
Unable to request oauth token for client in non-default identity zone


SECURITY NOTICE: If you have found a security problem in the UAA, please do not file a public github issue. Instead, please send an email to security@cloudfoundry.org

Thanks for taking the time to file an issue. You’ll minimize back and forth and help us help you more effectively by answering all of the following questions as specifically and completely as you can.

What version of UAA are you running?

{
  "app": {
    "version": "3.6.5"
  },
  "links": {
    "uaa": "http://localhost:8080/uaa",
    "passwd": "/forgot_password",
    "login": "http://localhost:8080/uaa",
    "register": "/create_account"
  },
  "zone_name": "uaa",
  "entityID": "cloudfoundry-saml-login",
  "commit_id": "83e1370",
  "idpDefinitions": {
    
  },
  "prompts": {
    "username": [
      "text",
      "Email"
    ],
    "password": [
      "password",
      "Password"
    ]
  },
  "timestamp": "2016-11-30T18:58:56+0100"
}

How are you deploying the UAA?

I am deploying the UAA on a remote server with the public hortonworks/cloudbreak-uaa:3.6.5 Docker image.

What did you do?

I created a new identity zone with Postman:

POST /identity-zones HTTP/1.1
Host: <ip address>:<port>
Content-Type: application/json
Authorization: Bearer <token>

{
  "id": "testzone1",
  "subdomain": "testzone1",
  "name": "Test Zone"
}

I received a success 201 Created. Then I created a client in that identity zone with Postman:

POST /oauth/clients HTTP/1.1
Host: <ip address>:<port>
Content-Type: application/json
Accept: application/json
Authorization: Bearer <token>
X-Identity-Zone-Id: testzone1

{
  "scope": [
    "password.write"
  ],
  "client_id": "testclient",
  "client_secret": "testsecret",
  "authorized_grant_types": [
    "client_credentials",
    "password",
    "refresh_token"
  ],
  "redirect_uri": [],
  "authorities": [
    "zones.testzone1.scim.read",
    "zones.testzone1.scim.write",
    "uaa.user"
  ]
}

I received a success 201 Created. Finally I tried to request a client credentials OAuth token also with Postman:

POST /oauth/token HTTP/1.1
Host: <ip address>:<port>
Content-Type: application/x-www-form-urlencoded
Accept: application/json
X-Identity-Zone-Id: testzone1

client_id=testclient&client_secret=testsecret&grant_type=client_credentials&token_format=opaque&response_type=token

I receive the following 401 Unauthorized response:

{
    "error": "unauthorized",
    "error_description": "Bad credentials"
}

I even tried including the zone filter header X-Identity-Zone-Id: testzone1, but the response is the same.

I actually tried to request a client token with the CLI as well using the -z option and received the same response:

$ uaac token client get testclient -z testzone1
Client secret:  ****

error response:
{
  "error": "unauthorized",
  "error_description": "Bad credentials"
}

What did you expect to see? What goal are you trying to achieve with the UAA?

I expected to see a 200 OK response along with a payload containing the OAuth token. My goal is to use the client credentials token to then create users within the same “testzone1” zone. If I re-create the client in the default “uaa” identity zone, my client token requests work just fine.

My assumption is that the /oauth/token endpoint currently has no way to authenticate clients/users in different identity zones that are not the default, because I see in the logs (pasted below) it is looking to authenticate the client in the “uaa” zone.

What did you see instead?

Here are the UAA logs:

10/14/2017 2:30:02 PM[2017-10-14 21:30:02.709] cloudfoundry-identity-server - ???? [http-nio-8080-exec-2] .... DEBUG --- UaaRequestMatcher: [loginAuthenticateRequestMatcher] Checking match of request : '/oauth/token'; '/authenticate' with parameters={} and headers {Authorization=[bearer ], accept=[application/json]}
10/14/2017 2:30:02 PM[2017-10-14 21:30:02.709] cloudfoundry-identity-server - ???? [http-nio-8080-exec-2] .... DEBUG --- UaaRequestMatcher: [loginAuthorizeRequestMatcher] Checking match of request : '/oauth/token'; '/oauth/authorize' with parameters={source=login} and headers {accept=[application/json]}
10/14/2017 2:30:02 PM[2017-10-14 21:30:02.710] cloudfoundry-identity-server - ???? [http-nio-8080-exec-2] .... DEBUG --- UaaRequestMatcher: [loginTokenRequestMatcher] Checking match of request : '/oauth/token'; '/oauth/token' with parameters={source=login, grant_type=password, add_new=} and headers {Authorization=[bearer ], accept=[application/json]}
10/14/2017 2:30:02 PM[2017-10-14 21:30:02.710] cloudfoundry-identity-server - ???? [http-nio-8080-exec-2] .... DEBUG --- UaaRequestMatcher: [loginAuthorizeRequestMatcherOld] Checking match of request : '/oauth/token'; '/oauth/authorize' with parameters={login={} and headers {accept=[application/json]}
10/14/2017 2:30:02 PM[2017-10-14 21:30:02.710] cloudfoundry-identity-server - ???? [http-nio-8080-exec-2] .... DEBUG --- UaaRequestMatcher: [passcodeTokenMatcher] Checking match of request : '/oauth/token'; '/oauth/token' with parameters={grant_type=password, passcode=} and headers {accept=[application/json, application/x-www-form-urlencoded]}
10/14/2017 2:30:02 PM[2017-10-14 21:30:02.711] cloudfoundry-identity-server - ???? [http-nio-8080-exec-2] .... DEBUG --- CorsFilter: CORS Processing request: URI: /oauth/token; Scheme: http; Host: <ip address>; Port: <port>; Origin: chrome-extension://fhbjgbiflinjbdggehcddcbncdddomop; Method: POST
10/14/2017 2:30:02 PM[2017-10-14 21:30:02.711] cloudfoundry-identity-server - ???? [http-nio-8080-exec-2] .... DEBUG --- CorsFilter: Request cross origin request has passed validation.
10/14/2017 2:30:02 PM[2017-10-14 21:30:02.711] cloudfoundry-identity-server - ???? [http-nio-8080-exec-2] .... DEBUG --- IdentityZoneResolvingFilter: No root domains configured, UAA is catch-all domain for host:<ip address>
10/14/2017 2:30:02 PM[2017-10-14 21:30:02.717] cloudfoundry-identity-server - ???? [http-nio-8080-exec-2] .... DEBUG --- DisableIdTokenResponseTypeFilter: Processing id_token disable filter
10/14/2017 2:30:02 PM[2017-10-14 21:30:02.717] cloudfoundry-identity-server - ???? [http-nio-8080-exec-2] .... DEBUG --- DisableIdTokenResponseTypeFilter: pre id_token disable:false pathinfo:null request_uri:/oauth/token response_type:token
10/14/2017 2:30:02 PM[2017-10-14 21:30:02.718] cloudfoundry-identity-server - ???? [http-nio-8080-exec-2] .... DEBUG --- DisableIdTokenResponseTypeFilter: post id_token disable:false pathinfo:null request_uri:/oauth/token response_type:token
10/14/2017 2:30:02 PM[2017-10-14 21:30:02.718] cloudfoundry-identity-server - ???? [http-nio-8080-exec-2] .... DEBUG --- SecurityFilterChainPostProcessor$HttpsEnforcementFilter: Filter chain 'tokenEndpointSecurity' processing request POST /oauth/token
10/14/2017 2:30:02 PM[2017-10-14 21:30:02.815] cloudfoundry-identity-server - ???? [http-nio-8080-exec-2] ....  INFO --- Audit: PrincipalAuthenticationFailure ('null'): principal=testclient, origin=[10.42.0.1], identityZoneId=[uaa]
10/14/2017 2:30:02 PM[2017-10-14 21:30:02.815] cloudfoundry-identity-server - ???? [http-nio-8080-exec-2] ....  INFO --- Audit: ClientAuthenticationFailure ('Bad credentials'): principal=testclient, origin=[remoteAddress=<ip address>, clientId=testclient], identityZoneId=[uaa]
10/14/2017 2:30:02 PM[2017-10-14 21:30:02.816] cloudfoundry-identity-server - ???? [http-nio-8080-exec-2] .... DEBUG --- ClientParametersAuthenticationFilter: Could not authenticate with client credentials.
10/14/2017 2:30:02 PM[2017-10-14 21:30:02.818] cloudfoundry-identity-server - ???? [http-nio-8080-exec-2] .... DEBUG --- CorsFilter: CORS processing completed for: URI: /oauth/token; Scheme: http; Host: <ip address>; Port: <port>; Origin: chrome-extension://fhbjgbiflinjbdggehcddcbncdddomop; Method: POST Status:401
10/14/2017 2:30:24 PM[2017-10-14 21:30:24.034] cloudfoundry-identity-server - ???? [ZoneAwareMetadataManager.Refresh[idpMetadataManager]] .... DEBUG --- ZoneAwareIdpMetadataManager: Running SAML SP refresh[ZoneAwareMetadataManager.Refresh[idpMetadataManager]-1859833227] - ignoreTimestamp=false

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Comments: 39

Top GitHub Comments

1 reaction
jamelseagraves commented, Oct 21, 2017

Ended up resolving my own issue. Sorry to bother. 😃

0 reactions
kurry786 commented, Feb 25, 2020

Or if you are sending a curl or Postman request, you can use the Host header to overwrite the hostname of your request.

I can bypass the first if, but when it goes to the for loop the string operation is hostname.endswith(.+zone)…

Don’t you think it should be the other way around, which is zone.endswith(.+hostname)? This satisfies the condition and gets the subdomain.
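A simplified model of the hostname-based zone resolution that the IdentityZoneResolvingFilter log line in the issue ("No root domains configured, UAA is catch-all domain for host") and the Host-header remark in the comment above both point to, added here as an example and not UAA's own code: the zone is taken from the subdomain of the Host header, so a token request addressed to a bare IP address, with or without X-Identity-Zone-Id, lands in the default uaa zone. The root domain uaa.example.test, the sample hostnames and the handling of an unknown subdomain are constructed assumptions.

```python
"""Model of how a UAA deployment routes a request to an identity zone by hostname.

Added example (not UAA's own code). Assumed deployment: one root domain and one
non-default zone, matching the POST /identity-zones body in the issue.
"""
from urllib.parse import urlencode
from urllib.request import Request

DEFAULT_ZONE = "uaa"
ROOT_DOMAINS = ["uaa.example.test"]            # constructed root domain
ZONES_BY_SUBDOMAIN = {"testzone1": "testzone1"}  # subdomain -> zone id


def resolve_zone(host_header, root_domains=ROOT_DOMAINS, zones=ZONES_BY_SUBDOMAIN):
    """Return the zone id a request with this Host header is routed to.

    None means the subdomain matched a root domain but no such zone exists
    (assumed: such a request is rejected rather than served from "uaa").
    """
    hostname = host_header.split(":", 1)[0].lower()  # strip any port
    for root in root_domains:
        if hostname == root:                      # root domain itself: default zone
            return DEFAULT_ZONE
        if hostname.endswith("." + root):         # the check discussed in the comment
            subdomain = hostname[: -len(root) - 1]
            return zones.get(subdomain)
    # No root domain matched, e.g. a bare IP address: UAA is the catch-all host,
    # which is why the issue's audit lines show identityZoneId=[uaa].
    return DEFAULT_ZONE


def client_credentials_request(base_url, zone_subdomain, client_id, client_secret):
    """Build the token request so the Host header selects the intended zone.

    X-Identity-Zone-Id is not what chooses the zone on /oauth/token; the
    hostname is, so the request carries "<zone>.<root-domain>" as Host.
    """
    host = zone_subdomain + "." + ROOT_DOMAINS[0]
    body = urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret, "token_format": "opaque"}).encode()
    req = Request(base_url + "/oauth/token", data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header("Accept", "application/json")
    req.add_header("Host", host)  # urlopen(req) sends this Host instead of the URL's
    return req
```

With the server reached by IP as in the issue, the same request works when the Host header names the zone's subdomain under a root domain the UAA is configured for.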
