Closed obarat closed 4 years ago
Example vcap uaa:

```json
"xsuaa": [
  {
    "label": "xsuaa",
    "provider": null,
    "plan": "broker",
    "name": "uaa",
    "tags": [
      "xsuaa"
    ],
    "instance_name": "uaa",
    "binding_name": null,
    "credentials": {
      "tenantmode": "dedicated",
      "sburl": "url.com",
      "clientid": "clientId123",
      "xsappname": "broker-app!123"
    },
    "syslog_drain_url": null,
    "volume_mounts": []
  }
]
```
Example token:

```json
{
  "jti": "123",
  "ext_attr": {
    "enhancer": "XSUAA",
    "zdn": "tenant",
    "serviceinstanceid": "tenantId"
  },
  "sub": "123",
  "authorities": [
    "our-app!123.Read"
  ],
  "scope": [
    "our-app!123.Read"
  ],
  "aud": [
    "our-app!123"
  ]
}
```
@obarat please provide me the content of your xs-security.json (this is the xsuaa configuration file, security model description).
Thanks!
@obarat
This "shortcut" with local scope checks `hasAuthority("Read")` works only in case the scope which is provided by the JWT token (e.g. `our-app!b123.Read`) begins with the `xsuaa.credentials.xsappname` which you can find in your VCAP_SERVICES (or in your `xsuaa.xsappname` property).

The Spring-xsuaa client lib allows checking global scopes by default (e.g. `our-app!b123.Read`). In this case you should NOT configure the converter with `converter.setLocalScopeAsAuthorities(true)` like in the sample app: https://github.com/SAP/cloud-security-xsuaa-integration/blob/master/samples/spring-webflux-security-xsuaa-usage/src/main/java/sample/spring/webflux/xsuaa/SecurityConfiguration.java#L55

Furthermore, the `xsuaa.credentials.xsappname` in your VCAP_SERVICES matches the XSAPPNAME you've specified in your xs-security.json file.
Hello,
We have an application that is bound to a service broker uaa. We are trying to implement our Security Config according to the sample webflux application, but what we see is that `XsuaaServiceConfigurationDefault` pulls the service broker's appId. The scope that we check with `hasAuthority("Read")` has a different xsappname, so the authentication always fails with a `403 Insufficient scope` error. I've confirmed that this is the cause of the authorization error because when I add our application's appId in the `xsuaa.xsappname` property in the `application.properties` file, the authorization works. Is there a better way to define our application's appid as the prefix when checking for scope?