Skip to content
Switch branches/tags


Failed to load latest commit information.
Latest commit message
Commit time

UAA Extras Code Climate

This application recreates the invite functionality that previously existed in UAA by using the /invite_users API endpoint.

Installing the App

Step One: Determine the URL for your instance of UAA Extras

You'll need to know where the app is going to be hosted, so you can tell UAA about it in the next step.

For example, if you'll be deploying into Cloudfoundry on BOSH-lite your url would probably be

Step Two: Create a client in UAA for this app

This application uses oauth to perform actions on your behalf in UAA. To add a new oauth client in UAA, run the following command:

uaac client add uaa_extras_app --name "UAA Extras" --scope "scim.invite,password.write" --authorized_grant_types "client_credentials,authorization_code" --authorities ",uaa.admin,password.write" --redirect_uri [url-from-step-one]/oauth/login -s [your-client-secret]

Remember the client-secret, you'll need it in step four.

If you are doing this within an already existing cloudfoundry deployment, you might want to create the user by editing your cf deployment with an opsfile like

Step Three: Create redis service instance

Either create a locally running version of Redis, or create a service instance in Cloud Foundry if the app will be deployed there.


cf create-service redis32 standard-ha redis-accounts

Step Four: Configure the app

The configuration is entirely read from environment variables. Edit the manifest.yml files and update your settings as neccessary. Download a copy of and place into uaaextras/static

Step Five: Launch the app

Running in Cloud Foundry

This app was designed to deploy in Cloud Foundry:

cf push
Local Development

This project uses a to install dependencies. Run the following command to get started with development.

python install

If you run into an issue with psycopg2 and you're working on a Mac running Catalina or higher, make sure you've done the following:

  • brew install postgresql@12 and add the location to your path
  • brew install openssl@1.1 and add the location to your path

Note that psycopg2 currently doesn't support PostgreSQL 13.x (, and PostgreSQL 13.x isn't available in AWS GovCloud yet, either.

Then export two environment variables in your current shell session:

  • export LDFLAGS="-L/usr/local/opt/openssl/lib"
  • export CPPFLAGS="-I/usr/local/opt/openssl/include"

To get a local server up, run the following command. Make sure you properly setup the environment variables mentioned above in the documentation.


Configuring UAA Invites to leverage IdP

Because of the redirect that occurs for setting up multi-factor authentication, the IDP_PROVIDER_URL must match what is coming from the UAA login screen under login button

A bit on the /first-login route

The /first-login route is used to redirect users with an origin of to the IdP provider. This route is used to set the user's origin to and the externalId to their userName. On a successful update of the user, cg-uaa-extras will redirect to the IDP_PROVIDER_URL to complete the user's authentication and TOTP token creation. This is why the URL from the screenshot above is necessary for the IDP_PROVIDER_URL.

Running tests

Tests are run using tox and flake8.

pip install tox

To run the tests, simply run tox from the root of the repository. If you run into the same psycopg2 setup issue as noted above in local development, make sure you've followed the same steps and add the following line to each env setting in the tox.ini file:

setenv = LDFLAGS = "-L/usr/local/opt/openssl/lib"


This repository leverages Concourse. The configuration files all reside in the ci/ directory. All pull requests should have staging as a base branch which will automatically trigger a deployment for the staging job. Once development is stable on staging, create a new pull request promoting all the changes on staging to master to deploy the application in the production environment.


This application provides for platform invitations using the /invite_users UAA API endpoint and allowing password resets for IdP users




No packages published