By: Sakit Atakishiyev user 06 Nov 2017 at 6:43 a.m. CST

Hi. Today I am testing `UMA2` on `gluu server 3.1.1`. First I registered 2 resources with scopes.

**Resource 1**

```
POST /oxauth/restv1/host/rsrc/resource_set HTTP/1.1
Host: login.cybernet.az
Authorization: Bearer d68d8c42-b5f1-47c5-9bf6-7853a2a4e456
Content-Type: application/json
Cache-Control: no-cache

{
  "resource_scopes": [
    "read-public",
    "post-updates",
    "read-private"
  ],
  "icon_uri": "http://www.example.com/icons/sharesocial.png",
  "name": "Resource 1"
}
```

The resource id is `f9a5ddae-dd58-4845-8963-816cb5df9901`. Then I registered my second resource.

**Resource 2**

```
POST /oxauth/restv1/host/rsrc/resource_set HTTP/1.1
Host: login.cybernet.az
Authorization: Bearer d68d8c42-b5f1-47c5-9bf6-7853a2a4e456
Content-Type: application/json
Cache-Control: no-cache

{
  "resource_scopes": [
    "test-public",
    "test-updates",
    "test-private"
  ],
  "icon_uri": "http://www.example.com/icons/sharesocial.png",
  "name": "Resource 2"
}
```

The resource id is `86071ee8-dd21-4620-b466-e578cdcc2995`. I registered the above resources and got a `resource id` for each of them. Now, to get the permission ticket, I called the endpoint like below:

```
POST /oxauth/restv1/host/rsrc_pr HTTP/1.1
Host: login.cybernet.az
Content-Type: application/json
Authorization: Bearer d68d8c42-b5f1-47c5-9bf6-7853a2a4e456
Cache-Control: no-cache

{"resource_id":"86071ee8-dd21-4620-b466-e578cdcc2995","resource_scopes":["read-private"]}
```

As you see in the above code, I tried to register `read-private`, which is not `pre-registered` with resource `86071ee8-dd21-4620-b466-e578cdcc2995`, so I got the error below.

```
{
  "error": "invalid_scope",
  "error_description": "At least one of the scopes included in the request was not registered previously by this host."
}
```

Until now everything is normal. Then I tried again to register a permission ticket for my resource with its scopes.

```
POST /oxauth/restv1/host/rsrc_pr HTTP/1.1
Host: login.cybernet.az
Content-Type: application/json
Authorization: Bearer d68d8c42-b5f1-47c5-9bf6-7853a2a4e456
Cache-Control: no-cache

{"resource_id":"86071ee8-dd21-4620-b466-e578cdcc2995","resource_scopes":["test-private"]}
```

And I got my ticket successfully. After getting a ticket I called the `token` endpoint to get an `RPT`:

```
POST /oxauth/restv1/token HTTP/1.1
Host: login.cybernet.az
Content-Type: application/x-www-form-urlencoded
Authorization: Basic QCExRUQzLkExNjEuREQ0Qy5DQjYzITAwMDEhMzlDNS5EOEIzITAwMDghREM3Mi45RUFFLkJENjIuMzZENTpzZWNyZXQ=
Cache-Control: no-cache

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Auma-ticket&redirect_uri=https%3A%2F%2Fgoogle.com%2F&ticket=af788f59-f250-4172-96ee-9dca342e912d
```

And the result looks like below:

```
{
  "pct": "b4d27cb8-d925-4d13-a058-85fd886960b0_9805.3992.151B.2A5A.54C7.B8E3.34C8.2CB5",
  "upgraded": false,
  "access_token": "1e94fb17-4a96-49c6-811a-5339697f9625_90DA.E100.831C.90DE.0B58.3176.913A.7B87",
  "token_type": "Bearer"
}
```

When I checked my `RPT` status:

```
POST /oxauth/restv1/rpt/status HTTP/1.1
Host: login.cybernet.az
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer d68d8c42-b5f1-47c5-9bf6-7853a2a4e456
Cache-Control: no-cache

token=1e94fb17-4a96-49c6-811a-5339697f9625_90DA.E100.831C.90DE.0B58.3176.913A.7B87
```

I got the response below:

```
{
  "active": true,
  "exp": 1509973534714,
  "iat": 1509970534714,
  "nbf": null,
  "permissions": [
    {
      "resource_id": "86071ee8-dd21-4620-b466-e578cdcc2995",
      "resource_scopes": [
        "test-private"
      ],
      "exp": 1509972410290
    }
  ],
  "client_id": null,
  "sub": null,
  "aud": null,
  "iss": null,
  "jti": null
}
```

After this I called the `token` endpoint again with my `rpt` and `pct` and the `test-public` scope:

```
POST /oxauth/restv1/token HTTP/1.1
Host: login.cybernet.az
Content-Type: application/x-www-form-urlencoded
Authorization: Basic QCExRUQzLkExNjEuREQ0Qy5DQjYzITAwMDEhMzlDNS5EOEIzITAwMDghREM3Mi45RUFFLkJENjIuMzZENTpzZWNyZXQ=
Cache-Control: no-cache

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Auma-ticket&redirect_uri=https%3A%2F%2Fgoogle.com%2F&ticket=af788f59-f250-4172-96ee-9dca342e912d&pct=b4d27cb8-d925-4d13-a058-85fd886960b0_9805.3992.151B.2A5A.54C7.B8E3.34C8.2CB5&scope=test-public&rpt=1e94fb17-4a96-49c6-811a-5339697f9625_90DA.E100.831C.90DE.0B58.3176.913A.7B87
```

When I called this endpoint my `AS` executed my policy to check whether the user has access for scope `test-public` or not. My policy granted the requested resource with `test-public`. Now I checked my token status again and got the response below:

```
{
  "active": true,
  "exp": 1509973534714,
  "iat": 1509970534714,
  "nbf": null,
  "permissions": [
    {
      "resource_id": "86071ee8-dd21-4620-b466-e578cdcc2995",
      "resource_scopes": [
        "test-private"
      ],
      "exp": 1509972410290
    }
  ],
  "client_id": null,
  "sub": null,
  "aud": null,
  "iss": null,
  "jti": null
}
```

My question is: up to here I checked my 2 scopes, `test-private` and `test-public`, but as you can see from the above response my `rpt` token shows me only `test-private`. Is it normal? Should I not see both scopes in the `permissions` section?

**And second question.** For testing I called the `token` endpoint again, but this time I passed scope `read-public`, which is not `pre-registered` with resource `86071ee8-dd21-4620-b466-e578cdcc2995`. `read-public` is `pre-registered` with resource `f9a5ddae-dd58-4845-8963-816cb5df9901`.

My request:

```
POST /oxauth/restv1/token HTTP/1.1
Host: login.cybernet.az
Content-Type: application/x-www-form-urlencoded
Authorization: Basic QCExRUQzLkExNjEuREQ0Qy5DQjYzITAwMDEhMzlDNS5EOEIzITAwMDghREM3Mi45RUFFLkJENjIuMzZENTpzZWNyZXQ=
Cache-Control: no-cache

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Auma-ticket&redirect_uri=https%3A%2F%2Fgoogle.com%2F&ticket=af788f59-f250-4172-96ee-9dca342e912d&pct=b4d27cb8-d925-4d13-a058-85fd886960b0_9805.3992.151B.2A5A.54C7.B8E3.34C8.2CB5&scope=read-public&rpt=1e94fb17-4a96-49c6-811a-5339697f9625_90DA.E100.831C.90DE.0B58.3176.913A.7B87
```

And my response:

```
{
  "pct": "b4d27cb8-d925-4d13-a058-85fd886960b0_9805.3992.151B.2A5A.54C7.B8E3.34C8.2CB5",
  "upgraded": true,
  "access_token": "1e94fb17-4a96-49c6-811a-5339697f9625_90DA.E100.831C.90DE.0B58.3176.913A.7B87",
  "token_type": "Bearer"
}
```

And I checked `oxauth.log` and `oxauth_script.log` and see that my AS executed the policy which I set for scope `read-public`. Is it normal? Should the `AS` not return me an `invalid_scope` error? Or do I misunderstand the whole concept?
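To make the two expected behaviours concrete, here is an added example in Python (not Gluu or oxAuth code, and not the poster's) modelling a minimal UMA2 authorization server: a requested scope is validated against the resource's registration before any policy script runs, and scopes granted on an RPT upgrade are merged into the permission the RPT already carries for that resource. The `RESOURCES` registry, `UmaError`, `register_permission`, `upgrade_rpt` and the `allow_all` policy stand-in are assumptions made for this example; the resource ids, scope names and the `invalid_scope` description are copied from the post.

```python
"""Minimal model of two UMA2 authorization-server checks (added example, not oxAuth code)."""
import uuid

# Constructed registry mirroring the two resources registered in the post:
# resource id -> scopes the resource server pre-registered for it.
RESOURCES = {
    "f9a5ddae-dd58-4845-8963-816cb5df9901": {"read-public", "post-updates", "read-private"},
    "86071ee8-dd21-4620-b466-e578cdcc2995": {"test-public", "test-updates", "test-private"},
}


class UmaError(Exception):
    """UMA-style error response: an `error` code plus a human-readable description."""

    def __init__(self, error, description):
        super().__init__(f"{error}: {description}")
        self.error = error
        self.description = description


def check_scopes_registered(resource_id, requested_scopes, registry):
    """Reject any scope that was not pre-registered for this resource.

    The permission endpoint in the thread already applies this check; the
    second question is whether the token endpoint should apply it too, and
    this model does so before any policy runs."""
    registered = registry.get(resource_id)
    if registered is None:
        raise UmaError("invalid_resource_id", "Resource id is not registered.")
    unknown = set(requested_scopes) - registered
    if unknown:
        raise UmaError("invalid_scope",
                       "At least one of the scopes included in the request "
                       "was not registered previously by this host.")


def register_permission(resource_id, requested_scopes, registry=RESOURCES):
    """Permission endpoint: validate scopes, then issue a ticket bound to them."""
    check_scopes_registered(resource_id, requested_scopes, registry)
    return {"ticket": str(uuid.uuid4()),      # constructed ticket value
            "resource_id": resource_id,
            "resource_scopes": sorted(requested_scopes)}


def upgrade_rpt(permissions, resource_id, requested_scopes, policy, registry=RESOURCES):
    """Token endpoint called with an existing RPT and an extra `scope`.

    Returns the new permissions list. Scopes the policy grants are merged into
    the RPT's existing permission for the resource, so an RPT that carried
    `test-private` and is then granted `test-public` ends up with both."""
    check_scopes_registered(resource_id, requested_scopes, registry)
    granted = {s for s in requested_scopes if policy(resource_id, s)}
    if not granted:
        raise UmaError("access_denied", "Policy denied all requested scopes.")
    # Copy so the caller's RPT state is not mutated in place.
    merged = [dict(p, resource_scopes=list(p["resource_scopes"])) for p in permissions]
    for perm in merged:
        if perm["resource_id"] == resource_id:
            perm["resource_scopes"] = sorted(set(perm["resource_scopes"]) | granted)
            break
    else:
        merged.append({"resource_id": resource_id, "resource_scopes": sorted(granted)})
    return merged


def run_thread_scenario():
    """Replay the thread's sequence of requests against this model."""
    rs2 = "86071ee8-dd21-4620-b466-e578cdcc2995"
    policy_calls = []

    def allow_all(resource_id, scope):   # stand-in for the UMA policy script
        policy_calls.append((resource_id, scope))
        return True

    results = {}
    try:                                  # read-private belongs to Resource 1
        register_permission(rs2, ["read-private"])
    except UmaError as e:
        results["ticket_wrong_scope"] = e.error
    ticket = register_permission(rs2, ["test-private"])
    # Initial RPT: the ticket's scopes, granted by the policy (simplified here).
    rpt = upgrade_rpt([], rs2, ticket["resource_scopes"], allow_all)
    results["rpt_after_ticket"] = rpt
    # Upgrade with test-public: the RPT should now carry both scopes.
    rpt = upgrade_rpt(rpt, rs2, ["test-public"], allow_all)
    results["rpt_after_upgrade"] = rpt
    # read-public is not registered for Resource 2: reject before policy runs.
    calls_before = len(policy_calls)
    try:
        upgrade_rpt(rpt, rs2, ["read-public"], allow_all)
    except UmaError as e:
        results["upgrade_wrong_scope"] = e.error
    results["policy_ran_for_wrong_scope"] = len(policy_calls) > calls_before
    return results


if __name__ == "__main__":
    import json
    print(json.dumps(run_thread_scenario(), indent=2))
```

Running the module prints the replayed outcomes: the ticket request with `read-private` fails with `invalid_scope`, the upgraded RPT lists both `test-private` and `test-public`, and the `read-public` upgrade is refused without the policy ever being invoked, which is the log evidence a defender would look for when checking an authorization server against this class of bug.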

By Yuriy Zabrovarnyy staff 09 Nov 2017 at 12:33 p.m. CST

I created tickets for both cases:

```
https://github.com/GluuFederation/oxAuth/issues/689
https://github.com/GluuFederation/oxAuth/issues/690
```

It will be fixed in the next release.

By Sakit Atakishiyev user 09 Nov 2017 at 11:28 p.m. CST

Thanks Yuriy for your information. So we just need to wait for version `3.2.0`, or try to help you fix the issues?