
Generating client credentials token for client in another Identity Zone #2808

Open
aujjwal-smarsh opened this issue Mar 29, 2024 · 4 comments

Comments

@aujjwal-smarsh

aujjwal-smarsh commented Mar 29, 2024

SECURITY NOTICE: If you have found a security problem in the UAA, please do not file a public github issue. Instead, please send an email to security@cloudfoundry.org

Thanks for taking the time to file an issue. You'll minimize back and forth and help us help you more effectively by answering all of the following questions as specifically and completely as you can.

What version of UAA are you running?

74.17.0

What output do you see from curl <YOUR_UAA>/info -H'Accept: application/json'?

{"app":{"version":"74.17.0"},"links":{"uaa":"http://localhost:8080/uaa","passwd":"/forgot_password","login":"http://localhost:8080/uaa","register":"/create_account"},"zone_name":"uaa","entityID":"cloudfoundry-saml-login","commit_id":"211c159","idpDefinitions":{},"prompts":{"username":["text","Email"],"password":["password","Password"]},"timestamp":"2020-04-09T11:39:46+0000"}

How are you deploying the UAA?

I am deploying the UAA

  • using cf-release

What did you do?

  • I have created a client internal-iz-client in an identity zone internal. Generating the token with the client_credentials grant_type works when I add the subdomain to the UAA URL, which looks like http://internal.localhost:8080/oauth/token.

What do I want?

  • I want to pass the identity zone in some other way instead of adding the subdomain to the URL. To be precise, I want to call http://localhost:8080/oauth/token with some additional param or header (or anything else possible) through which it generates the token for the internal-iz-client. How can we do that?

What did you expect to see? What goal are you trying to achieve with the UAA?

I passed X-Identity-Zone-Id in the headers while calling the endpoint to generate the token for this client, but it still uses the default Identity-Zone uaa when calling http://localhost:8080/oauth/token.

What did you see instead?

{
    "error": "unauthorized",
    "error_description": "Bad credentials"
}

Please include UAA logs if available.

2024-03-29 09:47:06 [2024-03-29 04:17:06.884] - [http-nio-8080-exec-10] [INFO] --- Audit: ClientAuthenticationFailure ('Bad credentials'): principal=internal-iz-client, origin=[remoteAddress=xxx.xx.x.x, clientId=internal-iz-client], identityZoneId=[uaa]
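The audit line above is the only evidence the reporter had of what went wrong: the client exists in zone internal, but the request was evaluated in identityZoneId=[uaa], so the lookup failed and UAA logged a ClientAuthenticationFailure. That mismatch is worth alerting on in general, because the same signature appears when a client is accidentally misconfigured and when someone is replaying a zone's client credentials against the default zone. The following script is an added example (not part of the UAA project or the issue) that parses lines in the format quoted above and flags failures whose zone differs from the zone the client is registered in. The client inventory (CLIENT_ZONES), the remote addresses and the sample lines are constructed; the success-event wording is an assumption, as only the failure line comes from the issue.

```python
"""Parse UAA audit log lines and flag client-authentication failures that
were evaluated in a different identity zone than the one the client is
registered in.

Added example, not code from the UAA project. CLIENT_ZONES and SAMPLE_LINES
are constructed; only the first sample mirrors the line quoted in the issue.
"""
import re
from collections import Counter

# Matches the audit portion of a UAA log line. search() is used so that the
# wall-clock timestamp a log collector prepends (as in the issue) is skipped.
AUDIT_RE = re.compile(
    r"\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\] - "
    r"\[(?P<thread>[^\]]+)\] \[(?P<level>\w+)\] --- Audit: "
    r"(?P<event>\w+) \('(?P<msg>[^']*)'\): principal=(?P<principal>[^,]+), "
    r"origin=\[(?P<origin>[^\]]*)\], identityZoneId=\[(?P<zone>[^\]]*)\]"
)


def parse_audit_line(line):
    """Return a dict for an audit line, or None if the line is not one."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # origin is "key=value, key=value"; turn it into a dict
    origin = {}
    for part in rec.pop("origin").split(", "):
        if "=" in part:
            key, value = part.split("=", 1)
            origin[key] = value
    rec["origin"] = origin
    return rec


def find_zone_mismatches(lines, client_zones):
    """Return findings for ClientAuthenticationFailure events where the client
    is in the inventory but the request ran in a different identity zone."""
    findings = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None or rec["event"] != "ClientAuthenticationFailure":
            continue
        client_id = rec["origin"].get("clientId", rec["principal"])
        expected = client_zones.get(client_id)
        if expected is not None and expected != rec["zone"]:
            findings.append({
                "ts": rec["ts"],
                "clientId": client_id,
                "requestZone": rec["zone"],
                "registeredZone": expected,
                "remoteAddress": rec["origin"].get("remoteAddress"),
            })
    return findings


def failures_per_source(lines):
    """Count client-authentication failures per (clientId, remoteAddress)."""
    counts = Counter()
    for line in lines:
        rec = parse_audit_line(line)
        if rec and rec["event"] == "ClientAuthenticationFailure":
            key = (rec["origin"].get("clientId", rec["principal"]),
                   rec["origin"].get("remoteAddress", "?"))
            counts[key] += 1
    return counts


# Constructed inventory: the zone each client was created in.
CLIENT_ZONES = {"internal-iz-client": "internal", "admin": "uaa"}

# Constructed sample lines in the format quoted in the issue (IPs are made up).
SAMPLE_LINES = [
    "2024-03-29 09:47:06 [2024-03-29 04:17:06.884] - [http-nio-8080-exec-10] [INFO] --- Audit: "
    "ClientAuthenticationFailure ('Bad credentials'): principal=internal-iz-client, "
    "origin=[remoteAddress=10.0.0.5, clientId=internal-iz-client], identityZoneId=[uaa]",
    "2024-03-29 09:47:09 [2024-03-29 04:17:09.120] - [http-nio-8080-exec-11] [INFO] --- Audit: "
    "ClientAuthenticationFailure ('Bad credentials'): principal=internal-iz-client, "
    "origin=[remoteAddress=10.0.0.5, clientId=internal-iz-client], identityZoneId=[uaa]",
    # Assumed wording for the success event; only the failure line is from the issue.
    "2024-03-29 09:48:01 [2024-03-29 04:18:01.300] - [http-nio-8080-exec-12] [INFO] --- Audit: "
    "ClientAuthenticationSuccess ('Client authentication success'): principal=internal-iz-client, "
    "origin=[remoteAddress=10.0.0.5, clientId=internal-iz-client], identityZoneId=[internal]",
    "2024-03-29 09:48:05 [2024-03-29 04:18:05.000] - [http-nio-8080-exec-13] [INFO] --- Audit: "
    "ClientAuthenticationFailure ('Bad credentials'): principal=admin, "
    "origin=[remoteAddress=10.0.0.9, clientId=admin], identityZoneId=[uaa]",
    "2024-03-29 09:48:06 some unrelated non-audit log line",
]

if __name__ == "__main__":
    for finding in find_zone_mismatches(SAMPLE_LINES, CLIENT_ZONES):
        print("zone mismatch:", finding)
    for (client, addr), n in failures_per_source(SAMPLE_LINES).items():
        print(f"{n} failure(s) for {client} from {addr}")
```

Run against the sample, the two failures for internal-iz-client in zone uaa are reported as mismatches (the client is registered in internal), while the admin failure in uaa is not, since that is the zone admin belongs to. Feeding real UAA logs through find_zone_mismatches with an inventory exported from the zone admin API turns the symptom in this issue into a routine detection.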
@cf-gitbot

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/187335793

The labels on this github issue will be updated when the story is started.

@swalchemist
Contributor

Is the behavior the same on the latest 77.x release or the head of the develop branch?

@aujjwal-smarsh
Author

@swalchemist I have not checked on the latest release, but from the documentation it seems to be the same case there as well. The token generation works only when I pass the subdomain; there is no provision to pass the header X-Identity-Zone-Id for generating the token.

@strehle
Member

strehle commented Apr 10, 2024

Both headers should work because this is the central class for identity zone switches.

https://github.com/cloudfoundry/uaa/blob/develop/server/src/main/java/org/cloudfoundry/identity/uaa/zone/IdentityZoneSwitchingFilter.java#L44-L45
