Date
1 - 13 of 13
Spring OAuth not retrieving scopes from UAA
|
Bryan Perino
Hello All,
Brand new to Cloud Foundry. I have hooked up a Spring Cloud Application to a UAA server and gotten it to authenticate properly. However, I noticed that none of the scopes that I defined in uaa.yml for the user are showing up in the resource server backend. Here is a link to the debugging session of what I can see: http://imgur.com/6wTYpQD Here is the code I am debugging: @RequestMapping("/") public Message home(OAuth2Authentication principal) { System.out.println(principal.getName()); return new Message("Hello World"); } The screenshot is the value of the 'principal' variable. I have set the Spring Security yml variables for the resource server like so: security: oauth2: resource: userInfoUri: http://localhost:8080/uaa/userinfo and here is the relevant parts from the uaa.yml: https://gist.github.com/bryantp/2bfc4538f36f28ba285fda84c59b89f8 Thanks for any help. |
|
|
|
Madhura Bhave
Hi Brian,
toggle quoted message
Show quoted text
The scopes that end up in the access token are the intersection of the client scopes and the user scopes. Which oauth client have you configured your spring cloud application with? Thanks, Madhura On Jun 27, 2016, at 2:57 PM, Bryan Perino <Bryan.Perino(a)gmail.com> wrote: |
|
|
|
Bryan Perino
It's a custom client that I wrote (Just a Spring Application). Here is the YAML file that configures the client:
https://gist.github.com/bryantp/82111bbcbc0db8be701b389fd0f490e9 |
|
|
|
Madhura Bhave
Ok, so the oauth-client that is registered with the UAA for this
application (app) only has the openid scope. If you want this client to be able to request other scopes on behalf of the user you would need to add them to the list of scopes on this client in the uaa.yml. This is where you would add them: https://gist.github.com/bryantp/2bfc4538f36f28ba285fda84c59b89f8#file-uaa-yml-L17 On Tue, Jun 28, 2016 at 9:13 AM, Bryan Perino <Bryan.Perino(a)gmail.com> wrote: It's a custom client that I wrote (Just a Spring Application). Here is the |
|
|
|
Bryan Perino
I must be doing something wrong. I added some scopes that belong to the user to the client definition, but they won't show up on the authorization page.
http://i.imgur.com/iSSpsNz.png Here is the updated YML https://gist.github.com/bryantp/2bfc4538f36f28ba285fda84c59b89f8#file-uaa-yml-L11 Line 62 has the user with the scopes uaa.user and uaa.admin, so uaa.admin should show up in the authorization page right? |
|
|
|
Madhura Bhave
I suspect that the client did not get updated with the uaa.admin scope. Can you check the database to see if the client has that scope? It would be in the oauth_client_details table. If it hasn't been updated, you can add override: true in the client configuration in uaa.yml and restart the UAA.
toggle quoted message
Show quoted text
On Jun 28, 2016, at 8:34 PM, Bryan Perino <Bryan.Perino(a)gmail.com> wrote: |
|
|
|
Bryan Perino
I am not using a DB currently, everything is in memory. I usually just restart UAA to make the changes take effect.
|
|
|
|
Bryan Perino
I don't have to modify the client registration YAMl do I? Here is it for brevity:
https://gist.github.com/bryantp/359249dfe2a40860c3a6f5489f9924bd |
|
|
|
Madhura Bhave
Can you send me the full request to /oauth/authorize when you get to the
authorization page? You should be able to find it in the Network tab. On Wed, Jun 29, 2016 at 10:29 AM, Bryan Perino <Bryan.Perino(a)gmail.com> wrote: I don't have to modify the client registration YAMl do I? Here is it for |
|
|
|
Bryan Perino
There are 3 requests to /oauth/authorize. I have saved all 3 as HAR files.
https://dl.dropboxusercontent.com/u/4177525/har-files.zip |
|
|
|
Madhura Bhave
So it looks like if the scope name starts with `uaa.` we ignore it at the
time of app authorization. I will create a story in our backlog to investigate why that is the case. As a workaround if you want the scope to end up in the access token you can autoapprove that scope in the client configuration in uaa.yml. Example: https://github.com/cloudfoundry/uaa-release/blob/develop/jobs/uaa/spec#L256 On Wed, Jun 29, 2016 at 2:00 PM, Bryan Perino <Bryan.Perino(a)gmail.com> wrote: There are 3 requests to /oauth/authorize. I have saved all 3 as HAR files. |
|
|
|
Bryan Perino
Thanks! I am not sure if it makes a difference, but I can also specify the scope in the client config:
https://gist.github.com/bryantp/4b3dadb17c620d301109859fd92c4539#file-application-yml-L16 The request URL then becomes: http://localhost:8080/uaa/oauth/authorize?client_id=myApp&redirect_uri=http://localhost:8081/login&response_type=code&scope=uaa.admin%20openid&state=QUHpO2 Full HAR file: https://dl.dropboxusercontent.com/u/4177525/request-with-scopes.har However, I still only get the OpenID auth/scope on the UAA auth page. |
|
|
|
Madhura Bhave
The request to /oauth/authorize takes in a scope parameter where you can
specify which scopes you want in your access token. That is what adding the scope in application.yml did. If you don't specify any scope parameter to that request you get all the scopes that both the client and user have in common. So in your case, http://localhost:8080/uaa/oauth/authorize?client_id=myApp&redirect_uri=http://localhost:8081/login&response_type=code&scope=uaa.admin%20openid&state=QUHpO2 and http://localhost:8080/uaa/oauth/authorize?client_id=myApp&redirect_uri=http://localhost:8081/login&response_type=code&state=QUHpO2 <http://localhost:8080/uaa/oauth/authorize?client_id=myApp&redirect_uri=http://localhost:8081/login&response_type=code&scope=uaa.admin%20openid&state=QUHpO2> will end up with the same result. The reason why uaa.admin does not show up on the authorization page in both cases is because the UAA ignores scopes with a prefix of `uaa.` when asking the user to authorize the scopes. On Wed, Jun 29, 2016 at 3:04 PM, Bryan Perino <Bryan.Perino(a)gmail.com> wrote: Thanks! I am not sure if it makes a difference, but I can also specify the |
|
|