
Cannot authenticate tokens using Identity Providers


I have 2 identity zones, idZone1 and idZone2. I have added an identity provider in idZone2 with URLs pointing to idZone1. The authentication still fails. How are tokens forwarded to the relevant identity providers for authentication? This is the code for adding the identity provider to idZone2:

```java
import org.cloudfoundry.uaa.identityproviders.CreateIdentityProviderRequest;
import org.cloudfoundry.uaa.identityproviders.OAuth2Configuration;
import org.cloudfoundry.uaa.identityproviders.Type;

// Register idZone1's UAA as an external OAuth 2.0 identity provider inside idZone2.
// The request is reactive: nothing is sent until the returned Mono is subscribed
// (e.g. with .block() or .subscribe()); doOnError only logs, it does not trigger it.
uaaClient.identityProviders().create(CreateIdentityProviderRequest.builder()
                .configuration(OAuth2Configuration.builder()
                        .authUrl("https://idZone1.uaa.system.sample.io/oauth/authorize")
                        .tokenKeyUrl("https://idZone1.uaa.system.sample.io/oauth/token_key")
                        .tokenUrl("https://idZone1.uaa.system.sample.io/oauth/token")
                        .checkTokenUrl("https://idZone1.uaa.system.sample.io/oauth/check_token")
                        .relyingPartyId("clientId")       // client registered in idZone1
                        .relyingPartySecret("clientSecret")
                        .showLinkText(false)
                        .skipSslVerification(cfProperties.getSkipSslVerification())
                        .build())
                .originKey("idZone1-id-provider")
                .name("idZone1-id-provider")
                .type(Type.OAUTH2)
                .build())
                .doOnError(r -> logger.info("error message: " + r.getMessage()));
```

The following is a GET on identity-providers in idZone2:

```json
[
    {
        "type": "oauth2.0",
        "config": "{\"emailDomain\":null,\"additionalConfiguration\":null,\"providerDescription\":null,\"externalGroupsWhitelist\":[],\"attributeMappings\":{},\"addShadowUserOnLogin\":true,\"storeCustomAttributes\":false,\"authUrl\":\"https://idZone1.uaa.system.sample.io/oauth/authorize\",\"tokenUrl\":\"https://idZone1.uaa.system.sample.io/oauth/token\",\"tokenKeyUrl\":\"https://idZone1.uaa.system.sample.io/oauth/token_key\",\"tokenKey\":null,\"linkText\":null,\"showLinkText\":false,\"skipSslValidation\":false,\"relyingPartyId\":\"clientId\",\"relyingPartySecret\":\"clientSecret\",\"scopes\":null,\"issuer\":null,\"responseType\":\"code\",\"checkTokenUrl\":\"https://idZone1.uaa.system.sample.io/oauth/check_token\"}",
        "id": "a66c546a-3ef1-4cca-b9d4-4602d0ba608e",
        "originKey": "idZone1-id-provider",
        "name": "idZone1-id-provider",
        "version": 0,
        "created": 1505326644000,
        "last_modified": 1505326644000,
        "active": true,
        "identityZoneId": "948f9ab3-b7a0-4c8a-9527-c728cfb6eead"
    },
    {
        "type": "uaa",
        "config": "{\"emailDomain\":null,\"additionalConfiguration\":null,\"providerDescription\":null,\"passwordPolicy\":{\"minLength\":10,\"maxLength\":255,\"requireUpperCaseCharacter\":0,\"requireLowerCaseCharacter\":0,\"requireDigit\":0,\"requireSpecialCharacter\":0,\"expirePasswordInMonths\":0,\"passwordNewerThan\":null},\"lockoutPolicy\":null,\"disableInternalUserManagement\":false}",
        "id": "6bd2c8f9-c401-4e55-a93b-055ce4c9714a",
        "originKey": "uaa",
        "name": "uaa",
        "version": 1,
        "created": 1505326643000,
        "last_modified": 1505326643000,
        "active": true,
        "identityZoneId": "948f9ab3-b7a0-4c8a-9527-c728cfb6eead"
    }
]
```

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Comments: 6 (2 by maintainers)

Top GitHub Comments

1 reaction
maikschoeneich commented, Nov 7, 2018

Tokens are not portable across zones, but you should be able to get a new token in zone2 for the user from zone1 using a client in zone2 if your idp configuration has been set up correctly.

I am currently asking myself how to set up the identity provider for this scenario correctly (in my special case for “oauth2.0”). Where can I find specific documentation on this?

1 reaction
jhamon commented, Sep 14, 2017

Tokens are not portable across zones, but you should be able to get a new token in zone2 for the user from zone1 using a client in zone2 if your idp configuration has been set up correctly.

Try this:

```shell
# Target your uaa
uaac target <YOUR_UAA>

# Get a token with admin privileges to create a new client
uaac token client get admin -s <admin_client_password>

# Create a password grant client in zone2
uaac client add testpasswordclient --authorized_grant_types password -s testsecret --scope scim.read --zone idZone2

# Target zone 2
uaac target https://idZone2.<YOUR_UAA>

# Attempt to get a token for the zone1 user in zone2
uaac token owner get testpasswordclient username -s testsecret -p password
```
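The point of the answer above is that a token is bound to the zone that issued it: idZone2 never "forwards" a zone1 token anywhere, so the user has to obtain a fresh token from idZone2's own `/oauth/token` endpoint, and a resource server in idZone2 can recognise a zone1 token by its claims. The following Python is an added example, not code from the issue thread, from UAA or from cf-java-client. It builds the same password-grant request that the `uaac token owner get` step sends, and it decodes a token's `iss` and `zid` claims to check which zone issued it. The hostnames, the client credentials and both sample tokens are constructed for the example; the zone id is the `identityZoneId` from the GET response in the question.

```python
"""Added example: obtain a zone-local token and check which zone issued it."""
import base64
import json
import urllib.parse
import urllib.request


def build_password_grant_request(zone_base_url, client_id, client_secret, username, password):
    """Return (url, headers, body) for the resource-owner password grant.

    This is what `uaac token owner get <client> <user> -s <secret> -p <pw>` sends.
    Targeting the zone's own subdomain is what makes zone2's UAA issue the token.
    """
    token_url = zone_base_url.rstrip("/") + "/oauth/token"
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": "Basic " + creds,            # client authenticates itself
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
        "response_type": "token",
    })
    return token_url, headers, body


def request_token(zone_base_url, client_id, client_secret, username, password):
    """Perform the grant over HTTP (needs a reachable UAA; not used offline)."""
    url, headers, body = build_password_grant_request(
        zone_base_url, client_id, client_secret, username, password)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def decode_jwt_claims(token):
    """Decode the JWT payload for inspection only; the signature is NOT verified.

    A real resource server must verify the signature against the issuing zone's
    /token_key before trusting any claim.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_belongs_to_zone(token, expected_issuer, expected_zone_id=None):
    """True only if the token was issued by the zone this server trusts.

    UAA sets `iss` to the issuing zone's /oauth/token URL and `zid` to the zone id,
    so a zone1 token presented in zone2 fails this check even if its signature
    could be verified: tokens are not portable across zones.
    """
    claims = decode_jwt_claims(token)
    if claims.get("iss") != expected_issuer:
        return False
    if expected_zone_id is not None and claims.get("zid") != expected_zone_id:
        return False
    return True


def _make_unsigned_jwt(claims):
    """Build a constructed sample token with a fake signature (test data only)."""
    def b64(raw):
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = b64(json.dumps({"alg": "RS256", "kid": "legacy-token-key"}).encode())
    return ".".join([header, b64(json.dumps(claims).encode()), "c2lnbmF0dXJl"])


# Constructed sample tokens (hostnames and user are assumptions; zid is the
# identityZoneId shown in the question's GET response).
ZONE2_ISSUER = "https://idZone2.uaa.system.sample.io/oauth/token"
ZONE2_ID = "948f9ab3-b7a0-4c8a-9527-c728cfb6eead"
ZONE1_TOKEN = _make_unsigned_jwt({
    "iss": "https://idZone1.uaa.system.sample.io/oauth/token",
    "zid": "zone1-id-placeholder", "origin": "uaa", "user_name": "alice"})
ZONE2_TOKEN = _make_unsigned_jwt({
    "iss": ZONE2_ISSUER, "zid": ZONE2_ID,
    "origin": "idZone1-id-provider", "user_name": "alice"})

if __name__ == "__main__":
    url, hdrs, body = build_password_grant_request(
        "https://idZone2.uaa.system.sample.io", "testpasswordclient", "testsecret",
        "username", "password")
    print("POST", url, body)
    for name, tok in (("zone1 token", ZONE1_TOKEN), ("zone2 token", ZONE2_TOKEN)):
        print(name, "accepted in zone2:", token_belongs_to_zone(tok, ZONE2_ISSUER, ZONE2_ID))
```

In the constructed zone2 token the `origin` claim carries the provider's `originKey` (`idZone1-id-provider`), which is how a shadow user created through the external provider is distinguished from a native `uaa` user; the `iss` and `zid` claims, not `origin`, are what tie the token to the zone.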
