Re: UAA api /introspect does not seem to be workign as expected #uaa


Shetty, Viraj S [CTR]
 

Hi Jeremy, 

Thanks for taklng the time to respond. Really appreciate it. 

I have double checked this many times. From Postman, I saw the request that is being sent and checked the bearer token to see the token scopes. The token contains the following (i added uaa.admin just as a test later)  

  "scope": [
    "uaa.resource",
    "uaa.admin"
],
  "grant_type": "client_credentials",

The request looks all fine.

Is there any configuration needed at the endpoints? I see the following configuration for /introspect from resource-endpoints.xml

    <http name="introspectSecurity" pattern="/introspect" create-session="stateless"
          entry-point-ref="basicAuthenticationEntryPoint"
          authentication-manager-ref="clientAuthenticationManager" use-expressions="true"
          xmlns="http://www.springframework.org/schema/security">
        <intercept-url pattern="/**" access="hasAuthority('uaa.resource')"/>
        <anonymous enabled="false"/>
        <custom-filter ref="oauthWithoutResourceAuthenticationFilter" position="PRE_AUTH_FILTER"/>
        <custom-filter ref="clientAuthenticationFilter" position="BASIC_AUTH_FILTER"/>
        <expression-handler ref="oauthWebExpressionHandler"/>
        <access-denied-handler ref="oauthAccessDeniedHandler"/>
        <csrf disabled="true"/>
    </http>
Should there be one for Bearer token ? Not sure. 

As per the API docs for 74.14.0, 

Authorization One of the following authentication/authorization mechanisms:
  • Bearer token for a registered client with authority uaa.resource   [Recommended]
  • Basic authentication using client_id / client_secret for a registered client with authority uaa.resource   [Deprecated]
If both bearer token and basic auth credentials are provided, only the bearer token will be used.

Thanks,
Viraj 

Join cf-dev@lists.cloudfoundry.org to automatically receive all group messages.