest.registerSite(client, opHost, redirectUrl);

    RsProtectTest.protectResources(client, site, UmaFullTest.resourceList(rsProtect).getResources());

    final RsCheckAccessResponse checkAccess = RsCheckAccessTest.checkAccess(client, site);

    final RpGetRptParams params = new RpGetRptParams();

    final RpGetRptResponse response = client
            .send(new Command(CommandType.RP_GET_RPT).setParamsObject(params))


} finally {


Success Response:


Needs Info Error Response:

              "error_description":"The authorization server needs additional information in order to determine whether the client is authorized to have these permissions.",
              "details": {  

Invalid Ticket Error Response:

            "error_description":"Ticket is not valid (outdated or not present on Authorization Server)."

RP Get Claims Gathering URL#


  • oxdId: oxd ID from client registration
  • ticket: Client Access Ticket generated by uma_rs_check_access method
  • claims_redirect_uri: The URI to which the client wishes the authorization server to direct the requesting party’s user agent after completing its interaction
  • protection_access_token: Generated from get_client_token method (Optional, required if oxd-https-extension is used)


CommandClient client = null;
try {
    client = new CommandClient(host, port);

    RegisterSiteResponse site = RegisterSiteTest.registerSite(client, opHost, redirectUrl);

    RsProtectTest.protectResources(client, site, UmaFullTest.resourceList(rsProtect).getResources());

    final RsCheckAccessResponse checkAccess = RsCheckAccessTest.checkAccess(client, site);

    final RpGetClaimsGatheringUrlParams params = new RpGetClaimsGatheringUrlParams();

    final RpGetClaimsGatheringUrlResponse response = client
            .send(new Command(CommandType.RP_GET_CLAIMS_GATHERING_URL).setParamsObject(params))


} finally {




The test suite for oxd-java can be found at the corresponding test directory in oxd github repo.


Please report technical issues and suspected bugs on our Support Page. You can use the same credentials you created to register your oxd license to sign in on Gluu support.