Create UAA user parallel with the token request (add_new=true)

[david.webe...@gmail.com]

Dear experts,

When we fetch a token for a user, we have the "add_new" option set to "true" and provide the additional parameters.

Here is the request we are calling:

curl -X "POST" "http://uaa.xyx.com/oauth/token" \

-H "Content-Type: application/x-www-form-urlencoded" \

-H "Authorization: Bearer <valid-token>" \

-H "Accept: application/json" \

-d "source=login " \

-d "origin=uaa" \

-d "response_type=token" \

-d "family_name=Weber" \

-d "grant_type=password" \

-d "username=dweberuser3" \

-d "email=dwebe...@example.com" \

-d "given_name=David" \

-d "client_secret=" \

-d "client_id=cf" \

-d "add_new=true"

I would expect that family_name, given_name, username and email will be used as described here https://github.com/cloudfoundry/uaa/blob/master/docs/UAA-APIs.rst#oauth2-token-endpoint-post-oauth-token.

The user will be created so this is fine but when I fetch the user form the UAA, only the username is correct.

Here are the response values, when I fetch the user form UAA:

Email = dwebe...@unknown.org
givenName = dweberuser3
familyName = unknown.org

Thanks for the help in advanced

Dave

[fha...@pivotal.io]

Yes, there is a discrepancy, I've opened a bug

https://www.pivotaltracker.com/story/show/87430526 

[david.webe...@gmail.com]

Thanks Filip.

[iamflying]

Hi David,

Could you share how did you create the user? I got the following error.
       {"error":"access_denied","error_description":"Invalid token does not contain resource id (oauth)"}


Commands I used:

TOKEN=`curl -k  -H 'AUTHORIZATION: Basic Y2Y6' -d "username=admin&password=admin&grant_type=password" https://uaa.xxx.xip.io/oauth/token | jq -r .access_token`

curl -k -X "POST" "https://uaa.xxx.xip.io/oauth/token" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -H "Authorization: Bearer $TOKEN" \

    -H "Accept: application/json" \
    -d "source=login " \
    -d "origin=uaa" \
    -d "response_type=token" \

    -d "family_name=Wang" \
    -d "grant_type=password" \
    -d "username=gc" \
    -d "email=g...@example.com" \
    -d "given_name=George" \
    -d "client_id=cf" \
    -d "add_new=true"

Here, I also tried "client_id=admin", but got the same error.

[Filip Hanik]

The error you get means the $TOKEN is not correct. It must contain the scope oauth.login

Check this story to see the commands we ran: 

https://www.pivotaltracker.com/story/show/87430526

[david.webe...@gmail.com]

Hi,

You have to use the "login" user form CF as this user has the scope oauth.login.

Best

Dave

[iamflying]

Hi David,

admin:admin is the default admin use who can login in cf with "cf login".
cf:cf is a new created user by admin. It also can login in cf with "cf login".

I am confused as I did not find "oauth.login" from the scope of the two users. Could you let me know how to assign "oauth.login" to the user? if the command of getting token is wrong?

ubuntu@ubuntu14:~/bosh-workspace/deployments/apps/uaa$ curl -k  -H 'AUTHORIZATION: Basic Y2Y6' -d "username=cf&password=cf&grant_type=password" https://uaa.xxx.xip.io/oauth/token
"scope":"cloud_controller.admin cloud_controller.read cloud_controller.write openid password.write scim.read scim.userids scim.write

ubuntu@ubuntu14:~/bosh-workspace/deployments/apps/uaa$ curl -k  -H 'AUTHORIZATION: Basic Y2Y6' -d "username=cf&password=cf&grant_type=password" https://uaa.xxx.xip.io/oauth/token
"scope":"cloud_controller.read cloud_controller.write openid password.write scim.userids"

[Filip Hanik]

There is a client, called 'login' that has the right scope, oauth.login

https://github.com/cloudfoundry/cf-release/blob/master/templates/cf-properties.yml#L260-L266

You can get a token for this client, or you can add the scope to another client and user.

Filip

[iamflying]

Thanks Filip. I can create a new user.
TOKEN=`curl -k  -H 'Accept:application/json' -u "login:c1oudc0w" "https://uaa.xxx.xip.io/oauth/token?grant_type=client_credentials" | jq -r .access_token`

 curl -k  -X "POST" "https://uaa.xxx.xip.io/oauth/token" -H "Content-Type: application/x-www-form-urlencoded" -H "Authorization: Bearer $TOKEN" -H "Accept: application/json" -d "source=login&origin=uaa&response_type=token&family_name=Wang&grant_type=password&username=gc&email=g...@example.com&given_name=George&client_secret=&client_id=cf&add_new=true"
 

But I can not know its password.  what's the default password? How to change it with curl api?

[Josh Ghiloni]

See https://github.com/cloudfoundry/uaa/blob/master/docs/UAA-APIs.rst#change-password-put-users-id-password (`PUT /Users/{id}/password`)

--
You received this message because you are subscribed to the Google Groups "Cloud Foundry Developers" group.

