我计划使用UAA作为我的客户经理。我现在需要访问其他用户的详细信息,但是当我打到uaa的Request
端点时,我会收到401未经授权的错误。
我尝试按照API文档中的建议访问端点 https://speakerdeck.com/heahdude/symfony-forms-use-cases-and-optimization
由于它要求范围包含GET /Users
,因此我将其添加到了用户
scim.read
但是当我拨打电话时,我得到401
这是我的uaa.yml
$uaac user add user1 -p user1 --emails user1@test.com
$uaac member add scim.read user1
还有我的应用程序的application.yaml
oauth:
user:
authorities:
- openid
- scim.me
- password.write
- scim.userids
- uaa.user
- approvals.me
- oauth.approvals
clients:
sample_resource:
name: Mixed Messages
secret: samplesecret
authorized-grant-types: authorization_code
scope: openid,profile,email,messages,contacts,phone,roles,user_attributes,scim.read
authorities: uaa.resource
redirect-uri: http://localhost:8090/login/oauth2/code/localuaa,http://localhost:8080
admin:
secret: adminsecret
authorized-grant-types: client_credentials
authorities: contacts
expired:
secret: secret
access-token-validity: 1
authorized-grant-types: client_credentials
scope: contacts
当我查看UAA返回的访问令牌(jwt)时,我希望看到范围内的# Local instance of UAA
spring.security.oauth2.client.provider.localuaa.issuer-uri: http://localhost:8080/uaa/oauth/token
resource.uaa-base-uri: http://localhost:8080/uaa
spring.security.oauth2.client.registration.localuaa.client-id: sample_resource
spring.security.oauth2.client.registration.localuaa.client-secret: samplesecret
,但事实并非如此。
根据https://github.com/cloudfoundry/uaa/blob/develop/docs/UAA-APIs.rst#query-for-information-get-users,范围应包含用户组和客户端范围的交集。
scim.read
更新: 我意识到客户提出了要求
{
"sub": "476849cb-d975-4fb7-979f-acd8fc05f6db",
"aud": [
"sample_resource"
],
"iss": "http://localhost:8080/uaa/oauth/token",
"exp": 1560849541,
"iat": 1560806341,
"amr": [
"pwd"
],
"azp": "sample_resource",
"scope": [
"openid"
],
"email": "user1@test.com",
"zid": "uaa",
"origin": "uaa",
"jti": "b8111a33a8c34f09a14942c70e797a95",
"email_verified": true,
"client_id": "sample_resource",
"cid": "sample_resource",
"grant_type": "authorization_code",
"user_name": "user1",
"rev_sig": "efb7c4c8",
"user_id": "476849cb-d975-4fb7-979f-acd8fc05f6db",
"auth_time": 1560806338
}
使用默认http://localhost:8080/uaa/oauth/authorize?response_type=code&client_id=sample_resource&scope=openid%20profile%20email%20phone%20roles%20user_attributes&state=2BeBQtOJieu-A_3FfurWqjma_AJ3jsQcrpTgxtrDJqo%3D&redirect_uri=http://localhost:8090/login/oauth2/code/localuaa
中定义的范围
https://docs.cloudfoundry.org/uaa/uaa-concepts.html#scopes
这似乎覆盖了已注册客户端中的范围配置。