UAA api /introspect does not seem to be working as expected #uaa
Shetty, Viraj S [CTR]
Hi All,
We are using UAA version 74.14.0. We have a UAA installation for our internal applications in a Cloud Foundry environment. We have been having a problem verifying the OAuth token (JWT token) using the /introspect API, but cannot seem to see the reason. I tried a test using Postman.
1. Created a client with authority uaa.resource. See properties below. It has the uaa.resource authority.
scope: uaa.none
resource_ids: none
authorized_grant_types: client_credentials
autoapprove:
access_token_validity: 300
authorities: uaa.resource
2. Generated a token for a user to test verification.
3. Using Postman, I tried to call the /introspect API with "Authorization: Basic ..." (this is deprecated). This call worked fine and I was able to see the token in the returned JSON.
4. Using Postman, I tried to call the /introspect API with "Authorization: Bearer {token}". This call failed with an error:
{
"error": "access_denied",
"error_description": "Access is denied"
}
I checked the bearer token and made sure that the scope has uaa.resource in there: "scope": [ "uaa.resource" ]. It looks like the /introspect call succeeds with "Authorization: Basic ..." but not with "Authorization: Bearer ...". Let me know what I am missing. I followed the API docs and I don't think I am missing any other authority for the client. Any help is appreciated. Thanks, Viraj
I increased the logging for the UAA and found this exception. The error message is "User is not anonymous". Any idea what this could mean?
09-10T17:34:55.74-0400 [APP/PROC/WEB/0] OUT [2020-09-10 21:34:55.742] uaa - 25 [http-nio-8080-exec-9] .... DEBUG --- FilterSecurityInterceptor: Secure object: FilterInvocation: URL: /introspect; Attributes: [#oauth2.throwOnError(hasAuthority('uaa.resource'))]
2020-09-10T17:34:55.74-0400 [APP/PROC/WEB/0] OUT [2020-09-10 21:34:55.744] uaa - 25 [http-nio-8080-exec-9] .... DEBUG --- AffirmativeBased: Voter: org.springframework.security.web.access.expression.WebExpressionVoter@3ac662ba, returned: -1
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT [2020-09-10 21:34:55.746] uaa - 25 [http-nio-8080-exec-9] .... DEBUG --- ExceptionTranslationFilter: Access is denied (user is not anonymous); delegating to AccessDeniedHandler
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT org.springframework.security.access.AccessDeniedException: Access is denied
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~[spring-security-core-5.2.1.RELEASE.jar:5.2.1.RELEASE]
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233) ~[spring-security-core-5.2.1.RELEASE.jar:5.2.1.RELEASE]
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:123) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:118) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.servletapi.SecurityCo
Jeremy Morony
Hi Viraj,
From the details provided it looks like the call to /introspect might be using the user's token in the authorize header instead of a client token.
A successful curl request looks like:
curl -X POST http://uaa.example.com/introspect -H "Authorization: bearer client-token" -d "token=user-token"
Hope this helps. Jeremy.
From: cf-dev@... <cf-dev@...> on behalf of Shetty, Viraj S [CTR] via lists.cloudfoundry.org <vshetty=fdic.gov@...>
Sent: Thursday, September 10, 2020 2:58 PM To: cf-dev@... <cf-dev@...> Subject: Re: [cf-dev] UAA api /introspect does not seem to be working as expected #uaa I increased the logging for the UAA and found this exception. The error message is "User is not anonymous". Any idea what this could mean?
09-10T17:34:55.74-0400 [APP/PROC/WEB/0] OUT [2020-09-10 21:34:55.742] uaa - 25 [http-nio-8080-exec-9] .... DEBUG --- FilterSecurityInterceptor: Secure object: FilterInvocation: URL: /introspect; Attributes: [#oauth2.throwOnError(hasAuthority('uaa.resource'))]
2020-09-10T17:34:55.74-0400 [APP/PROC/WEB/0] OUT [2020-09-10 21:34:55.743] uaa - 25 [http-nio-8080-exec-9] .... DEBUG --- FilterSecurityInterceptor: Previously Authenticated: org.cloudfoundry.identity.uaa.oauth.UaaOauth2Authentication@2e8b9cef: Principal:
7dafcb10-ca4b-4470-ae97-f632553a180d; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=167.176.6.240, tokenType=BearertokenValue=<TOKEN>; Granted Authorities: password.write, scim.userids, scim.me, openid, oauth.approvals, uaa.offline_token,
profile, roles, user_attributes, uaa.user
2020-09-10T17:34:55.74-0400 [APP/PROC/WEB/0] OUT [2020-09-10 21:34:55.744] uaa - 25 [http-nio-8080-exec-9] .... DEBUG --- AffirmativeBased: Voter: org.springframework.security.web.access.expression.WebExpressionVoter@3ac662ba, returned: -1
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT [2020-09-10 21:34:55.746] uaa - 25 [http-nio-8080-exec-9] .... DEBUG --- ExceptionTranslationFilter: Access is denied (user is not anonymous); delegating to AccessDeniedHandler
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT org.springframework.security.access.AccessDeniedException: Access is denied
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~[spring-security-core-5.2.1.RELEASE.jar:5.2.1.RELEASE]
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233) ~[spring-security-core-5.2.1.RELEASE.jar:5.2.1.RELEASE]
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:123) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:118) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.servletapi.SecurityCo
Shetty, Viraj S [CTR]
Hi Jeremy,
Thanks for taking the time to respond. Really appreciate it. I have double checked this many times. From Postman, I saw the request that is being sent and checked the bearer token to see the token scopes. The token contains the following (I added uaa.admin just as a test later):
"scope": [
"uaa.resource",
"uaa.admin"
],
"grant_type": "client_credentials",
The request looks all fine. Is there any configuration needed at the endpoints? I see the following configuration for /introspect from resource-endpoints.xml:
<http name="introspectSecurity" pattern="/introspect" create-session="stateless"
entry-point-ref="basicAuthenticationEntryPoint"
authentication-manager-ref="clientAuthenticationManager" use-expressions="true"
xmlns="http://www.springframework.org/schema/security">
<intercept-url pattern="/**" access="hasAuthority('uaa.resource')"/>
<anonymous enabled="false"/>
<custom-filter ref="oauthWithoutResourceAuthenticationFilter" position="PRE_AUTH_FILTER"/>
<custom-filter ref="clientAuthenticationFilter" position="BASIC_AUTH_FILTER"/>
<expression-handler ref="oauthWebExpressionHandler"/>
<access-denied-handler ref="oauthAccessDeniedHandler"/>
<csrf disabled="true"/>
</http>
As per the API docs for 74.14.0,
Thanks, Viraj
Shetty, Viraj S [CTR]
Jeremy,
I upgraded to the latest UAA version 74.24.0 and I still see the same issue. Is there something I can provide from logs that might help? Thanks, Viraj
Jeremy Morony
Hi Viraj,
I couldn't replicate the issue you've described. While logs are always helpful, more helpful would be a small set up replicating the issue. For example, this is what I did to replicate your issue using the UAA in development:
uaac target http://localhost:8080/uaa
uaac token client get admin
uaac client add introspect-test --scope uaa.none --authorized_grant_types client_credentials --authorities uaa.resource
uaac token owner get cf marissa -p koala --scope uaa.user
uaac contexts #extract marissa's access token
uaac token client get introspect-test
uaac curl --trace /introspect -X POST -d "token=marissas-access-token"
200
RESPONSE HEADERS:
<snip>
RESPONSE BODY:
{
"active": true // other claims omitted
}
Hi Jeremy,
Thanks for that test case. I followed your test case on our UAA server with one change: since we are set up with MFA, I used uaac token sso to get Marissa's token. The UAA app version is 74.24.0 and the UAAC version is 4.2.0. You can see I got the access denied error that I received with Postman. I attached a snippet of the log errors. Also, I upgraded to UAA 74.24.0 by downloading the source from https://github.com/cloudfoundry/uaa/archive/v74.24.0.zip and compiling it using Gradle. I am wondering if I am doing something incorrect during installation. Next I will try with a brand new installation and see if that works.
----- Command entered -----
COMMAND> uaac version
UAA client 4.2.0
COMMAND> uaac info
Unknown key: Max-Age = 86400
app
version: 74.24.0
{truncated}
COMMAND> uaac token client get admin
Client secret: ************************
Successfully fetched token via client credentials grant.
Target: https://*****************
Context: admin, from client admin
COMMAND> uaac client add introspect-test --scope uaa.none --authorized_grant_types client_credentials --authorities uaa.resource
New client secret: ***************
Verify new client secret: ***************
scope: uaa.none
client_id: introspect-test
resource_ids: none
authorized_grant_types: client_credentials
autoapprove:
authorities: uaa.resource
name: introspect-test
required_user_groups:
lastmodified: 1600268652000
id: introspect-test
PS C:\Users\vshetty\source\repos\pservices-cyberark-api\bin> uaac user add marissa --given_name marissa --family_name koala
--emails marisa@...
Password: *****
Verify password: *****
user account successfully added
COMMAND> uaac token sso get seswt-uaa-cli
Client secret:
Passcode (from https://********/passcode): ******
Successfully fetched token via owner passcode grant.
Target: https://***************
Context: marissa, from client seswt-uaa-cli
COMMAND> uaac context marissa
{ captured Marissa's token }
COMMAND> uaac token client get introspect-test
Client secret: ***************
{ double checked that the token has the uaa.resource scope }
Successfully fetched token via client credentials grant.
Target: https://**************
Context: introspect-test, from client introspect-test
# MARISSA-TOKEN is actual token
COMMAND> uaac curl --trace /introspect -X POST -d "token=MARISSA-TOKEN"
POST https://*****/introspect
REQUEST BODY: "token=MARISSA-TOKEN"
403 Forbidden
RESPONSE HEADERS:
Date: Wed, 16 Sep 2020 15:18:29 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Cache-Control: no-store
Pragma: no-cache
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Content-Type-Options: nosniff
X-Vcap-Request-Id: 86dbda61-e43d-43e9-650f-2150836c4ea0
X-Xss-Protection: 1; mode=block
X-Frame-Options: DENY
RESPONSE BODY:
{
"error": "access_denied",
"error_description": "Access is denied"
}
--- Log file contents ---
2020-09-16T11:55:55.44-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.448] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- JdbcTemplate: Executing prepared SQL query
2020-09-16T11:55:55.44-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.448] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- JdbcTemplate: Executing prepared SQL statement [select id,version,created,lastmodified,name,subdomain,description,config,active from identity_zone where subdomain=? and active = ?]
2020-09-16T11:55:55.44-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.449] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- DataSourceUtils: Fetching JDBC Connection from DataSource
2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.451] uaa - 40 [http-nio-8080-exec-5] .... TRACE --- StatementCreatorUtils: Setting SQL statement parameter value: column index 1, parameter value [], value class [java.lang.String], SQL type unknown
2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.451] uaa - 40 [http-nio-8080-exec-5] .... TRACE --- StatementCreatorUtils: Setting SQL statement parameter value: column index 2, parameter value [true], value class [java.lang.Boolean], SQL type unknown
2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.458] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 7 of 20 in additional filter chain; firing Filter: 'DisableIdTokenResponseTypeFilter'
2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.458] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- DisableIdTokenResponseTypeFilter: Processing id_token disable filter
2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.458] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- DisableIdTokenResponseTypeFilter: pre id_token disable:false pathinfo:null request_uri:/introspect response_type:null
2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.458] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- DisableIdTokenResponseTypeFilter: post id_token disable:false pathinfo:null request_uri:/introspect response_type:null
2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.458] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 8 of 20 in additional filter chain; firing Filter: 'HttpsEnforcementFilter'
2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.459] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- SecurityFilterChainPostProcessor$HttpsEnforcementFilter: Filter chain 'introspectSecurity' processing request POST /introspect
2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.459] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 9 of 20 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.459] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 10 of 20 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.459] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 11 of 20 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.459] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 12 of 20 in additional filter chain; firing Filter: 'OAuth2AuthenticationProcessingFilter'
2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.459] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- SESSION_LOGGER: No session found by id: Caching result for getSession(false) for this HttpServletRequest.
2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.462] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- JdbcTemplate: Executing prepared SQL query
2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.463] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- JdbcTemplate: Executing prepared SQL statement [select client_id, client_secret, resource_ids, scope, authorized_grant_types, web_server_redirect_uri, authorities, access_token_validity, refresh_token_validity, additional_information, autoapprove, lastmodified, required_user_groups from oauth_client_details where client_id = ? and identity_zone_id = ?]
2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.463] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- DataSourceUtils: Fetching JDBC Connection from DataSource
2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.464] uaa - 40 [http-nio-8080-exec-5] .... TRACE --- StatementCreatorUtils: Setting SQL statement parameter value: column index 1, parameter value [introspect-test], value class [java.lang.String], SQL type unknown
2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.464] uaa - 40 [http-nio-8080-exec-5] .... TRACE --- StatementCreatorUtils: Setting SQL statement parameter value: column index 2, parameter value [uaa], value class [java.lang.String], SQL type unknown
2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- OAuth2AuthenticationProcessingFilter: Authentication success: org.cloudfoundry.identity.uaa.oauth.UaaOauth2Authentication@37a34f31: Principal: introspect-test; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=************, tokenType=BearertokenValue=; Granted Authorities: password.write, scim.userids, scim.me, openid, oauth.approvals, uaa.offline_token, profile, roles, user_attributes, uaa.user
2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 13 of 20 in additional filter chain; firing Filter: 'IdentityZoneSwitchingFilter'
2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 14 of 20 in additional filter chain; firing Filter: 'DisableUserManagementSecurityFilter'
2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 15 of 20 in additional filter chain; firing Filter: 'DisableInternalUserManagementFilter'
2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 16 of 20 in additional filter chain; firing Filter: 'ClientBasicAuthenticationFilter'
2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 17 of 20 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 18 of 20 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 19 of 20 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.467] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterSecurityInterceptor: Secure object: FilterInvocation: URL: /introspect; Attributes: [#oauth2.throwOnError(hasAuthority('uaa.resource'))]
2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.467] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterSecurityInterceptor: Previously Authenticated: org.cloudfoundry.identity.uaa.oauth.UaaOauth2Authentication@37a34f31: Principal: introspect-test; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=**************, tokenType=BearertokenValue=; Granted Authorities: password.write, scim.userids, scim.me, openid, oauth.approvals, uaa.offline_token, profile, roles, user_attributes, uaa.user
2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.499] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- AffirmativeBased: Voter: org.springframework.security.web.access.expression.WebExpressionVoter@17088b23, returned: -1
2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.500] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- ReloadableResourceBundleMessageSource: Loading properties [messages.properties]
2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.503] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- ReloadableResourceBundleMessageSource: No properties file found for [classpath:messages_en] - neither plain properties nor XML
2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.504] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- ReloadableResourceBundleMessageSource: No properties file found for [classpath:messages_en_US] - neither plain properties nor XML
2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.505] uaa - 40 [http-nio-8080-exec-5] .... TRACE --- DefaultListableBeanFactory: Returning cached instance of singleton bean 'scimUserBootstrap'
2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.505] uaa - 40 [http-nio-8080-exec-5] .... TRACE --- DefaultListableBeanFactory: Returning cached instance of singleton bean 'delegatingApplicationListener'
2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.505] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- ExceptionTranslationFilter: Access is denied (user is not anonymous); delegating to AccessDeniedHandler
2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT org.springframework.security.access.AccessDeniedException: Access is denied
2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~[spring-security-core-5.3.2.RELEASE.jar:5.3.2.RELEASE]
2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233) ~[spring-security-core-5.3.2.RELEASE.jar:5.3.2.RELEASE]
2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:123) ~[spring-security-web-5.3.2.RELEASE.jar:5.3.2.RELEASE]
2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90) ~[spring-security-web-5.3.2.RELEASE.jar:5.3.2.RELEASE]
2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.3.2.RELEASE.jar:5.3.2.RELEASE]
2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:118) [spring-security-web-5.3.2.RELEASE.jar:5.3.2.RELEASE]
2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.3.2.RELEASE.jar:5.3.2.RELEASE]
2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:158) [spring-security-web-5.3.2.RELEASE.jar:5.3.2.RELEASE]
2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChai
Shetty, Viraj S [CTR]
Jeremy,
Thanks for your help! I found what the problem was. I ran a local copy of the UAA on my laptop, pointing to the cloud database, and ran your test cases; it all worked as expected! I was able to use the /introspect endpoint with the bearer token. So, I started comparing the differences in the uaa.yml file (default and our yaml) and found that the problem was the setting in my uaa.yml file which excluded authorities in the tokens:
claims:
exclude:
- authorities
The default uaa.yml had this commented out and I just uncommented it while deploying our UAA. When I removed this setting, I am able to use /introspect with the bearer token. I could also see that the token for the client introspect-test now has the authorities set as below. Looks like the UAA code is looking at the "authorities" claim and not the "scope" claim. Is that expected?
"authorities": [
"uaa.resource"
],
"scope": [
"uaa.resource"
],
I am just wondering why that option (exclude authorities) is there in the first place and if removing that option affects anything else. Thanks, Viraj
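To make the root cause concrete, here is an added pre-flight check (my own example, not code from this thread or from UAA) that inspects the token you are about to put in the Authorization header for /introspect and reports the three failure modes the thread walks through: a user token where a client token is needed, a client_credentials token whose "authorities" claim was stripped by claims.exclude, and a client token that simply lacks uaa.resource. The sample tokens and their signature segments are constructed; the check reads only the payload and does not verify the signature (UAA does that server-side), so it is a diagnostic for a token you already hold, not a validator.

```python
import base64
import json

# The /introspect filter chain in resource-endpoints.xml demands
#   <intercept-url pattern="/**" access="hasAuthority('uaa.resource')"/>
# and hasAuthority() is evaluated against the token's "authorities" claim,
# not its "scope" claim.
REQUIRED_AUTHORITY = "uaa.resource"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs omit."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. No signature check: this
    is a diagnostic on a token you already hold, UAA verifies it on receipt."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_introspect_token(token: str) -> str:
    """Explain why UAA would reject this token on /introspect, or return 'ok'."""
    claims = jwt_claims(token)
    if claims.get("grant_type") != "client_credentials" or "user_id" in claims:
        return "wrong-token: user token presented; /introspect needs a client_credentials token"
    if "authorities" not in claims:
        return "authorities-claim-missing: check uaa.yml for 'claims: exclude: [authorities]'"
    if REQUIRED_AUTHORITY not in claims["authorities"]:
        return f"missing-authority: client lacks {REQUIRED_AUTHORITY} (scope claim is not consulted)"
    return "ok"


def _constructed_jwt(payload: dict) -> str:
    """Build a demo token for the given payload. The header and signature
    segment are constructed placeholders; only the payload matters here."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.c2ln"


# Constructed sample tokens mirroring the three situations in the thread.
USER_TOKEN = _constructed_jwt({
    "client_id": "cf", "user_id": "constructed-user-id", "user_name": "marissa",
    "grant_type": "password", "scope": ["openid", "uaa.user"],
})
CLIENT_TOKEN_AUTHORITIES_EXCLUDED = _constructed_jwt({
    "client_id": "introspect-test", "grant_type": "client_credentials",
    "scope": ["uaa.resource"],            # "authorities" stripped by claims.exclude
})
CLIENT_TOKEN_OK = _constructed_jwt({
    "client_id": "introspect-test", "grant_type": "client_credentials",
    "scope": ["uaa.resource"], "authorities": ["uaa.resource"],
})

if __name__ == "__main__":
    for name, tok in [("user token", USER_TOKEN),
                      ("client token, authorities excluded", CLIENT_TOKEN_AUTHORITIES_EXCLUDED),
                      ("client token, authorities present", CLIENT_TOKEN_OK)]:
        print(f"{name}: {diagnose_introspect_token(tok)}")
```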