OAuth to PCF UAA broke in 3.9.2 #2097
Comments
|
Doesn't look like our pipelines cover UAA. When we investigate this, we should also consider writing tests to validate UAA compatibility |
|
@jama-pivotal We just verified that this still works for us on 3.11.0. Not sure testing this in our pipeline is all that practical since we'd need a pcf instance to test against... @gaigaslab Can you check the logs from the atc. You should see a message like "atc.skymarshal.oauth-callback.callback.failed-to-exchange-token". Can you check the error message it prints? |
|
@pivotal-jwinters thanks for checking! I think you're right, it might not actually be practical to do it. Would still like to hear back from @gaigaslab about the details on their error. If there is a problem with 3.9.2 and Pivotal's UAA |
|
@jama-pivotal there doesn't seem to be any significant changes from 3.9.2 to 3.11.0 for what its worth. It could be a certificate issue. If the certificate validation fails it gives the "failed to exchange token" error, but will output a proper message in the atc logs, so now we wait... |
|
@jama-pivotal @pivotal-jwinters I mucked my way through accessing and finding the logs: From: {"timestamp":"1523996304.364424229","source":"atc","message":"atc.skymarshal.oauth-callback.callback.failed-to-exchange-token","log_level":2,"data":{"error":"oauth2: cannot fetch token: 401 Unauthorized\nResponse: {"error":"unauthorized","error_description":"Bad credentials"}","session":"10.4.44"}} |
|
@gaigaslab can you try re-running the Actually re-reading your initial message it looks like you tried this already? |
|
@pivotal-jwinters Is there anyone who can reproduce this issue in their environment? I have reproduced it in two of my environments. |
|
@gaigaslab what version of UAA are you testing against? Are you able to get a token directly from UAA using the password grant? |
|
@pivotal-jwinters As for getting 'a token directly from UAA using the password grant', I am not sure of the mechanics of this, but we can login via the uaac CLI and with 'cf login --sso' options. If you would provide a pointer to the mechanics for a curl-based method, I would be happy to test it out. |
|
@gaigaslab are you able to get a token using |
|
@pivotal-jwinters |
|
@pivotal-jwinters Accidentally hit the wrong button and closed this. It is not closed. It is still a bug! |
|
@gaigaslab its no big deal, I was just trying to rule out a bad client id or client secret. Usually thats what Do you have access to your UAA logs? |
|
Yes, I can get access to them.
…On Fri, Apr 20, 2018 at 10:52 AM, Joshua Winters ***@***.***> wrote:
@gaigaslab <https://github.com/gaigaslab> its no big deal, I was just
trying to rule out a bad client id or client secret. Usually thats what
{"error":"unauthorized","error_description":"Bad credentials"} means.
Do you have access to your UAA logs?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#2097 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AfZUwNWnka9LBX9BL6FE0qPCvoE4EDLOks5tqfZBgaJpZM4SwHBn>
.
|
|
@gaigaslab can you try logging in with concourse and see if there's anything interesting that shows up in the UAA logs? |
|
@pivotal-jwinters For some reason, I didn't get notified of this. I will try this in the next few hours. |
|
@pivotal-jwinters You should theoretically be able to test concourse against a standalone UAA bosh deployment. UAA has no dependency on the rest of PCF/CF. |
|
@jhamon @pivotal-jwinters |
|
@jhamon the |
|
I ran into the same issue as @gaigaslab, removing special characters from my password is a workaround. |
|
@pivotal-jwinters, I am facing exactly the same issue, but having password without special characters is not solving the issue. I am running Concourse 3.14.0 against PCF 2.0. I get the following error: My |
|
closing stale issue. |
We just upgraded from 3.8.0 to 3.9.2 using the bosh release.
We had previously setup oauth authentication with PCF UAA, but we are now getting:
"failed to exchange token"
I don't know where to look. I appear to be getting a token from UAA.
This is our configuration for each team:
fly -t app-main set-team -n ${myprojectname}
--uaa-auth-client-id concourse-app-1
--uaa-auth-client-secret
--uaa-auth-auth-url https://login.sys../oauth/authorize
--uaa-auth-token-url https://login.sys../oauth/token
--uaa-auth-cf-url https://api.sys.
--uaa-auth-cf-ca-cert ./Hosting_Services_CA.crt
--uaa-auth-cf-space ${myspaceguid}
--basic-auth-username
--basic-auth-password
Basic Auth continues to work.
The text was updated successfully, but these errors were encountered: