Re: [uaa] cannot retrieve username with scim.userids scope

Filip Hanik

Take a look at the value of $TOKEN (many online decoders out there. is one) and see what scopes your token actually has.


On Tue, Mar 15, 2016 at 8:45 AM, Yitao Jiang <> wrote:

Hi, guys,

I wanna get the user's email, so per the docs of UAA at,
I created a client with the following scopes: scim.userids
password.write cloud_controller.write openid scim.write
cloud_controller.admin and with grant types:

When using this client to log in a user, the parsed JWT of the token
doesn't contain the scope, which leads to a failure calling the /Users API.
But when logging in the client using uaac and using uaac context to obtain
the token, the token has the scope and calling the /Users API succeeds.

Here's the related info:

uaac client get myconsole

scope: cloud_controller.admin cloud_controller.write openid password.write scim.userids scim.write uaa.user
client_id: myconsole
resource_ids: none
authorized_grant_types: authorization_code client_credentials password
autoapprove: true
action: none
authorities: scim.userids password.write cloud_controller.write openid scim.write cloud_controller.admin
name: myconsole
lastmodified: 1458017396000

Log in the user user1 using the myconsole client:

curl -X POST -d"username=
&grant_type=password" -u "myconsole:
" http://uaa.

got the token
get the users

curl -v -X GET -H "Accept: application/json" -H "Authorization: basic
$TOKEN" http://uaa.

failed with

"error": "insufficient_scope",
"error_description": "Insufficient scope for this resource",
"scope": " zones.uaa.admin"

But if I replace the token with the one returned by uaac context, I can get the users.




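The check suggested in the reply (see which scopes the token actually carries), done locally rather than in an online decoder, as an added example that is not part of the original thread. The sample token is constructed, the helper names are hypothetical, and the list of scopes to look for is an assumption taken from the client configuration quoted above.

```python
import base64
import json


def decode_jwt_claims(token):
    """Return the claims of a compact JWT. The signature is NOT verified:
    this is for inspecting a token you already hold, not for trusting it."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected header.payload.signature")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # JWT base64url drops '=' padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_scopes(claims):
    """Normalise 'scope': UAA emits a JSON array, other issuers a
    space-delimited string. A missing claim yields an empty set."""
    scope = claims.get("scope", [])
    if isinstance(scope, str):
        scope = scope.split()
    return set(scope)


def scope_report(token, wanted):
    """Split the wanted scopes into (present, absent) for this token."""
    granted = token_scopes(decode_jwt_claims(token))
    present = sorted(s for s in wanted if s in granted)
    absent = sorted(s for s in wanted if s not in granted)
    return present, absent


def _b64url(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample: a user token that lacks the scim.* scopes.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"client_id": "myconsole", "user_name": "user1",
             "scope": ["openid", "password.write"]}),
    "constructed-signature",
])

if __name__ == "__main__":
    present, absent = scope_report(
        SAMPLE_TOKEN, ["scim.userids", "scim.write", "openid"])
    print("present:", present)
    print("absent: ", absent)
```

Running the same `scope_report` on the token from the password grant and on the one from `uaac context` shows side by side which scopes each one was issued with.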