UAA api /introspect does not seem to be workign as expected #uaa


Shetty, Viraj S [CTR]
 

Hi All, 

We are using UAA version 74.14.0 

We have a UAA installation for our internal applications in cloudfoundry environment. We have been having a problem in verifying the oauth token (JWT token) using the /introspect token, but cannot seem to see the reason. I tried a test using postman. 

1. created a client with authority uaa.resource. See properties below. It has the uaa.resource authority. 

    scope: uaa.none
    resource_ids: none
    authorized_grant_types: client_credentials
    autoapprove:
    access_token_validity: 300
    authorities: uaa.resource

2. Generate a token for a user to test verification. 
3. Using postman, I tried to call /introspect api with the "Authorization: Basic ..." (this is deprecated). But this call worked fine and I was able to see the token in returned json. 
4. Using postman, I tried to call /introspect api with the "Authorization: Bearer {token}". This call failed with an error  

{
    "error""access_denied",
    "error_description""Access is denied"
}

I checked the bearer token and made sure that the scope has uaa.resource in there

"scope": [ "uaa.resource" ],

It looks like the /introspect call succeeds with "Authorization: basic .." but not "Authorization: bearer ..". 

Let me know what I am missing. I followed the API docs and I dont think I am missing any other authorithy for the client. 

Any help is appreciated. 

Thanks,
Viraj 



Shetty, Viraj S [CTR]
 

I increased the logging for the UAA and found this exception. The error message is "User is not anonymous". Any idea what this could mean? 

09-10T17:34:55.74-0400 [APP/PROC/WEB/0] OUT [2020-09-10 21:34:55.742] uaa - 25 [http-nio-8080-exec-9] .... DEBUG --- FilterSecurityInterceptor: Secure object: FilterInvocation: URL: /introspect; Attributes: [#oauth2.throwOnError(hasAuthority('uaa.resource'))]
   2020-09-10T17:34:55.74-0400 [APP/PROC/WEB/0] OUT [2020-09-10 21:34:55.743] uaa - 25 [http-nio-8080-exec-9] .... DEBUG --- FilterSecurityInterceptor: Previously Authenticated: org.cloudfoundry.identity.uaa.oauth.UaaOauth2Authentication@2e8b9cef: Principal: 7dafcb10-ca4b-4470-ae97-f632553a180d; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=167.176.6.240, tokenType=BearertokenValue=<TOKEN>; Granted Authorities: password.write, scim.userids, scim.me, openid, oauth.approvals, uaa.offline_token, profile, roles, user_attributes, uaa.user
   2020-09-10T17:34:55.74-0400 [APP/PROC/WEB/0] OUT [2020-09-10 21:34:55.744] uaa - 25 [http-nio-8080-exec-9] .... DEBUG --- AffirmativeBased: Voter: org.springframework.security.web.access.expression.WebExpressionVoter@3ac662ba, returned: -1
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT [2020-09-10 21:34:55.746] uaa - 25 [http-nio-8080-exec-9] .... DEBUG --- ExceptionTranslationFilter: Access is denied (user is not anonymous); delegating to AccessDeniedHandler
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT org.springframework.security.access.AccessDeniedException: Access is denied
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~[spring-security-core-5.2.1.RELEASE.jar:5.2.1.RELEASE]
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233) ~[spring-security-core-5.2.1.RELEASE.jar:5.2.1.RELEASE]
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:123) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:118) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.web.servletapi.SecurityCo


Jeremy Morony
 

Hi Viraj,

From the details provided it looks like the call to /introspect might be using the user's token in the authorize header instead of a client token.

A successful curl request looks like:

curl -X POST http://uaa.example.com/instropect - H "Authorization: bearer client-token" -d "token=user-token"

Hope this helps.

  Jeremy.



From: cf-dev@... <cf-dev@...> on behalf of Shetty, Viraj S [CTR] via lists.cloudfoundry.org <vshetty=fdic.gov@...>
Sent: Thursday, September 10, 2020 2:58 PM
To: cf-dev@... <cf-dev@...>
Subject: Re: [cf-dev] UAA api /introspect does not seem to be workign as expected #uaa
 
I increased the logging for the UAA and found this exception. The error message is "User is not anonymous". Any idea what this could mean? 

