Cannot create resources in an identity zone when you login with ID zone client credentials #751

@2d65

uaa-test.zip

As the title states, I can't seem to create a user in an identity zone when I use the Java client and log in with identity-zone-specific credentials. The request fails with bad credentials.

Steps to reproduce:

  1. Log in to UAA with UAA admin client creds

  2. Create ID zone

  3. Create admin client creds for that ID zone

  4. Log in to UAA with identity zone client creds

  5. Create users in the ID zone

  6. Create groups in ID zone

I cannot get steps 4+ to work with the Java client. From my limited understanding and from looking at the code, debugging, etc., login calls are directed to the endpoint specified in /v2/info (login.system.example.com). My zone credentials reside in a "zone bucket" and are not present in login.system.example.com, so the error seems to make sense.

Using uaac, I can target my identity zone and create resources using my zone credentials.
Ex:
uaac target <my-id-zone-subdomain>.login.system.example.com

I've attached a test case that captures the behavior.
