
Client creation endpoint does not accept two secrets to support rotation

See original GitHub issue

In the UAA API Documentation for the Client Create endpoint, it is mentioned that two secrets can be used (delimited with a space) for a single client:

client_secret - A secret string used for authenticating as this client. To support secret rotation this can be a space-delimited string of two secrets.

However, if two secrets delimited with a space character are used, the UAA does not split them and neither of them works.

What version of UAA are you running?

What output do you see from curl <YOUR_UAA>/info -H'Accept: application/json'?

{
  "app": {
    "version": "v75.5.0"
  }
  ...
}

How are you deploying the UAA?

I am deploying the UAA

  • locally only using gradlew

What did you do?

Create a client with two secrets delimited with a space character:

 curl 'http://localhost/oauth/clients' -i -X POST \
    -H 'Content-Type: application/json' \
    -H 'Authorization: Bearer 3c44a1c0c4744d8996de460077ed37e2' \
    -H 'Accept: application/json' \
    -d '{
  "scope" : [ "clients.read", "clients.write" ],
  "client_id" : "NWDGM7",
  "client_secret" : "secret1 secret2",
  "resource_ids" : [ ],
  "authorized_grant_types" : [ "client_credentials" ],
  "redirect_uri" : [ "http://test1.com", "http://ant.path.wildcard/**/passback/*" ],
  "authorities" : [ "clients.read", "clients.write" ],
  "token_salt" : "3qJVLu",
  "autoapprove" : true,
  "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
  "name" : "My Client Name"
}'

Try to obtain a token using secret1 or secret2. Both fail with the error:

{
    "error": "unauthorized",
    "error_description": "Bad credentials"
}

However, if the secret "secret1 secret2" is used, the authorization succeeds.

What did you expect to see? What goal are you trying to achieve with the UAA?

I expected to be able to obtain a token using either of the two secrets, secret1 or secret2.

What did you see instead?

{
    "error": "unauthorized",
    "error_description": "Bad credentials"
}

Please include UAA logs if available.

[UAA_AUDIT] [2021-08-05T06:54:34.669545Z] uaa - 1 [http-nio-8080-exec-9] ....  INFO --- Audit: PrincipalAuthenticationFailure ('null'): principal=NWDGM7, origin=[192.168.65.3], identityZoneId=[xxx]
[UAA] [2021-08-05T06:54:34.669545Z] uaa - 1 [http-nio-8080-exec-9] ....  INFO --- Audit: PrincipalAuthenticationFailure ('null'): principal=NWDGM7, origin=[192.168.65.3], identityZoneId=[xxx]
[UAA_AUDIT] [2021-08-05T06:54:34.670204Z] uaa - 1 [http-nio-8080-exec-9] ....  INFO --- Audit: ClientAuthenticationFailure ('Bad credentials'): principal=NWDGM7, origin=[remoteAddress=192.168.65.3, clientId=NWDGM7], identityZoneId=[xxx]
[UAA] [2021-08-05T06:54:34.670204Z] uaa - 1 [http-nio-8080-exec-9] ....  INFO --- Audit: ClientAuthenticationFailure ('Bad credentials'): principal=NWDGM7, origin=[remoteAddress=192.168.65.3, clientId=NWDGM7], identityZoneId=[xxx]

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 6 (5 by maintainers)

Top GitHub Comments

1 reaction
tkurylek commented, Aug 13, 2021

Hi @strehle

Thanks a lot for the suggestions. I’m open to creating a PR for that.

I understand that fixing this issue on the client creation endpoint would break compatibility and thus there should be an extra parameter. Could you suggest any approach to this? I was thinking about:

  • adding a header that would work as a feature flag to split the given secrets. If the header is missing, the creation would work as before
  • adding a parameter to the uaa.yaml. If that parameter is set to true, we would split the secrets on the client creation endpoint; if not, it would work as before
  • extending org.springframework.security.oauth2.provider.ClientDetails to support another JSON property (e.g. “secondary_client_secret”) and accepting it in the client creation endpoint:
@RequestMapping(value = "/oauth/clients", method = RequestMethod.POST)
// ...
public ClientDetails createClientDetails(@RequestBody ClientDetailsCreation client) {
  // ...
}

Thank you for suggesting the mixed actions endpoint. Unfortunately the Mixed Actions endpoint does not support an action to ADD a secret. I would like to create a client with two secrets, so I tried:

[
  {
    "action": "add",
    "scope": [
      "openid"
    ],
    "client_secret": "secret1",
    "client_id": "client_id",
    "//": "(... other client details properties ...)"
  },
  {
    "action": "secret",
    "client_secret": "secret2",
    "client_id": "client_id"
  }
]

But that updates secret1 to secret2, and only secret2 works. This endpoint would have to support another action, like “add_secret”, which would make both secrets work.

In the end I have two options – both would work for us. I could:

  • fix the issue in client creation endpoint
  • add new action (“add_secret”) to the mixed actions endpoint.

I would greatly appreciate your input here.
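The following is an added illustration, not UAA's own code, of the secret-rotation contract the issue quotes from the documentation (a space-delimited `client_secret` of two secrets, either of which must authenticate) and of the add-then-retire overlap that the proposed “add_secret” action would enable. It is a self-contained Python model: the names `StoredClient`, `create_client`, `rotation_demo` and the `split_secrets` switch are assumptions made for this example, and the PBKDF2 hashing stands in for whatever the real server uses. With `split_secrets=False` the model reproduces the reported behaviour (the whole string is one secret); with `split_secrets=True` it implements the documented contract.

```python
"""Model of two-secret client authentication and rotation.

Example written for this page; not UAA code.  Each active secret is stored as
its own salted hash, and a presented secret is checked against every active
entry, so a rotation is: add the new secret, migrate callers, retire the old one.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MAX_SECRETS = 2  # the documented contract: at most two secrets per client


def _hash_secret(secret: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 is a stand-in for the server's real password hashing.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 20_000)


@dataclass
class StoredClient:
    client_id: str
    # one (salt, digest) pair per active secret
    secrets: list = field(default_factory=list)

    def add_secret(self, secret: str) -> None:
        if len(self.secrets) >= MAX_SECRETS:
            raise ValueError("at most two secrets may be active during rotation")
        salt = os.urandom(16)
        self.secrets.append((salt, _hash_secret(secret, salt)))

    def remove_secret(self, secret: str) -> bool:
        for i, (salt, digest) in enumerate(self.secrets):
            if hmac.compare_digest(digest, _hash_secret(secret, salt)):
                del self.secrets[i]
                return True
        return False

    def verify(self, presented: str) -> bool:
        # Check against every active entry with a constant-time comparison.
        ok = False
        for salt, digest in self.secrets:
            ok |= hmac.compare_digest(digest, _hash_secret(presented, salt))
        return ok


def create_client(client_id: str, client_secret: str, split_secrets: bool) -> StoredClient:
    """Model of the create endpoint.

    split_secrets=False stores the whole string as one secret (the behaviour the
    issue reports); split_secrets=True splits on a space per the documentation.
    """
    parts = client_secret.split(" ") if split_secrets else [client_secret]
    if len(parts) > MAX_SECRETS or any(p == "" for p in parts):
        raise ValueError("client_secret must be one or two non-empty secrets")
    client = StoredClient(client_id)
    for p in parts:
        client.add_secret(p)
    return client


def rotation_demo() -> dict:
    """Walk through the overlap rotation using the constructed values from the issue."""
    buggy = create_client("NWDGM7", "secret1 secret2", split_secrets=False)
    fixed = create_client("NWDGM7", "secret1 secret2", split_secrets=True)
    results = {
        "buggy_secret1": buggy.verify("secret1"),          # False: not split
        "buggy_joined": buggy.verify("secret1 secret2"),   # True: literal string
        "fixed_secret1": fixed.verify("secret1"),          # True
        "fixed_secret2": fixed.verify("secret2"),          # True
        "fixed_joined": fixed.verify("secret1 secret2"),   # False
    }
    # Finish the rotation: once every caller uses secret2, retire secret1.
    fixed.remove_secret("secret1")
    results["after_retire_secret1"] = fixed.verify("secret1")  # False
    results["after_retire_secret2"] = fixed.verify("secret2")  # True
    return results


if __name__ == "__main__":
    for name, outcome in rotation_demo().items():
        print(f"{name}: {outcome}")
```

The point of storing one hash per secret, rather than one hash of the joined string, is exactly what separates the documented behaviour from the reported one: with a single hash of "secret1 secret2" there is no way to accept either half, so rotation without downtime is impossible. Rejecting a third secret and empty parts keeps the overlap window bounded to the two secrets the documentation allows.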

1 reaction
tkurylek commented, Aug 6, 2021

Hi @strehle

This is how we currently work around this issue. But it would be better if it were possible to create a client with two secrets via a single HTTP call. This would make the client creation transactional. With two HTTP calls it’s very problematic to ensure data consistency.
