Re: can't login with cf CLI but the UAAC tool works

kyle havlovitz <kylehav@...>

Ok, thanks for the helpful links.
I replaced my config with the uaa.yml and login.yml from there and now the
uaac commands from above work and I can run 'uaac token owner get'. I still
can't login to cf with the cli though.

On Fri, Sep 4, 2015 at 4:15 PM, Filip Hanik <fhanik(a)> wrote:

Minimalist defaults are in the UAA repo (uaa.yml and login.yml)

Yaml is very sensitive to indentation. So hand crafting it may become a
bit difficult.

If you want the UAA to provide all default values (including
admin/adminsecret client and cf/<blank password> client), then don't add any
uaa.yml config file at all. Just start up UAA with its defaults.
It will suck in client defaults from


On Fri, Sep 4, 2015 at 2:05 PM, kyle havlovitz <kylehav(a)> wrote:

is there an example somewhere of a minimalist working config for them?
I'm going through at the moment and trying to make mine resemble the config

I'm also defining a test admin user in the scim users section

On Fri, Sep 4, 2015 at 4:00 PM, Filip Hanik <fhanik(a)> wrote:

ok, that tells me that your configuration of the UAA clients is incorrect

On Fri, Sep 4, 2015 at 1:44 PM, kyle havlovitz <kylehav(a)>

ok so the 'uaac token client get' fails, and the error is 'Bad

On Fri, Sep 4, 2015 at 3:33 PM, Filip Hanik <fhanik(a)> wrote:

ok, so we can validate that

uaac target http://localhost:8080
uaac token client get admin -s <your admin client secret>
uaac clients

Should show your 'cf' client in the list

then we can do

uaac token owner get cf <username> -s "" -p <user password>

and if that works, we can take it to the next step

On Fri, Sep 4, 2015 at 1:26 PM, kyle havlovitz <kylehav(a)>

I started the uaa by building from the tagged version in cf-release
v215 and running it via tomcat with a custom config file, but I didn't
specify a database. I have both a cf and admin section in the uaa clients


id: cf
override: true
authorized-grant-types: password,implicit,refresh_token
authorities: uaa.none
secret: 'xxxxxxxxxx'


id: admin
authorized-grant-types: client_credentials
scope: read,write,password
resource-ids: clients
secret: 'xxxxxxxxxx'

On Fri, Sep 4, 2015 at 3:09 PM, Filip Hanik <fhanik(a)>

ok, so the URL you have is /oauth/token, that's fine. your trace


indicating that there is a misconfiguration somewhere, but we can
fix that later.

How did you start the UAA? Are you sure that your UAA has a client
named 'cf' in its database?

On Fri, Sep 4, 2015 at 1:05 PM, kyle havlovitz <kylehav(a)>

Running that command against /uaa/oauth/token gives just a redirect
to /login. Doing it with /oauth/token gives a 401 unauthorized, same as the
cf cli.

What do you mean by deploy it as root "/"? As in, an override of the
url it hosts the endpoints at?
