Create UAA user parallel with the token request (add_new=true)


david.webe...@gmail.com

Feb 2, 2015, 8:31:37 AM2/2/15
to vcap...@cloudfoundry.org
Dear experts,

When we fetch a token for a user, we have the "add_new" option set to "true" and provide the additional parameters.
Here is the request we are calling:
curl -X "POST" "http://uaa.xyx.com/oauth/token" \
	-H "Content-Type: application/x-www-form-urlencoded" \
	-H "Authorization: Bearer <valid-token>" \
	-H "Accept: application/json" \
	-d "source=login" \
	-d "origin=uaa" \
	-d "response_type=token" \
	-d "family_name=Weber" \
	-d "grant_type=password" \
	-d "username=dweberuser3" \
	-d "email=dwebe...@example.com" \
	-d "given_name=David" \
	-d "client_secret=" \
	-d "client_id=cf" \
	-d "add_new=true"

I would expect that family_name, given_name, username and email will be used as described here https://github.com/cloudfoundry/uaa/blob/master/docs/UAA-APIs.rst#oauth2-token-endpoint-post-oauth-token.

The user will be created, so this is fine, but when I fetch the user from the UAA, only the username is correct.

Here are the response values when I fetch the user from UAA:
Email = dwebe...@unknown.org
givenName = dweberuser3
familyName = unknown.org

Thanks for the help in advance
Dave

fha...@pivotal.io

Feb 2, 2015, 11:30:35 AM2/2/15
to vcap...@cloudfoundry.org, david.webe...@gmail.com
Yes, there is a discrepancy, I've opened a bug

david.webe...@gmail.com

Feb 4, 2015, 2:46:28 AM2/4/15
to vcap...@cloudfoundry.org, david.webe...@gmail.com, fha...@pivotal.io
Thanks Filip.

iamflying

Mar 1, 2015, 11:27:46 PM3/1/15
to vcap...@cloudfoundry.org, david.webe...@gmail.com, fha...@pivotal.io
Hi David,

Could you share how you created the user? I got the following error.
       {"error":"access_denied","error_description":"Invalid token does not contain resource id (oauth)"}


Commands I used:

TOKEN=`curl -k  -H 'AUTHORIZATION: Basic Y2Y6' -d "username=admin&password=admin&grant_type=password" https://uaa.xxx.xip.io/oauth/token | jq -r .access_token`

curl -k -X "POST" "https://uaa.xxx.xip.io/oauth/token" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -H "Authorization: Bearer $TOKEN" \
    -H "Accept: application/json" \
    -d "source=login" \
    -d "origin=uaa" \
    -d "response_type=token" \
    -d "family_name=Wang" \
    -d "grant_type=password" \
    -d "username=gc" \
    -d "email=g...@example.com" \
    -d "given_name=George" \
    -d "client_id=cf" \
    -d "add_new=true"

Here, I also tried "client_id=admin", but got the same error.

Filip Hanik

Mar 2, 2015, 8:40:07 AM3/2/15
to iamflying, vcap...@cloudfoundry.org, david.webe...@gmail.com
The error you get means the $TOKEN is not correct. It must contain the scope oauth.login
Check this story to see the commands we ran: 

david.webe...@gmail.com

Mar 2, 2015, 10:50:31 AM3/2/15
to vcap...@cloudfoundry.org, david.webe...@gmail.com, fha...@pivotal.io
Hi,

You have to use the "login" user from CF, as this user has the scope oauth.login.

Best
Dave

iamflying

Mar 2, 2015, 6:17:07 PM3/2/15
to vcap...@cloudfoundry.org, david.webe...@gmail.com, fha...@pivotal.io
Hi David,

admin:admin is the default admin user who can log in to cf with "cf login".
cf:cf is a new user created by admin. It also can log in to cf with "cf login".

I am confused, as I did not find "oauth.login" in the scopes of the two users. Could you let me know how to assign "oauth.login" to the user? Or is the command for getting the token wrong?

ubuntu@ubuntu14:~/bosh-workspace/deployments/apps/uaa$ curl -k  -H 'AUTHORIZATION: Basic Y2Y6' -d "username=cf&password=cf&grant_type=password" https://uaa.xxx.xip.io/oauth/token
"scope":"cloud_controller.admin cloud_controller.read cloud_controller.write openid password.write scim.read scim.userids scim.write

ubuntu@ubuntu14:~/bosh-workspace/deployments/apps/uaa$ curl -k  -H 'AUTHORIZATION: Basic Y2Y6' -d "username=cf&password=cf&grant_type=password" https://uaa.xxx.xip.io/oauth/token
"scope":"cloud_controller.read cloud_controller.write openid password.write scim.userids"

Filip Hanik

Mar 2, 2015, 6:19:49 PM3/2/15
to iamflying, vcap...@cloudfoundry.org, david.webe...@gmail.com
There is a client, called 'login' that has the right scope, oauth.login


You can get a token for this client, or you can add the scope to another client and user.

Filip
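A pre-flight check for the requirement Filip describes, added here as an example and not code from the thread or from the UAA project: it reads the scope claim out of a JWT-shaped bearer token and refuses to build the add_new form body unless oauth.login is present. The token it decodes is constructed inline with an unsigned placeholder signature; the check only inspects claims and does not verify the signature, which UAA does on the server side. The form fields mirror the curl requests in the thread; the function names are my own.

```python
import base64
import json
import urllib.parse


def _b64url_encode(data: bytes) -> str:
    # JWT segments are base64url without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # re-add the padding that JWT encoding strips, then decode
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_demo_token(scopes) -> str:
    # Constructed token for offline testing only: UAA issues signed JWTs,
    # this one carries a placeholder signature and would be rejected by UAA.
    header = {"alg": "none", "typ": "JWT"}
    payload = {"client_id": "login", "scope": list(scopes)}
    return ".".join([
        _b64url_encode(json.dumps(header).encode("utf-8")),
        _b64url_encode(json.dumps(payload).encode("utf-8")),
        "placeholder-signature",
    ])


def token_scopes(token: str) -> set:
    # Read the scope claim from the payload segment. No signature check here:
    # this is a client-side sanity check, not authorization.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a JWT of the form header.payload.signature")
    claims = json.loads(_b64url_decode(parts[1]))
    scope = claims.get("scope", [])
    if isinstance(scope, str):  # the /oauth/token JSON response uses a space-separated string
        scope = scope.split()
    return set(scope)


def can_call_add_new(token: str) -> bool:
    return "oauth.login" in token_scopes(token)


def add_new_form_body(token: str, username: str, email: str,
                      given_name: str, family_name: str, client_id: str = "cf") -> str:
    # Build the x-www-form-urlencoded body from the thread, but only when the
    # bearer token carries oauth.login; otherwise UAA answers access_denied.
    if not can_call_add_new(token):
        raise PermissionError("bearer token lacks oauth.login; UAA will reject add_new=true")
    fields = {
        "source": "login",
        "origin": "uaa",
        "response_type": "token",
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": "",
        "username": username,
        "email": email,
        "given_name": given_name,
        "family_name": family_name,
        "add_new": "true",
    }
    return urllib.parse.urlencode(fields)


if __name__ == "__main__":
    good = make_demo_token(["oauth.login", "openid"])
    bad = make_demo_token(["cloud_controller.read", "openid"])
    print(can_call_add_new(good), can_call_add_new(bad))  # True False
    print(add_new_form_body(good, "gc", "gc@example.com", "George", "Wang"))
```

Run it against a real token by pasting the value of `$TOKEN` from the thread's commands in place of the constructed one; a token minted for the `cf` client with admin:admin will fail `can_call_add_new`, which is exactly the access_denied case above.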

iamflying

Mar 2, 2015, 7:04:38 PM3/2/15
to vcap...@cloudfoundry.org, guangc...@gmail.com, david.webe...@gmail.com

Thanks Filip. I can create a new user.
TOKEN=`curl -k  -H 'Accept:application/json' -u "login:c1oudc0w" "https://uaa.xxx.xip.io/oauth/token?grant_type=client_credentials" | jq -r .access_token`

 curl -k  -X "POST" "https://uaa.xxx.xip.io/oauth/token" -H "Content-Type: application/x-www-form-urlencoded" -H "Authorization: Bearer $TOKEN" -H "Accept: application/json" -d "source=login&origin=uaa&response_type=token&family_name=Wang&grant_type=password&username=gc&email=g...@example.com&given_name=George&client_secret=&client_id=cf&add_new=true"
 

But I cannot know its password. What's the default password? How do I change it with the curl API?

Josh Ghiloni

Mar 2, 2015, 7:21:20 PM3/2/15
to vcap...@cloudfoundry.org

iamflying

Mar 2, 2015, 7:49:25 PM3/2/15
to vcap...@cloudfoundry.org

I am not familiar with the curl format. Following the UAA API[1], I got the error message below. I think my request may have the wrong format. Who can help?

HTTP Status 415 - The server refused this request because the request entity is in a format not supported by the requested resource for the requested method.

uaa.log
[2015-03-03 00:47:02.273] uaa - 1045 [http-bio-8080-exec-7] .... DEBUG --- FilterChainProxy: /Users/a7f6d3a2-b8bc-4217-8603-a971687510ba/password reached end of additional filter chain; proceeding with original chain
[2015-03-03 00:47:02.273] uaa - 1045 [http-bio-8080-exec-7] .... DEBUG --- DispatcherServlet: DispatcherServlet with name 'spring' processing PUT request for [/Users/a7f6d3a2-b8bc-4217-8603-a971687510ba/password]
[2015-03-03 00:47:02.275] uaa - 1045 [http-bio-8080-exec-7] .... DEBUG --- ExceptionHandlerExceptionResolver: Resolving exception from handler [public org.cloudfoundry.identity.uaa.message.SimpleMessage org.cloudfoundry.identity.uaa.password.PasswordChangeEndpoint.changePassword(java.lang.String,org.cloudfoundry.identity.uaa.message.PasswordChangeRequest)]: org.springframework.web.HttpMediaTypeNotSupportedException: Content type 'application/x-www-form-urlencoded' not supported
[2015-03-03 00:47:02.275] uaa - 1045 [http-bio-8080-exec-7] .... DEBUG --- ResponseStatusExceptionResolver: Resolving exception from handler [public org.cloudfoundry.identity.uaa.message.SimpleMessage org.cloudfoundry.identity.uaa.password.PasswordChangeEndpoint.changePassword(java.lang.String,org.cloudfoundry.identity.uaa.message.PasswordChangeRequest)]: org.springframework.web.HttpMediaTypeNotSupportedException: Content type 'application/x-www-form-urlencoded' not supported
[2015-03-03 00:47:02.275] uaa - 1045 [http-bio-8080-exec-7] .... DEBUG --- DefaultHandlerExceptionResolver: Resolving exception from handler [public org.cloudfoundry.identity.uaa.message.SimpleMessage org.cloudfoundry.identity.uaa.password.PasswordChangeEndpoint.changePassword(java.lang.String,org.cloudfoundry.identity.uaa.message.PasswordChangeRequest)]: org.springframework.web.HttpMediaTypeNotSupportedException: Content type 'application/x-www-form-urlencoded' not supported



The commands I am using are:

 TOKEN=`curl -k  -H 'AUTHORIZATION: Basic Y2Y6' -d "username=admin&password=admin&grant_type=password" https://uaa.xxx.xip.io/oauth/token | jq -r .access_token`

export POST_DATA=$(cat <<EOF
{"schemas":["urn:scim:schemas:core:1.0"],"password": "passw0rd" }
EOF
)
  curl -k  -X "PUT" "https://uaa.xxx.xip.io/Users/3b294040-47ba-4975-b1c9-ab509d22d8f6/password" -H "Authorization: Bearer $TOKEN" -H "Accept: application/json"  -d "${POST_DATA}"


[1] https://github.com/cloudfoundry/uaa/blob/master/docs/UAA-APIs.rst#change-password-put-users-id-password (`PUT /Users/{id}/password`)

Filip Hanik

Mar 2, 2015, 8:29:36 PM3/2/15
to vcap...@cloudfoundry.org
Ok, you are using the wrong API to create a user.
There is documentation for the UAA APIs

Read up on the general usage of these APIs.
There are three ways of doing this

1. Use the CF cli

2. Use the command line uaac ruby gem

3. Using CURL the way you are - then get familiar with the API doc. The API that you have been using is out of context. It is used when the UAA can't authenticate the user itself, but must rely on an outside source to do so. Therefore there is no password for those users.



Josh Ghiloni

Mar 2, 2015, 8:44:06 PM3/2/15
to vcap...@cloudfoundry.org
Thanks for that Filip. I just wanted to add that, to resolve the HTTP 415 in and of itself, you should also add `-H "Content-Type: application/json"` to your curl statement to tell the server that you're sending JSON. The Accept header said "I want JSON in return".
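For the 415 Josh explains, here is the same PUT /Users/{id}/password call built with Python's urllib instead of curl, added as an example that is not from the thread or from the UAA project. It sets Content-Type: application/json on the request, and a small check written in the style of the server side models why the form-encoded body in the earlier message was refused. The base URL, user id and bearer token are placeholders.

```python
import json
import urllib.request

SCIM_SCHEMA = "urn:scim:schemas:core:1.0"  # schema value used in the thread's request body


def password_change_request(base_url: str, user_id: str, bearer_token: str,
                            new_password: str) -> urllib.request.Request:
    # Same PUT /Users/{id}/password call as in the thread, with the header the
    # 415 response was asking for: Content-Type tells the server the body is JSON;
    # Accept only says what we want back.
    body = json.dumps({"schemas": [SCIM_SCHEMA], "password": new_password}).encode("utf-8")
    headers = {
        "Authorization": "Bearer " + bearer_token,
        "Accept": "application/json",
        "Content-Type": "application/json",
    }
    return urllib.request.Request(base_url + "/Users/" + user_id + "/password",
                                  data=body, headers=headers, method="PUT")


def request_headers(req: urllib.request.Request) -> dict:
    # urllib normalises header capitalisation, so compare case-insensitively
    return {name.lower(): value for name, value in req.header_items()}


def request_body(req: urllib.request.Request) -> dict:
    return json.loads(req.data.decode("utf-8"))


def server_accepts(headers: dict) -> bool:
    # Mirrors what the uaa.log lines show: the endpoint binds the body as JSON
    # and refuses other media types with 415 (HttpMediaTypeNotSupportedException).
    lowered = {name.lower(): value for name, value in headers.items()}
    media_type = lowered.get("content-type", "").split(";")[0].strip().lower()
    return media_type == "application/json"


if __name__ == "__main__":
    req = password_change_request("https://uaa.example.test",            # placeholder host
                                  "00000000-0000-0000-0000-000000000000",  # placeholder user id
                                  "<bearer-token>", "passw0rd")
    print(req.get_method(), req.full_url)
    print(server_accepts(request_headers(req)))                                    # True
    print(server_accepts({"Content-Type": "application/x-www-form-urlencoded"}))  # False, the thread's 415
```

To actually send it, pass the request to `urllib.request.urlopen` with a token that is allowed to change that user's password; the `-k` in the thread's curl commands corresponds to skipping TLS verification, which this example does not do.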
