ef5e0de @dsyer CFID-190: document security meta data and bootstraps
dsyer authored
# UAA Security Features and Configuration

It is the responsibility of a Resource Server to extract information
about the user and client application from the access token and make
an access decision based on that information. This guide will help
authors of Resource Servers and maintainers of client and user account
data to understand the range of information available and the kinds of
decisions that can be taken. The UAA itself is a Resource Server, so
the access decisions taken by the UAA are used as an example.

- [UAA Security Features and Configuration](#uaa-security-features-and-configuration)
- [User Accounts](#user-accounts)
  - [Security Metadata](#security-metadata)
  - [Bootstrap](#bootstrap)
  - [Account lockout policy](#account-lockout-policy)
- [OAuth Client Applications](#oauth-client-applications)
  - [Security Metadata](#security-metadata)
  - [Bootstrap](#bootstrap)
  - [Demo Environment](#demo-environment)
  - [VCAP Dev Setup](#vcap-dev-setup)
- [Token Scope Rules](#token-scope-rules)
  - [User Tokens](#user-tokens)
  - [Client Tokens](#client-tokens)
- [UAA Resources](#uaa-resources)
  - [Token Management](#token-management)
  - [Client Registration](#client-registration)
  - [Client Secret Management](#client-secret-management)
  - [Password Change](#password-change)
  - [User Account Management](#user-account-management)
  - [Username from ID Queries](#username-from-id-queries)
  - [User Profiles](#user-profiles)
  - [Groups & Membership Management](#groups--membership-management)
  - [Token Resources for Providers](#token-resources-for-providers)
  - [Management Information](#management-information)
  - [Login Prompts](#login-prompts)

## User Accounts

### Security Metadata

User accounts are either of type "user" or type "admin" (using the
SCIM `type` field from the core schema). These translate into granted
authorities, `[uaa.user]` or `[uaa.admin,uaa.user]` respectively, for
the purposes of access decisions within the UAA (i.e. admin users also
have the user role). Granted authorities are not directly visible to
Resource Servers, but they show up as scopes in the access tokens.

Resource Servers may choose to use this information as part of an
access decision, and this may be good enough for simple use cases
(e.g. users belong to a small number of relatively static roles), but
in general they will need to maintain their own access decision data
since roles on UAA don't necessarily correspond to the same thing on a
Resource Server.

Support for SCIM groups is currently provided only through the
authorities attribute of the user object. Resource Servers that are
also SCIM clients can modify this attribute themselves, but if the data
don't change much it might be better (and safer) to have an admin
user or client do the role assignments. In any case it is recommended
that Resource Servers have sensible defaults for new users that have
not yet been assigned a role.

### Bootstrap

There are 2 distinct scenarios:

1. Demo or test with vanilla code and no special environment. A UAA
   service started with no active Spring profile will initialize a single
   user account (marissa/koala).

2. A `vcap` environment: integration testing or in production. If the
   service starts with any active Spring profile, by default it will not
   touch the user database. The SCIM endpoints can be used to provision
   user accounts, once a client with the correct privileges has been
   registered.

In either case additional user accounts and client registrations can
be bootstrapped at start up by providing some data in `uaa.yml`.
Example users:

    scim:
      users:
        - paul|wombat|paul@test.org|Paul|Smith|uaa.admin
        - stefan|wallaby|stefan@test.org|Stefan|Schmidt

The format for the user is
`username|password|email|first_name|last_name(|comma-separated-authorities)`.
Remember that authorities are represented as groups in SCIM.

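As an added example (not UAA's own code), the following Python parses `scim.users` bootstrap entries in the format just described and validates the field count before any account is created. The `BootstrapUser` record shape, the e-mail sanity check and the empty authority list for a five-field entry are assumptions of the example, not documented UAA behaviour.

```python
# Added example, not UAA's own code: parse `scim.users` bootstrap entries.
from dataclasses import dataclass, field
from typing import List


@dataclass
class BootstrapUser:
    """One bootstrapped account; the record shape is an assumption of this example."""
    username: str
    password: str
    email: str
    first_name: str
    last_name: str
    # Authorities are SCIM group names (e.g. `uaa.admin`); an entry without
    # the sixth field gets none here.
    authorities: List[str] = field(default_factory=list)


def parse_bootstrap_user(line: str) -> BootstrapUser:
    """Parse one `username|password|email|first_name|last_name(|authorities)` line.

    Raises ValueError on a malformed entry so a bad uaa.yml fails loudly at
    start up instead of silently creating a half-configured account.
    """
    parts = [p.strip() for p in line.split("|")]
    if len(parts) not in (5, 6):
        raise ValueError(f"expected 5 or 6 '|'-separated fields, got {len(parts)}: {line!r}")
    username, password, email, first_name, last_name = parts[:5]
    if not username or not password:
        raise ValueError(f"username and password must be non-empty: {line!r}")
    if "@" not in email:
        raise ValueError(f"email does not look like an address: {email!r}")
    authorities: List[str] = []
    if len(parts) == 6:
        authorities = [a.strip() for a in parts[5].split(",") if a.strip()]
    return BootstrapUser(username, password, email, first_name, last_name, authorities)


def parse_bootstrap_users(lines) -> List[BootstrapUser]:
    """Parse every entry of a `scim.users` list, rejecting duplicate usernames."""
    users = []
    seen = set()
    for line in lines:
        user = parse_bootstrap_user(line)
        if user.username in seen:
            raise ValueError(f"duplicate bootstrap user {user.username!r}")
        seen.add(user.username)
        users.append(user)
    return users


# Constructed sample: the two entries shown in the text.
SAMPLE_USERS = [
    "paul|wombat|paul@test.org|Paul|Smith|uaa.admin",
    "stefan|wallaby|stefan@test.org|Stefan|Schmidt",
]

if __name__ == "__main__":
    for u in parse_bootstrap_users(SAMPLE_USERS):
        print(u.username, u.authorities)
```

Rejecting an entry with the wrong number of fields matters more than it looks: a missing `|` would otherwise shift the password into the e-mail column and the e-mail into the name, and the account would still be created.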
### Account lockout policy

In its default configuration, the UAA does not lock accounts permanently
when a user repeatedly fails authentication. Instead it temporarily locks a
user out for a short period (5 minutes by default) after 5 failed logins
within the previous hour. The failure count is reset when a user
successfully authenticates.

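An added example, not UAA's own implementation, of the lockout behaviour described above: a sliding-window counter with the defaults from the text (5 failures, one-hour window, 5-minute lock), with the clock passed in explicitly so the logic can be checked deterministically. Clearing the failure history when a lock is imposed, and the `attempt_login` return vocabulary, are assumptions of the example.

```python
# Added example, not UAA's own code: sliding-window account lockout.
from collections import defaultdict, deque


class LockoutPolicy:
    """Temporary lockout: `max_failures` failed logins within `window_seconds`
    lock the account for `lockout_seconds`; a successful login clears the count.
    Defaults are the ones stated in the text."""

    def __init__(self, max_failures=5, window_seconds=3600, lockout_seconds=300):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self._failures = defaultdict(deque)  # username -> failure timestamps
        self._locked_until = {}              # username -> time the lock expires

    def is_locked(self, username, now):
        until = self._locked_until.get(username)
        return until is not None and now < until

    def _prune(self, username, now):
        """Drop failures older than the window so only the last hour counts."""
        q = self._failures[username]
        while q and now - q[0] > self.window_seconds:
            q.popleft()

    def record_failure(self, username, now):
        """Count a failed login; returns True if the account is now locked."""
        self._prune(username, now)
        self._failures[username].append(now)
        if len(self._failures[username]) >= self.max_failures:
            self._locked_until[username] = now + self.lockout_seconds
            # Assumption of this example: the count starts fresh once a lock is
            # imposed, so the next lock again needs `max_failures` new failures.
            self._failures.pop(username, None)
            return True
        return False

    def record_success(self, username, now):
        """A successful authentication resets the failure count."""
        self._failures.pop(username, None)
        self._locked_until.pop(username, None)

    def attempt_login(self, username, credentials_ok, now):
        """Gate an authentication attempt. Returns "locked", "ok" or "failed".
        A locked account rejects even correct credentials, so guessing yields
        no signal about the password while the lock holds."""
        if self.is_locked(username, now):
            return "locked"
        if credentials_ok:
            self.record_success(username, now)
            return "ok"
        return "locked" if self.record_failure(username, now) else "failed"
```

Checking the lock before evaluating the credentials is the important ordering: the lock applies to the account, not to wrong answers, so a correct password during the lock period still returns "locked".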
## OAuth Client Applications

### Security Metadata

Client application metadata can be used by Resource Servers to make
an access decision, and by the Authorization Server (the UAA itself)
to decide whether to grant an access token.

Scope values are arbitrary strings, but are a contract between a
client and a Resource Server, so in cases where UAA acts as a Resource
Server there are some "standard" values (`scim.read`, `scim.write`,
`password.write`, `openid`, etc.) whose usage and meaning is
described below. Scopes are used by the Authorization Server to deny
a token requested for a scope not on the list, and should be used by a
Resource Server to deny access to a resource if the token has
insufficient scope.

UAA client applications have the following metadata (some fields are
optional, but to prevent mistakes it is usually better to use a
default value):

* authorized-grant-types: a comma-separated list of OAuth2 grant
  types, as defined in the spec: choose from `client_credentials`,
  `password`, `implicit`, `refresh_token`, `authorization_code`. Used
  by the Authorization Server to deny a token grant if it is not on
  the list. If in doubt use `authorization_code` and `refresh_token`.
* scope: a list of permitted scopes for this client to obtain on
  behalf of a user (so not relevant to `client_credentials` grants).
  Also used as the default scopes for a token where the client does
  not explicitly specify scopes in the authorization request.
* authorities: a list of granted authorities for the client
  (e.g. `uaa.admin` or any valid scope value). The authorities are
  used to define the default scopes that are assigned to a token in a
  `client_credentials` grant, and to limit the legal values if
  explicit scopes are requested in that case.
* secret: the shared secret used to authenticate token grant requests
  and token decoding operations (not revealed to Resource Servers).
* resource-ids: white list of resource ids to be included in the
  decoded tokens granted to this client. The UAA does not store any
  data here (it should be `none` for all clients), but instead creates
  a list of resource ids dynamically from the scope values when a
  token is granted. The resource id is extracted from a scope using a
  period separator (the last occurrence in the string) except for some
  standard values (e.g. `openid`) that are not controlled by the UAA
  or its own resources. So a scope of `cloud_controller.read` is
  assigned a resource id of `cloud_controller`, for instance.

### Bootstrap

Client registration can be initialized by adding client details data
to `uaa.yml`. The UAA always starts with a registered `admin` client.
There are 2 typical scenarios for additional client registration
bootstraps:

1. Demo or test with vanilla code and no custom `uaa.yml`. A UAA
   service started with no active Spring profile will start with some
   client registrations (used in samples to make the out-of-the-box
   experience for new users as convenient as possible). More clients and
   user accounts will be created by the integration tests.

2. A `vcap` environment: integration testing or in production. By
   default no clients are created if any Spring profile is active, but
   client registrations can be configured in `uaa.yml`, and in some
   well-known situations this will happen. In particular, the
   `dev_setup` environment and the CF.com deployment job both start up
   with additional client registrations that are needed by the basic
   Cloud Foundry use cases (`cf` and `cloud_controller`). If the `vcap`
   Spring profile is active in the integration tests, no additional
   accounts will be created.

Clients are bootstrapped from config if they are not present in the
backend when the system starts up (i.e. once the system has started up
once, config changes will not affect the client registrations for
existing clients). Certain fields (e.g. secret) can be reset if the
bootstrap component is configured to do so (it is not by default).

The `admin` client has the following properties (in the default
`uaa.yml` always present on the classpath, but overridable by
specifying all the values again in a custom config file):

    id: admin
    secret: adminsecret
    authorized-grant-types: client_credentials
    scope: none
    authorities: uaa.admin,clients.read,clients.write,clients.secret

The admin client can be used to bootstrap the system by adding
additional clients. In particular, user accounts cannot be
provisioned until a client with access to the `scim` resource is
added.

### Demo Environment

The default Spring profile initializes 3 clients in addition to the
`admin` client, e.g. if the server is started from the command line
after a fresh clone from github for demo purposes:

    cf:
      id: cf
      authorized-grant-types: implicit
      scope: cloud_controller.read,cloud_controller.write,openid,password.write
      authorities: uaa.none
      resource-ids: none
    app:
      id: app
      secret: appclientsecret
      authorized-grant-types: password,authorization_code,refresh_token
      scope: cloud_controller.read,cloud_controller.write,openid,password.write,tokens.read,tokens.write
      authorities: uaa.none
      resource-ids: none

### VCAP Dev Setup

In `dev_setup` these client accounts (in addition to the `admin`
client) are initialized:

    cloud_controller:
      authorized-grant-types: client_credentials
      scope: none
      authorities: scim.read,scim.write,password.write,tokens.read,tokens.write
      id: cloud_controller
      secret: ...
      resource-ids: none
    cf:
      id: cf
      authorized-grant-types: implicit
      scope: cloud_controller.read,cloud_controller.write,openid,password.write
      authorities: uaa.none
      resource-ids: none
      redirect-uri: http://uaa.cloudfoundry.com/redirect/cf

The cloud controller secret is generated during the setup. The same
clients are initialized in CF.com, but the secret is different.
Additional clients can be added during start up using `uaa.yml`, e.g.

    oauth:
      clients:
        cf:
          authorized-grant-types: implicit
          scope: cloud_controller.read,cloud_controller.write,password.write,openid
          authorities: uaa.none
          id: cf
          resource-ids: none
          redirect-uri: http://uaa.cloudfoundry.com/redirect/cf

## Token Scope Rules

When a client application asks for a new access token it can
optionally provide a set of requested scopes (space separated,
e.g. `scope=openid cloud_controller.read`). The UAA will use that set
if provided, and that will be the scope of the token if
granted. Otherwise, if no explicit value is requested, defaults will
be supplied according to what the client and user are allowed to do.
The rules governing the defaults and what is allowed are described
next.

### User Tokens

A token granted on behalf of a user (grant type anything except
`client_credentials`) takes its default scopes from the `scope` field
of the client registration. Whether or not the default values are
used, the requested scopes are then validated:

* The user's authorities (SCIM groups) are augmented with some static
  values, configurable but defaulting to
  `[openid, cloud_controller.read, cloud_controller.write]`.
* Allowed scopes consist of the intersection of the client scope and
  the augmented user authorities.
* Disallowed scopes are removed from the request.
* If all the requested scopes are disallowed then clients get a 400
  response with a JSON error message indicating the allowed values (for
  implicit grants it should be a 302 according to the OAuth2 spec, but
  that change hasn't been implemented yet). The exception to that rule
  is for clients with no registered scopes (no error in that case), but
  there shouldn't be any such clients in a production system.

Note that the filtering of scopes by user authorities might mean that
a client gets a narrower-scoped token than it originally asked for,
e.g. if it asks for `scope=dash.admin dash.user openid`, the token
might come back with only `dash.user openid`. Tokens are opaque to
client applications, so they have to be prepared for resource servers
to deny access to some resources based on the scope of the token when
it is presented.

### Client Tokens

A token issued on a `client_credentials` grant has default and allowed
scopes equal to the client authorities. Requesting a disallowed scope
will result in a 400 response and an error message that indicates the
allowed scopes. A client would normally take the default scopes when
acting on its own behalf: since no approval is necessary there is no
point narrowing the scope.

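The user-token and client-token rules above, as an added example that is not UAA's code. Client registrations are plain dicts carrying the `scope` and `authorities` fields from the metadata section, the static augmentation set is the default quoted in the text, and the `InvalidScope` exception stands in for the 400 JSON response; those representations, and the constructed `DASH_CLIENT` registration, are assumptions of the example.

```python
# Added example, not UAA's own code: default and allowed scopes for user
# tokens and client tokens.
DEFAULT_USER_AUTHORITIES = frozenset({"openid", "cloud_controller.read", "cloud_controller.write"})


class InvalidScope(Exception):
    """Stands in for the 400 JSON error: carries the scopes the caller may request."""

    def __init__(self, allowed):
        self.status = 400
        self.allowed = sorted(allowed)
        super().__init__(f"invalid scope; allowed: {' '.join(self.allowed)}")


def parse_scope_param(value):
    """Split the space-separated `scope` request parameter; None/empty means 'use defaults'."""
    return [s for s in (value or "").split() if s] or None


def user_token_scopes(client, user_groups, requested=None, static=DEFAULT_USER_AUTHORITIES):
    """Scopes granted for any grant type except client_credentials."""
    client_scope = set(client.get("scope", []))
    # Defaults come from the client registration when nothing explicit is requested.
    requested = set(requested) if requested else client_scope
    # Allowed = client scope intersected with (user's SCIM groups + static augmentation).
    allowed = client_scope & (set(user_groups) | set(static))
    # Disallowed scopes are silently dropped rather than rejected.
    granted = requested & allowed
    if not granted and client_scope:
        # Everything was filtered out: 400 with the allowed values. Clients
        # with no registered scopes are the documented exception (no error).
        raise InvalidScope(allowed)
    return sorted(granted)


def client_token_scopes(client, requested=None):
    """Scopes granted on a client_credentials grant: defaults and limits are the authorities."""
    authorities = set(client.get("authorities", []))
    requested = set(requested) if requested else authorities
    if requested - authorities:
        # Unlike user tokens, any disallowed scope is an error, not filtered.
        raise InvalidScope(authorities)
    return sorted(requested)


# Constructed registrations in the shape of the uaa.yml examples.
DASH_CLIENT = {"scope": ["dash.admin", "dash.user", "openid"], "authorities": ["uaa.none"]}
ADMIN_CLIENT = {"scope": [], "authorities": ["uaa.admin", "clients.read", "clients.write", "clients.secret"]}
```

The asymmetry is the point worth noticing: a user token is narrowed quietly (so a client must read the scope it actually received), whereas a client token that asks for anything outside its authorities is refused outright.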
## UAA Resources

All OAuth2 protected resources have an id (as listed individually).
Any request whose token does not have a matching resource id (`aud`
field in decoded token) will be rejected. Resources that are not
OAuth2 protected resources do not have a resource id (e.g. those with
simple HTTP Basic authentication).

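An added example (not UAA's own code) covering two passages: the resource-id derivation from scope values described under the client `resource-ids` metadata, and the `aud` check just described. `STANDARD_SCOPES` holds only `openid`, the single example the text gives; the dict shape of the decoded token and the follow-on `required_scope` check a resource would make are assumptions of the example.

```python
# Added example, not UAA's own code: resource ids derived from scopes, and
# the audience check a Resource Server performs on a decoded token.
STANDARD_SCOPES = frozenset({"openid"})  # the only example the text gives; assumption beyond that


def resource_id_for_scope(scope):
    """Text before the last '.' is the resource id; standard values and
    period-less scopes are returned unchanged."""
    if scope in STANDARD_SCOPES or "." not in scope:
        return scope
    return scope.rsplit(".", 1)[0]


def audience_from_scopes(scopes):
    """The `aud` list the UAA would put in a token granted with these scopes."""
    return sorted({resource_id_for_scope(s) for s in scopes})


def check_resource_access(decoded_token, resource_id, required_scope=None):
    """Decision a Resource Server makes on a decoded token.

    Returns (allowed, reason). The resource-id check is the one described
    above; the scope check is the follow-on a resource makes with its own
    required scope (an assumption of this example).
    """
    if resource_id not in decoded_token.get("aud", []):
        return False, f"token audience does not include {resource_id!r}"
    if required_scope is not None and required_scope not in decoded_token.get("scope", []):
        return False, f"token lacks scope {required_scope!r}"
    return True, "ok"


def decoded_token_for(scopes, **claims):
    """Build a constructed decoded token (dict) with `aud` derived from the scopes."""
    token = {"scope": sorted(scopes), "aud": audience_from_scopes(scopes)}
    token.update(claims)
    return token
```

The audience check is cheap and should come first: a token for `cloud_controller` presented to the `scim` resource is rejected before any scope is inspected, which keeps a scope naming collision between two resources from ever reaching the scope decision.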
### Token Management

Resource ID = `tokens`. Rules:

* Revoke user token:
  * Token has scope `uaa.admin`, or
  * If token represents a user, the user is authenticated and is the owner
    of the token to be revoked, and the token has scope `tokens.write`
* List user tokens:
  * Token has scope `uaa.admin`, or
  * If token represents a user, the user is authenticated and is the owner
    of the token to be read, and the token has scope `tokens.read`
* Revoke client token:
  * Token has scope `uaa.admin`, or
  * Token represents the client in the token to be revoked, and token
    has scope `tokens.write`
* List client tokens:
  * Token has scope `uaa.admin`, or
  * Token represents the client in the token to be read, and token
    has scope `tokens.read`

### Client Registration

Resource ID = `clients`. Rules:

* Remove, update or add client registration
  * Token has scope `clients.write`
* Inspect client registration
  * Token has scope `clients.read`

### Client Secret Management

Resource ID null (so all clients can change their secret). Rule:

* Change secret
  * Token has scope `clients.secret`
  * Either token has scope `uaa.admin` or client can only change its own secret
  * Either token has scope `uaa.admin` or client provides the old secret
  * Even if token has scope `uaa.admin` client must provide the old value to change its own secret

### Password Change

Resource ID = `password`. Rules:

* Change password
  * Token has scope `password.write`
  * If token represents a client, scope includes `uaa.admin`
  * If token represents a user, either scope includes `uaa.admin` or user provides the old password

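The "Change secret" and "Change password" decisions above, as an added example that is not UAA's code: pure functions over a decoded token represented as a dict with `scope`, `client_id` and an optional `user_id` field (present when the token represents a user). Those field names, the constructed tokens, and passing the "old value supplied" condition as a boolean are assumptions of the example.

```python
# Added example, not UAA's own code: the "Change secret" and "Change password"
# access decisions as pure functions over a decoded token. A token is a dict
# with `scope`, `client_id` and, when it represents a user, `user_id`
# (field names assumed for this example).


def represents_user(token):
    return token.get("user_id") is not None


def can_change_client_secret(token, target_client_id, old_secret_supplied):
    """Resource ID is null, so every client reaches the endpoint; the rules decide."""
    scopes = set(token.get("scope", []))
    if "clients.secret" not in scopes:
        return False
    is_admin = "uaa.admin" in scopes
    own_secret = token.get("client_id") == target_client_id
    if not is_admin:
        # Non-admins: only their own secret, and only with the old value.
        return own_secret and old_secret_supplied
    # Admins may reset another client's secret outright, but their own
    # secret still needs the old value.
    return old_secret_supplied or not own_secret


def can_change_password(token, old_password_supplied):
    scopes = set(token.get("scope", []))
    if "password.write" not in scopes:
        return False
    is_admin = "uaa.admin" in scopes
    if not represents_user(token):
        return is_admin  # a client token needs uaa.admin
    return is_admin or old_password_supplied


# Constructed tokens for the cases above.
ADMIN_CLIENT_TOKEN = {"client_id": "admin", "scope": ["uaa.admin", "clients.secret", "password.write"]}
APP_CLIENT_TOKEN = {"client_id": "app", "scope": ["clients.secret", "password.write"]}
USER_TOKEN = {"client_id": "app", "user_id": "marissa", "scope": ["password.write", "openid"]}
```

Both functions check the required scope first and only then the admin and old-value conditions, which mirrors the order the rules are listed in: `uaa.admin` widens what a caller may change, but it never substitutes for `clients.secret` or `password.write`.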
### User Account Management

Resource ID = `scim`. Rules:

* List or search users
  * Token with scope `scim.read` provides read/query access to ALL users in the UAA

* Delete, add user account
  * Token has scope `scim.write`

* Update existing user account
  * Token with scope `scim.write` lets you update ANY user's information in the UAA

In addition, a User Token obtained by a client with authorities `scim.me` (e.g. token from `authorization_code`
or `password` grant flow) provides read/query/update access to that particular user's account.

### Username from ID Queries

Resource ID = `scim`. Rules:

* Obtain username information via `/ids/Users`
  * `filter` parameter must be supplied
  * Only attributes `userName`, `origin` and `id` are returned (and can be queried on)
  * Requires `scim.userids` scope

### User Profiles

Used for Single Sign On (OpenID Connect lite). Resource ID = `openid`. Rules:

* Obtain user profile data
  * Token has scope `openid`

### Groups & Membership Management

Resource ID = `scim`. Rules:

* List or search groups
  * Token has scope `scim.read`

* Delete or add groups
  * Token has scope `scim.write`

* Update group name or add/remove members
  * Token has either `scim.write` OR `groups.update`

In addition, a User Token obtained by a client with authorities `scim.me` (e.g. token from `authorization_code`
or `password` grant flow) provides the following access:

* List or search groups
  * Response contains the group(s) that list the user as a `reader`.

* Update group name or add/remove members
  * The user is listed as a `writer` in the group being updated.

### Token Resources for Providers

The UAA uses HTTP Basic authentication for these resources, so they
are not OAuth2 protected resources, but to simplify the security data
client registrations are used, so only registered clients can access
them. The caller must have a secret (so `cf` and other implicit
grant clients need not apply).

* Obtain access token at `/oauth/token`
  * Client is authenticated
  * If grant type is `authorization_code` client must have the code

* Inspect access token at `/check_token`
  * Client is authenticated
  * Client has authority `uaa.resource`

* Obtain token key (for decoding JWT tokens locally) at `/token_key`
  * Client is authenticated
  * Client has authority `uaa.resource`

### Management Information

The `/varz` endpoint is protected by HTTP Basic authentication with
credentials that are externalized via `uaa.yml`. They have defaults
(`varz:varzclientsecret`) and can also be overridden via System
properties.

### Login Prompts

The login endpoint is unsecured. Any client can ask it and it will
respond with some information about the system and the login prompts
required to authenticate.