Re: UAA api /introspect does not seem to be working as expected #uaa


Shetty, Viraj S [CTR]
 

Jeremy, 

Thanks for your help! I found what the problem was.

I ran a local copy of the UAA on my laptop, pointing to the cloud database, and ran your test cases; it all worked as expected! I was able to use the /introspect endpoint with the bearer token.

So, I started comparing the differences in the uaa.yml file (default and our yaml) and found that the problem was the setting in my uaa.yml file which excluded authorities in the tokens. 

    claims:
      exclude:
        - authorities

The default uaa.yml had this commented and I just uncommented it while deploying our UAA. When I removed this setting, I am able to use the /introspect with the bearer token. I could also see that the token for the client introspect-test now has the authorities set as below. Looks like the UAA code is looking at the "authorities" claim and not the "scope" claim. Is that expected?

    "authorities": [
      "uaa.resource"
    ],
    "scope": [
      "uaa.resource"
    ],

I am just wondering why that option (exclude authorities) is there in the first place and if removing that option affects
anything else.

Thanks,
Viraj
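
The situation described in this message, as an added example that is not part of the original email or of UAA's code: a diagnostic that decodes a token's payload (without verifying the signature) and reports when `authorities` is absent even though `scope` carries `uaa.resource`. The function names and sample tokens are constructed for illustration, and the idea that the bearer check depends on `authorities` is the observation from the message, treated here as an assumption.

```python
import base64
import json

REQUIRED = "uaa.resource"  # authority shown in the token excerpt in the message


def b64url(data: bytes) -> str:
    """Base64url-encode without padding, as compact JWTs do."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWT. Diagnostic only: no signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token: str, required: str = REQUIRED) -> str:
    """Classify a token by how it carries the required authority."""
    claims = jwt_claims(token)
    in_scope = required in claims.get("scope", [])
    if "authorities" not in claims:
        # Matches the effect of claims.exclude: authorities in uaa.yml
        return "authorities-claim-missing" if in_scope else "not-granted"
    return "ok" if required in claims["authorities"] else "not-granted"


def make_sample(claims: dict) -> str:
    """Build a constructed, unsigned sample token for the demo."""
    header = b64url(json.dumps({"alg": "none"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.sig"


# Constructed samples: one as issued with the default uaa.yml, one with the exclusion on.
WITH_AUTH = make_sample({"client_id": "introspect-test",
                         "authorities": ["uaa.resource"],
                         "scope": ["uaa.resource"]})
EXCLUDED = make_sample({"client_id": "introspect-test",
                        "scope": ["uaa.resource"]})

if __name__ == "__main__":
    for name, tok in (("default uaa.yml", WITH_AUTH),
                      ("claims.exclude: authorities", EXCLUDED)):
        print(f"{name}: {diagnose(tok)}")
```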

 
