OAuth to PCF UAA broke in 3.9.2 #2097
Comments
Doesn't look like our pipelines cover UAA. When we investigate this, we should also consider writing tests to validate UAA compatibility |
@jama-pivotal We just verified that this still works for us on 3.11.0. Not sure testing this in our pipeline is all that practical since we'd need a pcf instance to test against... @gaigaslab Can you check the logs from the atc. You should see a message like "atc.skymarshal.oauth-callback.callback.failed-to-exchange-token". Can you check the error message it prints? |
@pivotal-jwinters thanks for checking! I think you're right, it might not actually be practical to do it. Would still like to hear back from @gaigaslab about the details on their error. If there is a problem with 3.9.2 and Pivotal's UAA |
@jama-pivotal there don't seem to be any significant changes from 3.9.2 to 3.11.0, for what it's worth. It could be a certificate issue. If the certificate validation fails it gives the "failed to exchange token" error, but will output a proper message in the atc logs, so now we wait... |
@jama-pivotal @pivotal-jwinters I mucked my way through accessing and finding the logs: From: {"timestamp":"1523996304.364424229","source":"atc","message":"atc.skymarshal.oauth-callback.callback.failed-to-exchange-token","log_level":2,"data":{"error":"oauth2: cannot fetch token: 401 Unauthorized\nResponse: {"error":"unauthorized","error_description":"Bad credentials"}","session":"10.4.44"}} |
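Added example, not part of the thread and not Concourse code: a small triage script that pulls `failed-to-exchange-token` entries out of atc JSON logs and separates the two causes discussed above (rejected credentials versus certificate validation). The first sample line mirrors the log quoted in the thread; the other lines, the `uaa.example.invalid` host and the category names are constructed for illustration.

```python
import json
import re
from datetime import datetime, timezone

TARGET = "atc.skymarshal.oauth-callback.callback.failed-to-exchange-token"

# Constructed sample input in the atc JSON-lines shape quoted in the thread.
SAMPLE_LOG = "\n".join([
    json.dumps({"timestamp": "1523996304.364424229", "source": "atc", "message": TARGET, "log_level": 2, "data": {"error":
        'oauth2: cannot fetch token: 401 Unauthorized\nResponse: {"error":"unauthorized","error_description":"Bad credentials"}', "session": "10.4.44"}}),
    json.dumps({"timestamp": "1523996400.000000000", "source": "atc", "message": TARGET, "log_level": 2, "data": {"error":
        "Post https://uaa.example.invalid/oauth/token: x509: certificate signed by unknown authority", "session": "10.4.45"}}),
    json.dumps({"timestamp": "1523996500.000000000", "source": "atc", "message": "atc.some-other-event", "log_level": 1, "data": {}}),
    "not json at all",
])

def classify(error):
    """Return (category, detail) for the error string of a failed token exchange."""
    if "x509:" in error:
        return "tls", error.split("x509:", 1)[1].strip()
    m = re.search(r"cannot fetch token: (\d{3})[^\n]*\nResponse: (.*)", error, re.S)
    if not m:
        return "other", error
    try:  # the token endpoint's response body is usually JSON
        body = json.loads(m.group(2))
        detail = body.get("error_description") or body.get("error", "")
    except (ValueError, AttributeError):
        detail = m.group(2).strip()
    return ("credentials" if m.group(1) == "401" else "http-" + m.group(1)), detail

def triage(log_text):
    """Return (UTC time, category, detail) for every failed token exchange in the log."""
    findings = []
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except ValueError:
            continue  # skip non-JSON lines
        if not isinstance(entry, dict) or entry.get("message") != TARGET:
            continue
        when = datetime.fromtimestamp(float(entry["timestamp"]), tz=timezone.utc)
        kind, detail = classify(entry.get("data", {}).get("error", ""))
        findings.append((when.strftime("%Y-%m-%dT%H:%M:%SZ"), kind, detail))
    return findings

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(*row, sep="  ")
```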
@gaigaslab can you try re-running the Actually re-reading your initial message it looks like you tried this already? |
@pivotal-jwinters Is there anyone who can reproduce this issue in their environment? I have reproduced it in two of my environments. |
@gaigaslab what version of UAA are you testing against? Are you able to get a token directly from UAA using the password grant? |
@pivotal-jwinters As for getting 'a token directly from UAA using the password grant', I am not sure of the mechanics of this, but we can login via the uaac CLI and with 'cf login --sso' options. If you would provide a pointer to the mechanics for a curl-based method, I would be happy to test it out. |
@gaigaslab are you able to get a token using |
@pivotal-jwinters |
@pivotal-jwinters Accidentally hit the wrong button and closed this. It is not closed. It is still a bug! |
@gaigaslab it's no big deal, I was just trying to rule out a bad client id or client secret. Usually that's what {"error":"unauthorized","error_description":"Bad credentials"} means. Do you have access to your UAA logs? |
Yes, I can get access to them.
…On Fri, Apr 20, 2018 at 10:52 AM, Joshua Winters ***@***.***> wrote:
@gaigaslab <https://github.com/gaigaslab> it's no big deal, I was just
trying to rule out a bad client id or client secret. Usually that's what
{"error":"unauthorized","error_description":"Bad credentials"} means.
Do you have access to your UAA logs?
|
@gaigaslab can you try logging in with concourse and see if there's anything interesting that shows up in the UAA logs? |
@pivotal-jwinters For some reason, I didn't get notified of this. I will try this in the next few hours. |
@pivotal-jwinters You should theoretically be able to test concourse against a standalone UAA bosh deployment. UAA has no dependency on the rest of PCF/CF. |
@jhamon @pivotal-jwinters |
@jhamon the |
I ran into the same issue as @gaigaslab, removing special characters from my password is a workaround. |
@pivotal-jwinters, I am facing exactly the same issue, but having password without special characters is not solving the issue. I am running Concourse 3.14.0 against PCF 2.0. I get the following error:
My |
closing stale issue. |
We just upgraded from 3.8.0 to 3.9.2 using the bosh release.
We had previously set up OAuth authentication with PCF UAA, but we are now getting:
"failed to exchange token"
I don't know where to look. I appear to be getting a token from UAA.
This is our configuration for each team:
fly -t app-main set-team -n ${myprojectname} \
  --uaa-auth-client-id concourse-app-1 \
  --uaa-auth-client-secret \
  --uaa-auth-auth-url https://login.sys../oauth/authorize \
  --uaa-auth-token-url https://login.sys../oauth/token \
  --uaa-auth-cf-url https://api.sys. \
  --uaa-auth-cf-ca-cert ./Hosting_Services_CA.crt \
  --uaa-auth-cf-space ${myspaceguid} \
  --basic-auth-username \
  --basic-auth-password
Basic Auth continues to work.