By: Sakit Atakishiyev user 23 May 2019 at 9 a.m. CDT

2 Responses
Hello my friends :). I asked this question in 2017 when the Gluu version was 3.0.1. Now we are in 2019 and the Gluu version is 3.1.6. My question is how we find the logged-in user when running UMA scope policies? The `UmaAuthorizationContext` class has a `getUser()` method, but this method always returns null. I will explain what I did. I would like someone to help me find the answer. Let's begin.

First, I got the access token from `token_endpoint` with the below code snippet.

**REQUEST**

```
POST /oxauth/restv1/token HTTP/1.1
Host: login.isb.az
Content-Type: application/x-www-form-urlencoded
Authorization: Basic QCFGMTMwLjY4MjAuM0FCRC5GRjEzITAwMDEhMkZGQS4wODQ0ITAwMDghRDU3OC4zQTEzLjc4MUUuREMyQjphZG1pbg==
User-Agent: PostmanRuntime/7.13.0
Accept: */*
Cache-Control: no-cache
Host: login.isb.az
accept-encoding: gzip, deflate
content-length: 91
Connection: keep-alive
cache-control: no-cache

grant_type=password&username=terlan&password=123123&scope=openid%2Bprofile%2Buma_protection
```

**RESPONSE**

```
{
    "access_token": "524b3bd4-aa71-49f7-af02-68cbce12e371",
    "token_type": "bearer",
    "expires_in": 3599,
    "refresh_token": "edb9046e-e207-4160-b8a9-3d2dc9ba3181",
    "scope": "openid profile uma_protection"
}
```

We got our `access token` for my user `terlan`. Now with this `access_token` I am going to obtain a ticket to access my resource with the given scopes.

**REQUEST**

```
POST /oxauth/restv1/host/rsrc_pr HTTP/1.1
Host: login.isb.az
Content-Type: application/json
Authorization: Bearer 524b3bd4-aa71-49f7-af02-68cbce12e371
User-Agent: PostmanRuntime/7.13.0
Accept: */*
Cache-Control: no-cache
Host: login.isb.az
accept-encoding: gzip, deflate
content-length: 146
Connection: keep-alive
cache-control: no-cache

{
    "resource_id": "713ea6cf-17c2-4356-9a5b-c5aed15167ca",
    "resource_scopes": [
        "contractWideInfo",
        "getVehicleInfo"
    ]
}
```

**RESPONSE**

```
{
    "ticket": "a78db646-c6b8-4e0a-a129-2df02bb3a9e6"
}
```

The next step is getting the `rpt` with the `ticket` we got in the above response. I enabled the below policy on one of the scopes of the resource.

**POLICY SCRIPT**

```
from org.xdi.oxauth.model.uma import UmaConstants
from org.xdi.model.uma import ClaimDefinitionBuilder
from org.xdi.model.custom.script.type.uma import UmaRptPolicyType
from org.xdi.service.cdi.util import CdiUtil
from org.xdi.util import StringHelper, ArrayHelper
from java.util import Arrays, ArrayList, HashSet
from java.lang import String

class UmaRptPolicy(UmaRptPolicyType):
    def __init__(self, currentTimeMillis):
        self.currentTimeMillis = currentTimeMillis

    def init(self, configurationAttributes):
        print "RPT Policy. Initializing ..."
        self.clientsSet = self.prepareClientsSet(configurationAttributes)
        print "RPT Policy. Initialized successfully"
        return True

    def destroy(self, configurationAttributes):
        print "RPT Policy. Destroyed successfully"
        return True

    def getApiVersion(self):
        return 1

    def getRequiredClaims(self, context):
        json = """[
        ]"""
        return ClaimDefinitionBuilder.build(json)

    def authorize(self, context):
        # context is reference of org.xdi.oxauth.uma.authorization.UmaAuthorizationContext
        print "RPT Policy. Authorizing ..."

        client_id = context.getClient().getClientId()
        print "UmaRptPolicy. client_id = %s" % client_id
        if (StringHelper.isEmpty(client_id)):
            return False

        if (self.clientsSet.contains(client_id)):
            print "UmaRptPolicy. Authorizing client"
            print "UmaRptPolicy. Authenticated user = %s" % context.getUserDn()
            return True
        else:
            print "UmaRptPolicy. Client isn't authorized"
            return False

    def getClaimsGatheringScriptName(self, context):
        return UmaConstants.NO_SCRIPT

    def prepareClientsSet(self, configurationAttributes):
        clientsSet = HashSet()
        if (not configurationAttributes.containsKey("allowed_clients")):
            return clientsSet

        allowedClientsList = configurationAttributes.get("allowed_clients").getValue2()
        if (StringHelper.isEmpty(allowedClientsList)):
            print "UmaRptPolicy. The property allowed_clients is empty"
            return clientsSet

        allowedClientsListArray = StringHelper.split(allowedClientsList, ",")
        if (ArrayHelper.isEmpty(allowedClientsListArray)):
            print "UmaRptPolicy. No clients specified in allowed_clients property"
            return clientsSet

        # Convert to HashSet to quick search
        i = 0
        count = len(allowedClientsListArray)
        while (i < count):
            client = allowedClientsListArray[i]
            clientsSet.add(client)
            i = i + 1

        return clientsSet
```

As you can see in the above code snippet, I print the `user dn` with the

```
print "UmaRptPolicy. Authenticated user = %s" % context.getUserDn()
```

statement. Let's obtain our `rpt`.

**REQUEST**

```
POST /oxauth/restv1/token HTTP/1.1
Host: login.isb.az
Content-Type: application/x-www-form-urlencoded
Authorization: AccessToken 524b3bd4-aa71-49f7-af02-68cbce12e371
User-Agent: PostmanRuntime/7.13.0
Accept: */*
Cache-Control: no-cache
Host: login.isb.az
accept-encoding: gzip, deflate
content-length: 108
Connection: keep-alive
cache-control: no-cache

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Auma-ticket&ticket=a78db646-c6b8-4e0a-a129-2df02bb3a9e6
```

**RESPONSE**

```
{
    "pct": "dfa9e86a-2f4b-416d-85d5-1abd003eab56_B492.065C.C62E.0DBA.52BC.154E.0CBB.F001",
    "upgraded": false,
    "access_token": "addb3557-4a3e-4a97-a7e7-7863c1bdc97f_5E88.7CAD.CA03.B52E.38C6.4230.A173.64C8",
    "token_type": "Bearer"
}
```

Now let's look at our `oxauth_script.log` to find the logged-in user.

```
2019-05-23 17:16:44,515 INFO [qtp804611486-15] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - RPT Policy. Authorizing ...
2019-05-23 17:16:44,515 INFO [qtp804611486-15] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - UmaRptPolicy. client_id = @!F130.6820.3ABD.FF13!0001!2FFA.0844!0008!D578.3A13.781E.DC2B
2019-05-23 17:16:44,516 INFO [qtp804611486-15] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - UmaRptPolicy. Authorizing client
2019-05-23 17:16:44,516 INFO [qtp804611486-15] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - UmaRptPolicy. Authenticated user = None
```

Unfortunately the logged-in user is None :(. Can anyone help me to find my logged-in user? For clarification, I used my access token to get the user info.

**REQUEST**

```
POST /oxauth/restv1/userinfo HTTP/1.1
Host: login.isb.az
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer 524b3bd4-aa71-49f7-af02-68cbce12e371
User-Agent: PostmanRuntime/7.13.0
Accept: */*
Cache-Control: no-cache
Host: login.isb.az
accept-encoding: gzip, deflate
content-length: 49
Connection: keep-alive
cache-control: no-cache

access_token=524b3bd4-aa71-49f7-af02-68cbce12e371
```

**RESPONSE**

```
{
    "sub": "@!F130.6820.3ABD.FF13!0001!2FFA.0844!0000!0D18.6B6A.33B0.4AF1",
    "updated_at": 1558084763692,
    "user_id": "BBB7777",
    "user_name": "terlan",
    "name": "Terlan Efendiyev",
    "given_name": "Terlan",
    "middle_name": "Hərbi",
    "family_name": "Efendiyev",
    "email": "efendiyev@gmail.com"
}
```

By Michael Schwartz Account Admin 23 May 2019 at 10:23 a.m. CDT

You will only see user claims if the user has been redirected to the claims gathering endpoint, and the ticket you are presenting was returned from that endpoint.

By Sakit Atakishiyev user 23 May 2019 at 10:36 a.m. CDT

Thanks Michael for your response. I read [this](https://gluu.org/docs/ce/3.1.5/admin-guide/uma/#uma-2-client-authentication) and think that using the `access_token` which my user obtained is enough. Now can I call the `claims gathering endpoint` without interrupting my user?
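The policy decision the question's script makes, and the point in the reply that the user only appears in the context when the ticket came from the claims gathering endpoint, can be exercised offline. The block below is an added example, not the Gluu sample script or the poster's code: it rewrites the script's allow-list logic in plain Python 3 against a small fake `UmaAuthorizationContext` that models both ticket origins (no user DN for a ticket from the permission endpoint, user DN plus claims for one from claims gathering). The fake context class, its `getClaim` accessor, the `user_aware` variant and the placeholder DN are assumptions made for this example; the real context object exists only inside oxAuth's Jython engine.

```python
# Added example (not the Gluu sample script or the poster's code): the RPT
# policy's decision logic in plain Python 3 against a constructed stand-in for
# org.xdi.oxauth.uma.authorization.UmaAuthorizationContext, so the allow/deny
# behaviour can be tested offline without a Gluu server.

from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class FakeClient:
    client_id: str

    def getClientId(self) -> str:
        return self.client_id


@dataclass
class FakeUmaAuthorizationContext:
    """Constructed stand-in for the oxAuth context handed to authorize().

    user_dn is None when the ticket came straight from the permission endpoint
    (the situation in the thread) and is set only when the ticket was issued by
    the claims gathering endpoint after the user was redirected there.
    """
    client: FakeClient
    user_dn: Optional[str] = None
    claims: Dict[str, str] = field(default_factory=dict)

    def getClient(self) -> FakeClient:
        return self.client

    def getUserDn(self) -> Optional[str]:
        return self.user_dn

    def getClaim(self, name: str) -> Optional[str]:
        # Assumed accessor for gathered claims; shape chosen for this example.
        return self.claims.get(name)


def prepare_clients_set(configuration_attributes: Dict[str, str]) -> Set[str]:
    """Same parsing as the script's prepareClientsSet: comma-separated allowed_clients."""
    raw = configuration_attributes.get("allowed_clients", "")
    return {c.strip() for c in raw.split(",") if c.strip()}


def authorize_client_only(context, clients_set: Set[str]) -> bool:
    """Decision logic of the posted script: allow iff the requesting client is allow-listed."""
    client_id = context.getClient().getClientId()
    if not client_id:
        return False
    return client_id in clients_set


def authorize_user_aware(context, clients_set: Set[str], claim: str, expected: str) -> bool:
    """Variant for a policy that depends on who the user is: it fails closed when the
    context carries no user DN (ticket not obtained through claims gathering)."""
    if not authorize_client_only(context, clients_set):
        return False
    if context.getUserDn() is None:
        # No end-user identity behind this ticket: refuse rather than allow by accident.
        return False
    return context.getClaim(claim) == expected


# Constructed sample data; the client id is the one visible in the thread's log.
CONFIG = {"allowed_clients": "@!F130.6820.3ABD.FF13!0001!2FFA.0844!0008!D578.3A13.781E.DC2B"}
CLIENT = FakeClient(CONFIG["allowed_clients"])


def run_scenarios() -> Dict[str, bool]:
    clients = prepare_clients_set(CONFIG)
    # Ticket obtained directly from the permission endpoint: no user in the context.
    ctx_no_user = FakeUmaAuthorizationContext(client=CLIENT)
    # Ticket returned by the claims gathering endpoint: user DN and claims present.
    ctx_with_user = FakeUmaAuthorizationContext(
        client=CLIENT,
        user_dn="inum=PLACEHOLDER-USER-INUM,ou=people,o=gluu",  # placeholder, constructed
        claims={"country": "AZ"},
    )
    ctx_unknown_client = FakeUmaAuthorizationContext(client=FakeClient("unknown-client"))
    return {
        "client_only_no_user": authorize_client_only(ctx_no_user, clients),
        "client_only_unknown": authorize_client_only(ctx_unknown_client, clients),
        "user_aware_no_user": authorize_user_aware(ctx_no_user, clients, "country", "AZ"),
        "user_aware_with_user": authorize_user_aware(ctx_with_user, clients, "country", "AZ"),
        "user_aware_wrong_claim": authorize_user_aware(ctx_with_user, clients, "country", "US"),
    }


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name}: {'allow' if decision else 'deny'}")
```

The `client_only_no_user` scenario reproduces what the log shows: the posted script grants the RPT on the client allow-list alone and merely prints `None` for the user. If the policy is meant to depend on the end user, the `user_aware` variant illustrates the safer shape: deny whenever the context has no user DN, which is exactly the case for a ticket that never passed through claims gathering.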