09-10T17:34:55.74-0400 [APP/PROC/WEB/0] OUT [2020-09-10 21:34:55.742] uaa - 25 [http-nio-8080-exec-9] .... DEBUG --- FilterSecurityInterceptor: Secure object: FilterInvocation: URL: /introspect; Attributes: [#oauth2.throwOnError(hasAuthority('uaa.resource'))]
   2020-09-10T17:34:55.74-0400 [APP/PROC/WEB/0] OUT [2020-09-10 21:34:55.743] uaa - 25 [http-nio-8080-exec-9] .... DEBUG --- FilterSecurityInterceptor: Previously Authenticated: org.cloudfoundry.identity.uaa.oauth.UaaOauth2Authentication@2e8b9cef: Principal: 7dafcb10-ca4b-4470-ae97-f632553a180d; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=167.176.6.240, tokenType=BearertokenValue=<TOKEN>; Granted Authorities: password.write, scim.userids, scim.me, openid, oauth.approvals, uaa.offline_token, profile, roles, user_attributes, uaa.user
   2020-09-10T17:34:55.74-0400 [APP/PROC/WEB/0] OUT [2020-09-10 21:34:55.744] uaa - 25 [http-nio-8080-exec-9] .... DEBUG --- AffirmativeBased: Voter: org.springframework.security.web.access.expression.WebExpressionVoter@3ac662ba, returned: -1
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT [2020-09-10 21:34:55.746] uaa - 25 [http-nio-8080-exec-9] .... DEBUG --- ExceptionTranslationFilter: Access is denied (user is not anonymous); delegating to AccessDeniedHandler
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT org.springframework.security.access.AccessDeniedException: Access is denied
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~[spring-security-core-5.2.1.RELEASE.jar:5.2.1.RELEASE]
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233) ~[spring-security-core-5.2.1.RELEASE.jar:5.2.1.RELEASE]
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:123) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:118) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
   2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.web.servletapi.SecurityCo


Shetty, Viraj S [CTR]
 

Hi Jeremy, 

Thanks for taklng the time to respond. Really appreciate it. 

I have double checked this many times. From Postman, I saw the request that is being sent and checked the bearer token to see the token scopes. The token contains the following (i added uaa.admin just as a test later)  

  "scope": [
    "uaa.resource",
    "uaa.admin"
],
  "grant_type": "client_credentials",

The request looks all fine.

Is there any configuration needed at the endpoints? I see the following configuration for /introspect from resource-endpoints.xml

    <http name="introspectSecurity" pattern="/introspect" create-session="stateless"
          entry-point-ref="basicAuthenticationEntryPoint"
          authentication-manager-ref="clientAuthenticationManager" use-expressions="true"
          xmlns="http://www.springframework.org/schema/security">
        <intercept-url pattern="/**" access="hasAuthority('uaa.resource')"/>
        <anonymous enabled="false"/>
        <custom-filter ref="oauthWithoutResourceAuthenticationFilter" position="PRE_AUTH_FILTER"/>
        <custom-filter ref="clientAuthenticationFilter" position="BASIC_AUTH_FILTER"/>
        <expression-handler ref="oauthWebExpressionHandler"/>
        <access-denied-handler ref="oauthAccessDeniedHandler"/>
        <csrf disabled="true"/>
    </http>
Should there be one for Bearer token ? Not sure. 

As per the API docs for 74.14.0, 

Authorization One of the following authentication/authorization mechanisms:
  • Bearer token for a registered client with authority uaa.resource   [Recommended]
  • Basic authentication using client_id / client_secret for a registered client with authority uaa.resource   [Deprecated]
If both bearer token and basic auth credentials are provided, only the bearer token will be used.

Thanks,
Viraj 


Shetty, Viraj S [CTR]
 

Jeremy, 

I upgraded to the latest UAA version 74.24.0 and I still see the same issue. Is there something I can provide from logs that might help ? 

