Issue with CF UAA OAuth2 redirect URI


Beth Tran
 

1. I have registered this client with CF as follows:
foo-client-id
  scope: cloud_controller_service_permissions.read openid
  resource_ids: none
  authorized_grant_types: refresh_token authorization_code
  redirect_uri: http://localhost:8080
  autoapprove:
  authorities: uaa.none
  name: foo-client-id
  lastmodified: 1487292160153
2. I have CF running.
3. I have a running webapp on port 80 with this application.yml:
security:
  oauth2:
    client:
      clientId: foo-client-id
      clientSecret: thesecret
      accessTokenUri: https://uaa.home.com
      userAuthorizationUri: https://login.home.com
      tokenName: oauth_token
      authenticationScheme: query
      clientAuthenticationScheme: form
4. Test as follows:
a. browser = localhost:8080
b. redirected to the Cloud Foundry login screen
c. log in with a valid CF account
d. the browser is redirected to
https://login.home.com/?client_id=foo-client-id&redirect_uri=http://localhost:8080/login&response_type=code&state=ICZeSn
e. displayed message: Cloud Foundry...Where To?
5. What I expected
I expect that after logging in at step 4c with a valid CF account, I should see the approval UI.
This does not happen.
Instead I get the above redirect URI and the "Where To?" message.
6. Is anything missing from my configuration? Thanks for any advice.


Gwenn Etourneau
 

Hi,
Please try using uaa endpoint in userAuthorizationUri instead of login one.

Thanks

On Mon, Jun 5, 2017 at 4:13 AM, Beth Tran <vsfss(a)yahoo.com> wrote:



Beth Tran
 

Gwenn
I've changed to the recommended "userAuthorizationUri: https://uaa.home.com"
and still have the same issue with the "redirect_uri" in the following URL, which
immediately follows the login step:

https://login.home.com/?client_id=foo-client-id&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Flogin&response_type=code&state=ICZeSn

Hope my info is clear, if not, please let me know, I'll explain it.
Thanks


Filip Hanik
 

Step 1: Are you using underscores, "_", where you are supposed to be using
hyphens, "-"?

https://github.com/cloudfoundry/uaa-release/blob/develop/jobs/uaa/spec#L282-L296

On Sun, Jun 4, 2017 at 12:13 PM, Beth Tran <vsfss(a)yahoo.com> wrote:



Beth Tran
 

Filip
I have taken out the redirect URI in the command used to register the OAuth2 client, and the
approval UI comes up as expected now.
The next step is for the http://localhost:8080 page to come up, but it redirects to the following URL
with an error:
http://localhost:8080/login?code=X2RAJD0seF&state=ZQWpxC
Not sure why my index.html does not display. Any idea?
Beth


Filip Hanik
 

http://localhost:8080/login?code=X2RAJD0seF&state=ZQWpxC

This means that the authorization portion on the UAA was completed. You have
a "code" that your application can exchange for a token.
Check your application logs for why the code is not being swapped. Turn on
debugging for Spring Security OAuth2.

Filip

On Sun, Jun 4, 2017 at 7:27 PM, Beth Tran <vsfss(a)yahoo.com> wrote:

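The two problems in this thread are both properties of the authorization-code flow rather than of Spring or UAA specifically: the client registered `http://localhost:8080` as its redirect_uri while the Spring client actually sends `http://localhost:8080/login`, and the `?code=...&state=...` callback is only half the flow, because the code still has to be exchanged at the token endpoint. The example below is added here to illustrate that; it is not code from the thread, from Spring Security OAuth2 or from UAA. The `/oauth/authorize` and `/oauth/token` paths, the exact-match redirect_uri rule, and the server-side client record are my assumptions for the example. Note that removing the redirect_uri from the client registration altogether (the workaround used in the thread) removes the server's ability to check where codes are delivered; registering the exact callback the client sends, `http://localhost:8080/login`, keeps that check in place. Separately, `authenticationScheme: query` makes Spring put the access token in a URL query parameter when it calls the userinfo endpoint, which tends to end up in access logs; `header` is the safer choice.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Client record shaped like the one registered in step 1 of the thread.
# The client id and redirect URI come from the thread; how the server uses
# them (exact matching, field names) is an assumption made for this example.
REGISTERED_CLIENT = {
    "client_id": "foo-client-id",
    "redirect_uris": ["http://localhost:8080"],
    "authorized_grant_types": ["authorization_code", "refresh_token"],
}


def redirect_uri_allowed(client, requested):
    """Authorization-server side: compare the requested redirect_uri with the
    registered values by exact string match (RFC 6749 sec. 3.1.2.3; the OAuth 2.0
    security BCP recommends exact matching, no prefix or wildcard logic).
    A registration of "http://localhost:8080" therefore does not authorize a
    callback to "http://localhost:8080/login"."""
    return requested in client["redirect_uris"]


def build_authorization_request(authorize_endpoint, client_id, redirect_uri, scopes):
    """Client side: the GET that starts the flow, plus the state value the
    client must store in the user's session to check the callback against."""
    state = secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{authorize_endpoint}?{urlencode(params)}", state


def parse_callback(callback_url, expected_state):
    """Client side: handle the redirect to /login?code=...&state=...
    The code is accepted only if state echoes the value kept in the session;
    otherwise an attacker could inject a code of their own (login CSRF)."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise RuntimeError(f"authorization failed: {query['error'][0]}")
    state = query.get("state", [""])[0]
    if not state or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: rejecting callback")
    return query["code"][0]


def build_token_request(token_endpoint, client_id, client_secret, code, redirect_uri):
    """Client side: the POST that swaps the code for tokens. With
    clientAuthenticationScheme: form the client credentials travel in the form
    body, and redirect_uri must repeat the value used in the first request."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }
    return {
        "method": "POST",
        "url": token_endpoint,
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode(body),
    }


if __name__ == "__main__":
    callback = "http://localhost:8080/login"  # what the Spring client really sends
    print("registered URI allows callback:",
          redirect_uri_allowed(REGISTERED_CLIENT, callback))  # False
    url, state = build_authorization_request(
        "https://uaa.home.com/oauth/authorize", "foo-client-id", callback, ["openid"])
    # Constructed callback, reusing the code value shown in the thread.
    code = parse_callback(f"{callback}?code=X2RAJD0seF&state={state}", state)
    req = build_token_request("https://uaa.home.com/oauth/token",
                              "foo-client-id", "thesecret", code, callback)
    print(req["body"])
```

Running it shows the redirect_uri check failing for the `/login` callback and the token-request body with `redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Flogin`, the same encoded form that appears in the URLs quoted in this thread.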


Beth Tran
 

Thanks for the tip, Filip. After looking at it for a while, it seems the following HTTPS setting causes an error: userInfoUri: https://uaa.home.com/userinfo, which the browser displays as

There was an unexpected error (type=Unauthorized, status=401).
Authentication Failed: Could not obtain access token

After some debugging, the cause of above error is
I/O error on POST request for "https://uaa.bosh-lite.com/oauth/token": sun.security.validator.ValidatorException:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target

I have configured the UI server with SSL, added the UI server certificate to the Java keystore, and rerun the test. I still get the same PKIX error.

Any tip is appreciated.


Beth Tran
 

It turns out that for some reason my SSL settings in application.yml do not work.
So I ran the Spring Boot client with the keystore/truststore given on the command line, and was able to authorize with CF's UAA.
The index page finally displays.
Thank you for all the helpful tips.

Beth


Filip Hanik
 

Glad you worked it out!

On Tue, Jun 6, 2017 at 9:49 AM, Beth Tran <vsfss(a)yahoo.com> wrote:
