Re: UAA api /introspect does not seem to be workign as expected #uaa

Jeremy Morony

Hi Viraj,

From the details provided it looks like the call to /introspect might be using the user's token in the authorize header instead of a client token.

A successful curl request looks like:

curl -X POST - H "Authorization: bearer client-token" -d "token=user-token"

Hope this helps.


From: cf-dev@... <cf-dev@...> on behalf of Shetty, Viraj S [CTR] via <>
Sent: Thursday, September 10, 2020 2:58 PM
To: cf-dev@... <cf-dev@...>
Subject: Re: [cf-dev] UAA api /introspect does not seem to be workign as expected #uaa
I increased the logging for the UAA and found this exception. The error message is "User is not anonymous". Any idea what this could mean? 

09-10T17:34:55.74-0400 [APP/PROC/WEB/0] OUT [2020-09-10 21:34:55.742] uaa - 25 [http-nio-8080-exec-9] .... DEBUG --- FilterSecurityInterceptor: Secure object: FilterInvocation: URL: /introspect; Attributes: [#oauth2.throwOnError(hasAuthority('uaa.resource'))]
   2020-09-10T17:34:55.74-0400 [APP/PROC/WEB/0] OUT [2020-09-10 21:34:55.743] uaa - 25 [http-nio-8080-exec-9] .... DEBUG --- FilterSecurityInterceptor: Previously Authenticated: org.cloudfoundry.identity.uaa.oauth.UaaOauth2Authentication@2e8b9cef: Principal: 7dafcb10-ca4b-4470-ae97-f632553a180d; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=, tokenType=BearertokenValue=<TOKEN>; Granted Authorities: password.write, scim.userids,, openid, oauth.approvals, uaa.offline_token, profile, roles, user_attributes, uaa.user
   2020-09-10T17:34:55.74-0400 [APP/PROC/WEB/0] OUT [2020-09-10 21:34:55.744] uaa - 25 [http-nio-8080-exec-9] .... DEBUG --- AffirmativeBased: Voter:, returned: -1
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT [2020-09-10 21:34:55.746] uaa - 25 [http-nio-8080-exec-9] .... DEBUG --- ExceptionTranslationFilter: Access is denied (user is not anonymous); delegating to AccessDeniedHandler
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT Access is denied
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT     at ~[spring-security-core-5.2.1.RELEASE.jar:5.2.1.RELEASE]
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT     at ~[spring-security-core-5.2.1.RELEASE.jar:5.2.1.RELEASE]
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT     at ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT     at ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT     at$VirtualFilterChain.doFilter( ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT     at [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT     at$VirtualFilterChain.doFilter( [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT     at

Join to automatically receive all group messages.