Thanks,
Viraj 


Jeremy Morony
 

Hi Viraj,

I couldn't replicate the issue you've described.  While logs are always helpful, more helpful would be a small set up replicating the issue. For example, this is what I did to replicate your issue using the UAA in development:

./gradlew clean run
uaac target http://localhost:8080/uaa
uaac token client get admin
uaac client add introspect-test --scope uaa.none --authorized_grant_types client_credentials --authorities uaa.resource
uaac token owner get cf marissa -p koala --scope uaa.user
uaac contexts #extract marissa's access token
uaac token client get introspect-test
uaac curl --trace /introspect -X POST -d "token=marissas-access-token"

200
RESPONSE HEADERS:
<snip>
RESPONSE BODY:
{
  "active": true // other claims omitted
}


From: cf-dev@... <cf-dev@...> on behalf of Shetty, Viraj S [CTR] via lists.cloudfoundry.org <vshetty=fdic.gov@...>
Sent: Friday, September 11, 2020 12:44 PM
To: cf-dev@... <cf-dev@...>
Subject: Re: [cf-dev] UAA api /introspect does not seem to be workign as expected #uaa
 
Jeremy, 

I upgraded to the latest UAA version 74.24.0 and I still see the same issue. Is there something I can provide from logs that might help ? 

Thanks,
Viraj 


Shetty, Viraj S [CTR]
 

Hi Jeremy, 

Thanks for that testcase. I followed your testcase on our UAA Server except with one change; since we are setup with MFA, I used the uaac token sso to get Marissas token. The UAA app version is 74.24.0 and the UAAC version is 4.2.0. You can see I got the access denied error that I received with Postman. I attached snippet of the log errors. Also, I upgraded to UAA 74.24.0 by downloading source from https://github.com/cloudfoundry/uaa/archive/v74.24.0.zip  and compiling it using gradle. I am wondering if I am doing something incorrect during installation. Next I will try with a brand new intallation and see if that works. 


----- Command entered -----

COMMAND> uaac version
UAA client 4.2.0
 
COMMAND> uaac info
Unknown key: Max-Age = 86400
  app
    version: 74.24.0
{truncated} 
 
COMMAND> uaac token client get admin
Client secret:  ************************
 
Successfully fetched token via client credentials grant.
Target: https://*****************
Context: admin, from client admin
 
 
COMMAND> uaac client add introspect-test --scope uaa.none --authorized_grant_types client_credentials --authorities uaa.resource
New client secret:  ***************
Verify new client secret:  ***************
  scope: uaa.none
  client_id: introspect-test
  resource_ids: none
  authorized_grant_types: client_credentials
  autoapprove:
  authorities: uaa.resource
  name: introspect-test
  required_user_groups:
  lastmodified: 1600268652000
  id: introspect-test
  
PS C:\Users\vshetty\source\repos\pservices-cyberark-api\bin> uaac user add marissa --given_name marissa --family_name koala
 --emails marisa@...
Password:  *****
Verify password:  *****
user account successfully added
 
COMMAND> uaac token sso get seswt-uaa-cli
Client secret:
Passcode (from https://********/passcode):  ******
 
Successfully fetched token via owner passcode grant.
Target: https://***************
Context: marissa, from client seswt-uaa-cli
 
COMMAND> uaac context marissa
{ captured Marissa's token }
 
COMMAND> uaac token client get introspect-test
Client secret:  ***************
{ double checked that the token has the uaa.resource scope }

Successfully fetched token via client credentials grant.
Target: https://**************
Context: introspect-test, from client introspect-test
 
# MARISSA-TOKEN is actual token 
COMMAND> uaac curl --trace /introspect -X POST -d "token=MARISSA-TOKEN"
POST https://*****/introspect
REQUEST BODY: "token=MARISSA-TOKEN"
 