To view this discussion on the web visit https://groups.google.com/a/cloudfoundry.org/d/msgid/vcap-dev/0d24afab-d44c-455c-bf83-bd55917be7bd%40cloudfoundry.org.

To unsubscribe from this group and stop receiving emails from it, send an email to vcap-dev+u...@cloudfoundry.org.

[iamflying]

I am not familar with curl format. According to the UAA API[1], I got the error message. I think, my request may have wrong format. Who can help?

HTTP Status 415 - The server refused this request because the request entity is in a format not supported by the requested resource for the requested method.

uaa.log

[2015-03-03 00:47:02.273] uaa - 1045 [http-bio-8080-exec-7] .... DEBUG --- FilterChainProxy: /Users/a7f6d3a2-b8bc-4217-8603-a971687510ba/password reached end of additional filter chain; proceeding with original chain
[2015-03-03 00:47:02.273] uaa - 1045 [http-bio-8080-exec-7] .... DEBUG --- DispatcherServlet: DispatcherServlet with name 'spring' processing PUT request for [/Users/a7f6d3a2-b8bc-4217-8603-a971687510ba/password]
[2015-03-03 00:47:02.275] uaa - 1045 [http-bio-8080-exec-7] .... DEBUG --- ExceptionHandlerExceptionResolver: Resolving exception from handler [public org.cloudfoundry.identity.uaa.message.SimpleMessage org.cloudfoundry.identity.uaa.password.PasswordChangeEndpoint.changePassword(java.lang.String,org.cloudfoundry.identity.uaa.message.PasswordChangeRequest)]: org.springframework.web.HttpMediaTypeNotSupportedException: Content type 'application/x-www-form-urlencoded' not supported
[2015-03-03 00:47:02.275] uaa - 1045 [http-bio-8080-exec-7] .... DEBUG --- ResponseStatusExceptionResolver: Resolving exception from handler [public org.cloudfoundry.identity.uaa.message.SimpleMessage org.cloudfoundry.identity.uaa.password.PasswordChangeEndpoint.changePassword(java.lang.String,org.cloudfoundry.identity.uaa.message.PasswordChangeRequest)]: org.springframework.web.HttpMediaTypeNotSupportedException: Content type 'application/x-www-form-urlencoded' not supported
[2015-03-03 00:47:02.275] uaa - 1045 [http-bio-8080-exec-7] .... DEBUG --- DefaultHandlerExceptionResolver: Resolving exception from handler [public org.cloudfoundry.identity.uaa.message.SimpleMessage org.cloudfoundry.identity.uaa.password.PasswordChangeEndpoint.changePassword(java.lang.String,org.cloudfoundry.identity.uaa.message.PasswordChangeRequest)]: org.springframework.web.HttpMediaTypeNotSupportedException: Content type 'application/x-www-form-urlencoded' not supported

The commands I am using are:

 TOKEN=`curl -k  -H 'AUTHORIZATION: Basic Y2Y6' -d "username=admin&password=admin&grant_type=password" https://uaa.xxx.xip.io/oauth/token | jq -r .access_token`

export POST_DATA=$(cat <<EOF
{"schemas":["urn:scim:schemas:core:1.0"],"password": "passw0rd" }
EOF
)
  curl -k  -X "PUT" "https://uaa.xxx.xip.io/Users/3b294040-47ba-4975-b1c9-ab509d22d8f6/password" -H "Authorization: Bearer $TOKEN" -H "Accept: application/json"  -d "${POST_DATA}"


[1] https://github.com/cloudfoundry/uaa/blob/master/docs/UAA-APIs.rst#change-password-put-users-id-password (`PUT /Users/{id}/password`)

[Filip Hanik]

Ok, you are using the wrong API to create a user.

There is documentation for the UAA APIs

https://github.com/cloudfoundry/uaa/blob/master/docs/UAA-APIs.rst

Read up on the the general usage of these APIs. 

There are three ways of doing this

1. Use the CF cli

http://docs.cloudfoundry.org/adminguide/cli-user-management.html

2. Use the command line uaac ruby gem

http://docs.cloudfoundry.org/adminguide/uaa-user-management.html

3. Using CURL they way you are - then get familiar with the API doc. The API that you have been using is out of context. It is used when the UAA can't authenticate the user itself, but must rely on an outside source to do so. Therefor there is no password for those users.

To view this discussion on the web visit https://groups.google.com/a/cloudfoundry.org/d/msgid/vcap-dev/d6a904b5-5389-4dd7-b3ae-02d9b7f6ea1e%40cloudfoundry.org.

[Josh Ghiloni]

Thanks for that Filip. I just wanted to add to resolve the HTTP 415 in and of itself, you should also add to your curl statement `-H "Content-Type: application/json"` to tell the server that you're sending the JSON. The Accept header said "I want JSON in return"

To view this discussion on the web visit https://groups.google.com/a/cloudfoundry.org/d/msgid/vcap-dev/CANXYgqGWjm6VZnZtd1eK_Desv10qyPgv-3SmeAbV855akp5_Uw%40mail.gmail.com.