UAA dropping the access token when being integrated with any IDP #2916
Comments
We have created an issue in Pivotal Tracker to manage this: https://www.pivotaltracker.com/story/show/187740633 The labels on this github issue will be updated when the story is started.
To be honest, I don't get your issue.
Alright, let me detail it out. Line 679 in 3164d36
Line 554 in 3164d36
So basically, when UAA integrates with some IDP and that IDP returns, as per the standard OIDC spec, an access token, ID token and refresh token, how can UAA take in both tokens when creating the session?
Ok, thank you. Maybe I should explain the flow a bit. The access_token is part of OAuth2 (OIDC includes OAuth2), but by default an access token is opaque and therefore hard to parse. With an extra userinfo call an opaque access token could be converted into readable information, and then yes, groups could be read out there. So your request is that the flow should use access_token in exchange instead of id_token? May I ask what IdP you are using? Most IdPs have a configurable Admin UI where you can configure the content of the id_token (and/or access token) so that you can get groups or roles in the id_token.
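The flow described in this comment, as an added illustration that is not UAA's code: the id_token is a signed JWT whose claims can be verified locally, while the access_token is treated as opaque and only the IdP's userinfo endpoint can turn it into claims (here a stand-in function). The example uses a constructed HS256 token with a shared secret and constructed userinfo data; real IdPs normally sign with RS256 and publish keys via JWKS, and the issuer, client and token values are placeholders.

```python
import base64, hashlib, hmac, json

def _b64u_decode(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64u_encode(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_id_token(claims, secret):
    """Constructed HS256 id_token for this example (real IdPs usually use RS256)."""
    head = _b64u_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64u_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64u_encode(sig)}"

def verify_id_token(id_token, secret, issuer, client_id, now):
    """Check alg, signature, iss, aud and exp before trusting any claim."""
    head_b64, body_b64, sig_b64 = id_token.split(".")
    if json.loads(_b64u_decode(head_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64u_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64u_decode(body_b64))
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != issuer or client_id not in aud:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("id_token expired")
    return claims

def resolve_groups(token_response, userinfo_fetch, secret, issuer, client_id, now):
    """Prefer groups from the verified id_token; otherwise resolve the opaque access_token via userinfo."""
    claims = verify_id_token(token_response["id_token"], secret, issuer, client_id, now)
    if "groups" in claims:
        return claims["sub"], claims["groups"], "id_token"
    # The access_token is opaque to us: only the IdP's userinfo endpoint can map it to claims.
    info = userinfo_fetch(token_response["access_token"])
    if info.get("sub") != claims["sub"]:
        raise ValueError("userinfo sub does not match id_token sub")
    return claims["sub"], info.get("groups", []), "userinfo"

# Constructed sample data: placeholder IdP, one opaque access token, userinfo keyed by that token.
SECRET = b"example-shared-secret"
ISSUER, CLIENT, NOW = "https://idp.example/oauth/token", "uaa-client", 1_700_000_000
USERINFO = {"opaque-access-token-abc": {"sub": "user-1", "groups": ["admins"]}}
def fake_userinfo(access_token):  # stand-in for an HTTPS call to the IdP's userinfo endpoint
    return USERINFO.get(access_token, {})
TOKEN_RESPONSE = {
    "access_token": "opaque-access-token-abc",
    "id_token": make_id_token({"iss": ISSUER, "aud": CLIENT, "sub": "user-1", "exp": NOW + 600}, SECRET),
}
```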
Hi, I tested from one UAA to another UAA with this flow, but finally it does not work, because of minor things we could fix.
Because of the assumption that access_token is opaque, the userinfo call is needed and already there, e.g.
SECURITY NOTICE: If you have found a security problem in the UAA, please do not file a public github issue. Instead, please send an email to security@cloudfoundry.org
Thanks for taking the time to file an issue. You'll minimize back and forth and help us help you more effectively by answering all of the following questions as specifically and completely as you can.
What version of UAA are you running?
77.10.0
Problem Statement
We are building a multi-provider, multi-tenant system where we are using 2 UAAs, federating with each other using OIDC, and there we want to have both id_token and access_token honored when creating the session in the UAA instance; by default UAA considers the id_token coming from the external identity provider.