International-Data-Spaces-Association / omejdn-daps

Open Source implementation of the Dynamic Attribute Provisioning Service based on http://github.com/Fraunhofer-AISEC/omejdn-server
Apache License 2.0

403 Error while trying to access the api #17

Closed boxer-code closed 2 years ago

boxer-code commented 2 years ago

The Problem

My Setup

Insomnia, Git Bash

What I have done up front

I uncommented the relevant lines in scope_mapping.yml and registered a client with an attribute like:

- key: omejdn
  value: admin

My clients.yml looks like this:

- client_id: 6A:63:8A:99:E6:80:13:AC:65:89:FC:19:C0:32:B7:17:A6:B4:43:74:keyid:6A:63:8A:99:E6:80:13:AC:65:89:FC:19:C0:32:B7:17:A6:B4:43:74
  name: admintest4
  redirect_uri: 
  allowed_scopes:
  - idsc:IDS_CONNECTOR_ATTRIBUTES_ALL
  - omejdn:admin
  - omejdn:read
  - omejdn:write
  attributes:
  - key: securityProfile
    value: idsc:BASE_SECURITY_PROFILE
  - key: referringConnector
    value: http://admintest4.demo
  - key: "@type"
    value: ids:DatPayload
  - key: "@context"
    value: https://w3id.org/idsa/contexts/context.jsonld
  - key: transportCertsSha256
    value: 4ae383afc44323720b151b7fdcc34f0014082ae3625db889e736c59d669bfd89
  - key: omejdn
    value: admin
  import_certfile: keys/admintest4.cert

Then I used the create_test_token.rb script with:

scripts/create_test_token.rb 6A:63:8A:99:E6:80:13:AC:65:89:FC:19:C0:32:B7:17:A6:B4:43:74:keyid:6A:63:8A:99:E6:80:13:AC:65:89:FC:19:C0:32:B7:17:A6:B4:43:74 keys/admintest4.key idsc:IDS_CONNECTORS_ALL

and got this client assertion as an answer:

eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiI2QTo2Mzo4QTo5OTpFNjo4MDoxMzpBQzo2NTo4OTpGQzoxOTpDMDozMjpCNzoxNzpBNjpCNDo0Mzo3NDprZXlpZDo2QTo2Qzo2NTo4OTpGQzoxOTpDMDozMjpCNzoxNzpBNjpCNDo0Mzo3NCIsInN1YiI6IjZBOjYzOjhBOjk5OkU2OjgwOjEzOkFDOjY1Ojg5OkZDOjE5OkMwOjMyOkI3OjE3OjZBOjYzOjhBOjk5OkU2OjgwOjEzOkFDOjY1Ojg5OkZDOjE5OkMwOjMyOkI3OjE3OkE2OkI0OjQzOjc0IiwiZXhwIjoxNjQzMzc4MDA1LCJuYmYiOjE2NDMzNzQ0MDwiYXVkIjoiaWRzYzpJRFNfQ09OTkVDVE9SU19BTEwifQ.fPZVNoGURG4pjOMVpCUxBBfHhQpZ2xq6U1NEd3HH1jH-ZsSJ3-d3RxWkCKerX943Qvu2gJ4VfdXLxtsEoo-j4qo60-QGG1esOlEb3U2iCULHOG7dzWcDRjqtzYxgzxL6cbdDJOVrgtH43BeUM7bQzW8ZEkNnvjGCt0zaNCspgQ1__E9V1zqrgP1Um5a5OB1YqCz3tDqtzRt7r_ygJPtigXBGk289YILQUiEPI2mWe8vGfqBR1El0_d2BT9vndFUH7kNdtVwFluMcW2q6rpHB6cAuaH7G5f8hr2y85A

And used this to create an access token with:

curl localhost:4567/token --data "grant_type=client_credentials&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion=eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiI2QTo2Mzo4QTo5OTpFNjo4MDoxMzpBQzo2NTo4OTpGQzoxOTpDMDozMjpCNzoxNzpBNjpCNDo0Mzo3NDprZjo4MDoxMzpBQzo2NTo4OTpGQzoxOTpDMDozMjpCNzoxNzpBNjpCNDo0Mzo3NCIsInN1YiI6IjZBOjYzOjhBOjk5OkU2OjgwOjEzOkFDOjY1Ojg5OkZDOjE5OkMwOjc0OmtleWlkOjZBOjYzOjhBOjk5OkU2OjgwOjEzOkFDOjY1Ojg5OkZDOjE5OkMwOjMyOkI3OjE3OkE2OkI0OjQzOjc0IiwiZXhwIjoxNjQzMzc4MDA1LCJuYmYiOjE0MzM3NDQwNSwiYXVkIjoiaWRzYzpJRFNfQ09OTkVDVE9SU19BTEwifQ.fPZVNoGURG4pjOMVpCUxBBfHhQpZ2xq6U1NEd3HH1jH-ZsSJ3-d3RxWkCKerX943Qvu2gsc7HIzT6WWZoo-j4qo60-QGG1esOlEb3U2iCULHOG7dzWcDRjqtzYxgzxL6cbdDJOVrgtH43BeUM7bQzW8ZEkNnvjGCt0zaNCspgQ1__E9V1zqrgP1Um5a5OB1YqCDiRz7t3oi6b_ygJPtigXBGk289YILQUiEPI2mWe8vGfqBR1El0_d2BT9vndFUH7kNdtVwFluMcW2q6rpHB6cAuaH7G5f8hr2y85A&scope=idsc:IDS_CONNECTOR_ATTRIBUTES_ALL omejdn:admin omejdn:read omejdn:write"

And got an access token as response.

What I expected to happen

To get access to the API by using this access token.

What actually happened

I'm using Insomnia to send a GET request to the API and used the access token as a bearer token but received a 403 Forbidden.

The quest of trying to solve it

What is your best guess as to what might have happened?

That I forgot something in the configuration of the client or in the setup of the API.

Thanks in advance!

bellebaum commented 2 years ago

Hi! It seems like you were trying to access the User Selfservice API (/api/v1/user/*). This API is for giving users the chance to change their attributes (think phone number, address, password, etc.). You have authenticated your client using the client_credentials grant. Hence there is no user on whose behalf the client is acting.

I assume you want to make changes to either Omejdn or your client using an API? Since your client is registered as an admin, you could use the Admin API (/api/v1/config/*) to change the config files.

For more information on the relation between clients and users in OAuth 2.0, please refer to RFC 6749.
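Added example, not code from omejdn-daps or omejdn-server: it rebuilds the two steps from the issue (the RS256 client assertion that create_test_token.rb produces, then the form body of the /token request) with only the Ruby standard library, verifies the assertion the way a DAPS has to before trusting it (pinned algorithm, signature against the key registered via import_certfile, exp/nbf window), and models the distinction the reply draws between the user self-service API and the admin API. Assumptions: the RSA key is generated in the script instead of being read from keys/admintest4.key, the client_id and access-token claims are constructed placeholders, and api_status is a simplified policy model for illustration, not Omejdn's actual authorization code.

```ruby
# Added example, not code from omejdn-daps / omejdn-server.
# ASSUMED: the RSA key is generated here (stand-in for keys/admintest4.key)
# and api_status is a simplified policy model, not Omejdn's real check.
require 'openssl'
require 'json'
require 'base64'
require 'uri'

CLIENT_ASSERTION_TYPE = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def b64url_decode(str)
  Base64.urlsafe_decode64(str) # accepts unpadded input (Ruby >= 2.3)
end

# RS256-sign a compact JWT; the header is just {"alg":"RS256"} like the
# assertion quoted in the issue.
def sign_jwt(claims, private_key)
  signing_input = "#{b64url(JSON.generate({ alg: 'RS256' }))}.#{b64url(JSON.generate(claims))}"
  signature = private_key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

# Client assertion per RFC 7523: iss and sub both carry the client_id,
# aud names the DAPS audience passed to create_test_token.rb.
def client_assertion(client_id, private_key, audience, now: Time.now.to_i, lifetime: 3600)
  sign_jwt({ iss: client_id, sub: client_id, exp: now + lifetime, nbf: now, aud: audience }, private_key)
end

# What a DAPS must do with the assertion: pin the algorithm, verify the
# signature with the public key registered for the client, then check the
# validity window. Raises on any failure, returns the claims on success.
def verify_jwt(jwt, public_key, now: Time.now.to_i)
  h, p, s = jwt.split('.')
  raise 'malformed JWT' unless h && p && s
  raise 'unexpected alg' unless JSON.parse(b64url_decode(h))['alg'] == 'RS256'
  unless public_key.verify(OpenSSL::Digest.new('SHA256'), b64url_decode(s), "#{h}.#{p}")
    raise 'bad signature'
  end
  claims = JSON.parse(b64url_decode(p))
  raise 'token expired' if claims['exp'] && now >= claims['exp']
  raise 'token not yet valid' if claims['nbf'] && now < claims['nbf']
  claims
end

# Properly URL-encoded form body for the curl call shown in the issue.
def token_request_body(assertion, scopes)
  URI.encode_www_form(grant_type: 'client_credentials',
                      client_assertion_type: CLIENT_ASSERTION_TYPE,
                      client_assertion: assertion,
                      scope: scopes.join(' '))
end

# ASSUMED simplified model of the two API families named in the reply:
#   /api/v1/user/*   acts on the user in `sub`, so `sub` must be a registered user;
#   /api/v1/config/* needs the omejdn:admin scope.
# A client_credentials token has sub == client_id, which is no user -> 403.
def api_status(access_claims, path, known_users:)
  scopes = access_claims['scope'].to_s.split
  if path.start_with?('/api/v1/user')
    known_users.include?(access_claims['sub']) ? 200 : 403
  elsif path.start_with?('/api/v1/config')
    scopes.include?('omejdn:admin') ? 200 : 403
  else
    404
  end
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048)          # stand-in for keys/admintest4.key
  client_id = 'AA:BB:CC:keyid:AA:BB:CC'        # constructed placeholder client_id
  assertion = client_assertion(client_id, key, 'idsc:IDS_CONNECTORS_ALL')
  puts verify_jwt(assertion, key.public_key).inspect
  puts token_request_body(assertion, %w[idsc:IDS_CONNECTOR_ATTRIBUTES_ALL omejdn:admin])
  # Constructed claims of an access token issued for the client_credentials grant.
  token = { 'sub' => client_id, 'scope' => 'omejdn:admin omejdn:read omejdn:write' }
  puts api_status(token, '/api/v1/user/', known_users: ['alice'])          # 403
  puts api_status(token, '/api/v1/config/clients', known_users: ['alice'])  # 200
end
```

Run it with `ruby` and compare the printed claims with the decoded payload of your own assertion: if `sub` is your client_id, a request to /api/v1/user/* has no user to act on, which is the 403 in the issue, while /api/v1/config/* only needs the omejdn:admin scope granted at /token. The verifier pins `alg` to RS256 before looking at the signature, which is the check that keeps a swapped `alg: none` or HMAC header from being accepted.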

boxer-code commented 2 years ago

Thanks, that solved my problem! I hadn't thought about the difference between a client and a user. It seems like the omejdn admin API is working.