Re: [uaa] cannot retrieve username with scim.userids scope

Yitao Jiang

Hi Filip,

Here's the decoded token:

"jti": "6a0fc594-3db9-4a10-b720-63c47ff82ef9",
"sub": "48981ed6-c72f-4072-939c-ad7a4e36a669",
"scope": [
"client_id": "myconsole",
"cid": "myconsole",
"azp": "myconsole",
"grant_type": "password",
"user_id": "48981ed6-c72f-4072-939c-ad7a4e36a669",
"origin": "uaa",
"user_name": "XXX",
"email": "XXX",
"auth_time": 1458092554,
"rev_sig": "5aef8031",
"iat": 1458092554,
"exp": 1458135754,
"iss": "",
"zid": "uaa",
"aud": [

It doesn't contain the scim scope.

On Wed, Mar 16, 2016 at 1:07 AM, Filip Hanik <fhanik(a)> wrote:

Take a look at the value of $TOKEN (many online decoders out there. is one) and see what scopes your token actually has.


On Tue, Mar 15, 2016 at 8:45 AM, Yitao Jiang <> wrote:

Hi, guys,

I want to get the user's email, so per the docs of UAA at,
I created a client with the following scopes: scim.userids
password.write cloud_controller.write openid scim.write
cloud_controller.admin, and with grant types:

When using this client to log in a user, the parsed JWT of the token
doesn't contain scope, which leads to a failure calling the /Users API.
But when logging in with the client using uaac and using the uaac context to obtain
the token, the token has the scope and calling the /Users API succeeds.

Here's the related info:

uaac client get myconsole

scope: cloud_controller.admin cloud_controller.write openid password.write scim.userids scim.write uaa.user
client_id: myconsole
resource_ids: none
authorized_grant_types: authorization_code client_credentials password
autoapprove: true
action: none
authorities: scim.userids password.write cloud_controller.write openid scim.write cloud_controller.admin
name: myconsole
lastmodified: 1458017396000

Log in the user user1 using the myconsole client:

curl -X POST -d"username=
&grant_type=password" -u "myconsole:
" http://uaa.

Got the token.
Get the users:

curl -v -X GET -H "Accept: application/json" -H "Authorization: bearer
$TOKEN" http://uaa.

Failed with:

"error": "insufficient_scope",
"error_description": "Insufficient scope for this resource",
"scope": " zones.uaa.admin"

But if I replace the token with the one uaac context returned, I can get the users.
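An added example, not part of this thread, that does what Filip suggests in code rather than in an online decoder: decode the token's payload locally, list the scopes it actually carries, and compare them with the scopes a call needs. The two tokens are constructed here to mirror the shape of the decoded token above; their identifiers, names and timestamps are placeholders, and the helper that assembles them is hypothetical (a real UAA token is signed by the server). The relevant background is that in UAA the scopes in a token issued by a user-centric grant such as password are limited to what the user's group memberships authorize, so a scope appearing in the client's scope list does not by itself mean the user's token will carry it.

```python
import base64
import json


def _b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_inspection_jwt(payload: dict) -> str:
    """Assemble a JWT-shaped string (header.payload.signature) for local inspection.
    Hypothetical helper with a placeholder signature so the example runs offline;
    a real UAA token is signed by the server."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.placeholder-signature"


def decode_jwt_claims(token: str) -> dict:
    """Return the claims in a JWT's payload WITHOUT verifying the signature.
    This is what an online decoder does: use it to see what the token says,
    never to make an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore the padding base64url drops
    return json.loads(base64.urlsafe_b64decode(payload))


def token_scopes(token: str) -> set:
    """Scopes the token actually carries; accepts list or space-delimited forms."""
    scope = decode_jwt_claims(token).get("scope", [])
    if isinstance(scope, str):
        scope = scope.split()
    return set(scope)


def missing_scopes(token: str, required) -> set:
    """Scopes a call needs that the token does not carry (empty set means OK)."""
    return set(required) - token_scopes(token)


# Constructed sample claims mirroring the shape of the decoded token in the thread;
# ids, names and timestamps are placeholders, not the original values.
_BASE_CLAIMS = {
    "jti": "00000000-0000-0000-0000-000000000001",
    "sub": "00000000-0000-0000-0000-000000000002",
    "client_id": "myconsole",
    "cid": "myconsole",
    "azp": "myconsole",
    "grant_type": "password",
    "user_id": "00000000-0000-0000-0000-000000000002",
    "origin": "uaa",
    "user_name": "user1",
    "email": "user1@example.com",
    "iat": 1458092554,
    "exp": 1458135754,
    "zid": "uaa",
}

# Token as reported in the thread: no scim scope present.
TOKEN_WITHOUT_SCIM = make_inspection_jwt({**_BASE_CLAIMS, "scope": ["openid"]})
# Token that does carry the scope the client was configured for.
TOKEN_WITH_SCIM = make_inspection_jwt(
    {**_BASE_CLAIMS, "scope": ["openid", "scim.userids"]}
)

# The scope the poster expected per the UAA docs for the /Users call.
REQUIRED_FOR_USERS_CALL = {"scim.userids"}

if __name__ == "__main__":
    for name, tok in (("without scim", TOKEN_WITHOUT_SCIM), ("with scim", TOKEN_WITH_SCIM)):
        print(name, "carries:", sorted(token_scopes(tok)),
              "missing:", sorted(missing_scopes(tok, REQUIRED_FOR_USERS_CALL)))
```

Running the script prints the scopes each token carries and which required scope is missing; the first token reproduces the situation in the thread, where the client is configured with scim.userids but the token handed to the /Users call does not include it.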
