Clarification on UAA <-> external Login Server communication if user approval is required

Martin Smolny

Feb 24, 2015, 10:49:50 AM
to vcap...@cloudfoundry.org
In the Login Server sample code [1] in the UAA github repository, the recommended way to retrieve client_id and scopes for the approval dialog is this code snippet:
 
... 
:confirm, :locals => {:client_id => confirmation_info["auth_request"]["authorizationParameters"]["client_id"], \ 
                      :scopes => confirmation_info["auth_request"]["authorizationParameters"]["scope"]) 
...

I made tests with UAA that is part of CloudFoundry v197, and I could not see an "authorizationParameters" property in the "auth_request" at all. This is the response I got:

{
    "message": "To confirm or deny access POST to the following locations with the parameters requested.",
    "scopes": [{
        "text": "Access your data with scope 'openid'",
        "code": "scope.openid"
    }],
    "undecided_scopes": [{
        "text": "Access your data with scope 'openid'",
        "code": "scope.openid"
    }],
    "client": {
        "scope": ["openid"],
        "client_id": "testconfirm",
        "resource_ids": ["none"],
        "authorized_grant_types": ["authorization_code",
        "refresh_token"],
        "authorities": ["openid"]
    },
    "auth_request": {
        "clientId": "testconfirm",
        "scope": ["openid"],
        "requestParameters": {
            "username": "smolny",
            "response_type": "code",
            "scope": "openid",
            "source": "login",
            "redirect_uri": "https://login.10.244.0.34.xip.io/UAALoginServerWAR/logout.jsp",
            "external_scopes": "",
            "origin": "uaa",
            "state": "d495df1a-0ae3-4e0e-8ab1-d77ee10b2f2e763d4d55-c8f6-4978-8232-1d69c855e1bb",
            "client_id": "testconfirm"
        },
        "approvalParameters": {
           
        },
        "state": "d495df1a-0ae3-4e0e-8ab1-d77ee10b2f2e763d4d55-c8f6-4978-8232-1d69c855e1bb",
        "responseTypes": ["code"],
        "resourceIds": ["testconfirm",
        "openid"],
        "authorities": [{
            "authority": "openid"
        }],
        "approved": false,
        "redirectUri": "https://login.10.244.0.34.xip.io/UAALoginServerWAR/logout.jsp",
        "extensions": {
           
        }
    },
    "redirect_uri": "https://login.10.244.0.34.xip.io/UAALoginServerWAR/logout.jsp",
    "denied_scopes": [],
    "approved_scopes": [],
    "client_id": "testconfirm",
    "options": {
        "deny": {
            "location": "http://uaa.10.244.0.34.xip.io/oauth/authorize",
            "value": "false",
            "path": "/oauth/authorize",
            "key": "user_oauth_approval"
        },
        "confirm": {
            "location": "http://uaa.10.244.0.34.xip.io/oauth/authorize",
            "value": "true",
            "path": "/oauth/authorize",
            "key": "user_oauth_approval"
        }
    }
}

In the documentation [2], only the "auth_request" property is mentioned, but there are no details on that property documented at all. I am sure that this property was part of the response in the past; unfortunately, I cannot say exactly when that changed.
My questions:
  1. When was "authorizationParameters" removed from "auth_request"? Was it introduced due to Spring Security OAuth2 v2?

  2. Should it be part of the response? If yes, could we get some documentation in [2] for that part. If no, we should likely update the login server sample or at least add a comment for this fact?

  3. client_id, redirect_uri and scopes are in this response in many places. Which is the "correct" place to take those values from? According to [2] ("...prepended with "scope." to facilitate i18n lookups..."), it seems like scopes.code would be the correct place to get scopes. Is this correct? What would be the right place for the remaining parameters?

Thanks for all your help in advance!


[1] https://github.com/cloudfoundry/uaa/blob/master/samples/login/login.rb
[2] https://github.com/cloudfoundry/uaa/blob/master/docs/UAA-APIs.rst#authorization-step-1-initial-authorization-request
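As an added illustration of the third question (it is not part of the original post, nor code from the UAA project or its login.rb sample), the following Ruby reads a cut-down copy of the approval response quoted above and pulls out the values an approval dialog needs. It takes the top-level "client_id", "redirect_uri" and "scopes[].code" as the primary source, but also collects the same fields from "client", "auth_request" and "auth_request.requestParameters" (falling back to "authorizationParameters" when that older key is present) and refuses to render the dialog if those copies disagree, which is the check a Login Server implementer would want rather than silently picking one. The confirm and deny form bodies are built only from the "options" block the response itself supplies. The SAMPLE_RESPONSE constant is constructed for the example, trimmed from the post's JSON; the helper names are my own.

```ruby
require 'json'

# Constructed sample: cut down from the approval response quoted in the post
# above. It is not output captured from a live UAA.
SAMPLE_RESPONSE = <<~'JSON'
  {
    "message": "To confirm or deny access POST to the following locations with the parameters requested.",
    "scopes": [{"text": "Access your data with scope 'openid'", "code": "scope.openid"}],
    "undecided_scopes": [{"text": "Access your data with scope 'openid'", "code": "scope.openid"}],
    "client": {"scope": ["openid"], "client_id": "testconfirm"},
    "auth_request": {
      "clientId": "testconfirm",
      "scope": ["openid"],
      "requestParameters": {
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": "https://login.10.244.0.34.xip.io/UAALoginServerWAR/logout.jsp",
        "client_id": "testconfirm"
      },
      "approved": false,
      "redirectUri": "https://login.10.244.0.34.xip.io/UAALoginServerWAR/logout.jsp"
    },
    "redirect_uri": "https://login.10.244.0.34.xip.io/UAALoginServerWAR/logout.jsp",
    "client_id": "testconfirm",
    "options": {
      "deny":    {"location": "http://uaa.10.244.0.34.xip.io/oauth/authorize", "value": "false", "path": "/oauth/authorize", "key": "user_oauth_approval"},
      "confirm": {"location": "http://uaa.10.244.0.34.xip.io/oauth/authorize", "value": "true",  "path": "/oauth/authorize", "key": "user_oauth_approval"}
    }
  }
JSON

# Every place the response can carry `field` (snake_case at the top level and
# under "client", camelCase under "auth_request", snake_case again inside the
# request parameters). "authorizationParameters" is only consulted as a
# fallback for the older key named in the login.rb sample; that fallback is
# an assumption of this example, not documented UAA behaviour.
def candidates(info, field)
  auth_request = info['auth_request'] || {}
  params = auth_request['requestParameters'] || auth_request['authorizationParameters'] || {}
  camel = { 'client_id' => 'clientId', 'redirect_uri' => 'redirectUri' }.fetch(field)
  [info[field], (info['client'] || {})[field], auth_request[camel], params[field]].compact.uniq
end

# Values for the approval dialog. Raises if the copies of client_id or
# redirect_uri in the response disagree, so a dialog is never shown for a
# client other than the one the user is actually approving.
def approval_view(info)
  ids  = candidates(info, 'client_id')
  uris = candidates(info, 'redirect_uri')
  raise ArgumentError, "conflicting client_id values: #{ids.inspect}" unless ids.size == 1
  raise ArgumentError, "conflicting redirect_uri values: #{uris.inspect}" unless uris.size == 1
  # "scopes[].code" is the documented, "scope."-prefixed i18n key; strip the
  # prefix to get the bare scope name for display.
  scopes = (info['scopes'] || []).map { |s| s['code'].to_s.sub(/\Ascope\./, '') }
  { client_id: ids.first, redirect_uri: uris.first, scopes: scopes }
end

# Form body and target for the user's decision, taken from "options" so the
# Login Server does not hard-code the UAA parameter name or endpoint.
def decision_post(info, decision)
  opt = info.fetch('options').fetch(decision.to_s)
  { location: opt.fetch('location'), params: { opt.fetch('key') => opt.fetch('value') } }
end

if __FILE__ == $0
  info = JSON.parse(SAMPLE_RESPONSE)
  p approval_view(info)
  p decision_post(info, :confirm)
end
```

The consistency check is deliberately strict: a response where "auth_request.requestParameters.client_id" differs from the top-level "client_id" is treated as an error rather than resolved by preference order.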