
UAA not working with external Oauth2 IDP

See original GitHub issue

What version of UAA are you running?

UAA 4.10.0

What output do you see from curl <YOUR_UAA>/info -H'Accept: application/json'?

{
  "app": {"version": "4.10.0"},
  "showLoginLinks": true,
  "links": {
    "uaa": "http://localhost:8080/uaa",
    "passwd": "/forgot_password",
    "login": "http://localhost:8080/uaa",
    "register": "/create_account"
  },
  "zone_name": "uaa",
  "entityID": "uaa-8080-saml",
  "commit_id": "a4132cb",
  "idpDefinitions": {},
  "prompts": {
    "username": ["text", "Email"],
    "password": ["password", "Password"],
    "passcode": ["password", "One Time Code ( Get one at http://localhost:8080/uaa/passcode )"]
  },
  "timestamp": "2018-02-06T18:24:36+0000"
}

How are you deploying the UAA?

I am deploying the UAA

  • As a WAR file downloaded from the Maven repository.

What did you do?

I am trying to set up GitHub as an external OAuth2 identity provider with the UAA. Here is what I did:

  1. Created a new OAuth app at: https://github.com/settings/applications/new
  2. Configured UAA to set up GitHub as an external OAuth2 IDP with the below configuration in uaa.yml:

     login:
       oauth:
         providers:
           github:
             type: oauth2.0
             authUrl: https://github.com/login/oauth/authorize
             tokenUrl: https://github.com/login/oauth/access_token
             userInfoUrl: https://api.github.com/user
             scopes:
               - openid
               - email
             linkText: Login with Github
             showLinkText: true
             addShadowUserOnLogin: true
             relyingPartyId: $My-clientId
             relyingPartySecret: $My-clientSecret
             skipSslValidation: true
             clientAuthInBody: true
             attributeMappings:
               user_name: email

What did you expect to see? What goal are you trying to achieve with the UAA?

I want to be logged in via an external OAuth2 IDP configured in UAA. When I go to the UAA I see the link 'Login with Github'. After clicking the link I am redirected to GitHub. After a successful login at GitHub I expect to be logged in to the UAA.

What did you see instead?

After successfully logging in to GitHub I am redirected back to UAA with the below message: "There was an error when authenticating against the external identity provider: NullPointerException"

Please include UAA logs if available.

[2018-04-03 10:21:27.186] cloudfoundry-identity-server - ??? [http-apr-8080-exec-6] … ERROR — XOAuthAuthenticationFilter: XOauth Authentication exception
java.lang.NullPointerException
        at org.cloudfoundry.identity.uaa.login.AccountSavingAuthenticationSuccessHandler.setSavedAccountOptionCookie(AccountSavingAuthenticationSuccessHandler.java:52)
        at org.cloudfoundry.identity.uaa.provider.oauth.XOAuthAuthenticationFilter.lambda$authenticationWasSuccessful$0(XOAuthAuthenticationFilter.java:94)
        at java.util.Optional.ifPresent(Optional.java:159)
        at org.cloudfoundry.identity.uaa.provider.oauth.XOAuthAuthenticationFilter.authenticationWasSuccessful(XOAuthAuthenticationFilter.java:93)
        at org.cloudfoundry.identity.uaa.provider.oauth.XOAuthAuthenticationFilter.doFilter(XOAuthAuthenticationFilter.java:59)
        at

Here is my analysis so far. Below is the request and response from UAA to acquire an access token from GitHub:

Request: https://github.com/login/oauth/access_token
Parameters: grant_type=authorization_code&response_type=token&code=72a22a2d404f6061aa2f&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fuaa%2Flogin%2Fcallback%2Fgithub&client_id=$My-clientId&client_secret=$My-clientSecret

Response: {access_token=I-get-here-valid-access-token, token_type=bearer, scope=}

At this point UAA tries to fetch ‘access_token’ from the response here: https://github.com/cloudfoundry/uaa/blob/4.10.0/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/XOAuthAuthenticationManager.java#L569

But it seems the method getResponseType returns 'token' instead of 'access_token' and hence the lookup fails. Please see below: https://github.com/cloudfoundry/uaa/blob/4.10.0/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/XOAuthAuthenticationManager.java#L389

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Reactions: 4
  • Comments: 6 (3 by maintainers)

Top GitHub Comments

1 reaction
tnwang commented, Apr 4, 2018

Thanks for the detailed analysis and example of properly set-up IdP configurations.

I think a lot of this is historical inertia for OAuth being a pure authorization protocol, not an authentication protocol. OpenID Connect ID tokens have been the replacement to represent authentication on top of OAuth 2.0.

It does appear that UAA could support OAuth 2.0 if the token followed the JWT spec. UAA appears to be parsing the token for claims assuming that it's a JWT ID Token, even when the default token config is used.

What should be happening is that if the token is not parseable as JWT, UAA should be taking the value, and performing a call out to the User Info endpoint configured, and grabbing the user values from that response instead of from the token claims. That logic would be placed likely around https://github.com/cloudfoundry/uaa/blob/4.10.0/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/XOAuthAuthenticationManager.java#L448-L456.
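The lookup the issue's analysis traces and the userinfo fallback proposed in the comment above, as an added Python example that is not UAA's code (UAA is Java). The function names, the `origin` and `claims_source` keys, the `fetch_userinfo(url, access_token)` callback, and every token response and userinfo payload are this example's own constructions. It shows why a GitHub-style token response, which carries only an opaque `access_token`, yields nothing when the response-type word is used as the key, and how preferring an `id_token` when present and otherwise sending the access token to the configured `userInfoUrl` produces the mapped `user_name` for both OIDC and plain OAuth2 providers, failing with a clear error instead of a null when the mapped attribute is absent:

```python
import base64
import json
from typing import Callable, Optional

# Constructed provider definition using the keys from the issue's uaa.yml;
# "origin" is an assumed key naming the provider.
GITHUB_PROVIDER = {
    "origin": "github",
    "type": "oauth2.0",
    "userInfoUrl": "https://api.github.com/user",
    "attributeMappings": {"user_name": "email"},
}

# Constructed token response with the shape quoted in the issue:
# an opaque access_token and no id_token.
GITHUB_TOKEN_RESPONSE = {"access_token": "gho_constructedOpaqueToken", "token_type": "bearer", "scope": ""}


def make_jwt_fixture(claims: dict) -> str:
    """Build a JWT-shaped string for the OIDC case.  The signature segment is a
    placeholder: this constructs a test fixture, it does not sign anything."""
    def b64(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'kid': 'constructed'})}.{b64(claims)}.placeholder-signature"


# Constructed OIDC-style token response: the claims live in the id_token.
OIDC_TOKEN_RESPONSE = {
    "access_token": "opaque-access-token",
    "id_token": make_jwt_fixture({"iss": "https://idp.example", "sub": "42", "email": "alice@example.com"}),
    "token_type": "bearer",
}


def select_token_by_response_type(token_response: dict, response_type: str):
    """The lookup the issue describes: the response-type word is used directly as
    the key into the token response.  GitHub returns no key named "token", so this
    yields None, which is what later surfaces as the NullPointerException."""
    return token_response.get(response_type)


def jwt_claims_unverified(token: str) -> Optional[dict]:
    """Return the payload of a JWT-shaped token, or None if it is not one.
    Shape detection only: no signature check, so a real login filter must still
    verify the token against the provider's published keys before trusting it."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        payload = base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4))
        claims = json.loads(payload)
    except ValueError:  # bad base64, bad UTF-8 or bad JSON all subclass ValueError
        return None
    return claims if isinstance(claims, dict) else None


def resolve_external_user(provider: dict, token_response: dict,
                          fetch_userinfo: Callable[[str, str], dict]) -> dict:
    """Take claims from the id_token when the provider issued one (OIDC); otherwise,
    as proposed in the thread, send the opaque access token to the configured
    userinfo endpoint.  fetch_userinfo(url, access_token) is an injected callback."""
    id_token = token_response.get("id_token")
    if id_token is not None:
        claims = jwt_claims_unverified(id_token)
        if claims is None:
            raise ValueError("id_token present but not a JWT")
        source = "id_token"
    else:
        access_token = token_response.get("access_token")
        if not access_token:
            raise ValueError("token response has neither id_token nor access_token")
        claims = jwt_claims_unverified(access_token)
        source = "access_token"
        if claims is None:
            claims = fetch_userinfo(provider["userInfoUrl"], access_token)
            source = "userinfo"

    user = {"origin": provider["origin"], "claims_source": source}
    for uaa_attr, external_attr in provider["attributeMappings"].items():
        value = claims.get(external_attr)
        if value in (None, ""):
            # Fail here with a clear message rather than carrying a null onward,
            # e.g. when the provider exposes no email for the account mapped to user_name.
            raise ValueError(f"no '{external_attr}' in claims for mapped attribute '{uaa_attr}'")
        user[uaa_attr] = value
    return user


def fake_github_userinfo(url: str, access_token: str) -> dict:
    """Constructed stand-in for GET https://api.github.com/user with a bearer token."""
    assert url == GITHUB_PROVIDER["userInfoUrl"]
    assert access_token == GITHUB_TOKEN_RESPONSE["access_token"]
    return {"login": "constructed-user", "id": 1, "email": "user@example.com"}


if __name__ == "__main__":
    print(select_token_by_response_type(GITHUB_TOKEN_RESPONSE, "token"))
    print(resolve_external_user(GITHUB_PROVIDER, GITHUB_TOKEN_RESPONSE, fake_github_userinfo))
    print(resolve_external_user(GITHUB_PROVIDER, OIDC_TOKEN_RESPONSE, fake_github_userinfo))
```

The example assumes the token and userinfo requests travel over TLS with certificate validation on; the uaa.yml in the issue sets skipSslValidation: true, which github.com does not require and which would let anyone positioned on the network hand the login filter a token response of their choosing.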

0 reactions
bgandon commented, Dec 7, 2020

Hello all, I have made a patch for this issue with some unit tests for basic code coverage. Turns out plain OAuth2 was never really supported for IDPs, as the implementation only supported OIDC. All 4600+ tests are passing. The working code is in this repo/branch: https://github.com/gstackio/uaa/tree/feature/github-oauth2 and the forked uaa-release that uses it is here: https://github.com/gstackio/gk-uaa-boshrelease/tree/feature/github-oauth2 Finally, I've deployed the forked release in my own Gstack sandbox Cloud Foundry, and the real-life GitHub authentication works fine. I'll push a PR soon. Best, Benjamin

Edit: see PR #1463!
