By: Sakit Atakishiyev user 06 Nov 2017 at 6:43 a.m. CST

2 Responses

Hi. Today I am testing UMA2 on Gluu Server 3.1.1. First I registered 2 resources with scopes.

Resource 1

POST /oxauth/restv1/host/rsrc/resource_set HTTP/1.1
Host: login.cybernet.az
Authorization: Bearer d68d8c42-b5f1-47c5-9bf6-7853a2a4e456
Content-Type: application/json
Cache-Control: no-cache

{  
   "resource_scopes":[  
      "read-public",
      "post-updates",
      "read-private"
   ],
   "icon_uri":"http://www.example.com/icons/sharesocial.png",
   "name":"Resource 1"
}

The resource id is f9a5ddae-dd58-4845-8963-816cb5df9901. Then I registered my second resource.

Resource 2

POST /oxauth/restv1/host/rsrc/resource_set HTTP/1.1
Host: login.cybernet.az
Authorization: Bearer d68d8c42-b5f1-47c5-9bf6-7853a2a4e456
Content-Type: application/json
Cache-Control: no-cache

{  
   "resource_scopes":[  
      "test-public",
      "test-updates",
      "test-private"
   ],
   "icon_uri":"http://www.example.com/icons/sharesocial.png",
   "name":"Resource 2"
}

The resource id is 86071ee8-dd21-4620-b466-e578cdcc2995. I registered the above resources and got a resource id for each of them. Now, to get the permission ticket, I called the endpoint like below:

POST /oxauth/restv1/host/rsrc_pr HTTP/1.1
Host: login.cybernet.az
Content-Type: application/json
Authorization: Bearer d68d8c42-b5f1-47c5-9bf6-7853a2a4e456
Cache-Control: no-cache

{"resource_id":"86071ee8-dd21-4620-b466-e578cdcc2995","resource_scopes":["read-private"]}

As you can see in the request above, I tried to register read-private, which is not pre-registered with resource 86071ee8-dd21-4620-b466-e578cdcc2995, so I got the error below.

{
    "error": "invalid_scope",
    "error_description": "At least one of the scopes included in the request was not registered previously by this host."
}

So far everything is normal. Then I tried again to register a permission ticket for my resource with its own scopes.

POST /oxauth/restv1/host/rsrc_pr HTTP/1.1
Host: login.cybernet.az
Content-Type: application/json
Authorization: Bearer d68d8c42-b5f1-47c5-9bf6-7853a2a4e456
Cache-Control: no-cache

{"resource_id":"86071ee8-dd21-4620-b466-e578cdcc2995","resource_scopes":["test-private"]}

And I got my ticket successfully. After getting a ticket I called the token endpoint to get an RPT:

POST /oxauth/restv1/token HTTP/1.1
Host: login.cybernet.az
Content-Type: application/x-www-form-urlencoded
Authorization: Basic QCExRUQzLkExNjEuREQ0Qy5DQjYzITAwMDEhMzlDNS5EOEIzITAwMDghREM3Mi45RUFFLkJENjIuMzZENTpzZWNyZXQ=
Cache-Control: no-cache

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Auma-ticket&redirect_uri=https%3A%2F%2Fgoogle.com%2F&ticket=af788f59-f250-4172-96ee-9dca342e912d

And the result is like below:

{
    "pct": "b4d27cb8-d925-4d13-a058-85fd886960b0_9805.3992.151B.2A5A.54C7.B8E3.34C8.2CB5",
    "upgraded": false,
    "access_token": "1e94fb17-4a96-49c6-811a-5339697f9625_90DA.E100.831C.90DE.0B58.3176.913A.7B87",
    "token_type": "Bearer"
}

Then I checked my RPT status:

POST /oxauth/restv1/rpt/status HTTP/1.1
Host: login.cybernet.az
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer d68d8c42-b5f1-47c5-9bf6-7853a2a4e456
Cache-Control: no-cache

token=1e94fb17-4a96-49c6-811a-5339697f9625_90DA.E100.831C.90DE.0B58.3176.913A.7B87

and got the response below:

{
    "active": true,
    "exp": 1509973534714,
    "iat": 1509970534714,
    "nbf": null,
    "permissions": [
        {
            "resource_id": "86071ee8-dd21-4620-b466-e578cdcc2995",
            "resource_scopes": [
                "test-private"
            ],
            "exp": 1509972410290
        }
    ],
    "client_id": null,
    "sub": null,
    "aud": null,
    "iss": null,
    "jti": null
}

After this I called the token endpoint again with my RPT and PCT and the test-public scope:

POST /oxauth/restv1/token HTTP/1.1
Host: login.cybernet.az
Content-Type: application/x-www-form-urlencoded
Authorization: Basic QCExRUQzLkExNjEuREQ0Qy5DQjYzITAwMDEhMzlDNS5EOEIzITAwMDghREM3Mi45RUFFLkJENjIuMzZENTpzZWNyZXQ=
Cache-Control: no-cache

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Auma-ticket&redirect_uri=https%3A%2F%2Fgoogle.com%2F&ticket=af788f59-f250-4172-96ee-9dca342e912d&pct=b4d27cb8-d925-4d13-a058-85fd886960b0_9805.3992.151B.2A5A.54C7.B8E3.34C8.2CB5&scope=test-public&rpt=1e94fb17-4a96-49c6-811a-5339697f9625_90DA.E100.831C.90DE.0B58.3176.913A.7B87

When I called this endpoint, my AS executed my policy to check whether the user has access to scope test-public. My policy granted the requested resource with test-public. Then I checked my token status again and got the response below:

{
    "active": true,
    "exp": 1509973534714,
    "iat": 1509970534714,
    "nbf": null,
    "permissions": [
        {
            "resource_id": "86071ee8-dd21-4620-b466-e578cdcc2995",
            "resource_scopes": [
                "test-private"
            ],
            "exp": 1509972410290
        }
    ],
    "client_id": null,
    "sub": null,
    "aud": null,
    "iss": null,
    "jti": null
}

My question is: up to here I checked my 2 scopes, test-private and test-public, but as you can see from the above response my RPT shows me only test-private. Is this normal? Shouldn't I see both scopes in the permissions section?

And my second question:

For testing I called the token endpoint again, but this time I passed the scope read-public, which is not pre-registered with resource 86071ee8-dd21-4620-b466-e578cdcc2995 (read-public is pre-registered with resource f9a5ddae-dd58-4845-8963-816cb5df9901).

My request:

POST /oxauth/restv1/token HTTP/1.1
Host: login.cybernet.az
Content-Type: application/x-www-form-urlencoded
Authorization: Basic QCExRUQzLkExNjEuREQ0Qy5DQjYzITAwMDEhMzlDNS5EOEIzITAwMDghREM3Mi45RUFFLkJENjIuMzZENTpzZWNyZXQ=
Cache-Control: no-cache

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Auma-ticket&redirect_uri=https%3A%2F%2Fgoogle.com%2F&ticket=af788f59-f250-4172-96ee-9dca342e912d&pct=b4d27cb8-d925-4d13-a058-85fd886960b0_9805.3992.151B.2A5A.54C7.B8E3.34C8.2CB5&scope=read-public&rpt=1e94fb17-4a96-49c6-811a-5339697f9625_90DA.E100.831C.90DE.0B58.3176.913A.7B87

And my response:

{
    "pct": "b4d27cb8-d925-4d13-a058-85fd886960b0_9805.3992.151B.2A5A.54C7.B8E3.34C8.2CB5",
    "upgraded": true,
    "access_token": "1e94fb17-4a96-49c6-811a-5339697f9625_90DA.E100.831C.90DE.0B58.3176.913A.7B87",
    "token_type": "Bearer"
}

And I checked oxauth.log and oxauth_script.log and saw that my AS executed the policy which I set for scope read-public. Is this normal? Shouldn't the AS return an invalid_scope error? Or do I misunderstand the whole concept?

By Yuriy Zabrovarnyy staff 09 Nov 2017 at 12:33 p.m. CST

I created tickets for both cases:

https://github.com/GluuFederation/oxAuth/issues/689
https://github.com/GluuFederation/oxAuth/issues/690

It will be fixed in next release.
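The two behaviours reported in the thread (a scope registered only on another resource accepted at the token endpoint and evaluated by the policy, and an upgraded RPT whose introspection still lists only the original scope) are confirmed above as bugs. The following Python model is an added example, not oxAuth code, and shows the checks a practitioner expects from an UMA 2.0 authorization server: a scope must be registered on the ticket's resource whether it arrives in the permission request or in the token endpoint's scope parameter, and an upgrade merges the newly granted scopes into the RPT's permissions. The in-memory store, the policy callback, the generated ids and the replayed scenario are assumptions for illustration; the endpoint names in the docstrings refer to the Gluu paths shown in the requests above.

```python
"""Offline model of the UMA 2.0 checks discussed in this thread (added example, not oxAuth
code): the permission endpoint and the token endpoint's uma-ticket grant reject scopes that
are not registered on the ticket's resource, and an upgraded RPT accumulates granted scopes."""
import time
import uuid

SCOPE_ERROR = ("At least one of the scopes included in the request "
               "was not registered previously by this host.")
RPT_LIFETIME = 3000  # seconds, the exp - iat gap seen in the thread


class UmaError(Exception):
    def __init__(self, error, description):
        super().__init__(f"{error}: {description}")
        self.error = error


class AuthorizationServer:
    def __init__(self, policy):
        self.policy = policy  # policy(resource_id, scope) -> bool, stands in for the policy script
        self.resources = {}   # resource_id -> set of registered scopes
        self.tickets = {}     # ticket -> {"resource_id": ..., "resource_scopes": [...]}
        self.rpts = {}        # rpt -> introspection-style record

    def register_resource(self, name, resource_scopes):
        """Resource registration endpoint (host/rsrc/resource_set in the thread)."""
        rid = str(uuid.uuid4())
        self.resources[rid] = set(resource_scopes)
        return rid

    def _check_scopes(self, resource_id, scopes):
        if resource_id not in self.resources:
            raise UmaError("invalid_resource_id", "unknown resource id")
        if set(scopes) - self.resources[resource_id]:
            raise UmaError("invalid_scope", SCOPE_ERROR)

    def request_permission(self, resource_id, resource_scopes):
        """Permission endpoint (host/rsrc_pr): scopes must be registered on the resource."""
        self._check_scopes(resource_id, resource_scopes)
        ticket = str(uuid.uuid4())
        self.tickets[ticket] = {"resource_id": resource_id, "resource_scopes": list(resource_scopes)}
        return ticket

    def token(self, ticket, scope=(), rpt=None):
        """Token endpoint, grant_type=urn:ietf:params:oauth:grant-type:uma-ticket.
        Tickets stay valid here so the thread's reuse of one ticket can be replayed;
        a production AS should invalidate a ticket once an RPT has been issued for it."""
        perm = self.tickets.get(ticket)
        if perm is None:
            raise UmaError("invalid_grant", "unknown or expired ticket")
        resource_id = perm["resource_id"]
        # Scopes added via the scope parameter are checked against the ticket's resource,
        # so a scope registered only on another resource is rejected rather than evaluated.
        requested = set(perm["resource_scopes"]) | set(scope)
        self._check_scopes(resource_id, requested)
        granted = {s for s in requested if self.policy(resource_id, s)}
        if not granted:
            raise UmaError("request_denied", "policy denied every requested scope")
        upgraded = rpt is not None and rpt in self.rpts
        if not upgraded:
            rpt, now = str(uuid.uuid4()), int(time.time())
            self.rpts[rpt] = {"active": True, "iat": now, "exp": now + RPT_LIFETIME, "permissions": []}
        perms = self.rpts[rpt]["permissions"]
        # Merge into this resource's permission entry so introspection lists every granted scope.
        entry = next((p for p in perms if p["resource_id"] == resource_id), None)
        if entry is None:
            entry = {"resource_id": resource_id, "resource_scopes": []}
            perms.append(entry)
        entry["resource_scopes"] = sorted(set(entry["resource_scopes"]) | granted)
        return {"access_token": rpt, "token_type": "Bearer", "upgraded": upgraded}

    def status(self, rpt):
        """Introspection endpoint (rpt/status)."""
        record = self.rpts.get(rpt)
        if record is None or record["exp"] <= int(time.time()):
            return {"active": False}
        return record


def scenario():
    """Replays the thread's requests against the model and returns what each step produced."""
    server = AuthorizationServer(lambda resource_id, scope: True)  # assumed policy: grant all
    server.register_resource("Resource 1", ["read-public", "post-updates", "read-private"])
    r2 = server.register_resource("Resource 2", ["test-public", "test-updates", "test-private"])
    out = {}
    try:  # read-private is registered on Resource 1, not Resource 2
        server.request_permission(r2, ["read-private"])
    except UmaError as err:
        out["ticket_wrong_scope"] = err.error
    ticket = server.request_permission(r2, ["test-private"])
    first = server.token(ticket)
    second = server.token(ticket, scope=["test-public"], rpt=first["access_token"])
    out["upgraded"] = (first["upgraded"], second["upgraded"])
    out["scopes_after_upgrade"] = server.status(second["access_token"])["permissions"][0]["resource_scopes"]
    try:  # read-public is registered on Resource 1 only, so the upgrade must fail
        server.token(ticket, scope=["read-public"], rpt=first["access_token"])
    except UmaError as err:
        out["upgrade_wrong_scope"] = err.error
    return out
```

Running `scenario()` reproduces the thread's first error (invalid_scope at the permission endpoint), then shows the behaviour the poster expected for the two questions: after the upgrade the introspection record lists both test-private and test-public, and a request for read-public against the Resource 2 ticket is refused with invalid_scope before any policy runs. Validating the scope parameter against the ticket's resource matters because the policy script is where access decisions are made; letting an unrelated scope reach it means a client can trigger evaluation, and potentially a grant, for a scope the resource owner never registered on that resource.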

By Sakit Atakishiyev user 09 Nov 2017 at 11:28 p.m. CST

Thanks Yuriy for your information. So we just need to wait for version 3.2.0, or try to help you fix the issues?