By: Ernst Arnold user 08 Jan 2017 at 5:47 p.m. CST

14 Responses
Hi, I can use SCIM in test mode. Now in UMA mode I use the client that was registered by the gluu setup script 'SCIM Requesting Party Client', its inum and its JWKS. I can get the AAT:

```
resp_body: {"access_token"=>"2fa0466b-7364-43f4-8827-5dab09007c71", "token_type"=>"bearer", "expires_in"=>299, "scope"=>"uma_authorization"}
```

and the RPT:

```
resp_body: {"rpt"=>"abc0301a-adb3-4562-8077-4b22533e9805/9C27.1B77.9CC6.6049.D828.185B.98D5.EBFA"}
```

But when I use the RPT to do a SCIM user query I get

```
http_code: 403
body_format: JSON
resp_body: {"ticket"=>"5af3c679-b634-42a5-923c-4dc2aa892ea7"}
request.response.headers['error']: insufficient_scope
```

Not sure where to go from here: change the way I request the RPT or continue with the ticket (and how)?

And the oxauth.log says:

```
13:40:31,587 INFO [org.xdi.oxauth.auth.Authenticator] Authentication result for user '@!A81A.15E8.....5D8D', result: 'false'
13:40:31,590 INFO [org.xdi.oxauth.auth.Authenticator] Authentication success for Client: '@!A81A.15E8......5D8D'
13:40:34,635 INFO [org.xdi.oxauth.auth.Authenticator] Authentication result for user '@!A81A.15E8.....7EF2', result: 'false'
13:40:34,639 INFO [org.xdi.oxauth.auth.Authenticator] Authentication success for Client: '@!A81A.15E8....7EF2'
```

@!A81A.15E8....5D8D is 'SCIM Requesting Party Client'
@!A81A.15E8....7EF2 is 'SCIM Resource Server Client'

both configured by gluu setup script

Many Thanks
Ernst
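The exchange behind the 403 above, as an added Ruby example that is not part of this thread and not Gluu's or the SCIM-Client project's code. It is an in-memory model of the UMA 1.0.1 roles (token, RPT, permission registration, introspection and authorization endpoints, whose real URLs a client reads from the server's UMA discovery document); the `AuthorizationServer`, `ScimResourceServer` and `uma_get_users` names, the `allowed_clients` list standing in for the authorization policy script, and the sample user are all constructed for the example.

```ruby
require 'securerandom'

# Constructed in-memory model of the UMA 1.0.1 exchange. Endpoint names in the
# comments are the roles from the UMA discovery document; the real URLs come
# from the server's /.well-known/uma-configuration, not from this example.
class AuthorizationServer
  def initialize(allowed_clients:)
    @allowed_clients = allowed_clients # stands in for the authorization policy script
    @aats = {}    # AAT -> client_id
    @rpts = {}    # RPT -> { resource_id => [granted scopes] }
    @tickets = {} # ticket -> { resource_id:, scopes: }
  end

  # token_endpoint: client credentials grant with scope uma_authorization yields an AAT
  def token(client_id, scope)
    return { error: 'invalid_scope' } unless scope.split.include?('uma_authorization')
    aat = SecureRandom.uuid
    @aats[aat] = client_id
    { access_token: aat, token_type: 'bearer', scope: 'uma_authorization' }
  end

  # rpt_endpoint: issues a bare RPT that carries no permissions yet
  def rpt(aat)
    return { error: 'invalid_token' } unless @aats.key?(aat)
    token = SecureRandom.uuid
    @rpts[token] = {}
    { rpt: token }
  end

  # permission_registration_endpoint (called by the resource server):
  # records what was attempted and hands back a ticket for the client
  def register_permission(resource_id, scopes)
    ticket = SecureRandom.uuid
    @tickets[ticket] = { resource_id: resource_id, scopes: scopes }
    { ticket: ticket }
  end

  # introspection_endpoint (called by the resource server)
  def introspect(rpt)
    perms = @rpts[rpt]
    perms ? { active: true, permissions: perms } : { active: false }
  end

  # authorization_endpoint: client presents RPT + ticket under its AAT;
  # the policy decides whether the requested scopes get attached to the RPT
  def authorize(aat, rpt, ticket)
    client_id = @aats[aat]
    request = @tickets.delete(ticket)
    return { error: 'invalid_ticket' } unless client_id && request && @rpts.key?(rpt)
    return { error: 'not_authorized' } unless @allowed_clients.include?(client_id)
    @rpts[rpt][request[:resource_id]] = request[:scopes]
    { rpt: rpt }
  end
end

# Resource server protecting the SCIM Users endpoint with the scim_access scope
class ScimResourceServer
  RESOURCE_ID = 'scim_users'.freeze
  REQUIRED_SCOPE = 'scim_access'.freeze

  def initialize(authorization_server)
    @as = authorization_server
  end

  # Returns [status, headers, body], shaped like an HTTP response
  def get_users(rpt)
    info = @as.introspect(rpt)
    granted = info[:active] ? Array(info[:permissions][RESOURCE_ID]) : []
    if granted.include?(REQUIRED_SCOPE)
      return [200, {}, { Resources: [{ userName: 'alice' }] }] # constructed sample user
    end
    # No permission on this RPT: register what was asked for and return the ticket
    ticket = @as.register_permission(RESOURCE_ID, [REQUIRED_SCOPE])[:ticket]
    [403, { 'WWW-Authenticate' => 'UMA realm="scim", error="insufficient_scope"' }, { ticket: ticket }]
  end
end

# Client side: AAT -> RPT -> first call (expect 403 + ticket) -> authorize -> retry
def uma_get_users(as, rs, client_id)
  aat = as.token(client_id, 'uma_authorization')[:access_token]
  rpt = as.rpt(aat)[:rpt]
  status, _headers, body = rs.get_users(rpt)
  return [status, body] unless status == 403 && body[:ticket]
  granted = as.authorize(aat, rpt, body[:ticket])
  return [403, granted] if granted[:error] # policy rejected this client_id
  status, _headers, body = rs.get_users(granted[:rpt])
  [status, body]
end

if __FILE__ == $PROGRAM_NAME
  as = AuthorizationServer.new(allowed_clients: ['scim-requesting-party']) # constructed client id
  rs = ScimResourceServer.new(as)
  p uma_get_users(as, rs, 'scim-requesting-party') # 200 with the user list
  p uma_get_users(as, rs, 'some-other-client')     # 403 with error not_authorized
end
```

Two things the model makes visible: the very first call with a freshly issued RPT always comes back 403 with a ticket, because the RPT has no permissions attached until the client takes that ticket to the authorization endpoint; and that second step is where the policy (here `allowed_clients`) can still refuse, so a client that is not on the policy's list ends up with a 403 again rather than a scoped RPT.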

By Michael Schwartz Account Admin 08 Jan 2017 at 7:21 p.m. CST

1. There is a SCIM scope... make sure you request this.
2. Check the custom authorization script for SCIM (under config/custom scripts). This is the policy that gets evaluated--you may need to add your client-id there.

By Ernst Arnold user 09 Jan 2017 at 7:02 p.m. CST

Hi Michael,

Yes I have seen the UMA scope 'SCIM Access' with id scim_access and Authorization Policy uma_authorization_policy. I am a bit confused which scopes need to go where, so I have now put all of "profile openid uma_authorization scim_access user_name phone mobile_phone address clientinfo uma_protection email" in the AAT request, the RPT request and the user query request.

My client is written in Ruby and I use the same id as the one that was registered during gluu setup, presumably intended for the Java SCIM client. So uma_authorization_policy already allows my client inum.

I still get the same result: 403 - insufficient_scope

thanks
Ernst

By Michael Schwartz Account Admin 09 Jan 2017 at 7:56 p.m. CST

Can you include a screenshot of the client scopes section from oxTrust?

By Ernst Arnold user 09 Jan 2017 at 11:39 p.m. CST

Attached some screenshots ("Video or screenshot link" below) And later I also have added a PDF to the linked GIST where I describe the requests sent to the GLUU server. Thanks

By Ernst Arnold user 11 Jan 2017 at 3:05 p.m. CST

Hi, I am a bit stuck as the error message 'insufficient scope' does not detail what is missing. Even if I remove the registered client as an allowed client from the authorization policy it still gives the same error message. I have not found much help in the logs. That is why in the "Video or screenshot link" of the previous post I have also added a PDF doc describing the request I am submitting to the gluu server.

Thanks
Ernst

By Michael Schwartz Account Admin 11 Jan 2017 at 3:13 p.m. CST

Clients for both UMA and OpenID Connect are managed under OpenID Connect / Clients. Can you check the client that is calling the SCIM endpoint, and make sure it has the scim_access scope?

By Ernst Arnold user 12 Jan 2017 at 4:23 a.m. CST

Do you mean that I should add scope scim_access at the GLUU server GUI to the registered client? That is page https://<my-gluu-server-domain>/identity/client/manage/update/%40%21A81A.1.... I cannot add it because the 'Add Scope' dialog lists the available scopes I could add. scim_access is not in that list! The client has only scope uma_authorization

By Ernst Arnold user 12 Jan 2017 at 4:44 a.m. CST

So I created a new scope at OpenID Connect>Scopes>Add Scope

```
Display Name: scim_access
Scope Type Default Scope: false
Claims: none added
```

Then I can add that scope to the registered client. But it still responds with error "insufficient_scope"

By Valentino Pecaoco user 12 Jan 2017 at 8:22 a.m. CST

Hi Ernst, Have you tried looking into [SCIM-Client](https://github.com/GluuFederation/SCIM-Client) and see how it is doing it? [UmaScim2ClientImpl.java](https://github.com/GluuFederation/SCIM-Client/blob/master/src/main/java/gluu/scim2/client/auth/UmaScim2ClientImpl.java) [Get Scim2Client](https://github.com/GluuFederation/SCIM-Client/blob/master/src/main/java/gluu/scim2/client/Scim2Client.java#L41-L45) [Unit test](https://github.com/GluuFederation/SCIM-Client/blob/master/src/test/java/gluu/scim2/client/EmailSync2Tests.java#L34-L36)

By Ernst Arnold user 12 Jan 2017 at 6:27 p.m. CST

Hi Valentino, I found out how to get the tokens from reading UmaScim2ClientImpl.java I will do some further study to see how the final request is done. But my doubts were whether there is something not right in how the client is registered on the gluu server. Initially I used the client that was already set up by the installation presumably for use by UmaScim2ClientImpl.java. But that did also result in insufficient scope. Will report next week how I go Regards Ernst

By Ernst Arnold user 22 Jan 2017 at 4:33 p.m. CST

Hi Valentino, I am in the process of getting the java client to work, although we will need it to work in Ruby.

By Michael Schwartz Account Admin 22 Jan 2017 at 5:41 p.m. CST

If you have budget, we know a good Ruby programmer.

By Ernst Arnold user 02 Feb 2017 at 6:37 a.m. CST

Hi Valentino,

You said:

> Have you tried looking into SCIM-Client and see how it is doing it?
> UmaScim2ClientImpl.java
> Get Scim2Client
> Unit test

I have read the code and cannot see that anything would be wrong with my https requests. It must be the server config.

Michael advised:

> Can you check the client that is calling the SCIM endpoint, and make sure it has the scim_access scope

No, it has only scope uma_authorization. I cannot add scim_access because the 'Add Scope' dialog does not show such a scope to pick.

What can I do (gluu 2.4.4 SP1)?

Regards
Ernst

By Ernst Arnold user 02 Feb 2017 at 6:41 a.m. CST

Hi Michael,

We do not have a budget. We have a number of quite experienced Ruby programmers volunteering their time. The problem is that we cannot configure the server with scim-access as you advised.

Regards
Ernst