
Re: Spring OAuth2 - tokenInfoUri

Daniel Mikusa
 

On Thu, Jun 30, 2016 at 1:43 AM, Bryan Perino <Bryan.Perino(a)gmail.com>
wrote:

Hello All,

I am using Spring Cloud Security with OAuth2 and am having an issue
related to it not passing the scopes around. I believe that I need to
define an endpoint to retrieve information about a given token (including
its scopes). However, I am getting an error stating that it is
unauthorized:

I have defined this endpoint for the token info:
http://localhost:8080/uaa/check_token

Here is the error:

https://gist.github.com/bryantp/eb81d46b7beac9ee5011e5eca33a7a5c

Do you have logs from UAA? The UAA logs will sometimes tell you more about
the response you received.

Dan




I noticed that it is making a request to the endpoint, and the verbiage is
correct. I am not sure what it could be sending wrong. This is related to
this issue I found for Spring Boot and has to deal with Authorization on a
per-method basis.

https://github.com/spring-projects/spring-boot/issues/5096

Thanks for any help.


Spring OAuth2 - tokenInfoUri

Bryan Perino
 

Hello All,

I am using Spring Cloud Security with OAuth2 and am having an issue related to it not passing the scopes around. I believe that I need to define an endpoint to retrieve information about a given token (including its scopes). However, I am getting an error stating that it is unauthorized:

I have defined this endpoint for the token info: http://localhost:8080/uaa/check_token

Here is the error:

https://gist.github.com/bryantp/eb81d46b7beac9ee5011e5eca33a7a5c

I noticed that it is making a request to the endpoint, and the verbiage is correct. I am not sure what it could be sending wrong. This is related to this issue I found for Spring Boot and has to deal with Authorization on a per-method basis.

https://github.com/spring-projects/spring-boot/issues/5096

Thanks for any help.


Re: Spring OAuth not retrieving scopes from UAA

Madhura Bhave
 

The request to /oauth/authorize takes in a scope parameter where you can
specify which scopes you want in your access token. That is what adding the
scope in application.yml did. If you don't specify any scope parameter to
that request you get all the scopes that both the client and user have in
common. So in your case,

http://localhost:8080/uaa/oauth/authorize?client_id=myApp&redirect_uri=http://localhost:8081/login&response_type=code&scope=uaa.admin%20openid&state=QUHpO2

and

http://localhost:8080/uaa/oauth/authorize?client_id=myApp&redirect_uri=http://localhost:8081/login&response_type=code&state=QUHpO2


will end up with the same result.

The reason why uaa.admin does not show up on the authorization page in both
cases is because the UAA ignores scopes with a prefix of `uaa.` when asking
the user to authorize the scopes.

On Wed, Jun 29, 2016 at 3:04 PM, Bryan Perino <Bryan.Perino(a)gmail.com>
wrote:

Thanks! I am not sure if it makes a difference, but I can also specify the
scope in the client config:


https://gist.github.com/bryantp/4b3dadb17c620d301109859fd92c4539#file-application-yml-L16

The request URL then becomes:


http://localhost:8080/uaa/oauth/authorize?client_id=myApp&redirect_uri=http://localhost:8081/login&response_type=code&scope=uaa.admin%20openid&state=QUHpO2

Full HAR file:

https://dl.dropboxusercontent.com/u/4177525/request-with-scopes.har

However, I still only get the OpenID auth/scope on the UAA auth page.


CF CLI v6.20.0 Released Today

Koper, Dies <diesk@...>
 

The CF CLI team just cut 6.20.0. Binaries and link to release notes are available at:

https://github.com/cloudfoundry/cli#downloads

Route Services and Routes with Paths

Route services can now be bound to routes with paths.

Binding Security Groups to All Spaces of an Org

Security groups can now be bound to all spaces of an org in one command call.

Fixed Regressions

* Plug-in failures
  Some plug-ins failed since cf CLI 6.17.0 due to an unintended change to the response of the CliCommandWithoutTerminalOutput function (#866 <https://github.com/cloudfoundry/cli/issues/866>)
* .* in .cfignore
  While cf CLI 6.13.0 correctly interprets the pattern .* in .cfignore to mean ignore all files starting with a period, cf CLI 6.14.0 and greater ignores all files and fails to push the app.
  This has been corrected. (#870 <https://github.com/cloudfoundry/cli/issues/870>)
* cf copy-source with non-existing target app produces confusing error message
  While cf CLI 6.17.1 correctly fails with a message that the target app could not be found, cf CLI 6.18.1 fails saying the target space could not be found.
  This is addressed, and the command's help has been improved to clarify that the target app has to exist. (#849 <https://github.com/cloudfoundry/cli/issues/849>)
* Negative WaitGroup Counter Panic
  The cf CLI could panic when pushing an app when the noaa library the CLI uses to retrieve logs does a retry. (#850 <https://github.com/cloudfoundry/cli/issues/850>)

Updated Commands

* bind-route-service and unbind-route-service now accept a route path
* bind-security-group now allows the space name to be omitted, binding the security group to all spaces of the org

New & Updated Community Plugins

* Copy Env v1.0.0: https://github.com/jthomas/copyenv
* Usage Report v1.3.1: https://github.com/krujos/usagereport-plugin
* Antifreeze v0.3.0: https://github.com/odlp/antifreeze

Enjoy!

Regards,
Dies Koper
Cloud Foundry CLI PM


Re: Spring OAuth not retrieving scopes from UAA

Bryan Perino
 

Thanks! I am not sure if it makes a difference, but I can also specify the scope in the client config:

https://gist.github.com/bryantp/4b3dadb17c620d301109859fd92c4539#file-application-yml-L16

The request URL then becomes:

http://localhost:8080/uaa/oauth/authorize?client_id=myApp&redirect_uri=http://localhost:8081/login&response_type=code&scope=uaa.admin%20openid&state=QUHpO2

Full HAR file:

https://dl.dropboxusercontent.com/u/4177525/request-with-scopes.har

However, I still only get the OpenID auth/scope on the UAA auth page.


Re: Spring OAuth not retrieving scopes from UAA

Madhura Bhave
 

So it looks like if the scope name starts with `uaa.` we ignore it at the
time of app authorization. I will create a story in our backlog to
investigate why that is the case. As a workaround if you want the scope to
end up in the access token you can autoapprove that scope in the client
configuration in uaa.yml. Example:
https://github.com/cloudfoundry/uaa-release/blob/develop/jobs/uaa/spec#L256

On Wed, Jun 29, 2016 at 2:00 PM, Bryan Perino <Bryan.Perino(a)gmail.com>
wrote:

There are 3 requests to /oauth/authorize. I have saved all 3 as HAR files.

https://dl.dropboxusercontent.com/u/4177525/har-files.zip
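The two rules Madhura describes above (no scope parameter means "all scopes the client and user have in common"; scopes prefixed `uaa.` are left off the approval page, so they only reach the token if the client auto-approves them) are easy to misread from a HAR file alone. The following is an added example, not code from the thread or from UAA itself: it models those rules in Python so you can see why the earlier request with `scope=uaa.admin%20openid` still produced a token without `uaa.admin`, and what changes when that scope is auto-approved in the client configuration. The client id, redirect URI and state value are the ones from the thread's own URLs; the client and user scope lists are constructed, and restricting an explicit `scope` parameter to the client/user intersection is an assumption of this model, not a documented UAA behaviour.

```python
from urllib.parse import urlencode, urlsplit, parse_qs, quote

# Assumed UAA base URL, taken from the thread's own example requests.
UAA_AUTHORIZE_URL = "http://localhost:8080/uaa/oauth/authorize"


def build_authorize_url(client_id, redirect_uri, state, scopes=None):
    """Build the authorization-code request. The scope parameter is optional:
    leaving it out means 'give me everything the client and user share'."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
    }
    if scopes:
        params["scope"] = " ".join(scopes)   # space-separated, per RFC 6749
    params["state"] = state                   # binds the callback to this request
    # quote (not quote_plus) so the space is sent as %20, as in the thread's URLs
    return f"{UAA_AUTHORIZE_URL}?{urlencode(params, quote_via=quote)}"


def requested_scopes_from_url(url):
    """Recover the scope list the browser actually sent (what a HAR file shows)."""
    query = parse_qs(urlsplit(url).query)
    return query.get("scope", [""])[0].split()


def effective_request(scope_param, client_scopes, user_scopes):
    """Scopes treated as requested.

    No scope parameter -> everything the client and the user have in common.
    Explicit scope parameter -> only the listed scopes; restricting them to the
    client/user intersection here is an assumption of this model, not UAA code."""
    allowed = set(client_scopes) & set(user_scopes)
    if not scope_param:
        return allowed
    return set(scope_param) & allowed


def split_for_approval(requested, autoapprove):
    """Separate requested scopes into what is granted without a prompt, what the
    user is asked to approve, and what never reaches the approval page.

    autoapprove is either True (approve everything) or an iterable of scope
    names, mirroring the client's autoapprove setting in uaa.yml."""
    auto, prompted, dropped = set(), set(), set()
    for scope in requested:
        if autoapprove is True or scope in autoapprove:
            auto.add(scope)
        elif scope.startswith("uaa."):
            dropped.add(scope)     # UAA leaves uaa.* scopes off the approval page
        else:
            prompted.add(scope)
    return auto, prompted, dropped


def token_scopes(requested, autoapprove, user_approved):
    """Scopes that end up in the access token: auto-approved ones plus those the
    user explicitly approved on the authorization page."""
    auto, prompted, _dropped = split_for_approval(requested, autoapprove)
    return auto | (prompted & set(user_approved))


def reproduce_thread_case():
    """Constructed data modelled on the thread: a client and a user that share
    openid and uaa.admin, and a user who approves whatever is shown to them."""
    client_scopes = ["openid", "uaa.admin"]
    user_scopes = ["openid", "uaa.user", "uaa.admin"]
    url = build_authorize_url("myApp", "http://localhost:8081/login", "QUHpO2",
                              ["uaa.admin", "openid"])
    requested = effective_request(requested_scopes_from_url(url),
                                  client_scopes, user_scopes)
    _auto, prompted, _dropped = split_for_approval(requested, autoapprove=[])
    # Without autoapprove the page shows only openid, so the token lacks uaa.admin.
    without = token_scopes(requested, [], user_approved=prompted)
    # With uaa.admin auto-approved it is granted silently and lands in the token.
    with_auto = token_scopes(requested, ["uaa.admin"], user_approved=prompted)
    return sorted(without), sorted(with_auto)


if __name__ == "__main__":
    print(reproduce_thread_case())
```

Reading the result: the approval page the user sees only ever lists `openid`, exactly as the screenshot in the thread shows, and the token gains `uaa.admin` only once the client auto-approves it. When diagnosing a missing scope, compare all three sets (auto-approved, prompted, dropped) rather than just the `scope` parameter in the request.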


How to make values in VCAP_SERVICES json private or secret or hidden

Nikhil Katre <nikhil.katre@...>
 

Hi,

I have a service that is supported on Cloud Foundry through Java Buildpack.
I am trying to make the values of my service in the VCAP_SERVICES JSON hidden or private, so that they are invisible when using the command cf env.
Does anyone know how to achieve this on the Cloud Foundry or PCF platform?


CF Summit EU 2016 code for Contributors

Chip Childers <cchilders@...>
 

Hi all,

Registration is open for the upcoming CF Summit Europe, and we have a
limited number of free passes for contributors to the project.

This code can be used by anyone that is a contributor to a Cloud Foundry or
BOSH project. We consider contributions to be project leads, dedicated
committers or even if you have sent in a pull request to one of the
projects.

*However, we ask that individuals consider their organization's ability to
fund the ticket first, before using this code. *

We run the summits on a very tight budget, and the number of free passes
that we can offer for this specific event are limited.

Also - please only register if you do intend to come to the event.

Use of the code is on the honor system...

https://www.cloudfoundry.org/community/summits/program/about/?summitId=11993


Code: CFEU16CONT
Feel free to reach out to me or to events(a)cloudfoundry.org if you have any
questions.

See you there!

-chip


Re: Spring OAuth not retrieving scopes from UAA

Bryan Perino
 

There are 3 requests to /oauth/authorize. I have saved all 3 as HAR files.

https://dl.dropboxusercontent.com/u/4177525/har-files.zip


Re: Spring OAuth not retrieving scopes from UAA

Madhura Bhave
 

Can you send me the full request to /oauth/authorize when you get to the
authorization page? You should be able to find it in the Network tab.

On Wed, Jun 29, 2016 at 10:29 AM, Bryan Perino <Bryan.Perino(a)gmail.com>
wrote:

I don't have to modify the client registration YAML, do I? Here it is for
brevity:

https://gist.github.com/bryantp/359249dfe2a40860c3a6f5489f9924bd


Re: How to listen to space deletion events?

Nicholas Calugar
 

Hi Piotr,

Delete space will fail if there are associated resources.


Nick

On Wed, Jun 29, 2016 at 8:21 AM, Piotr Przybylski <piotrp(a)us.ibm.com> wrote:

Hi Nicholas,
What happens to applications if the recursive flag is not passed? Will
delete fail if there are apps in the space, or will delete succeed? In
the latter case, what is the state of these applications?

Piotr

Piotr Przybylski | IBM Bluemix



From: Nicholas Calugar <ncalugar(a)pivotal.io>
To: "Discussions about Cloud Foundry projects and the system overall." <
cf-dev(a)lists.cloudfoundry.org>
Date: 06/28/2016 06:07 PM
Subject: [cf-dev] Re: Re: Re: Re: Re: Re: How to listen to space deletion
events?




Hi Piotr,

Yes, that is correct, deleting recursively will delete service instances
and apps.


Thanks,

Nick

On Tue, Jun 28, 2016 at 2:45 PM, Piotr Przybylski <piotrp(a)us.ibm.com> wrote:

Hi Nicholas,
is that behavior influenced by the 'recursive' flag on the Space
DELETE request?
Also, does the CC stop and delete applications in the deleted space?
How is that influenced by the 'recursive' flag?

Thank you,

Piotr

Piotr Przybylski, IBM Bluemix



From: Nicholas Calugar <ncalugar(a)pivotal.io>
To: "Discussions about Cloud Foundry projects and the system overall."
<cf-dev(a)lists.cloudfoundry.org>
Date: 06/28/2016 11:51 AM
Subject: [cf-dev] Re: Re: Re: Re: How to listen to space deletion
events?




Hi Padma,

Apologies for the delay. In the case of a space with a service
instance, if the space is deleted, the Cloud Controller sends a deprovision
request to the service broker. The broker is responsible for properly
handling the deprovision; what other cleanup do you have in mind?


-Nick

On Sun, Jun 19, 2016 at 4:42 PM, Padmashree B <padmashree.b(a)sap.com> wrote:
Hi,

Any suggestion on this?

Thanks,
Padma



--
Nicholas Calugar
Product Manager - Cloud Foundry API
Pivotal Software, Inc.








Re: Spring OAuth not retrieving scopes from UAA

Bryan Perino
 

I don't have to modify the client registration YAML, do I? Here it is for brevity:

https://gist.github.com/bryantp/359249dfe2a40860c3a6f5489f9924bd


Re: Spring OAuth not retrieving scopes from UAA

Bryan Perino
 

I am not using a DB currently, everything is in memory. I usually just restart UAA to make the changes take effect.


Re: Spring OAuth not retrieving scopes from UAA

Madhura Bhave
 

I suspect that the client did not get updated with the uaa.admin scope. Can you check the database to see if the client has that scope? It would be in the oauth_client_details table. If it hasn't been updated, you can add override: true in the client configuration in uaa.yml and restart the UAA.

On Jun 28, 2016, at 8:34 PM, Bryan Perino <Bryan.Perino(a)gmail.com> wrote:

I must be doing something wrong. I added some scopes that belong to the user to the client definition, but they won't show up on the authorization page.

http://i.imgur.com/iSSpsNz.png

Here is the updated YML

https://gist.github.com/bryantp/2bfc4538f36f28ba285fda84c59b89f8#file-uaa-yml-L11

Line 62 has the user with the scopes uaa.user and uaa.admin, so uaa.admin should show up in the authorization page right?


Re: How to listen to space deletion events?

Piotr Przybylski <piotrp@...>
 

Hi Nicholas,
What happens to applications if the recursive flag is not passed? Will
delete fail if there are apps in the space, or will delete succeed? In
the latter case, what is the state of these applications?

Piotr

Piotr Przybylski | IBM Bluemix




From: Nicholas Calugar <ncalugar(a)pivotal.io>
To: "Discussions about Cloud Foundry projects and the system
overall." <cf-dev(a)lists.cloudfoundry.org>
Date: 06/28/2016 06:07 PM
Subject: [cf-dev] Re: Re: Re: Re: Re: Re: How to listen to space
deletion events?



Hi Piotr,

Yes, that is correct, deleting recursively will delete service instances
and apps.


Thanks,

Nick

On Tue, Jun 28, 2016 at 2:45 PM, Piotr Przybylski <piotrp(a)us.ibm.com>
wrote:
Hi Nicholas,
is that behavior influenced by the 'recursive' flag on the Space DELETE
request?
Also, does the CC stop and delete applications in the deleted space? How
is that influenced by the 'recursive' flag?

Thank you,

Piotr

Piotr Przybylski, IBM Bluemix



From: Nicholas Calugar <ncalugar(a)pivotal.io>
To: "Discussions about Cloud Foundry projects and the system overall." <
cf-dev(a)lists.cloudfoundry.org>
Date: 06/28/2016 11:51 AM
Subject: [cf-dev] Re: Re: Re: Re: How to listen to space deletion events?




Hi Padma,

Apologies for the delay. In the case of a space with a service instance,
if the space is deleted, the Cloud Controller sends a deprovision request
to the service broker. The broker is responsible for properly handling
the deprovision; what other cleanup do you have in mind?


-Nick

On Sun, Jun 19, 2016 at 4:42 PM, Padmashree B <padmashree.b(a)sap.com>
wrote:
Hi,

Any suggestion on this?

Thanks,
Padma



--
Nicholas Calugar
Product Manager - Cloud Foundry API
Pivotal Software, Inc.









Concerns on the "unique_id" in the service metadata

Ponraj E
 

Hi Colleagues,

I have some concerns on the unique_id in the service metadata.

1. The API docs (http://apidocs.cloudfoundry.org/237/services/retrieve_a_particular_service.html) say unique_id is "A "guid" that identifies the service with the broker". But if one visits the catalog-metadata page (http://docs.cloudfoundry.org/services/catalog-metadata.html, see "Example Cloud Controller Response Body"), the unique_id values seem to be strings containing characters and numbers (not only GUIDs). So there is a little bit of confusion as to what the unique_id value type is. The apidocs documentation could be updated for better clarity.

2. Secondly, in the space summary retrieval (http://apidocs.cloudfoundry.org/237/spaces/get_space_summary.html), the unique_id is not part of the service details metadata that is returned. Any particular reason why?

Thanks for the help.

Regards,
Ponraj


Re: How should I debug a blobstore error?

Eyal Shalev
 

Hello Amit,
Regarding your above post, I have followed those instructions exactly in my cluster, besides the fact that I called my SYSTEM_DOMAIN "sysdomain" to make it more easily searchable in logs later (I have had to read a lot of log files to debug errors; "sys" is not a good string to grep for as it turns up too many times...)

My stub configuration is as such:
properties:
  domain: 10.60.18.186.xip.io
  system_domain: sysdomain.10.60.18.186.xip.io
  system_domain_organization: sysdomainorg.10.60.18.186.xip.io
  app_domains:
  - appsdomain.10.60.18.186.xip.io

However, the problem looks like a problem in the instructions.
When I follow your new instructions I immediately get a 404 which I did not get beforehand:
ubuntu(a)cf-installer:~/cloudfoundry-stubs$ cf api api.sysdomain.api.10.60.18.186.xip.io --skip-ssl-validation
Setting api endpoint to api.sysdomain.api.10.60.18.186.xip.io...
FAILED
Server error, status code: 404, error code: 0, message:

What's more, I have read the instructions on using the API which are linked from your documentation ( http://docs.cloudfoundry.org/cf-cli/getting-started.html and https://github.com/cloudfoundry/cli ). They do not give explicit instructions about which node is the API node, but when I look at the example, it says nothing about accessing it through the system domain.
Also, when I used "cf api api.10.60.18.186.xip.io" on the global domain (as in the doc example) I did not get a 404.
Please copy-paste the above to see that there is no 404 on the original CLI command.

So it does not seem plausible that the problem is as you describe it.


Re: Spring OAuth not retrieving scopes from UAA

Bryan Perino
 

I must be doing something wrong. I added some scopes that belong to the user to the client definition, but they won't show up on the authorization page.

http://i.imgur.com/iSSpsNz.png

Here is the updated YML

https://gist.github.com/bryantp/2bfc4538f36f28ba285fda84c59b89f8#file-uaa-yml-L11

Line 62 has the user with the scopes uaa.user and uaa.admin, so uaa.admin should show up in the authorization page right?


Re: How to listen to space deletion events?

Nicholas Calugar
 

Hi Piotr,

Yes, that is correct, deleting recursively will delete service instances
and apps.


Thanks,

Nick

On Tue, Jun 28, 2016 at 2:45 PM, Piotr Przybylski <piotrp(a)us.ibm.com> wrote:

Hi Nicholas,
is that behavior influenced by the 'recursive' flag on the Space DELETE
request?
Also, does the CC stop and delete applications in the deleted space? How
is that influenced by the 'recursive' flag?

Thank you,

Piotr

Piotr Przybylski, IBM Bluemix



From: Nicholas Calugar <ncalugar(a)pivotal.io>
To: "Discussions about Cloud Foundry projects and the system overall." <
cf-dev(a)lists.cloudfoundry.org>
Date: 06/28/2016 11:51 AM
Subject: [cf-dev] Re: Re: Re: Re: How to listen to space deletion events?



Hi Padma,

Apologies for the delay. In the case of a space with a service instance,
if the space is deleted, the Cloud Controller sends a deprovision request
to the service broker. The broker is responsible for properly handling the
deprovision; what other cleanup do you have in mind?


-Nick

On Sun, Jun 19, 2016 at 4:42 PM, Padmashree B <padmashree.b(a)sap.com> wrote:

Hi,

Any suggestion on this?

Thanks,
Padma




--
Nicholas Calugar
Product Manager - Cloud Foundry API
Pivotal Software, Inc.




Re: Emitting service instance logs to dopplr

Dr Nic Williams <drnicwilliams@...>
 

Mike, sorry didn't mean to infer the broker is a cf app. Your example is what I'm asking about. I haven't played with dropsonde clients yet; will investigate. Thanks!



_____________________________
From: Mike Youngstrom <youngm(a)gmail.com>
Sent: Wednesday, June 29, 2016 7:33 AM
Subject: [cf-dev] Re: Re: Emitting service instance logs to dopplr
To: Discussions about Cloud Foundry projects and the system overall. <cf-dev(a)lists.cloudfoundry.org>


I'm not sure I understand your question. We have several brokers that write to loggregator. We just use the app guid passed in when binding and log messages using a dropsonde client library for the platform we are using.
This wouldn't work if your broker is also a CF app; is that your case?
Mike
On Tue, Jun 28, 2016 at 3:10 PM, Dr Nic Williams <drnicwilliams(a)gmail.com> wrote:
If not via dopplr, can you please share the "state of the art" for how your service brokers are exposing backend logs to end users?
Nic





On Tue, Jun 28, 2016 at 9:41 AM +1000, "Dr Nic Williams" <drnicwilliams(a)gmail.com> wrote:

Has anyone implemented (and has some sample code/OSS project for) a service broker implementation that emits logs/events back into dopplr for each service binding's app?
Nic
