forked from pivotal/cf-onboarding
-
Notifications
You must be signed in to change notification settings - Fork 0
/
authorization.prolific
55 lines (36 loc) · 3.55 KB
/
authorization.prolific
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
View your OAuth token
### What?
[OAuth](http://searchmicroservices.techtarget.com/definition/OAuth) is an open standard for authorization, commonly used as a way for Internet users to authorize websites or applications to access their information on other websites but without giving them the passwords. Designed specifically to work with HTTP, OAuth essentially allows access tokens to be issued to third-party clients by an authorization server, with the approval of the resource owner. The third party then uses the access token to access the protected resources hosted by the resource server.
When you `cf login` via the command line, the cf CLI communicates with the [Cloud Foundry User Account and Authentication (UAA) Server](https://github.com/cloudfoundry/uaa) to exchange your credentials for a token. I was going to think of an explanation for why you'd want to see this token, but honestly it's just a good opportunity to think about OAuth.
### How?
1. Make sure you are logged in and run `cf oauth-token`
1. Visit **[jwt.io](https://jwt.io/)** and paste your token to view it's contents
### Expected Result
The [jwt.io](https://jwt.io/) site will say the token is invalid, but ignore that. You should now have a decoded header and payload!
Are the contents what you expected? What does the header mean? What do you think each of the keys does? (Hint: the links immediately below might help answer that).
### Resources
[Docs: A Note on UAA Tokens](https://github.com/cloudfoundry/uaa/blob/master/docs/UAA-Tokens.md)
[Docs: Validating an ID token](https://developers.google.com/identity/protocols/OpenIDConnect#validatinganidtoken)
### Relevant Repos and Teams
**UAA:** [cloudfoundry/uaa](https://github.com/cloudfoundry/uaa)
**CLI:** [cloudfoundry/cli](https://github.com/cloudfoundry/cli)
L: security
---
Create an admin user in UAA using the uaac CLI
### What?
The UAA is the identity management service for Cloud Foundry. Its primary role is as an OAuth2 provider, issuing tokens for client applications to use when they act on behalf of Cloud Foundry users. In collaboration with the login server, it can authenticate users with their Cloud Foundry credentials, and can act as an SSO service using those credentials (or others). It has endpoints for managing user accounts and for registering OAuth2 clients, as well as various other management functions.
Administrators generally create users using the cf CLI, which creates user records in the UAA _and_ associates them with org and space roles in the CCDB. However, there are occasions where you'd want to bypass Cloud Controller and only create a user in UAA. When that need arises, you can use the uaac CLI.
### How?
Following **[these instructions](https://docs.cloudfoundry.org/adminguide/uaa-user-management.html)**, create a new admin user in UAA using the uaac CLI.
Your `target` will be _uaa.v3.pcfdev.io_. Your `client_secret` will be _admin-client-secret_.
### Expected Result
Potentially a new UAA user. Potentially an inability to use uaac due to an invalid token.
### Resources
[Docs: Creating and Managing Users with the UAA CLI (UAAC)](https://docs.cloudfoundry.org/adminguide/uaa-user-management.html)
[Docs: UAA SysAdmin Guide](https://github.com/cloudfoundry/uaa/blob/master/docs/Sysadmin-Guide.rst)
[Blog post: Introducing the UAA and Security for Cloud Foundry](https://blog.pivotal.io/pivotal-cloud-foundry/products/introducing-the-uaa-and-security-for-cloud-foundry) (written in '12)
### Relevant Repos and Teams
**UAA:** [cloudfoundry/cf-uaac](https://github.com/cloudfoundry/cf-uaac)
L: security
---
[RELEASE] Authorization ⇧