Token error using API client credentials


Aidan Feldman

Apr 8, 2015, 2:00:54 AM
to vcap...@cloudfoundry.org

Hi folks-

I am trying to create a Hubot plugin that sends notifications for Cloud Foundry events to our chat room, but have been banging my head against API auth for a couple days. Essentially, I am trying to consume:

cf curl /v2/events

but am trying to make the equivalent underlying calls via Node.js rather than through the CLI. From my reading of OAuth2, a read-only not-acting-on-behalf-of-a-user server-side-only app is a good use case for client credentials. I couldn't find a CF client library for Node that supports client credentials so I'm trying to do it myself...unsuccessfully. Here's what I've tried, in bash:

CLIENT_ID=hubot-cf-test
CLIENT_SECRET=mysecret

uaac client add $CLIENT_ID --secret $CLIENT_SECRET --scope uaa.none --authorized_grant_types "client_credentials"
curl -X POST --user "$CLIENT_ID:$CLIENT_SECRET" -d 'grant_type=client_credentials' https://uaa.mycloudfoundry.com/oauth/token

# copy in access_token value from previous response
curl -H "Authorization: Bearer eyJhbGc..." https://api.mycloudfoundry.com/v2/events

which gives me

{
  "code": 1000,
  "description": "Invalid Auth Token",
  "error_code": "CF-InvalidAuthToken"
}

What silly little thing am I doing wrong? Thanks in advance!

-Aidan

P.S. Here is my progress on the Hubot plugin, if anyone's interested.

(cross-post from Stack Overflow)

http://stackoverflow.com/questions/29506879/token-error-using-cloud-foundry-api-client-credentials


zaue...@pivotal.io

Apr 15, 2015, 3:11:08 PM
to vcap...@cloudfoundry.org

Hi Aidan,

You need to make sure that your token has the correct uaa scope. In the case of getting every single event that happens on your CF installation with a client token that would be cloud_controller.admin.

While it may seem like a good choice to use a client token since they're disconnected from users, that may actually come back to bite you. The cloud controller returns items from its list endpoints based upon what the user has access to. A user that is an OrgManager from some org "zak_org" will only receive events for that org, for instance. Since that is the case, the only way for a client token to get anything back from a CC list endpoint is for it to always have the cloud_controller.admin scope, and you will always receive every item that can possibly be returned.

Just something to keep in mind.

Thanks,
Zak
CF Runtime Team
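Added example, not code from the original thread and not Cloud Foundry or Hubot project code: a Node.js sketch of the flow Aidan describes, with the pre-flight check Zak's reply implies. It decodes the client_credentials token that comes back from /oauth/token, confirms it actually carries cloud_controller.admin, builds the /v2/events request the same way the curl commands in the question do, and turns a CF-InvalidAuthToken response into an actionable error. The hostnames, client name and secret are placeholders taken from the question, and the two JWTs are constructed locally and unsigned, standing in for what UAA would issue; nothing here touches the network, so it runs offline.

```javascript
// Added example, not code from the original post or from Cloud Foundry/Hubot.
// Node.js >= 18 (Buffer; global fetch if you do take the built requests online).
// Placeholder names: uaa.example.com, api.example.com, hubot-cf-test, mysecret.

// Zak's point: a client_credentials token only gets anything back from a
// Cloud Controller list endpoint if it carries this scope.
const REQUIRED_SCOPE = 'cloud_controller.admin';

const b64url = (s) =>
  Buffer.from(s).toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const b64urlDecode = (s) =>
  Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');

// Read the claims of a JWT without verifying it. That is acceptable here: we
// are inspecting our own freshly issued token, and the Cloud Controller does
// the signature check on its side before trusting anything in it.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT (expected header.payload.signature)');
  return JSON.parse(b64urlDecode(parts[1]));
}

// UAA puts the granted scopes in a "scope" claim (array); tolerate a
// space-separated string as well.
function scopesOf(token) {
  const { scope } = decodeJwtPayload(token);
  if (Array.isArray(scope)) return scope;
  return typeof scope === 'string' ? scope.split(' ').filter(Boolean) : [];
}

// Pre-flight: will this token see anything at /v2/events? `now` (seconds
// since epoch) is injectable so the check is deterministic.
function checkEventsAccess(token, now = Math.floor(Date.now() / 1000)) {
  const claims = decodeJwtPayload(token);
  if (typeof claims.exp === 'number' && claims.exp <= now) return { ok: false, reason: 'token expired' };
  const scopes = scopesOf(token);
  // UAA records the grant in a grant_type claim. Only client tokens need admin;
  // a user token simply gets the subset of events its orgs expose.
  if (claims.grant_type === 'client_credentials' && !scopes.includes(REQUIRED_SCOPE)) {
    return { ok: false, reason: `client token lacks ${REQUIRED_SCOPE}, has [${scopes.join(', ')}]` };
  }
  return { ok: true, reason: `token carries ${scopes.join(' ')}` };
}

// Same request as the curl in the question: HTTP Basic with the client
// id/secret, form-encoded grant_type=client_credentials.
function buildTokenRequest(uaaUrl, clientId, clientSecret) {
  const basic = Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
  return {
    url: `${uaaUrl}/oauth/token`,
    options: {
      method: 'POST',
      headers: { Authorization: `Basic ${basic}`, 'Content-Type': 'application/x-www-form-urlencoded', Accept: 'application/json' },
      body: 'grant_type=client_credentials',
    },
  };
}

function buildEventsRequest(apiUrl, accessToken, page = 1) {
  return { url: `${apiUrl}/v2/events?page=${page}`, options: { headers: { Authorization: `Bearer ${accessToken}` } } };
}

// Turn a parsed /v2/events response into events plus the next page link,
// and make the error from the question say what to look at.
function interpretEventsResponse(status, body) {
  if (body && body.error_code === 'CF-InvalidAuthToken') {
    throw new Error(`Cloud Controller rejected the token (HTTP ${status}: ${body.description}); for a client token, check it carries ${REQUIRED_SCOPE}`);
  }
  if (status !== 200) throw new Error(`unexpected HTTP ${status} from /v2/events`);
  return { events: body.resources.map((r) => r.entity), nextUrl: body.next_url || null };
}

// Constructed, unsigned sample tokens (alg "none", empty signature). They are
// NOT real UAA tokens, only the claims a client_credentials token carries.
function fakeJwt(claims) {
  return `${b64url(JSON.stringify({ alg: 'none', typ: 'JWT' }))}.${b64url(JSON.stringify(claims))}.`;
}
const FAR_FUTURE = 4102444800; // 2100-01-01, so the samples never look expired
const baseClaims = { client_id: 'hubot-cf-test', cid: 'hubot-cf-test', grant_type: 'client_credentials', exp: FAR_FUTURE };
// What the uaac command in the question produces: the client's scope is uaa.none.
const tokenAsPosted = fakeJwt({ ...baseClaims, scope: ['uaa.none'] });
// What the client needs before /v2/events returns anything.
const tokenWithAdmin = fakeJwt({ ...baseClaims, scope: [REQUIRED_SCOPE] });

if (typeof require !== 'undefined' && require.main === module) {
  console.log('as posted :', checkEventsAccess(tokenAsPosted));
  console.log('with admin:', checkEventsAccess(tokenWithAdmin));
  console.log(buildTokenRequest('https://uaa.example.com', 'hubot-cf-test', 'mysecret').url);
}
```

On the uaac side, the thread does not spell this out, but with the client_credentials grant UAA derives the token's scope from the client's authorities, not from --scope, so the client is registered with --authorities "cloud_controller.admin". Treat that client secret like the admin credential it now is: as Zak notes, the token sees every event on the installation, so keep the Hubot side read-only and the secret out of the repo.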