Re: [uaa] cannot retrieve username with scim.userids scope


Yitao Jiang
 

Hi, Filip,

Here's the decoded token:

{
  "jti": "6a0fc594-3db9-4a10-b720-63c47ff82ef9",
  "sub": "48981ed6-c72f-4072-939c-ad7a4e36a669",
  "scope": [
    "cloud_controller.read",
    "password.write",
    "cloud_controller.write",
    "openid",
    "uaa.user"
  ],
  "client_id": "myconsole",
  "cid": "myconsole",
  "azp": "myconsole",
  "grant_type": "password",
  "user_id": "48981ed6-c72f-4072-939c-ad7a4e36a669",
  "origin": "uaa",
  "user_name": "XXX",
  "email": "XXX",
  "auth_time": 1458092554,
  "rev_sig": "5aef8031",
  "iat": 1458092554,
  "exp": 1458135754,
  "iss": "http://uaa.XXX.com/oauth/token",
  "zid": "uaa",
  "aud": [
    "myconsole",
    "cloud_controller",
    "password",
    "openid",
    "uaa"
  ]
}

It doesn't contain any scim scope.

On Wed, Mar 16, 2016 at 1:07 AM, Filip Hanik <fhanik(a)pivotal.io> wrote:

Take a look at the value of $TOKEN (there are many online decoders out there;
https://jwt.io is one) and see what scopes your token actually has.

Filip

On Tue, Mar 15, 2016 at 8:45 AM, Yitao Jiang <jiangyt.cn(a)gmail.com> wrote:

Hi, guys,

I want to get the users' email, so per the UAA docs at
https://github.com/cloudfoundry/uaa/blob/master/docs/UAA-APIs.rst#query-for-information-get-users,
I created a client with the following scopes: scim.userids cloud_controller.read
password.write cloud_controller.write openid scim.write scim.read
cloud_controller.admin, and with grant types:
authorization_code,refresh_token,client_credentials,password

When using this client to log in a user, the parsed JWT of the token
doesn't contain the scim.read scope, which leads to a failure when calling the /Users API.
But when logging in the client using uaac and using the uaac context to obtain
the token, the token has the scim.read scope and calling the /Users API succeeds.

Here's the related info:

# uaac client get myconsole

scope: cloud_controller.admin cloud_controller.read
cloud_controller.write openid password.write
scim.read scim.userids scim.write uaa.user
client_id: myconsole
resource_ids: none
authorized_grant_types: authorization_code client_credentials password
refresh_token
autoapprove: true
action: none
authorities: scim.userids cloud_controller.read password.write
cloud_controller.write openid
scim.write scim.read cloud_controller.admin
name: myconsole
lastmodified: 1458017396000

Log in the user user1 using the myconsole client:

curl -X POST -d "username=user1(a)abc.com&password=password&client_id=myconsole&client_secret=XXX&grant_type=password" -u "myconsole:XXX" http://uaa.XXX.com/oauth/token

Got the token.
Get the users:

curl -v -X GET -H "Accept: application/json" -H "Authorization: basic $TOKEN" http://uaa.XXX.com/Users?attributes=userName

Failed with:

{
"error": "insufficient_scope",
"error_description": "Insufficient scope for this resource",
"scope": "scim.read zones.uaa.admin"
}


But if I replace the token with the one returned by the uaac context, I can get the users.




--

Regards,

Yitao

--

Regards,

Yitao
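The check Filip suggests (decode the token and compare its scopes against what the /Users endpoint asked for) can be scripted so it does not depend on pasting a bearer token into a third-party web decoder. The script below is an added example, not part of the thread or of the UAA project; it reads the payload of a compact JWT without verifying the signature (diagnostic use only, never as an authorization decision) and compares the `scope` claim against the space-separated `scope` field that UAA returns in its `insufficient_scope` error. The sample token and error body are constructed here to mirror the claims and the error shown in the thread; the name `diagnose` and the assumption that any one of the listed scopes would satisfy the endpoint are mine, not UAA's.

```python
import base64
import json

# Constructed sample: a JWT-shaped token whose payload mirrors the claims in
# the thread (a password-grant token without scim.read). The signature
# segment is a dummy, since this script only reads claims and never verifies.
def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

SAMPLE_PAYLOAD = {
    "sub": "48981ed6-c72f-4072-939c-ad7a4e36a669",
    "scope": [
        "cloud_controller.read",
        "password.write",
        "cloud_controller.write",
        "openid",
        "uaa.user",
    ],
    "client_id": "myconsole",
    "grant_type": "password",
    "iss": "http://uaa.XXX.com/oauth/token",
}
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps(SAMPLE_PAYLOAD).encode()),
    _b64url_encode(b"dummy-signature"),
])

# Constructed sample: the insufficient_scope body returned by /Users in the thread.
SAMPLE_ERROR = (
    '{"error": "insufficient_scope", '
    '"error_description": "Insufficient scope for this resource", '
    '"scope": "scim.read zones.uaa.admin"}'
)


def decode_jwt_claims(token: str) -> dict:
    """Decode the payload segment of a compact JWS. No signature check: diagnostics only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-segment compact JWT")
    payload = parts[1]
    # base64url strips padding; restore it before decoding
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def token_scopes(token: str) -> set:
    """Return the token's scopes as a set (UAA emits a JSON array; a space-separated string is also accepted)."""
    scope = decode_jwt_claims(token).get("scope", [])
    if isinstance(scope, str):
        scope = scope.split()
    return set(scope)


def required_scopes(error_body: str) -> set:
    """Parse the space-separated 'scope' field of a UAA insufficient_scope error."""
    body = json.loads(error_body)
    if body.get("error") != "insufficient_scope":
        return set()
    return set(body.get("scope", "").split())


def diagnose(token: str, error_body: str) -> dict:
    """Compare what the token carries with what the endpoint asked for.

    Assumption (mine): holding any one of the scopes listed in the error is enough.
    """
    have = token_scopes(token)
    need = required_scopes(error_body)
    return {
        "have": sorted(have),
        "need_any_of": sorted(need),
        "satisfied": bool(have & need),
        "missing": sorted(need - have),
    }


if __name__ == "__main__":
    print(json.dumps(diagnose(SAMPLE_TOKEN, SAMPLE_ERROR), indent=2))
```

Run against the real value of $TOKEN and the real error body instead of the constructed samples, and the `missing` list shows directly which of the client's configured scopes did not make it into the user's token.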
