如何让UAA返回带有附加范围的JWT，例如短读

Question

我计划使用UAA作为我的客户经理。我现在需要访问其他用户的详细信息，但是当我打到uaa的Request端点时，我会收到401未经授权的错误。

我尝试按照API文档中的建议访问端点 https://speakerdeck.com/heahdude/symfony-forms-use-cases-and-optimization

由于它要求范围包含GET /Users，因此我将其添加到了用户

scim.read

但是当我拨打电话时，我得到401

这是我的uaa.yml

$uaac user add user1 -p user1 --emails user1@test.com
$uaac member add scim.read user1

还有我的应用程序的application.yaml

oauth:
  user:
    authorities:
      - openid
      - scim.me
      - password.write
      - scim.userids
      - uaa.user
      - approvals.me
      - oauth.approvals
  clients:
    sample_resource:
      name: Mixed Messages
      secret: samplesecret
      authorized-grant-types: authorization_code
      scope: openid,profile,email,messages,contacts,phone,roles,user_attributes,scim.read
      authorities: uaa.resource
      redirect-uri: http://localhost:8090/login/oauth2/code/localuaa,http://localhost:8080
    admin:
      secret: adminsecret
      authorized-grant-types: client_credentials
      authorities: contacts
    expired:
      secret: secret
      access-token-validity: 1
      authorized-grant-types: client_credentials
      scope: contacts

当我查看UAA返回的访问令牌（jwt）时，我希望看到范围内的# Local instance of UAA spring.security.oauth2.client.provider.localuaa.issuer-uri: http://localhost:8080/uaa/oauth/token resource.uaa-base-uri: http://localhost:8080/uaa spring.security.oauth2.client.registration.localuaa.client-id: sample_resource spring.security.oauth2.client.registration.localuaa.client-secret: samplesecret ，但事实并非如此。

根据https://github.com/cloudfoundry/uaa/blob/develop/docs/UAA-APIs.rst#query-for-information-get-users，范围应包含用户组和客户端范围的交集。

scim.read

更新： 我意识到客户提出了要求

{
  "sub": "476849cb-d975-4fb7-979f-acd8fc05f6db",
  "aud": [
    "sample_resource"
  ],
  "iss": "http://localhost:8080/uaa/oauth/token",
  "exp": 1560849541,
  "iat": 1560806341,
  "amr": [
    "pwd"
  ],
  "azp": "sample_resource",
  "scope": [
    "openid"
  ],
  "email": "user1@test.com",
  "zid": "uaa",
  "origin": "uaa",
  "jti": "b8111a33a8c34f09a14942c70e797a95",
  "email_verified": true,
  "client_id": "sample_resource",
  "cid": "sample_resource",
  "grant_type": "authorization_code",
  "user_name": "user1",
  "rev_sig": "efb7c4c8",
  "user_id": "476849cb-d975-4fb7-979f-acd8fc05f6db",
  "auth_time": 1560806338
}

使用默认http://localhost:8080/uaa/oauth/authorize?response_type=code&client_id=sample_resource&scope=openid%20profile%20email%20phone%20roles%20user_attributes&state=2BeBQtOJieu-A_3FfurWqjma_AJ3jsQcrpTgxtrDJqo%3D&redirect_uri=http://localhost:8090/login/oauth2/code/localuaa 中定义的范围 https://docs.cloudfoundry.org/uaa/uaa-concepts.html#scopes 这似乎覆盖了已注册客户端中的范围配置。