403 Forbidden
RESPONSE HEADERS:
  Date: Wed, 16 Sep 2020 15:18:29 GMT
  Content-Type: application/json
  Transfer-Encoding: chunked
  Connection: close
  Vary: Accept-Encoding
  Cache-Control: no-store
  Pragma: no-cache
  Strict-Transport-Security: max-age=31536000 ; includeSubDomains
  X-Content-Type-Options: nosniff
  X-Vcap-Request-Id: 86dbda61-e43d-43e9-650f-2150836c4ea0
  X-Xss-Protection: 1; mode=block
  X-Frame-Options: DENY
RESPONSE BODY:
{
  "error": "access_denied",
  "error_description": "Access is denied"
}

--- Log file contents --- 

   2020-09-16T11:55:55.44-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.448] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- JdbcTemplate: Executing prepared SQL query
   2020-09-16T11:55:55.44-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.448] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- JdbcTemplate: Executing prepared SQL statement [select id,version,created,lastmodified,name,subdomain,description,config,active from identity_zone where subdomain=? and active = ?]
   2020-09-16T11:55:55.44-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.449] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- DataSourceUtils: Fetching JDBC Connection from DataSource
   2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.451] uaa - 40 [http-nio-8080-exec-5] .... TRACE --- StatementCreatorUtils: Setting SQL statement parameter value: column index 1, parameter value [], value class [java.lang.String], SQL type unknown
   2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.451] uaa - 40 [http-nio-8080-exec-5] .... TRACE --- StatementCreatorUtils: Setting SQL statement parameter value: column index 2, parameter value [true], value class [java.lang.Boolean], SQL type unknown
   2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.458] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 7 of 20 in additional filter chain; firing Filter: 'DisableIdTokenResponseTypeFilter'
   2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.458] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- DisableIdTokenResponseTypeFilter: Processing id_token disable filter
   2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.458] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- DisableIdTokenResponseTypeFilter: pre id_token disable:false pathinfo:null request_uri:/introspect response_type:null
   2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.458] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- DisableIdTokenResponseTypeFilter: post id_token disable:false pathinfo:null request_uri:/introspect response_type:null
   2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.458] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 8 of 20 in additional filter chain; firing Filter: 'HttpsEnforcementFilter'
   2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.459] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- SecurityFilterChainPostProcessor$HttpsEnforcementFilter: Filter chain 'introspectSecurity' processing request POST /introspect
   2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.459] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 9 of 20 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
   2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.459] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 10 of 20 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
   2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.459] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 11 of 20 in additional filter chain; firing Filter: 'HeaderWriterFilter'
   2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.459] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 12 of 20 in additional filter chain; firing Filter: 'OAuth2AuthenticationProcessingFilter'
   2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.459] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- SESSION_LOGGER: No session found by id: Caching result for getSession(false) for this HttpServletRequest.
   2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.462] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- JdbcTemplate: Executing prepared SQL query
   2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.463] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- JdbcTemplate: Executing prepared SQL statement [select client_id, client_secret, resource_ids, scope, authorized_grant_types, web_server_redirect_uri, authorities, access_token_validity, refresh_token_validity, additional_information, autoapprove, lastmodified, required_user_groups from oauth_client_details where client_id = ? and identity_zone_id = ?]
   2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.463] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- DataSourceUtils: Fetching JDBC Connection from DataSource
   2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.464] uaa - 40 [http-nio-8080-exec-5] .... TRACE --- StatementCreatorUtils: Setting SQL statement parameter value: column index 1, parameter value [introspect-test], value class [java.lang.String], SQL type unknown
   2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.464] uaa - 40 [http-nio-8080-exec-5] .... TRACE --- StatementCreatorUtils: Setting SQL statement parameter value: column index 2, parameter value [uaa], value class [java.lang.String], SQL type unknown
   2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- OAuth2AuthenticationProcessingFilter: Authentication success: org.cloudfoundry.identity.uaa.oauth.UaaOauth2Authentication@37a34f31: Principal: introspect-test; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=167.176.6.240, tokenType=BearertokenValue=<TOKEN>; Granted Authorities: password.write, scim.userids, scim.me, openid, oauth.approvals, uaa.offline_token, profile, roles, user_attributes, uaa.user
