Re: can't login with cf CLI but the UAAC tool works


Filip Hanik
 

Minimalist defaults are in the UAA repo (uaa.yml and login.yml)
https://github.com/cloudfoundry/uaa/tree/master/uaa/src/main/resources

Yaml is very sensitive to indentation. So hand crafting it may become a bit
difficult.

If you want the UAA to provide all default values (including
admin/adminsecret client and cf/<blank password> client, then don't add any
uaa.yml config file at all. Just start up UAA with it's defaults.
It will suck in client defaults from
https://github.com/cloudfoundry/uaa/blob/feature/invitations_flow_by_email_domain/uaa/src/main/webapp/WEB-INF/spring/oauth-clients.xml#L47-L172

Filip

On Fri, Sep 4, 2015 at 2:05 PM, kyle havlovitz <kylehav(a)gmail.com> wrote:

is there an example somewhere of a minimalist working config for them? I'm
going through at the moment and trying to make mine resemble the config
here:
https://github.com/cloudfoundry/cf-release/blob/master/jobs/uaa/templates/uaa.yml.erb

I'm also defining a test admin user in the scim users section

On Fri, Sep 4, 2015 at 4:00 PM, Filip Hanik <fhanik(a)pivotal.io> wrote:

ok, that tells me that your configuration of the UAA clients is incorrect



On Fri, Sep 4, 2015 at 1:44 PM, kyle havlovitz <kylehav(a)gmail.com> wrote:

ok so the 'uaac token client get' fails, and the error is 'Bad
credentials'

On Fri, Sep 4, 2015 at 3:33 PM, Filip Hanik <fhanik(a)pivotal.io> wrote:

ok, so we can validate that

uaac target http://localhost:8080
uaac token client get admin -s <your admin client secret>
uaac clients

Should show your 'cf' client in the list

then we can do

uaac token owner get cf <username> -s "" -p <user password>

and if that works, we can take it to the next step



On Fri, Sep 4, 2015 at 1:26 PM, kyle havlovitz <kylehav(a)gmail.com>
wrote:

I started the uaa by building from the tagged version in cf-release
v215 and running it via tomcat with a custom config file, but I didn't
specify a database. I have both a cf and admin section in the uaa clients
config:

cf:

id: cf
override: true
authorized-grant-types: password,implicit,refresh_token
authorities: uaa.none
scope:
cloud_controller.read,cloud_controller.write,openid,password.write,cloud_controller.admin,scim.read,scim.write
secret: 'xxxxxxxxxx'

admin:

id: admin
authorized-grant-types: client_credentials
authorities:
clients.read,clients.write,clients.secret,password.write,scim.read,uaa.admin
scope: read,write,password
resource-ids: clients
secret: 'xxxxxxxxxx'


On Fri, Sep 4, 2015 at 3:09 PM, Filip Hanik <fhanik(a)pivotal.io> wrote:

ok, so the URL you have is /oauth/token, that's fine. your trace
returns

"authorization_endpoint":"http://localhost:8080","token_endpoint":"
http://localhost:8080/uaa"

indicating that there is a misconfiguration somewhere, but we can fix
that later.

How did you start the UAA? Are you sure that your UAA has a client
named 'cf' in its database?



On Fri, Sep 4, 2015 at 1:05 PM, kyle havlovitz <kylehav(a)gmail.com>
wrote:

Running that command against /uaa/oauth/token gives just a redirect
to /login. Doing it with /oauth/token gives a 401 unauthorized, same as the
cf cli.

What do you mean by deploy it as root "/"? As in, a override the url
it hosts the endpoints at?

Join cf-dev@lists.cloudfoundry.org to automatically receive all group messages.