By: Haam Tham user 29 Mar 2017 at 4:29 p.m. CDT

11 Responses
I have Gluu server 3.0.1 installed in a CentOS 6.8 VM. SCIM API works fine in test mode, but I can't seem to get past UMA in non-test mode. I am using the SCIM-Client and am getting 403 when it tries to POST to /oxauth/seam/resource/restv1/requester/perm.

In addition, the password in oxtrust-config.json for scim-rp.jks appears to be incorrect. I cannot list the entries in scim-rp.jks (using keytool) with the storepass in oxtrust-config.json and had to resort to a hack to reset the password.

I have enabled debug trace and everything seems OK until it calls the /perm endpoint to get another RPT. The short version, based on what I extracted from the logs, is as follows:

```
>> POST /oxauth/seam/resource/restv1/oxauth/token
>> client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&grant_type=client_credentials&scope=uma_authorization&client_assertion=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ijg3ZTZlZjRmLWQ1MzYtNGVhMi1iN2NiLWIyYzY3YzQ1MGJkMyJ9.eyJpc3MiOiJAIUFEQkIuOTU3Qi5GOUQ2LkE1OEQhMDAwMSE0NjhCLkQxOTkhMDAwOCEyRDZBLjE0RDMiLCJzdWIiOiJAIUFEQkIuOTU3Qi5GOUQ2LkE1OEQhMDAwMSE0NjhCLkQxOTkhMDAwOCEyRDZBLjE0RDMiLCJhdWQiOiJodHRwczovL2dsdXUudm0ubmV0L294YXV0aC9zZWFtL3Jlc291cmNlL3Jlc3R2MS9veGF1dGgvdG9rZW4iLCJqdGkiOiJiY2E0Yzk1NC0zMWY3LTRiMDQtOTU1My1iYTM2M2E2NTI2MjUiLCJleHAiOjE0OTA3NDg5MDIsImlhdCI6MTQ5MDc0ODYwMn0.V7RI3yh6jje8176MT3cHhkz9xZBva9wJA8EvusW_xOce686sQka_X8D5hiJeK9rN5SKDYNkAtJg9J3dKJ47Vv2FjQ1JNlBS9sdNxoMIFm1mMaw1aqxqQlbt7OI8qVSzGIFKi76rfB9oneOiKGQeE4cF9cgGYIhTUog8K7CFjTsYmx6xLBRVtdvC04nst7FdqODazIjLiKNLBXRlWrCozaiUsOT9m_ZOL4ab0JQfDVkHKxHm8b_ReN3kTti8yIRgHb3XAWFXnU_Ac5DGak453f9mIn1GhUhkSJGg3iPCtu6CdUu8SBx16vhjsXyaBnEtgGk7WCnKv_l48x8LN9kRuZw&client_id=%40%21ADBB.957B.F9D6.A58D%210001%21468B.D199%210008%212D6A.14D3
client_assertion.header={"typ":"JWT","alg":"RS256","kid":"87e6ef4f-d536-4ea2-b7cb-b2c67c450bd3"}
client_assertion.claims={"iss":"@!ADBB.957B.F9D6.A58D!0001!468B.D199!0008!2D6A.14D3","sub":"@!ADBB.957B.F9D6.A58D!0001!468B.D199!0008!2D6A.14D3","aud":"https://gluu.vm.net/oxauth/seam/resource/restv1/oxauth/token","jti":"bca4c954-31f7-4b04-9553-ba363a652625","exp":1490748902,"iat":1490748602}
<< HTTP/1.1 200 OK
<< {"access_token":"3844b060-3803-42fc-905b-e3eee402a768","token_type":"bearer","expires_in":299,"scope":"uma_authorization"}

>> POST /oxauth/seam/resource/restv1/requester/rpt
>> Authorization: Bearer 3844b060-3803-42fc-905b-e3eee402a768
<< HTTP/1.1 201 Created
<< {"rpt":"a041f140-89c9-4df1-a60d-544550484ba6/CA9F.E817.4424.060E.7416.ED55.9C05.BCFE"}

>> GET /identity/seam/resource/restv1/scim/v2/Users/?filter=userName+eq+%22htham%22&startIndex=1&count=1&sortBy=&sortOrder=&attributes=
>> Authorization: Bearer a041f140-89c9-4df1-a60d-544550484ba6/CA9F.E817.4424.060E.7416.ED55.9C05.BCFE
<< HTTP/1.1 403 Forbidden
<< error: insufficient_scope (** this is in the header **)
<< {"ticket":"21f842de-0459-4020-b333-083fc92781fa"}

>> POST /oxauth/seam/resource/restv1/requester/perm
>> Authorization: Bearer 3844b060-3803-42fc-905b-e3eee402a768
>> {"rpt":"a041f140-89c9-4df1-a60d-544550484ba6/CA9F.E817.4424.060E.7416.ED55.9C05.BCFE","ticket":"21f842de-0459-4020-b333-083fc92781fa","claims":null}
<< HTTP/1.1 403 Forbidden
<< {"error":"not_authorized_permission","error_description":"The requester is definitively not authorized for this permission according to user policy."}
```

I can provide the full logs. Basically, it looks like the client got an access token from the oxauth/token endpoint by authenticating as the scim_rp_client. It gets an initial RPT from the requester/rpt endpoint and hits the /scim/v2/Users endpoint with the RPT as a bearer token. That results in a 403, and the client then tries to get another RPT from the /requester/perm endpoint, using the access token it got from authentication as a bearer token.

That's when the whole thing stops: the /requester/perm endpoint rejects the request with a not_authorized_permission. What am I doing wrong? I am simply using the SCIM-Client example program and following the instructions in the docs. Also, where can I find the correct storepass for scim-rp.jks? The one listed in oxtrust-config.json does not work.

The test client is as follows:

```
package com.radiumone.scim;

import java.io.IOException;

import gluu.scim.client.ScimResponse;
import gluu.scim2.client.Scim2Client;

public class TestUser1 {

    public static void main(String[] args) throws Exception {
        final String domain = "https://gluu.vm.net/identity/seam/resource/restv1";
        final String umaMetaDataUrl = "https://gluu.vm.net/.well-known/uma-configuration";
        // scim_rp_client_id from setup.properties.last (the SCIM Requesting Party Client)
        final String umaAatClientId = "@!ADBB.957B.F9D6.A58D!0001!468B.D199!0008!2D6A.14D3";
        final String umaAatClientJksPath = "/Users/htham/Documents/workspace/scim-uma-test/target/classes/scim-rp.jks";
        // the storepass from oxtrust-config.json did not open the keystore, so it was reset by hand
        //final String umaAatClientJksPassword = "E00xUHDtNNj874yQ33/ZXQ==";
        final String umaAatClientJksPassword = "secret";
        final String umaAatClientKeyId = "";

        TestUser1 test = new TestUser1();
        test.readUser("htham", domain, umaMetaDataUrl, umaAatClientId, umaAatClientJksPath,
                umaAatClientJksPassword, umaAatClientKeyId);
    }

    public TestUser1() {
    }

    private void readUser(String userName, String domain, String umaMetaDataUrl, String umaAatClientId,
            String umaAatClientJksPath, String umaAatClientJksPassword, String umaAatClientKeyId)
            throws IOException {
        // Scim2Client.umaInstance drives the UMA flow (AAT -> RPT -> resource -> ticket -> perm) itself
        final Scim2Client scim2Client = Scim2Client.umaInstance(domain, umaMetaDataUrl, umaAatClientId,
                umaAatClientJksPath, umaAatClientJksPassword, umaAatClientKeyId);
        String filter = "userName eq \"" + userName + "\"";
        ScimResponse response = scim2Client.searchUsers(filter, 1, 1, "", "", null);
        System.out.println("SCIM2: " + response.getResponseBodyString());
    }
}
```

I am using the scim_rp_client_id:

```
# cat setup.properties.last | grep "scim_rs_client_id\|scim_rp_client_id"
scim_rs_client_id=@!ADBB.957B.F9D6.A58D!0001!468B.D199!0008!E93C.941A
scim_rp_client_id=@!ADBB.957B.F9D6.A58D!0001!468B.D199!0008!2D6A.14D3
```

and the relevant entries from oxtrust-config.json are:

```
# fgrep -i scim oxtrust-config.json
"scimUmaClientId":"@!ADBB.957B.F9D6.A58D!0001!468B.D199!0008!E93C.941A",
"scimUmaClientKeyId":"",
"scimUmaResourceId":"1447184268430",
"scimUmaScope":"https://gluu.vm.net/oxauth/seam/resource/restv1/uma/scopes/scim_access",
"scimUmaClientKeyStoreFile":"/etc/certs/scim-rs.jks",
"scimUmaClientKeyStorePassword":"E00xUHDtNNj874yQ33/ZXQ==",
"scimTestMode":false,
"scimTestModeAccessToken":"",
```

By Michael Schwartz Account Admin 29 Mar 2017 at 6 p.m. CDT

Can you check Custom Script / Authorization ... and make sure the client is authorized?

By Haam Tham user 29 Mar 2017 at 6:43 p.m. CDT

Yes. Manage Custom Scripts / UMA Authorization Policies / uma_authorization_policy has 2 comma-separated inums for the allowed_clients property: @!ADBB.957B.F9D6.A58D!0001!468B.D199!0008!2D6A.14D3, @!ADBB.957B.F9D6.A58D!0001!468B.D199!0008!121F.86EB The first one is SCIM Requesting Party Client, which is what I use for the umaAatClientId in my test program. The second is the Passport Requesting Party Client.

By Michael Schwartz Account Admin 29 Mar 2017 at 6:46 p.m. CDT

Oh, why are you using the Passport Requesting Party? You should be using the SCIM Requesting Party... Passport is our social login component, and it uses oxTrust API's also.

By Haam Tham user 29 Mar 2017 at 7:10 p.m. CDT

I am using the SCIM Requesting Party :-) I mentioned the Passport RP because it's the *other* inum listed in the policy.

By Michael Schwartz Account Admin 29 Mar 2017 at 7:26 p.m. CDT

BTW, to get the jks passwords:

```
# grep jks /install/community-edition-setup/setup.properties.last | grep pass
```

I'll pass this on to a developer. Maybe the sample code needs to be updated.

By Haam Tham user 29 Mar 2017 at 7:38 p.m. CDT

Ah, I see. Yep, those passwords work. Thanks, Michael. Might want to add a note in the doc about where to find the password for the scim-rp.jks file.

By Aliaksandr Samuseu staff 30 Mar 2017 at 9:10 a.m. CDT

Hi, Haam. Just a little note about the password form used in `oxtrust-config.json`:

```
"scimUmaClientKeyStorePassword":"E00xUHDtNNj874yQ33/ZXQ=="
```

In our config files passwords are stored using reversible encryption. To get the clear text, run:

```
# /opt/gluu/bin/encode.py -d E00xUHDtNNj874yQ33/ZXQ==
```

By Shekhar L. staff 30 Mar 2017 at 1:42 p.m. CDT

Hi Haam, You can get this scim-rp.jks file from the location gluu-server-3.0.1/install/community-edition-setup/output/scim-rp.jks. Thanks, Shekhar L.

By Haam Tham user 30 Mar 2017 at 1:48 p.m. CDT

Thanks, Aliaksandr. It decrypts to the scim-rs.jks storepass. I'm not the only one who was confused by that. I see other folks on this forum were similarly confused too. Any ideas why POST to /requester/perm with an access token from authenticating as SCIM RP Client, plus a ticket and RPT will result in a not_authorized_permission? It seems to imply that the SCIM RP Client is not authorized to access the SCIM API. Yet, under Manage Custom Scripts / UMA Authorization Policies / uma_authorization_policy, the SCIM RP Client is the first of the two comma-separated inums in the allowed_clients property. Odd.

By Haam Tham user 30 Mar 2017 at 6:21 p.m. CDT

I found the problem. I am now able to navigate UMA to access the SCIM endpoints. Turns out the custom scripts are not **_enabled_** by default. The UMA Authorization Policies script has to be enabled before UMA protected resources can be accessed. Once I enabled the UMA Authorization Policies script, the call to the /rpt endpoint went through and I was able to get a valid RPT for the /scim/* endpoints. May I suggest adding a mention of having to enable the UMA Authorization Policies script to the documentation under the section SCIM protected by UMA? I'm sure I am not the only one who will trip over this.
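The exchange traced in the opening post and the failure mode found here, modelled end to end as an added example (editor's code, not Gluu's or the SCIM-Client's): a toy UMA 1.0 authorization server with the token, rpt and perm endpoints, a toy resource server that registers a permission ticket on a 403, and a client driving the same sequence the SCIM-Client does. The policy check models the `allowed_clients` property and a `policy_enabled` flag; the assumption, taken from this post, is that a disabled UMA Authorization Policies script authorizes nothing, so the perm call fails with `not_authorized_permission` exactly as it would for a client missing from `allowed_clients`. Client ids, the scope URI and the resource id are placeholders; the signed `client_assertion` JWT is replaced by a plain client-id lookup.

```python
"""Toy UMA 1.0 requesting-party flow (added example; not Gluu's code).
All identifiers below are constructed placeholders."""
import uuid
from dataclasses import dataclass, field

SCIM_SCOPE = "https://as.example/uma/scopes/scim_access"  # assumed scope URI
SCIM_RESOURCE = "scim-users"                               # assumed resource id


@dataclass
class AuthorizationServer:
    """Models /oxauth/token, /requester/rpt and /requester/perm."""
    clients: set            # client ids that may obtain an AAT
    allowed_clients: set    # the allowed_clients property of the policy script
    policy_enabled: bool    # whether the UMA Authorization Policies script is enabled
    aats: dict = field(default_factory=dict)     # AAT -> client_id
    rpts: dict = field(default_factory=dict)     # RPT -> set of (resource, scope)
    tickets: dict = field(default_factory=dict)  # ticket -> (resource, scope)

    def token(self, client_id):
        # client_credentials + scope=uma_authorization; the real server verifies a
        # signed client_assertion JWT, modelled here as a client-id lookup
        if client_id not in self.clients:
            return 401, {"error": "invalid_client"}
        aat = str(uuid.uuid4())
        self.aats[aat] = client_id
        return 200, {"access_token": aat, "token_type": "bearer", "scope": "uma_authorization"}

    def rpt(self, aat):
        if aat not in self.aats:
            return 401, {"error": "invalid_token"}
        rpt = str(uuid.uuid4())
        self.rpts[rpt] = set()  # a fresh RPT carries no permissions yet
        return 201, {"rpt": rpt}

    def register_permission(self, resource, scope):
        # called by the resource server; the ticket is handed back to the client
        ticket = str(uuid.uuid4())
        self.tickets[ticket] = (resource, scope)
        return ticket

    def introspect(self, rpt, resource, scope):
        return (resource, scope) in self.rpts.get(rpt, set())

    def perm(self, aat, rpt, ticket):
        """Run the authorization policy for the permission named by the ticket."""
        if aat not in self.aats or rpt not in self.rpts or ticket not in self.tickets:
            return 400, {"error": "invalid_request"}
        client_id = self.aats[aat]
        permission = self.tickets.pop(ticket)
        # Assumption from the thread: a disabled script authorizes nothing, which is
        # indistinguishable from a policy that rejects the client.
        if not (self.policy_enabled and client_id in self.allowed_clients):
            return 403, {"error": "not_authorized_permission"}
        self.rpts[rpt].add(permission)
        return 200, {"rpt": rpt}


@dataclass
class ResourceServer:
    """Models the UMA-protected /scim/v2/Users endpoint in oxTrust."""
    as_: AuthorizationServer

    def search_users(self, rpt):
        if self.as_.introspect(rpt, SCIM_RESOURCE, SCIM_SCOPE):
            return 200, {"Resources": [{"userName": "htham"}]}  # constructed payload
        ticket = self.as_.register_permission(SCIM_RESOURCE, SCIM_SCOPE)
        return 403, {"error": "insufficient_scope", "ticket": ticket}


def run_flow(as_, client_id):
    """Drive the SCIM-Client sequence; returns the ordered (step, status, body) trace."""
    trace = []
    status, body = as_.token(client_id)
    trace.append(("token", status, body))
    if status != 200:
        return trace
    aat = body["access_token"]
    status, body = as_.rpt(aat)
    trace.append(("rpt", status, body))
    rpt = body["rpt"]
    rs = ResourceServer(as_)
    status, body = rs.search_users(rpt)
    trace.append(("scim", status, body))
    if status == 403 and "ticket" in body:
        status, body = as_.perm(aat, rpt, body["ticket"])
        trace.append(("perm", status, body))
        if status == 200:
            trace.append(("scim-retry",) + rs.search_users(rpt))
    return trace


def make_as(policy_enabled, scim_rp="scim-rp-client", passport_rp="passport-rp-client"):
    """Two RPs in allowed_clients, mirroring the policy shown in the thread."""
    return AuthorizationServer(clients={scim_rp, passport_rp, "other-client"},
                               allowed_clients={scim_rp, passport_rp},
                               policy_enabled=policy_enabled)


if __name__ == "__main__":
    for enabled in (False, True):
        for step, status, body in run_flow(make_as(enabled), "scim-rp-client"):
            print(f"policy_enabled={enabled} {step:10} {status} {body}")
```

Running it prints the 200/201/403/403 trace with the script disabled and 200/201/403/200/200 once it is enabled; the first 403 (`insufficient_scope` plus a ticket) is the normal part of the flow, only the second one means the policy said no.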

By Michael Schwartz Account Admin 30 Mar 2017 at 9 p.m. CDT

Glad you got it working!