Re: can't login with cf CLI but the UAAC tool works

Home Messages Hashtags Subgroups

#1527

Re: can't login with cf CLI but the UAAC tool works

kyle havlovitz <kylehav@...> #1527 Ok, I set those 2 properties to http://localhost:8080 and it looks identical; same error, same endpoints requested. Could something be wrong with the cloud controller config? toggle quoted messageShow quoted text On Fri, Sep 4, 2015 at 5:58 PM, Filip Hanik <fhanik(a)pivotal.io> wrote: yes, this is the URL misconfiguration I was talking about. In your uaa.yml you should have two properties login.url: http://localhost:8080 uaa.url: http://localhost:8080 set those two, and let's see that trace again On Fri, Sep 4, 2015 at 2:58 PM, kyle havlovitz <kylehav(a)gmail.com> wrote: The CLI seems to be able to get a token now though, it's failing for a different reason: cf login API endpoint: http://localhost:8181 REQUEST: [2015-09-04T20:46:51Z] GET /v2/info HTTP/1.1 Host: localhost:8181 Accept: application/json Content-Type: application/json User-Agent: go-cli 6.12.3-c0c9a03 / linux RESPONSE: [2015-09-04T20:46:51Z] HTTP/1.1 200 OK Content-Length: 406 Connection: keep-alive Content-Type: application/json;charset=utf-8 Server: thin X-Content-Type-Options: nosniff X-Vcap-Request-Id: d44503ef-3b2c-4340-9958-ad91daf3706c {"name":"vcap","build":"2222","support":"http://support.local.example.com","version":2,"description":"CF v2 test environment","authorization_endpoint":"http://localhost:8080 ","token_endpoint":"http://localhost:8080/uaa ","min_cli_version":null,"min_recommended_cli_version":null,"api_version":"2.34.0","app_ssh_endpoint":null,"app_ssh_host_key_fingerprint":null,"logging_endpoint":"ws:// 127.0.0.1:9090"} Warning: Insecure http API endpoint detected: secure https API endpoints are recommended REQUEST: [2015-09-04T20:46:51Z] GET /login HTTP/1.1 Host: localhost:8080 Accept: application/json Content-Type: application/json User-Agent: go-cli 6.12.3-c0c9a03 / linux RESPONSE: [2015-09-04T20:46:51Z] HTTP/1.1 200 OK Transfer-Encoding: chunked Access-Control-Allow-Origin: * Cache-Control: no-cache, no-store, max-age=0, must-revalidate Cache-Control: no-cache, no-store, max-age=0 Content-Language: en-US Content-Type: application/json;charset=UTF-8 Date: Fri, 04 Sep 2015 20:46:51 GMT Expires: 0 Expires: Thu, 01 Jan 1970 00:00:00 GMT Pragma: no-cache Pragma: no-cache Server: Apache-Coyote/1.1 Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Xss-Protection: 1; mode=block 1fd {"timestamp":"2015-08-05T00:00:41+0000","app":{"version":"2.5.1"},"idpDefinitions":[],"fieldUsernameShow":true,"zone_name":"uaa","commit_id":"eae6724","prompts":{"username":["text","Email"],"password":["password","Password"]},"forgotPasswordLink":"/forgot_password","createAccountLink":"/create_account","links":{"register":"/create_account","passwd":"/forgot_password","login":" http://localhost:8080/login","uaa":"http://localhost:8080/uaa "},"entityID":"cloudfoundry-saml-login","linkCreateAccountShow":true} 0 Email> admin Password> Authenticating... REQUEST: [2015-09-04T20:46:58Z] POST /oauth/token HTTP/1.1 Host: localhost:8080 Accept: application/json Authorization: [PRIVATE DATA HIDDEN] Content-Type: application/x-www-form-urlencoded User-Agent: go-cli 6.12.3-c0c9a03 / linux grant_type=password&password=[PRIVATE DATA HIDDEN]&scope=&username=admin RESPONSE: [2015-09-04T20:46:58Z] HTTP/1.1 200 OK Transfer-Encoding: chunked Access-Control-Allow-Origin: * Cache-Control: no-cache, no-store, max-age=0, must-revalidate Cache-Control: no-store Content-Type: application/json;charset=UTF-8 Date: Fri, 04 Sep 2015 20:46:58 GMT Expires: 0 Pragma: no-cache Pragma: no-cache