Missing external Scopes when assertion is used in /oauth/token request #3213

Open
gryffindor-001 opened this issue Jan 2, 2025 · 0 comments

gryffindor-001 commented Jan 2, 2025

SECURITY NOTICE: If you have found a security problem in the UAA, please do not file a public github issue. Instead, please send an email to [email protected]

Thanks for taking the time to file an issue. You'll minimize back and forth and help us help you more effectively by answering all of the following questions as specifically and completely as you can.

What version of UAA are you running?

76.31.0

What output do you see from curl <YOUR_UAA>/info -H'Accept: application/json'?

{
    "app": {
        "version": "76.31.0"
    },
    "showSelfServiceLinks": false,
    "links": {
        "uaa": "https://xxxx/uaa",
        "passwd": "/forgot_password",
        "login": "https://xxxx/uaa",
        "register": "/create_account"
    },
    "zone_name": "uaa",
    "entityID": "https://xxxx/uaa/saml/metadata",
    "commit_id": "------",
    "idpDefinitions": {},
    "prompts": {
        "username": [
            "text",
            "User Identifier"
        ],
        "password": [
            "password",
            "Password"
        ]
    },
    "timestamp": "2024-11-29T02:03:14+0530"
}

How are you deploying the UAA?

I am deploying the UAA

  • locally only using gradlew

What did you do?

Requested a token for an ldap user using https://{{hostname}}:{{uaa_port}}/uaa/oauth/token and the following parameters as body

client_id:client_id
client_secret:secret
grant_type:password
token_format:jwt
username:[email protected]
password:password
response_type:token

Then using the access_token obtained from above, requested another token using https://{{hostname}}:{{uaa_port}}/uaa/oauth/token with:

client_id:client_id
client_secret:secret
token_format:jwt
grant_type:urn:ietf:params:oauth:grant-type:jwt-bearer
assertion:{{user_token}}
response_type:token id_token

What did you expect to see? What goal are you trying to achieve with the UAA?

Expected to see a new token with all the scopes for the user.

What did you see instead?

For an LDAP user, the token obtained from the assertion (second API request) call is missing external scopes. The token only contains default scopes. For a UAA user the flow worked perfectly and the second token had all the scopes (default and any additional scopes given), but for an LDAP/domain user the external scopes were missing.

[screenshot: scopes granted when the first token is requested]

[screenshot: scopes granted when assertion=user_token was used]

Here, scada.test1.abc is not a default scope, and it is missing when assertion=user_token is passed in the body instead of the user's username and password.

Please include UAA logs if available.
uaa.log
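The following is an added example, not code from the issue author or from the UAA project. It captures the two request bodies described above as plain dicts (the client_id, client_secret, username and password values are placeholders) and adds the check a practitioner would want when comparing the two tokens: decode the `scope` claim of each JWT and report which scopes the jwt-bearer token lost relative to the password-grant token. The sample tokens in the `__main__` block are constructed, unsigned (`alg: none`) test tokens whose scope lists are assumptions made for the demo; the decoder deliberately does not verify signatures, so it is a diagnostic for comparing claims, not a validation step.

```python
import base64
import json


# Form body for the first /oauth/token call (password grant), as in the report.
# All argument values are placeholders supplied by the caller, not real credentials.
def password_grant_body(client_id, client_secret, username, password):
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "password",
        "token_format": "jwt",
        "username": username,
        "password": password,
        "response_type": "token",
    }


# Form body for the second call (JWT bearer grant), using the first access_token
# as the assertion, exactly as the report describes.
def jwt_bearer_body(client_id, client_secret, assertion):
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "token_format": "jwt",
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "assertion": assertion,
        "response_type": "token id_token",
    }


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore the padding first.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def jwt_payload(token):
    # Diagnostic only: reads the claims WITHOUT checking the signature.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def scope_claim(token):
    # Returns the token's scopes as a set. UAA emits a JSON array; a
    # space-delimited string form is also accepted for other issuers.
    scope = jwt_payload(token).get("scope", [])
    if isinstance(scope, str):
        scope = scope.split()
    return set(scope)


def missing_scopes(first_token, second_token):
    # Scopes present in the password-grant token but absent from the
    # jwt-bearer token. An empty set means the exchange preserved every scope.
    return scope_claim(first_token) - scope_claim(second_token)


def make_unsigned_jwt(claims):
    # Builds a constructed test token ("alg": "none", empty signature) so the
    # comparison can be exercised offline. A real UAA token is signed and must
    # be verified against the UAA's keys before its claims are trusted.
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode("utf-8")
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


if __name__ == "__main__":
    # Constructed sample claims mirroring the report: the first token carries
    # the non-default scope scada.test1.abc, the second one does not.
    first = make_unsigned_jwt({"sub": "ldap-user", "origin": "ldap",
                               "scope": ["openid", "scada.test1.abc"]})
    second = make_unsigned_jwt({"sub": "ldap-user", "origin": "ldap",
                                "scope": ["openid"]})
    print("jwt-bearer token lost scopes:", sorted(missing_scopes(first, second)))
```

To run this against a live UAA, post `password_grant_body(...)` and then `jwt_bearer_body(..., assertion=<first access_token>)` as form-encoded bodies to `/oauth/token`, and feed the two returned `access_token` values to `missing_scopes`; a non-empty result reproduces the behaviour reported for LDAP users.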
