Hi, Filip, here's the decoded token:

{
  "jti": "6a0fc594-3db9-4a10-b720-63c47ff82ef9",
  "sub": "48981ed6-c72f-4072-939c-ad7a4e36a669",
  "scope": [
    "cloud_controller.read",
    "password.write",
    "cloud_controller.write",
    "openid",
    "uaa.user"
  ],
  "client_id": "myconsole",
  "cid": "myconsole",
  "azp": "myconsole",
  "grant_type": "password",
  "user_id": "48981ed6-c72f-4072-939c-ad7a4e36a669",
  "origin": "uaa",
  "user_name": "XXX",
  "email": "XXX",
  "auth_time": 1458092554,
  "rev_sig": "5aef8031",
  "iat": 1458092554,
  "exp": 1458135754,
  "iss": "http://uaa.XXX.com/oauth/token",
  "zid": "uaa",
  "aud": [
    "myconsole",
    "cloud_controller",
    "password",
    "openid",
    "uaa"
  ]
}

It doesn't contain the scim scope.

On Wed, Mar 16, 2016 at 1:07 AM, Filip Hanik <fhanik(a)pivotal.io> wrote:

Take a look at the value of $TOKEN (there are many online decoders out there; https://jwt.io is one) and see what scopes your token actually has.

Filip
On Tue, Mar 15, 2016 at 8:45 AM, Yitao Jiang <jiangyt.cn(a)gmail.com> wrote:
Hi, guys,
I want to get the user's email, so per the UAA docs at https://github.com/cloudfoundry/uaa/blob/master/docs/UAA-APIs.rst#query-for-information-get-users, I created a client with the following scopes: scim.userids cloud_controller.read password.write cloud_controller.write openid scim.write scim.read cloud_controller.admin, and with grant types: authorization_code,refresh_token,client_credentials,password.

When using this client to log in a user, the parsed JWT of the token doesn't contain the scim.read scope, which leads to a failure when calling the /Users API. But when logging in the client using uaac and using the uaac context to obtain the token, the token has the scim.read scope and the call to the /Users API succeeds.

Here's the related info.
# uaac client get myconsole
  scope: cloud_controller.admin cloud_controller.read cloud_controller.write openid password.write scim.read scim.userids scim.write uaa.user
  client_id: myconsole
  resource_ids: none
  authorized_grant_types: authorization_code client_credentials password refresh_token
  autoapprove: true
  action: none
  authorities: scim.userids cloud_controller.read password.write cloud_controller.write openid scim.write scim.read cloud_controller.admin
  name: myconsole
  lastmodified: 1458017396000

Log in the user user1 using the myconsole client:

curl -X POST -d "username=user1@abc.com&password=password&client_id=myconsole&client_secret=XXX&grant_type=password" -u "myconsole:XXX" http://uaa.XXX.com/oauth/token

Got the token. Get the users:

curl -v -X GET -H "Accept: application/json" -H "Authorization: bearer $TOKEN" "http://uaa.XXX.com/Users?attributes=userName"

This failed with:

{
  "error": "insufficient_scope",
  "error_description": "Insufficient scope for this resource",
  "scope": "scim.read zones.uaa.admin"
}

But if I replace the token with the one returned by the uaac context, I can get the users.
--
Regards,
Yitao
--
Regards,
Yitao
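A small script, added here as an example (it is not part of the thread and not UAA's own code), for doing what Filip suggests: decode the token payload locally and compare its scope claim with what the resource demanded. It uses only the Python standard library. The sample token is constructed from the claims pasted above and signed with a dummy signature, so it runs offline; it is not a real, verifiable UAA token.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.

    This is inspection only (what jwt.io does in the browser); a resource
    server must verify the signature, issuer and expiry before trusting any claim.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def token_scopes(token: str) -> set:
    """Scopes carried by the token, as a set.

    UAA emits "scope" as a JSON array; other OAuth issuers use a
    space-separated string. Both forms are accepted.
    """
    scope = decode_claims(token).get("scope", [])
    if isinstance(scope, str):
        scope = scope.split()
    return set(scope)


def missing_scopes(token: str, required) -> set:
    """Every scope in `required` that the token does not carry."""
    return set(required) - token_scopes(token)


def has_any_scope(token: str, alternatives) -> bool:
    """True if the token carries at least one of `alternatives`.

    UAA's insufficient_scope error lists acceptable scopes as alternatives
    ("scim.read zones.uaa.admin" means either one would have been enough).
    """
    return bool(token_scopes(token) & set(alternatives))


# Constructed sample: the claims from the thread, re-encoded locally.
_CLAIMS = {
    "jti": "6a0fc594-3db9-4a10-b720-63c47ff82ef9",
    "sub": "48981ed6-c72f-4072-939c-ad7a4e36a669",
    "scope": ["cloud_controller.read", "password.write",
              "cloud_controller.write", "openid", "uaa.user"],
    "client_id": "myconsole",
    "cid": "myconsole",
    "azp": "myconsole",
    "grant_type": "password",
    "user_id": "48981ed6-c72f-4072-939c-ad7a4e36a669",
    "origin": "uaa",
    "iat": 1458092554,
    "exp": 1458135754,
    "iss": "http://uaa.XXX.com/oauth/token",
    "zid": "uaa",
    "aud": ["myconsole", "cloud_controller", "password", "openid", "uaa"],
}
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps(_CLAIMS).encode()),
    _b64url_encode(b"not-a-real-signature"),  # dummy: no key was used
])

if __name__ == "__main__":
    # The /Users endpoint answered "scope": "scim.read zones.uaa.admin".
    wanted = {"scim.read", "zones.uaa.admin"}
    print("token scopes:", sorted(token_scopes(SAMPLE_TOKEN)))
    print("any of", sorted(wanted), "present:", has_any_scope(SAMPLE_TOKEN, wanted))
    print("missing:", sorted(missing_scopes(SAMPLE_TOKEN, wanted)))
```

Point the script at the real value of $TOKEN (replace SAMPLE_TOKEN) to see in one line which of the scopes the client was registered with actually made it into the token for a given grant type; the same check run against the uaac-context token shows the difference the thread describes.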