Server: Apache-Coyote/1.1 X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Xss-Protection: 1; mode=block 738 {"access_token":"[PRIVATE DATA HIDDEN]","token_type":"bearer","refresh_token":"[PRIVATE DATA HIDDEN]","expires_in":43199,"scope":"scim.read scim.userids cloud_controller.admin scim.write cloud_controller.write password.write openid cloud_controller.read","jti":"cbda4e10-cf04-4696-a560-2e1f4d2c610c"} 0 OK REQUEST: [2015-09-04T20:46:58Z] GET /v2/organizations HTTP/1.1 Host: localhost:8181 Accept: application/json Authorization: [PRIVATE DATA HIDDEN] Content-Type: application/json User-Agent: go-cli 6.12.3-c0c9a03 / linux RESPONSE: [2015-09-04T20:46:58Z] HTTP/1.1 401 Unauthorized Content-Length: 97 Connection: keep-alive Content-Type: application/json;charset=utf-8 Server: thin X-Content-Type-Options: nosniff X-Vcap-Request-Id: b7658709-8145-4e31-a7ed-12a7831e99da { "code": 1000, "description": "Invalid Auth Token", "error_code": "CF-InvalidAuthToken" } REQUEST: [2015-09-04T20:46:58Z] POST /oauth/token HTTP/1.1 Host: localhost:8080 Accept: application/json Authorization: [PRIVATE DATA HIDDEN] Content-Type: application/x-www-form-urlencoded User-Agent: go-cli 6.12.3-c0c9a03 / linux grant_type=refresh_token&refresh_token=eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiJlNzFmOTNmZS0yMmEyLTQ3ZjgtODgwNC0xN2ZmNmU1YzM1NmMiLCJzdWIiOiIzMDBkZTc1YS1mN2RhLTRjMWQtYjA0Yi02YWZhZjI1ZmE5MjgiLCJzY29wZSI6WyJzY2ltLnJlYWQiLCJzY2ltLnVzZXJpZHMiLCJjbG91ZF9jb250cm9sbGVyLmFkbWluIiwic2NpbS53cml0ZSIsImNsb3VkX2NvbnRyb2xsZXIud3JpdGUiLCJwYXNzd29yZC53cml0ZSIsIm9wZW5pZCIsImNsb3VkX2NvbnRyb2xsZXIucmVhZCJdLCJpYXQiOjE0NDEzOTk2MTgsImV4cCI6MTQ0Mzk5MTYxOCwiY2lkIjoiY2YiLCJjbGllbnRfaWQiOiJjZiIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4iLCJ6aWQiOiJ1YWEiLCJncmFudF90eXBlIjoicGFzc3dvcmQiLCJ1c2VyX25hbWUiOiJhZG1pbiIsInVzZXJfaWQiOiIzMDBkZTc1YS1mN2RhLTRjMWQtYjA0Yi02YWZhZjI1ZmE5MjgiLCJyZXZfc2lnIjoiOTAyODliNjgiLCJhdWQiOlsiY2YiLCJzY2ltIiwiY2xvdWRfY29udHJvbGxlciIsInBhc3N3b3JkIiwib3BlbmlkIl19.-eGB2RWZfYVZkTSvT7c4lUzsY5QZMWgXFHMGGx4HEN8&scope= RESPONSE: [2015-09-04T20:46:58Z] HTTP/1.1 200 OK Transfer-Encoding: chunked Access-Control-Allow-Origin: * Cache-Control: no-cache, no-store, max-age=0, must-revalidate Cache-Control: no-store Content-Type: application/json;charset=UTF-8 Date: Fri, 04 Sep 2015 20:46:58 GMT Expires: 0 Pragma: no-cache Pragma: no-cache Server: Apache-Coyote/1.1 X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Xss-Protection: 1; mode=block 738 {"access_token":"[PRIVATE DATA HIDDEN]","token_type":"bearer","refresh_token":"[PRIVATE DATA HIDDEN]","expires_in":43199,"scope":"scim.userids scim.read cloud_controller.admin password.write scim.write openid cloud_controller.write cloud_controller.read","jti":"e62d3265-9ab7-441e-b2b2-69ca92d81d7c"} 0 REQUEST: [2015-09-04T20:46:58Z] GET /v2/organizations HTTP/1.1 Host: localhost:8181 Accept: application/json Authorization: [PRIVATE DATA HIDDEN] Content-Type: application/json User-Agent: go-cli 6.12.3-c0c9a03 / linux RESPONSE: [2015-09-04T20:46:58Z] HTTP/1.1 401 Unauthorized Content-Length: 97 Connection: keep-alive Content-Type: application/json;charset=utf-8 Server: thin X-Content-Type-Options: nosniff X-Vcap-Request-Id: 7b07e39c-60f0-4db4-9274-6a59e23b8f29 { "code": 1000, "description": "Invalid Auth Token", "error_code": "CF-InvalidAuthToken" } FAILED Error finding available orgs Invalid auth token: Invalid Auth Token FAILED Error finding available orgs Invalid auth token: Invalid Auth Token API endpoint: http://localhost:8181 (API version: 2.34.0) User: admin No org or space targeted, use 'cf target -o ORG -s SPACE' On Fri, Sep 4, 2015 at 4:49 PM, kyle