   2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 13 of 20 in additional filter chain; firing Filter: 'IdentityZoneSwitchingFilter'
   2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 14 of 20 in additional filter chain; firing Filter: 'DisableUserManagementSecurityFilter'
   2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 15 of 20 in additional filter chain; firing Filter: 'DisableInternalUserManagementFilter'
   2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 16 of 20 in additional filter chain; firing Filter: 'ClientBasicAuthenticationFilter'
   2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 17 of 20 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
   2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 18 of 20 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
   2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 19 of 20 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
   2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.467] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterSecurityInterceptor: Secure object: FilterInvocation: URL: /introspect; Attributes: [#oauth2.throwOnError(hasAuthority('uaa.resource'))]
   2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.467] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterSecurityInterceptor: Previously Authenticated: org.cloudfoundry.identity.uaa.oauth.UaaOauth2Authentication@37a34f31: Principal: introspect-test; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=167.176.6.240, tokenType=BearertokenValue=<TOKEN>; Granted Authorities: password.write, scim.userids, scim.me, openid, oauth.approvals, uaa.offline_token, profile, roles, user_attributes, uaa.user
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.499] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- AffirmativeBased: Voter: org.springframework.security.web.access.expression.WebExpressionVoter@17088b23, returned: -1
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.500] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- ReloadableResourceBundleMessageSource: Loading properties [messages.properties]
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.503] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- ReloadableResourceBundleMessageSource: No properties file found for [classpath:messages_en] - neither plain properties nor XML
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.504] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- ReloadableResourceBundleMessageSource: No properties file found for [classpath:messages_en_US] - neither plain properties nor XML
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.505] uaa - 40 [http-nio-8080-exec-5] .... TRACE --- DefaultListableBeanFactory: Returning cached instance of singleton bean 'scimUserBootstrap'
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.505] uaa - 40 [http-nio-8080-exec-5] .... TRACE --- DefaultListableBeanFactory: Returning cached instance of singleton bean 'delegatingApplicationListener'
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.505] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- ExceptionTranslationFilter: Access is denied (user is not anonymous); delegating to AccessDeniedHandler
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT org.springframework.security.access.AccessDeniedException: Access is denied
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~[spring-security-core-5.3.2.RELEASE.jar:5.3.2.RELEASE]
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233) ~[spring-security-core-5.3.2.RELEASE.jar:5.3.2.RELEASE]
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:123) ~[spring-security-web-5.3.2.RELEASE.jar:5.3.2.RELEASE]
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90) ~[spring-security-web-5.3.2.RELEASE.jar:5.3.2.RELEASE]
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.3.2.RELEASE.jar:5.3.2.RELEASE]
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:118) [spring-security-web-5.3.2.RELEASE.jar:5.3.2.RELEASE]
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.3.2.RELEASE.jar:5.3.2.RELEASE]
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:158) [spring-security-web-5.3.2.RELEASE.jar:5.3.2.RELEASE]
   2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChai


Shetty, Viraj S [CTR]
 

Jeremy, 

Thanks for your help ! I found what the problem was. 

I ran a local copy of the UAA on my laptop, pointing to the cloud database and ran your testcases; it all worked as expected ! I was able to use the /introspect endpoint with the bearer token. 

So, I started comparing the differences in the uaa.yml file (default and our yaml) and found that the problem was the setting in my uaa.yml file which excluded authorities in the tokens. 

    claims:
      exclude:
        - authorities

The default uaa.yml had this commented and I just uncommented it while deploying our UAA  When I removed this setting, I am able to use the /introspect with the bearer token. I could also see that the token for the client introspect-test now has the authorities set as below. Looks like the UAA code is looking at "authorities" claim and not the "scope" claim.  Is that expected ?

  "authorities": [
    "uaa.resource"
  ],
  "scope": [
    "uaa.resource"
  ],

I am just wondering why that option (exclude authorities) is there in the first place and if removing that option affects
anything else.

Thanks,
Viraj