Re: [uaa] cannot retrieve username with scim.userids scope


Filip Hanik
 

Take a look at the value of $TOKEN (there are many online decoders out there;
https://jwt.io is one) and see what scopes your token actually has.

Filip

On Tue, Mar 15, 2016 at 8:45 AM, Yitao Jiang <jiangyt.cn(a)gmail.com> wrote:

Hi guys,

I want to get the users' email addresses, so per the UAA docs at
https://github.com/cloudfoundry/uaa/blob/master/docs/UAA-APIs.rst#query-for-information-get-users,
I created a client with the following scopes: scim.userids cloud_controller.read
password.write cloud_controller.write openid scim.write scim.read
cloud_controller.admin, and with the grant types
authorization_code,refresh_token,client_credentials,password.

When I use this client to log in a user, the parsed JWT of the token
doesn't contain the scim.read scope, which makes the call to the /Users API fail.
But when I log in the client using uaac and use uaac context to obtain
the token, the token has the scim.read scope and the /Users API call succeeds.

Here's the related info:

uaac client get myconsole

  scope: cloud_controller.admin cloud_controller.read cloud_controller.write openid password.write scim.read scim.userids scim.write uaa.user
  client_id: myconsole
  resource_ids: none
  authorized_grant_types: authorization_code client_credentials password refresh_token
  autoapprove: true
  action: none
  authorities: scim.userids cloud_controller.read password.write cloud_controller.write openid scim.write scim.read cloud_controller.admin
  name: myconsole
  lastmodified: 1458017396000

Log in the user user1 using the myconsole client:

curl -X POST \
  -u "myconsole:XXX" \
  -d "username=user1@abc.com&password=password&client_id=myconsole&client_secret=XXX&grant_type=password" \
  http://uaa.XXX.com/oauth/token

Got the token. Get the users:

curl -v -X GET \
  -H "Accept: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  "http://uaa.XXX.com/Users?attributes=userName"

Failed with:

{
  "error": "insufficient_scope",
  "error_description": "Insufficient scope for this resource",
  "scope": "scim.read zones.uaa.admin"
}


But if I replace the token with the one returned by uaac context, I can get the users.




--

Regards,

Yitao
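What Filip suggests, done locally rather than by pasting the token into a web decoder (an access token is a credential; anything pasted into an online decoder has been disclosed to a third party). The following is an added example, not code from this thread or from the UAA project: it base64url-decodes the JWT payload, lists the `scope` claim, and checks it against the scopes UAA named in the insufficient_scope error above. The sample token and its claim values are constructed here with an empty signature purely so the decoder has something to run on; the code never verifies a signature and must not be used to decide whether to accept a token.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    """base64url without padding, the encoding JWT segments use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims: dict) -> str:
    """Build a header.payload. token with an EMPTY signature.
    Test fixture only: a real UAA token is signed and UAA would reject
    anything built this way. It exists so the decoder below can be exercised
    offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return ".".join([header, _b64url(json.dumps(claims).encode()), ""])


# Constructed claims shaped like a UAA password-grant access token for the
# client and user in the thread. The values are illustrative, not captured.
SAMPLE_TOKEN = make_unsigned_token({
    "client_id": "myconsole",
    "user_name": "user1@abc.com",
    "grant_type": "password",
    "scope": ["openid", "cloud_controller.read", "cloud_controller.write",
              "password.write", "uaa.user"],
})


def decode_payload(token: str) -> dict:
    """Return the JWT claims WITHOUT verifying the signature.
    Inspection only: the resource server (UAA) is what verifies tokens;
    never use this to decide whether to trust one."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_scopes(token: str) -> set:
    """The 'scope' claim as a set. UAA emits a JSON array; some issuers
    emit a space-delimited string, so accept both."""
    scope = decode_payload(token).get("scope", [])
    if isinstance(scope, str):
        scope = scope.split()
    return set(scope)


def satisfies(token: str, accepted: str) -> bool:
    """'accepted' is the space-separated 'scope' field from a UAA
    insufficient_scope error; holding ANY one of them is enough."""
    return bool(token_scopes(token) & set(accepted.split()))


def missing_for(token: str, accepted: str) -> set:
    """Scopes named in the error that the token does not carry."""
    return set(accepted.split()) - token_scopes(token)


if __name__ == "__main__":
    # In practice: TOKEN=$(curl ... /oauth/token | jq -r .access_token)
    print(sorted(token_scopes(SAMPLE_TOKEN)))
    print(satisfies(SAMPLE_TOKEN, "scim.read zones.uaa.admin"))  # False
```

Run it against both tokens from the thread (the password-grant one and the one `uaac context` shows) and diff the two scope sets; the client's registered `scope` list is an upper bound, so the claim in the token is the only thing that tells you what the resource server will actually honour.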