havlovitz <kylehav(a)gmail.com> wrote: Ok, thanks for the helpful links. I replaced my config with the uaa.yml and login.yml from there and now the uaac commands from above work and I can run 'uaac token owner get'. I still can't login to cf with the cli though. On Fri, Sep 4, 2015 at 4:15 PM, Filip Hanik <fhanik(a)pivotal.io> wrote: Minimalist defaults are in the UAA repo (uaa.yml and login.yml) https://github.com/cloudfoundry/uaa/tree/master/uaa/src/main/resources Yaml is very sensitive to indentation. So hand crafting it may become a bit difficult. If you want the UAA to provide all default values (including admin/adminsecret client and cf/<blank password> client, then don't add any uaa.yml config file at all. Just start up UAA with it's defaults. It will suck in client defaults from https://github.com/cloudfoundry/uaa/blob/feature/invitations_flow_by_email_domain/uaa/src/main/webapp/WEB-INF/spring/oauth-clients.xml#L47-L172 Filip On Fri, Sep 4, 2015 at 2:05 PM, kyle havlovitz <kylehav(a)gmail.com> wrote: is there an example somewhere of a minimalist working config for them? I'm going through at the moment and trying to make mine resemble the config here: https://github.com/cloudfoundry/cf-release/blob/master/jobs/uaa/templates/uaa.yml.erb I'm also defining a test admin user in the scim users section On Fri, Sep 4, 2015 at 4:00 PM, Filip Hanik <fhanik(a)pivotal.io> wrote: ok, that tells me that your configuration of the UAA clients is incorrect On Fri, Sep 4, 2015 at 1:44 PM, kyle havlovitz <kylehav(a)gmail.com> wrote: ok so the 'uaac token client get' fails, and the error is 'Bad credentials' On Fri, Sep 4, 2015 at 3:33 PM, Filip Hanik <fhanik(a)pivotal.io> wrote: ok, so we can validate that uaac target http://localhost:8080 uaac token client get admin -s <your admin client secret> uaac clients Should show your 'cf' client in the list then we can do uaac token owner get cf <username> -s "" -p <user password> and if that works, we can take it to the next step On Fri, Sep 4, 2015 at 1:26 PM, kyle havlovitz <kylehav(a)gmail.com> wrote: I started the uaa by building from the tagged version in cf-release v215 and running it via tomcat with a custom config file, but I didn't specify a database. I have both a cf and admin section in the uaa clients config: cf: id: cf override: true authorized-grant-types: password,implicit,refresh_token authorities: uaa.none scope: cloud_controller.read,cloud_controller.write,openid,password.write,cloud_controller.admin,scim.read,scim.write secret: 'xxxxxxxxxx' admin: id: admin authorized-grant-types: client_credentials authorities: clients.read,clients.write,clients.secret,password.write,scim.read,uaa.admin scope: read,write,password resource-ids: clients secret: 'xxxxxxxxxx' On Fri, Sep 4, 2015 at 3:09 PM, Filip Hanik <fhanik(a)pivotal.io> wrote: ok, so the URL you have is /oauth/token, that's fine. your trace returns "authorization_endpoint":"http://localhost:8080 ","token_endpoint":"http://localhost:8080/uaa" indicating that there is a misconfiguration somewhere, but we can fix that later. How did you start the UAA? Are you sure that your UAA has a client named 'cf' in its database? On Fri, Sep 4, 2015 at 1:05 PM, kyle havlovitz <kylehav(a)gmail.com wrote: Running that command against /uaa/oauth/token gives just a redirect to /login. Doing it with /oauth/token gives a 401 unauthorized, same as the cf cli. What do you mean by deploy it as root "/"? As in, a override the url it hosts the endpoints at? attachment.html
More

View All 21 Messages In Topic

#1527

Join cf-dev@lists.cloudfoundry.org to automatically receive all group messages.

Home Hashtags Subgroups Terms