We want to test Spring Cloud Data Flow security using the UAA server (Cloud Foundry). Please help us with an authentication failure.
Step 1: Download the UAA server WAR from Maven
Step 2: Set up the uaa-bundled Spring Boot project
a. git clone https://github.com/pivotal/uaa-bundled.git
b. cd uaa-bundled
c. Copy the UAA server WAR to src/main/resources
d. ./mvnw clean install
e. java -jar target/uaa-bundled-1.0.0.BUILD-SNAPSHOT.jar
The UAA server starts on port 8080.
Step 3: Run the uaac commands:
uaac target http://localhost:8080/uaa
uaac token client get admin -s adminsecret
uaac client add dataflow --name dataflow --secret dataflow --scope cloud_controller.read,cloud_controller.write,openid,password.write,scim.userids,sample.create,sample.view,dataflow.create,dataflow.deploy,dataflow.destroy,dataflow.manage,dataflow.modify,dataflow.schedule,dataflow.view --authorized_grant_types password,authorization_code,client_credentials,refresh_token --authorities uaa.resource,dataflow.create,dataflow.deploy,dataflow.destroy,dataflow.manage,dataflow.modify,dataflow.schedule,dataflow.view,sample.view,sample.create --redirect_uri http://localhost:9393/login --autoapprove openid
uaac group add "sample.view"
uaac group add "sample.create"
uaac group add "dataflow.view"
uaac group add "dataflow.create"
uaac user add springrocks -p mysecret --emails [email protected]
uaac user add vieweronly -p mysecret --emails [email protected]
uaac member add "sample.view" springrocks
uaac member add "sample.create" springrocks
uaac member add "dataflow.view" springrocks
uaac member add "dataflow.create" springrocks
uaac member add "sample.view" vieweronly
When we run the curl command below, the authentication is successful:
C:\Users\rajesh>curl -v -d"username=springrocks&password=mysecret&client_id=dataflow&grant_type=password" -u "dataflow:dataflow" http://localhost:8080/uaa/oauth/token -d 'token_format=opaque'
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8080 (#0)
* Server auth using Basic with user 'dataflow'
> POST /uaa/oauth/token HTTP/1.1
> Host: localhost:8080
> Authorization: Basic ZGF0YWZsb3c6ZGF0YWZsb3c=
> User-Agent: curl/7.55.1
> Accept: */*
> Content-Length: 99
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 99 out of 99 bytes
< HTTP/1.1 200
< Cache-Control: no-store
< Pragma: no-cache
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: DENY
< X-Content-Type-Options: nosniff
< Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
< Date: Fri, 21 May 2021 20:41:57 GMT
<
{"access_token":"eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJqdGkiOiJmNDYyMmY4NDJmZTE0ZjVkYjM2MmFhOWM1ZD
k5ZTU2NyIsInN1YiI6IjcxYjQ2NWI0LWFkZGItNDNhMi1iYjk3LTgxMjJjOTgwZWM5MiIsInNjb3BlIjpbImRhdGFmbG93LnZpZXciLCJzY2ltLnVzZXJpZHMiLCJzYW1wbGUuY3JlYXRlIiwib3BlbmlkIiwiY2xvdWRfY29udHJvbGxlci5yZWFkIiwicGFzc
3dvcmQud3JpdGUiLCJjbG91ZF9jb250cm9sbGVyLndyaXRlIiwiZGF0YWZsb3cuY3JlYXRlIiwic2FtcGxlLnZpZXciXSwiY2xpZW50X2lkIjoiZGF0YWZsb3ciLCJjaWQiOiJkYXRhZmxvdyIsImF6cCI6ImRhdGFmbG93IiwiZ3JhbnRfdHlwZSI6InBhc3N
3b3JkIiwidXNlcl9pZCI6IjcxYjQ2NWI0LWFkZGItNDNhMi1iYjk3LTgxMjJjOTgwZWM5MiIsIm9yaWdpbiI6InVhYSIsInVzZXJfbmFtZSI6InNwcmluZ3JvY2tzIiwiZW1haWwiOiJzcHJpbmdyb2Nrc0Bzb21lcGxhY2UuY29tIiwiYXV0aF90aW1lIjoxNj
IxNjI5NzE3LCJyZXZfc2lnIjoiODA1MTk3ODYiLCJpYXQiOjE2MjE2Mjk3MTcsImV4cCI6MTYyMTY3MjkxNywiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDkwL3VhYS9vYXV0aC90b2tlbiIsInppZCI6InVhYSIsImF1ZCI6WyJzY2ltIiwiY2xvdWRfY29ud
HJvbGxlciIsInBhc3N3b3JkIiwiZGF0YWZsb3ciLCJvcGVuaWQiLCJzYW1wbGUiXX0.cbT2p9agOAxDfv2-kwM9XdaL-m1lnVC5_gKPxdxRRPQ","token_type":"bearer","id_token":"eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYW
xob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJzdWIiOiI3MWI0NjViNC1hZGRiLTQzYTItYmI5Ny04MTIyYzk4MGVjOTIiLCJhdWQiOlsiZGF0YWZsb3ciXSwiaXNzIjoiaHR0cDovL2xvY
2FsaG9zdDo4MDkwL3VhYS9vYXV0aC90b2tlbiIsImV4cCI6MTYyMTY3MjkxNywiaWF0IjoxNjIxNjI5NzE3LCJhbXIiOlsicHdkIl0sImF6cCI6ImRhdGFmbG93Iiwic2NvcGUiOlsib3BlbmlkIl0sImVtYWlsIjoic3ByaW5ncm9ja3NAc29tZXBsYWNlLmNv
bSIsInppZCI6InVhYSIsIm9yaWdpbiI6InVhYSIsImp0aSI6ImY0NjIyZjg0MmZlMTRmNWRiMzYyYWE5YzVkOTllNTY3IiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImNsaWVudF9pZCI6ImRhdGFmbG93IiwiY2lkIjoiZGF0YWZsb3ciLCJncmFudF90eXBlIjo
icGFzc3dvcmQiLCJ1c2VyX25hbWUiOiJzcHJpbmdyb2NrcyIsInJldl9zaWciOiI4MDUxOTc4NiIsInVzZXJfaWQiOiI3MWI0NjViNC1hZGRiLTQzYTItYmI5Ny04MTIyYzk4MGVjOTIiLCJhdXRoX3RpbWUiOjE2MjE2Mjk3MTd9.4COLuUIisv2PMvFHewFta
Bhm6BgykMV6nLskhUM3Qac","refresh_token":"eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJqdGkiOiIxOTQ4OT
ZiNDBlMGM0YWE1ODhkNzg2ODM1Zjg4ZDYwZS1yIiwic3ViIjoiNzFiNDY1YjQtYWRkYi00M2EyLWJiOTctODEyMmM5ODBlYzkyIiwiaWF0IjoxNjIxNjI5NzE3LCJleHAiOjE2MjQyMjE3MTcsImNpZCI6ImRhdGFmbG93IiwiY2xpZW50X2lkIjoiZGF0YWZsb
3ciLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwOTAvdWFhL29hdXRoL3Rva2VuIiwiemlkIjoidWFhIiwiYXVkIjpbInNjaW0iLCJjbG91ZF9jb250cm9sbGVyIiwicGFzc3dvcmQiLCJkYXRhZmxvdyIsIm9wZW5pZCIsInNhbXBsZSJdLCJncmFudGVkX3Nj
b3BlcyI6WyJkYXRhZmxvdy52aWV3Iiwic2NpbS51c2VyaWRzIiwic2FtcGxlLmNyZWF0ZSIsIm9wZW5pZCIsImNsb3VkX2NvbnRyb2xsZXIucmVhZCIsInBhc3N3b3JkLndyaXRlIiwiY2xvdWRfY29udHJvbGxlci53cml0ZSIsImRhdGFmbG93LmNyZWF0ZSI
sInNhbXBsZS52aWV3Il0sImFtciI6WyJwd2QiXSwiYXV0aF90aW1lIjoxNjIxNjI5NzE3LCJncmFudF90eXBlIjoicGFzc3dvcmQiLCJ1c2VyX25hbWUiOiJzcHJpbmdyb2NrcyIsIm9yaWdpbiI6InVhYSIsInVzZXJfaWQiOiI3MWI0NjViNC1hZGRiLTQzYT
ItYmI5Ny04MTIyYzk4MGVjOTIiLCJyZXZfc2lnIjoiODA1MTk3ODYifQ.xZfW4vo26DUOlByX6yLVG4jmvq0qprdP4AufGA4B40Q","expires_in":43199,"scope":"dataflow.view scim.userids sample.create openid cloud_controller.read password.write cloud_controller.write dataflow.create sample.view","jti":"f4622f842fe14f5db362aa9c5d99e567"}
* Connection #0 to host localhost left intact
Step 4: Run the Spring Cloud Data Flow server using application.yml
application.yml:
spring:
  security:
    oauth2:
      client:
        registration:
          uaa:
            client-id: springrocks
            client-secret: mysecret
            redirect-uri: '{baseUrl}/login/oauth2/code/{registrationId}'
            authorization-grant-type: authorization_code
            scope:
              - openid
        provider:
          uaa:
            jwk-set-uri: http://localhost:8080/uaa/token_keys
            token-uri: http://localhost:8080/uaa/oauth/token
            user-info-uri: http://localhost:8080/uaa/userinfo
            user-name-attribute: [email protected]
            authorization-uri: http://localhost:8080/uaa/oauth/authorize
      resourceserver:
        opaquetoken:
          introspection-uri: http://localhost:8080/uaa/introspect
          client-id: dataflow
          client-secret: dataflow
Run the below command...
java -jar spring-cloud-dataflow-server-2.7.2.jar --spring.config.additional-location=application.yml
The server starts on port 9393.
Step 5: Open the URL http://localhost:9393/dashboard
Click on the link OAuth2 Login
On the Cloud Foundry page, enter the username and password
But the authentication fails.
Please find the UAA server logs below:
[2021-05-23 11:43:15.641] cloudfoundry-identity-server/uaa - 7344 [http-nio-8080-exec-4] .... DEBUG --- DisableIdTokenResponseTypeFilter: Processing id_token disable filter
[2021-05-23 11:43:15.641] cloudfoundry-identity-server/uaa - 7344 [http-nio-8080-exec-4] .... DEBUG --- DisableIdTokenResponseTypeFilter: pre id_token disable:false pathinfo:null request_uri:/uaa/oauth/authorize response_type:code
[2021-05-23 11:43:15.641] cloudfoundry-identity-server/uaa - 7344 [http-nio-8080-exec-4] .... DEBUG --- DisableIdTokenResponseTypeFilter: post id_token disable:false pathinfo:null request_uri:/uaa/oauth/authorize response_type:code
[2021-05-23 11:43:15.641] cloudfoundry-identity-server/uaa - 7344 [http-nio-8080-exec-4] .... DEBUG --- SecurityFilterChainPostProcessor$HttpsEnforcementFilter: Filter chain 'uiSecurity' processing request GET /uaa/oauth/authorize
[2021-05-23 11:43:15.647] cloudfoundry-identity-server/uaa - 7344 [http-nio-8080-exec-4] .... INFO --- SamlKeyManagerFactory: Loaded service provider certificate legacy-saml-key
[2021-05-23 11:43:15.649] cloudfoundry-identity-server/uaa - 7344 [http-nio-8080-exec-4] .... INFO --- NonSnarlMetadataManager: Initialized local service provider for entityID: cloudfoundry-saml-login
[2021-05-23 11:43:15.650] cloudfoundry-identity-server/uaa - 7344 [http-nio-8080-exec-4] .... DEBUG --- NonSnarlMetadataManager: Found metadata EntityDescriptor with ID
[2021-05-23 11:43:15.651] cloudfoundry-identity-server/uaa - 7344 [http-nio-8080-exec-4] .... DEBUG --- FixHttpsSchemeRequest: Request X-Forwarded-Proto null
[2021-05-23 11:43:15.651] cloudfoundry-identity-server/uaa - 7344 [http-nio-8080-exec-4] .... DEBUG --- UaaSavedRequestCache: Removing DefaultSavedRequest from session if present
[2021-05-23 11:43:15.676] cloudfoundry-identity-server/uaa - 7344 [http-nio-8080-exec-4] .... DEBUG --- SessionResetFilter: Evaluating user-id for session reset:e943b779-297b-4008-8a5d-4748cb2ef575
[2021-05-23 11:43:15.694] cloudfoundry-identity-server/uaa - 7344 [http-nio-8080-exec-4] .... INFO --- UaaAuthorizationEndpoint: Handling OAuth2 error: error="invalid_client", error_description="No client with requested id: springrocks"
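As an added example (my own code, not from the question, the answer, UAA or Spring Cloud Data Flow): a preflight check that parses the question's `uaac client add` line into a client record and validates a Spring client registration against it the way UAA's authorization endpoint would, reproducing the `invalid_client` error from the log for the question's registration (a user name, springrocks, used as the client-id) and passing for a registration that names the dataflow client. The dict form of the registration, the base URL http://localhost:9393 and the registration id uaa mirror the question's application.yml; apart from the invalid_client message copied from the log, the error strings are standard OAuth2 error codes I chose, and the redirect-URI comparison is exact-match by assumption, since UAA's own matching rules vary by version.

```python
"""Preflight check of a Spring OAuth2 client registration against the UAA
client created by the question's uaac script. Added example, not code from
the question, the answer, UAA or Spring Cloud Data Flow."""
import shlex

# The `uaac client add` line from the question's Step 3.
UAAC_CLIENT_ADD = (
    "uaac client add dataflow --name dataflow --secret dataflow "
    "--scope cloud_controller.read,cloud_controller.write,openid,password.write,"
    "scim.userids,sample.create,sample.view,dataflow.create,dataflow.deploy,"
    "dataflow.destroy,dataflow.manage,dataflow.modify,dataflow.schedule,dataflow.view "
    "--authorized_grant_types password,authorization_code,client_credentials,refresh_token "
    "--authorities uaa.resource,dataflow.create,dataflow.deploy,dataflow.destroy,"
    "dataflow.manage,dataflow.modify,dataflow.schedule,dataflow.view,sample.view,sample.create "
    "--redirect_uri http://localhost:9393/login --autoapprove openid"
)

# uaac flags whose value is a comma-separated list.
LIST_FLAGS = {"scope", "authorized_grant_types", "authorities", "redirect_uri", "autoapprove"}


def parse_uaac_client_add(cmdline):
    """Turn `uaac client add <id> --flag value ...` into a client record (dict)."""
    argv = shlex.split(cmdline)
    if argv[:3] != ["uaac", "client", "add"]:
        raise ValueError("not a `uaac client add` command")
    client = {"client_id": argv[3]}
    i = 4
    while i < len(argv):
        flag = argv[i]
        if not flag.startswith("--") or i + 1 >= len(argv):
            raise ValueError("unexpected token: %r" % flag)
        key, value = flag[2:], argv[i + 1]
        client[key] = value.split(",") if key in LIST_FLAGS else value
        i += 2
    return client


def preflight(clients, registration, base_url, registration_id):
    """Return (errors, warnings) for sending this registration to /oauth/authorize.
    Errors use OAuth2 error codes; warnings are points to verify by hand."""
    errors, warnings = [], []
    client = clients.get(registration["client-id"])
    if client is None:
        # Exactly the failure in the question's UAA log: UAA looks the
        # client-id up in its client table, and a user name is not there.
        errors.append("invalid_client: No client with requested id: %s"
                      % registration["client-id"])
        return errors, warnings
    if client["secret"] != registration["client-secret"]:
        errors.append("invalid_client: bad client secret for %s" % client["client_id"])
    grant = registration["authorization-grant-type"]
    if grant not in client["authorized_grant_types"]:
        errors.append("unauthorized_client: %s not authorized for %s"
                      % (grant, client["client_id"]))
    missing = sorted(set(registration["scope"]) - set(client["scope"]))
    if missing:
        errors.append("invalid_scope: %s not in client scopes" % ",".join(missing))
    # Spring expands its template to {baseUrl}/login/oauth2/code/{registrationId}.
    sent = (registration["redirect-uri"]
            .replace("{baseUrl}", base_url)
            .replace("{registrationId}", registration_id))
    if sent not in client["redirect_uri"]:
        # Assumption: exact match. UAA's real matching depends on its version,
        # so this is a warning for the operator to confirm, not an error.
        warnings.append("redirect_uri %s is not registered exactly (registered: %s)"
                        % (sent, ",".join(client["redirect_uri"])))
    return errors, warnings


# Registration as in the question's application.yml: a user name as client-id.
BROKEN_REGISTRATION = {
    "client-id": "springrocks",
    "client-secret": "mysecret",
    "redirect-uri": "{baseUrl}/login/oauth2/code/{registrationId}",
    "authorization-grant-type": "authorization_code",
    "scope": ["openid"],
}

# Same registration pointed at the OAuth client the uaac script created.
FIXED_REGISTRATION = {**BROKEN_REGISTRATION,
                      "client-id": "dataflow", "client-secret": "dataflow"}


def run():
    """Run both registrations through the preflight and return the findings."""
    clients = {c["client_id"]: c for c in [parse_uaac_client_add(UAAC_CLIENT_ADD)]}
    return {
        "broken": preflight(clients, BROKEN_REGISTRATION, "http://localhost:9393", "uaa"),
        "fixed": preflight(clients, FIXED_REGISTRATION, "http://localhost:9393", "uaa"),
    }


if __name__ == "__main__":
    for name, (errors, warnings) in run().items():
        print(name, "errors:", errors, "warnings:", warnings)
```

The remaining warning for the corrected registration is worth acting on: the uaac line registers http://localhost:9393/login, while Spring sends http://localhost:9393/login/oauth2/code/uaa, so either register that exact URI on the client or confirm your UAA version accepts the registered prefix.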
The client-id and client-secret should be "dataflow". Here is my working configuration:
uaac script:
application.yml
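As an added example (my own, not the answerer's configuration above, which is not reproduced on this page, and not from the Spring Cloud Data Flow project): the question's application.yml with the registration pointed at the OAuth client from the uaac script, the dataflow.* scopes that script grants requested at login, and the scope-to-role mapping Spring Cloud Data Flow uses to authorize dashboard actions. The user-name attribute is set to user_name, the claim name visible in the decoded access token in the question's curl output; the provider URLs and the opaque-token introspection section are kept from the question.

```yaml
spring:
  security:
    oauth2:
      client:
        registration:
          uaa:
            # The OAuth client created by `uaac client add dataflow`, not a
            # user. Users (springrocks, vieweronly) log in on UAA's own page;
            # UAA only looks the client-id up in its client table, which is
            # why "springrocks" produced invalid_client.
            client-id: dataflow
            client-secret: dataflow
            redirect-uri: '{baseUrl}/login/oauth2/code/{registrationId}'
            authorization-grant-type: authorization_code
            # Request the scopes the uaac script granted to the client so
            # they end up in the token and can be mapped to roles below.
            scope:
              - openid
              - dataflow.view
              - dataflow.create
              - dataflow.deploy
              - dataflow.destroy
              - dataflow.manage
              - dataflow.modify
              - dataflow.schedule
        provider:
          uaa:
            jwk-set-uri: http://localhost:8080/uaa/token_keys
            token-uri: http://localhost:8080/uaa/oauth/token
            user-info-uri: http://localhost:8080/uaa/userinfo
            # Claim that carries the login name in UAA tokens and userinfo.
            user-name-attribute: user_name
            authorization-uri: http://localhost:8080/uaa/oauth/authorize
      resourceserver:
        opaquetoken:
          introspection-uri: http://localhost:8080/uaa/introspect
          client-id: dataflow
          client-secret: dataflow
  cloud:
    dataflow:
      security:
        authorization:
          # Map UAA scopes onto Data Flow's roles; a user in only the
          # dataflow.view group (vieweronly) gets ROLE_VIEW and nothing else.
          map-oauth-scopes: true
          role-mappings:
            ROLE_VIEW: dataflow.view
            ROLE_CREATE: dataflow.create
            ROLE_DEPLOY: dataflow.deploy
            ROLE_DESTROY: dataflow.destroy
            ROLE_MANAGE: dataflow.manage
            ROLE_MODIFY: dataflow.modify
            ROLE_SCHEDULE: dataflow.schedule
```

Two checks before retrying the login. First, the uaac line registers the redirect URI http://localhost:9393/login, while the template above sends http://localhost:9393/login/oauth2/code/uaa; register that exact URI (for example with `uaac client update dataflow --redirect_uri http://localhost:9393/login/oauth2/code/uaa`) unless your UAA version is known to accept the registered prefix. Second, the curl transcript in the question did not actually request an opaque token: on cmd.exe the single quotes in `-d 'token_format=opaque'` are ordinary characters, so the body carried the literal string `'token_format=opaque'` (Content-Length 99 is the 77 bytes of the first -d plus 22 for the quoted second one) and UAA returned a JWT. Use `-d "token_format=opaque"` on Windows to obtain the opaque token the introspection section above is meant for.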