
I'm trying to get a micro-services environment working. I've already set up the config-server, eureka-server, zuul-server, and service. To handle security I have Cloud Foundry's UAA server installed and running.

Following the docs on how to set up the UAA server, there's the option to have LDAP groups as scopes, which I have, and I can see how they get created in the UAA server logs, but they don't get into the JWT token. Zuul is proxying correctly to the UAA server: I do the authentication process on UAA and get the JWT token on Zuul, and then Zuul proxies it to the service behind it, but without the logged-in user's groups/scopes, only the openid scope that's in the client configuration. Am I missing something? Or is this how things work, and I'll have to implement a workaround, which would be getting the user's username from the token and looking up his access privileges on each request for each service?

Here's my uaa.yml:

spring_profiles: ldap,mysql

disableInternalUserManagement: true

zones:
  internal:
    hostnames:
      - sso.example.com

oauth:
  user:
    authorities:
      - openid
      - scim.me
      - password.write
      - scim.userids
      - uaa.user
      - approvals.me
      - oauth.approvals
  clients:
    sso:
      secret: changeme!
      authorized-grant-types: authorization_code, refresh_token
      # How do I add the user groups as scopes?
      # Is it possible with this grant type?
      scope: openid
      authorities: uaa.resource

ldap:
  profile:
    file: ldap/ldap-search-and-bind.xml
  base:
    url: ldap://ldap.example.com:389
    mailAttributeName: mail
    mailSubstitute: '{0}@example.com'
    mailSubstituteOverridesLdap: true
    userDn: 'CN=Example User,OU=Admins,DC=example,DC=com'
    password: 'changeme!'
    searchBase: 'dc=example,dc=com'
    searchFilter: 'sAMAccountName={0}'
  groups:
    file: ldap/ldap-groups-as-scopes.xml
    searchBase: 'dc=example,dc=com'
    groupRoleAttribute: cn
    searchSubtree: true
    groupSearchFilter: 'member={0}'
    maxSearchDepth: 1
    autoAdd: true
  attributeMappings:
    first_name: 'givenName'
    last_name: 'sn'

smtp:
  host: mail.example.com
  port: 25

database:
  url: jdbc:mysql://mysql.example.com/uaa
  username: uaa
  password: changeme!

jwt:
  token:
    verification-key: |
      -----BEGIN PUBLIC KEY-----
      -----END PUBLIC KEY-----
    signing-key: |
      -----BEGIN RSA PRIVATE KEY-----
      -----END RSA PRIVATE KEY-----

login:
  url: https://sso.example.com/uaa/login
  branding:
    companyName: 'Example Company'
jdmr

1 Answer


Your issue stems from the scopes not being configured on the client. Only scopes in that client's list of scopes can be present on the user JWT. Adding scopes to this list will not allow a user to obtain scopes they do not have, nor will it result in those scopes being present on the client credentials token for the client.

If you have groups-as-scopes configured, your client needs to have each scope you expect it to use configured in its list of allowed scopes.
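Applied to the `sso` client from the question, the fix is the `scope` line of the client block. This is an added example, not part of the original post; the group names are constructed placeholders, and the assumption is that with `groupRoleAttribute: cn` each LDAP group's `cn` becomes the scope name the client must list.

```yaml
oauth:
  clients:
    sso:
      secret: changeme!
      authorized-grant-types: authorization_code, refresh_token
      # Before: only openid is allowed for this client, so an access token
      # issued to it can never carry more than openid, whatever LDAP groups
      # the user belongs to.
      #
      #   scope: openid
      #
      # After: every group-derived scope the client is expected to use is
      # listed explicitly. The scope name is the group's cn (groupRoleAttribute),
      # so the placeholder names below stand in for real LDAP group cn values.
      scope: openid, service-users, service-admins
      authorities: uaa.resource
```

Listing a scope here only permits it for this client; a user whose LDAP groups do not map to `service-admins` still gets a token without it, and existing tokens must be re-issued before the change is visible downstream.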