
Authentication provider errors after upgrading to SCDF 2.10.0 #5166

Closed
DanFrei opened this issue Dec 20, 2022 · 14 comments
Labels
status/need-triage Team needs to triage and take a first look

Comments

DanFrei commented Dec 20, 2022

Description:
After upgrading from SCDF server 2.9.4 to 2.9.10, any attempt to access SCDF failed, as all requests were denied with error 401.
When checking the logs, the following error message is shown:
org.springframework.security.authentication.ProviderNotFoundException: No AuthenticationProvider found for org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationToken

After downgrading backwards to the previous version, everything was ok.
Besides upgrading SCDF's version nothing was changed and the configuration remained the same.
We configure the Authentication Provider and all the relevant creds and properties as it should be done, the "spring-security way", per the guidelines in the documentation (and as stated previously, the configuration was not changed and after downgrading the version, it returned to working again).
We pass all the aforementioned properties via SCDF's manifest.yml as follows (below please see a screenshot of the relevant section in the manifest.yml. Also, see manifest.yml attached):

uas-dataflow-server-manifest-template.txt

Screenshot 2022-12-20 at 15 12 53

I currently can't tell if it's a bug or rather something has been changed in the way OAuth providers should be configured (at least in the documentation I haven't noticed any news).
I did notice that in v2.10.0 the dependency on the deprecated spring-security-oauth2 has been removed, but I don't know for certain if this change had anything to do with the problem we're facing.
Your kind assistance is highly appreciated!

Release versions:
2.10.0

https://github.com/spring-cloud/spring-cloud-dataflow/releases/tag/v2.10.0

Steps to reproduce:

  1. upgrade to SCDF 2.10.0
  2. configure the authentication properties per the description above (kindly use a similar OAuth configuration; see the 'env' section in the yml)

Error & Stacktrace

o.s.c.c.s.OAuthSecurityConfiguration : An authentication failure event occurred while accessing a REST resource that requires authentication.
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT org.springframework.security.authentication.ProviderNotFoundException: No AuthenticationProvider found for org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationToken
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:234)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:201)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter.attemptAuthentication(OAuth2LoginAuthenticationFilter.java:195)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:227)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:217)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter.doFilterInternal(OAuth2AuthorizationRequestRedirectFilter.java:178)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:103)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:89)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:112)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:82)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:55)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.springframework.security.web.session.DisableEncodeUrlFilter.doFilterInternal(DisableEncodeUrlFilter.java:42)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:221)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:186)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:354)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:267)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:96)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.cloudfoundry.router.ClientCertificateMapper.doFilter(ClientCertificateMapper.java:79)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:177)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:769)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:360)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:399)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:891)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1784)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
2022-12-20T05:57:53.31+0000 [APP/PROC/WEB/0] OUT at java.lang.Thread.run(Thread.java:750)

Screenshots:

Screenshot 2022-12-20 at 15 03 05

@github-actions github-actions bot added the status/need-triage Team needs to triage and take a first look label Dec 20, 2022

DanFrei commented Dec 20, 2022

Attached manifest.yml template (in order to upload it, I attached it as txt rather than yml):
uas-dataflow-server-manifest-template.txt

@onobc onobc assigned onobc and corneil and unassigned onobc Dec 20, 2022

onobc commented Dec 20, 2022

Thanks for the report @DanFrei

We will take a look as soon as possible. Most of us are on PTO until beginning of the year so not sure if we will look before then. I just wanted to let you know we see the report and will get to it asap.

@markpollack markpollack added this to the 2.10.1 milestone Jan 5, 2023

corneil commented Jan 17, 2023

@DanFrei The "documentation" you linked to is for an older version of SCDF, namely 2.3.
Here is a typical set of properties when using UAA:

      - spring.cloud.dataflow.security.authorization.provider-role-mappings.uaa.map-oauth-scopes=true
      - spring.cloud.dataflow.security.authorization.provider-role-mappings.uaa.role-mappings.ROLE_CREATE=dataflow.create
      - spring.cloud.dataflow.security.authorization.provider-role-mappings.uaa.role-mappings.ROLE_DEPLOY=dataflow.deploy
      - spring.cloud.dataflow.security.authorization.provider-role-mappings.uaa.role-mappings.ROLE_DESTROY=dataflow.destroy
      - spring.cloud.dataflow.security.authorization.provider-role-mappings.uaa.role-mappings.ROLE_MANAGE=dataflow.manage
      - spring.cloud.dataflow.security.authorization.provider-role-mappings.uaa.role-mappings.ROLE_MODIFY=dataflow.modify
      - spring.cloud.dataflow.security.authorization.provider-role-mappings.uaa.role-mappings.ROLE_SCHEDULE=dataflow.schedule
      - spring.cloud.dataflow.security.authorization.provider-role-mappings.uaa.role-mappings.ROLE_VIEW=dataflow.view
      - SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_UAA_REDIRECT_URI={baseUrl}/login/oauth2/code/{registrationId}
      - SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_UAA_AUTHORIZATION_GRANT_TYPE=authorization_code
      - SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_UAA_CLIENT_ID=dataflow
      - SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_UAA_CLIENT_SECRET=secret
      - SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_UAA_SCOPE=openid,dataflow.create,dataflow.deploy,dataflow.destroy,dataflow.manage,dataflow.modify,dataflow.schedule,dataflow.view
      - SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_UAA_JWK_SET_URI=http://localhost:8080/uaa/token_keys
      - SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_UAA_TOKEN_URI=http://localhost:8080/uaa/oauth/token
      - SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_UAA_USER_INFO_URI=http://localhost:8080/uaa/userinfo
      - SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_UAA_USER_NAME_ATTRIBUTE=user_name
      - SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_UAA_AUTHORIZATION_URI=http://localhost:8080/uaa/oauth/authorize
      - SPRING_SECURITY_OAUTH2_RESOURCESERVER_OPAQUETOKEN_INTROSPECTION_URI=http://localhost:8080/uaa/introspect
      - SPRING_SECURITY_OAUTH2_RESOURCESERVER_OPAQUETOKEN_CLIENT_ID=dataflow
      - SPRING_SECURITY_OAUTH2_RESOURCESERVER_OPAQUETOKEN_CLIENT_SECRET=secret
      - SPRING_SECURITY_OAUTH2_AUTHORIZATION_CHECK_TOKEN_ACCESS=isAuthenticated()

markpollack commented

Issue for docs to improve created here: spring-io/dataflow.spring.io#478


DanFrei commented Jan 24, 2023

Hello @corneil ,

Thank you so much for the assistance!
I've tried adjusting the UAA configuration properties per your suggestion and yet the same problem remains.

UAA properties after adjustment:

      SPRING_SECURITY_OAUTH2_RESOURCESERVER_OPAQUETOKEN_INTROSPECTION_URI: "${vcap.services.uas-xsuaa.credentials.url}/introspect"
      SPRING_SECURITY_OAUTH2_RESOURCESERVER_OPAQUETOKEN_CLIENT_ID: "${vcap.services.uas-xsuaa.credentials.clientid}"
      SPRING_SECURITY_OAUTH2_RESOURCESERVER_OPAQUETOKEN_CLIENT_SECRET: "${vcap.services.uas-xsuaa.credentials.clientsecret}"

      SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_UAA_USER_NAME_ATTRIBUTE: user_name
      SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_UAA_USER_INFO_URI: "${vcap.services.uas-xsuaa.credentials.url}/userinfo"
      SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_UAA_AUTHORIZATION_URI: "${vcap.services.uas-xsuaa.credentials.url}/oauth/authorize"
      SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_UAA_TOKEN_URI: "${vcap.services.uas-xsuaa.credentials.url}/oauth/token"

      SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_UAA_CLIENT_ID: "${vcap.services.uas-xsuaa.credentials.clientid}"
      SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_UAA_CLIENT_SECRET: "${vcap.services.uas-xsuaa.credentials.clientsecret}"
      SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_UAA_REDIRECT_URI: "{baseUrl}/login/oauth2/code/{registrationId}"

When reverting back to SCDF 2.9.6 everything works properly.
Any ideas?


Kind Regards,
Daniel.


corneil commented Feb 7, 2023

Which version of UAA did you use?
Which version of TAS?


corneil commented Feb 9, 2023

This setting was missing in your 2nd set:

SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_UAA_AUTHORIZATION_GRANT_TYPE=authorization_code

And the following settings are not in your 1st set:

SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_UAA_SCOPE=openid,dataflow.create,dataflow.deploy,dataflow.destroy,dataflow.manage,dataflow.modify,dataflow.schedule,dataflow.view
SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_UAA_JWK_SET_URI=http://localhost:8080/uaa/token_keys
SPRING_SECURITY_OAUTH2_AUTHORIZATION_CHECK_TOKEN_ACCESS=isAuthenticated()

Your original environment variables had a dash (-) in the names where there should be an underscore (_), e.g. CLIENT-ID instead of CLIENT_ID.
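An added Python checker (not SCDF code) that applies the two findings above to a manifest env block: it canonicalises dotted Spring property names the way Spring Boot relaxed binding documents them (dots and dashes become underscores, upper-cased), flags names still spelled with a dash, and lists which properties from the UAA set given earlier in this thread have no entry at all. The required list is that UAA property set; the sample env block is constructed to mirror the adjusted set above, with one dashed name left in on purpose.

```python
"""Audit an SCDF manifest 'env' block against the UAA property set from this
thread. Added example; not part of SCDF or of the manifest posted above."""
import re

# The UAA property set from corneil's comment, in dotted Spring form.
REQUIRED_PROPERTIES = (
    "spring.security.oauth2.client.registration.uaa.client-id",
    "spring.security.oauth2.client.registration.uaa.client-secret",
    "spring.security.oauth2.client.registration.uaa.redirect-uri",
    "spring.security.oauth2.client.registration.uaa.authorization-grant-type",
    "spring.security.oauth2.client.registration.uaa.scope",
    "spring.security.oauth2.client.provider.uaa.jwk-set-uri",
    "spring.security.oauth2.client.provider.uaa.token-uri",
    "spring.security.oauth2.client.provider.uaa.user-info-uri",
    "spring.security.oauth2.client.provider.uaa.user-name-attribute",
    "spring.security.oauth2.client.provider.uaa.authorization-uri",
    "spring.security.oauth2.resourceserver.opaquetoken.introspection-uri",
    "spring.security.oauth2.resourceserver.opaquetoken.client-id",
    "spring.security.oauth2.resourceserver.opaquetoken.client-secret",
    "spring.security.oauth2.authorization.check-token-access",
)


def to_env_name(prop: str) -> str:
    """Canonical environment-variable spelling of a dotted Spring property:
    dots and dashes become underscores, everything upper-cased."""
    return re.sub(r"[.\-]", "_", prop).upper()


def parse_env_block(text: str) -> dict:
    """Parse 'KEY: value' lines (manifest.yml env style) into a dict.
    Blank lines and '#' comments are skipped; surrounding quotes are dropped."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        env[key.strip()] = value.strip().strip("'\"")
    return env


def audit_env(env: dict) -> dict:
    """Return the names that still use a dash and the required properties
    that have no entry under any spelling (dashed names count as present,
    since the point here is the spelling, not the value)."""
    dashed = sorted(k for k in env if "-" in k)
    present = {k.replace("-", "_").upper() for k in env}
    missing = [to_env_name(p) for p in REQUIRED_PROPERTIES
               if to_env_name(p) not in present]
    return {"dashed_names": dashed, "missing": missing}


# Constructed sample: the adjusted UAA set from above, with one dashed name.
SAMPLE_ENV = """
SPRING_SECURITY_OAUTH2_RESOURCESERVER_OPAQUETOKEN_INTROSPECTION_URI: "${vcap.services.uas-xsuaa.credentials.url}/introspect"
SPRING_SECURITY_OAUTH2_RESOURCESERVER_OPAQUETOKEN_CLIENT-ID: "${vcap.services.uas-xsuaa.credentials.clientid}"
SPRING_SECURITY_OAUTH2_RESOURCESERVER_OPAQUETOKEN_CLIENT_SECRET: "${vcap.services.uas-xsuaa.credentials.clientsecret}"
SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_UAA_USER_NAME_ATTRIBUTE: user_name
SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_UAA_USER_INFO_URI: "${vcap.services.uas-xsuaa.credentials.url}/userinfo"
SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_UAA_AUTHORIZATION_URI: "${vcap.services.uas-xsuaa.credentials.url}/oauth/authorize"
SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_UAA_TOKEN_URI: "${vcap.services.uas-xsuaa.credentials.url}/oauth/token"
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_UAA_CLIENT_ID: "${vcap.services.uas-xsuaa.credentials.clientid}"
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_UAA_CLIENT_SECRET: "${vcap.services.uas-xsuaa.credentials.clientsecret}"
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_UAA_REDIRECT_URI: "{baseUrl}/login/oauth2/code/{registrationId}"
"""


if __name__ == "__main__":
    report = audit_env(parse_env_block(SAMPLE_ENV))
    for name in report["dashed_names"]:
        print("dash in name, use underscores:", name)
    for name in report["missing"]:
        print("missing:", name)
```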


corneil commented Feb 9, 2023

Your YAML updated:

---
context: (( &temporary ( merge ) ))

spring-application-yaml:
  <<<: (( &temporary ))
  spring.cloud.dataflow:
    task.platform.cloudfoundry.accounts:
      default:
        connection:
          url: (( .context.imports.cf.cc.srv_api_uri ))
          org: (( .context.product_config.uas_org "%UAS_DEV_SUFFIX%" ))
          space: (( .context.product_config.uas_space "%UAS_DEV_SUFFIX%" ))
          domain: (( .context.imports.cf.deprecated.app_domain ))
          username: CF_DATA_FLOW_USER
          password: ((!uas_dataflow_password))
          loginHint: (( .context.config.scdf_login_hint || "%7B%22origin%22%3A%22uaa%22%7D" ))
          skipSsValidation: false
        deployment:
          services: uas_credentials, uas-data-flow-server, uas-dataflow-postgres %OPTIONAL_BOUND_SERVICES%
          apiTimeout: 1200
    security.authorization.provider-role-mappings.uaa:
      map-oauth-scopes: true
      role-mappings:
        ROLE_CREATE: "%XSAPPNAME%.UAS.operations.read"
        ROLE_DEPLOY: "%XSAPPNAME%.UAS.operations.read"
        ROLE_DESTROY: "%XSAPPNAME%.UAS.operations.read"
        ROLE_MANAGE: "%XSAPPNAME%.UAS.operations.read"
        ROLE_MODIFY: "%XSAPPNAME%.UAS.operations.read"
        ROLE_SCHEDULE: "%XSAPPNAME%.UAS.operations.read"
        ROLE_VIEW: "%XSAPPNAME%.UAS.operations.read"

applications:
  - name: uas-dataflow-server%UAS_DEV_SUFFIX%
    memory: (( .context.product_config.deployment.level_3.uas_micro_services.uas_dataflow.memory ))
    instances: (( .context.product_config.deployment.level_3.uas_micro_services.uas_dataflow.instances ))
    timeout: 180
    path: uas-dataflow-server.jar
    services:
      (( .context.product_config.deployment.level_3.uas_micro_services.uas_dataflow.bindings ))
    routes:
      - route: (( "uas-dataflow-server%UAS_DEV_SUFFIX%." .context.imports.cf.deprecated.app_domain ))
    buildpacks:
      - uas_dataflow_server_buildpack%UAS_DEV_SUFFIX%
      - java_buildpack
    env:
      JAVA_OPTS: '-XX:MaxDirectMemorySize=1500M'
      SPRING_CLOUD_DATAFLOW_FEATURES_SCHEDULES_ENABLED: false
      SPRING_CLOUD_DATAFLOW_FEATURES_STREAMS_ENABLED: false
      SPRING_PROFILES_DEFAULT: cloud
      JBP_CONFIG_SPRING_AUTO_RECONFIGURATION: '{enabled: false}'

      SPRING_CLOUD_SKIPPER_CLIENT_SERVER_URI: (("https://uas-skipper-server%UAS_DEV_SUFFIX%." .context.imports.cf.deprecated.app_domain "/api" ))
      SPRING_CLOUD_DATAFLOW_SERVER_URI: (("https://uas-dataflow-server%UAS_DEV_SUFFIX%." .context.imports.cf.deprecated.app_domain ))
      SPRING_CLOUD_DATAFLOW_APPLICATIONPROPERTIES_TASK_SPRING_DATASOURCE_HIKARI_MAXIMUMPOOLSIZE: 2
      SPRING_CLOUD_DATAFLOW_APPLICATIONPROPERTIES_TASK_SPRING_DATASOURCE_HIKARI_MINIMUMIDLE: 1
      SPRING_DATASOURCE_HIKARI_MAXIMUMPOOLSIZE: 10
      SPRING_DATASOURCE_HIKARI_MINIMUMIDLE: 2

      # underscores, not dashes, in these three names as well
      SPRING_SECURITY_OAUTH2_RESOURCESERVER_OPAQUETOKEN_INTROSPECTION_URI: "${vcap.services.uas-xsuaa.credentials.url}/introspect"
      SPRING_SECURITY_OAUTH2_RESOURCESERVER_OPAQUETOKEN_CLIENT_ID: "${vcap.services.uas-xsuaa.credentials.clientid}"
      SPRING_SECURITY_OAUTH2_RESOURCESERVER_OPAQUETOKEN_CLIENT_SECRET: "${vcap.services.uas-xsuaa.credentials.clientsecret}"

      SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_UAA_USER_NAME_ATTRIBUTE: user_name
      SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_UAA_USER_INFO_URI: "${vcap.services.uas-xsuaa.credentials.url}/userinfo"
      SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_UAA_AUTHORIZATION_URI: "${vcap.services.uas-xsuaa.credentials.url}/oauth/authorize"
      SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_UAA_TOKEN_URI: "${vcap.services.uas-xsuaa.credentials.url}/oauth/token"

      SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_UAA_CLIENT_ID: "${vcap.services.uas-xsuaa.credentials.clientid}"
      SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_UAA_CLIENT_SECRET: "${vcap.services.uas-xsuaa.credentials.clientsecret}"
      SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_UAA_REDIRECT_URI: "{baseUrl}/login/oauth2/code/{registrationId}"
      SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_UAA_AUTHORIZATION_GRANT_TYPE: authorization_code
      # new environmental variables
      SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_UAA_SCOPE: 'openid,dataflow.create,dataflow.deploy,dataflow.destroy,dataflow.manage,dataflow.modify,dataflow.schedule,dataflow.view'
      SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_UAA_JWK_SET_URI: "${vcap.services.uas-xsuaa.credentials.url}/token_keys"
      SPRING_SECURITY_OAUTH2_AUTHORIZATION_CHECK_TOKEN_ACCESS: 'isAuthenticated()'

      SPRING_APPLICATION_JSON: (( asjson(.spring-application-yaml) ))


DanFrei commented Feb 12, 2023

Hello @corneil

Thanks again for your kind assistance.
Unfortunately, after adding the allegedly missing properties, I'm still not able to log in to the SCDF server, as I get the same exception:

e that requires authentication.
2023-02-12T23:36:03.28+0000 [APP/PROC/WEB/1] OUT org.springframework.security.authentication.ProviderNotFoundException: No AuthenticationProvider found for org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationToken
2023-02-12T23:36:03.28+0000 [APP/PROC/WEB/1] OUT at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:234)
2023-02-12T23:36:03.28+0000 [APP/PROC/WEB/1] OUT at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:201)
2023-02-12T23:36:03.28+0000 [APP/PROC/WEB/1] OUT at org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter.attemptAuthentication(OAuth2LoginAuthenticationFilter.java:195)
2023-02-12T23:36:03.28+0000 [APP/PROC/WEB/1] OUT at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:227)
2023-02-12T23:36:03.28+0000 [APP/PROC/WEB/1] OUT at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:217)
2023-02-12T23:36:03.28+0000 [APP/PROC/WEB/1] OUT at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346)

I've also tried changing the environment variables so they don't have a dash in the names where there should be an underscore, and yet it hasn't worked (actually I've also tried setting each env property once with a dash and additionally with an underscore, just in case, but that didn't help either; kindly see attachment).

BTW, in my case, setting SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_UAA_SCOPE was possible only with the value 'openId' (otherwise it fails with a bad scope error).

Screenshot 2023-02-13 at 1 56 51


corneil commented Feb 13, 2023

@DanFrei Can you please provide the following:

  • Version of UAA.
  • Version of CloudFoundry.
  • Any information about how UAA is configured that may help.
  • Small reproducer application with relevant security configuration.

@onobc onobc modified the milestones: 2.10.1, Priority Backlog Feb 13, 2023
dbahatSAP commented

Hi @corneil ,
We identified the root cause as spring-projects/spring-security#11440. Our version of UAA was prior to v74.0, which added support for URL encoding in the basic auth header.
Since it's a spring-security -> UAA compatibility issue, not sure there's much that can be done on SCDF side, so we'll close the issue.
Thanks for the help!
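To make that root cause concrete, here is an added Python model (not Spring Security or UAA code) of the RFC 6749 section 2.3.1 client authentication: a client that form-encodes client_id and client_secret before building the Basic header, and a token endpoint that either decodes them (UAA v74.0 and later) or compares them raw (older UAA). The client id "dataflow" and the two secrets are constructed values.

```python
"""Model the client-authentication mismatch behind spring-security#11440.
Added example; it is not Spring Security's or UAA's implementation.

RFC 6749 section 2.3.1 requires client_id and client_secret to be
form-urlencoded before they are joined with ':' and base64-encoded into
the HTTP Basic Authorization header. Newer Spring Security does that; a
UAA older than v74.0 compares the raw credentials, so a secret containing
any character that form-encoding changes ('@', '/', ' ', '+', '%', ...)
is rejected at the token endpoint, while a plain alphanumeric secret
keeps working and hides the incompatibility.
"""
import base64
import hmac
from urllib.parse import quote_plus, unquote_plus


def basic_header(client_id: str, client_secret: str, rfc6749_encode: bool) -> str:
    """Build the Authorization header value as an OAuth2 client would.
    rfc6749_encode=True models Spring Security after #11440."""
    if rfc6749_encode:
        client_id = quote_plus(client_id)
        client_secret = quote_plus(client_secret)
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def token_endpoint_accepts(header: str, registered: dict, decodes_form_encoding: bool) -> bool:
    """Simulated token-endpoint client authentication.

    registered maps client_id -> client_secret as stored by the
    authorization server. decodes_form_encoding=True models UAA v74.0+
    (RFC-conformant); False models the older UAA from this thread.
    """
    scheme, _, b64 = header.partition(" ")
    if scheme != "Basic" or not b64:
        return False
    try:
        decoded = base64.b64decode(b64, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    client_id, sep, secret = decoded.partition(":")
    if not sep:
        return False
    if decodes_form_encoding:
        client_id, secret = unquote_plus(client_id), unquote_plus(secret)
    expected = registered.get(client_id)
    if expected is None:
        return False
    # Constant-time comparison, as a real token endpoint should do.
    return hmac.compare_digest(expected.encode("utf-8"), secret.encode("utf-8"))


def compatibility_matrix(client_id: str, client_secret: str) -> dict:
    """Outcome for every (client encodes?, server decodes?) combination.
    The thread's failing case is the key (True, False)."""
    registered = {client_id: client_secret}
    return {
        (enc, dec): token_endpoint_accepts(
            basic_header(client_id, client_secret, enc), registered, dec)
        for enc in (False, True)
        for dec in (False, True)
    }


if __name__ == "__main__":
    # Constructed values; the registration in this thread used client id "dataflow".
    for secret in ("s3cr3t", "p@ss word/1"):
        print(repr(secret), compatibility_matrix("dataflow", secret))
```

A secret made only of characters that form-encoding leaves untouched succeeds in every cell, which is why the same configuration can work against one UAA and fail against another.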

markpollack commented

We will document the matrix of compatible components, e.g. SCDF/Skipper with which version of UAA.

@DanFrei DanFrei closed this as completed Feb 19, 2023
juzerali commented

Has anyone got it working with Keycloak? I get the following error on redirect with Keycloak:

[invalid_token_response] An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: 403 Forbidden: "error code: 1010"


server:
  extraEnvVars:
    - name:  spring.security.oauth2.resourceserver.opaquetoken.client-secret
      value: override-in-hcl
    - name:  spring.security.oauth2.client.registration.keycloak.client-secret
      value: override-in-hcl
    - name: spring.cloud.dataflow.security.authorization.provider-role-mappings.keycloak.map-oauth-scopes
      value: "true"   # env var values must be strings; a bare YAML boolean is rejected here
    - name: spring.cloud.dataflow.security.authorization.provider-role-mappings.keycloak.role-mappings.ROLE_CREATE
      value: dataflow.create
    - name: spring.cloud.dataflow.security.authorization.provider-role-mappings.keycloak.role-mappings.ROLE_DEPLOY
      value: dataflow.deploy
    - name: spring.cloud.dataflow.security.authorization.provider-role-mappings.keycloak.role-mappings.ROLE_DESTROY
      value: dataflow.destroy
    - name: spring.cloud.dataflow.security.authorization.provider-role-mappings.keycloak.role-mappings.ROLE_MANAGE
      value: dataflow.manage
    - name: spring.cloud.dataflow.security.authorization.provider-role-mappings.keycloak.role-mappings.ROLE_MODIFY
      value: dataflow.modify
    - name: spring.cloud.dataflow.security.authorization.provider-role-mappings.keycloak.role-mappings.ROLE_SCHEDULE
      value: dataflow.schedule
    - name: spring.cloud.dataflow.security.authorization.provider-role-mappings.keycloak.role-mappings.ROLE_VIEW
      value: dataflow.view
    - name: spring.security.oauth2.client.registration.keycloak.client-id
      value: helm-scdf
    - name:  spring.security.oauth2.client.registration.keycloak.redirect-uri
      value: '{baseUrl}/login/oauth2/code/{registrationId}'
    - name:  spring.security.oauth2.client.registration.keycloak.authorization-grant-type
      value: authorization_code
    - name:  spring.security.oauth2.client.registration.keycloak.scope
      value: openid,dataflow.create,dataflow.deploy,dataflow.destroy,dataflow.manage,dataflow.modify,dataflow.schedule,dataflow.view
    - name:  spring.security.oauth2.client.provider.keycloak.jwk-set-uri
      value: https://identity.codinglama.tech/realms/scdf/protocol/openid-connect/certs
    - name:  spring.security.oauth2.client.provider.keycloak.token-uri
      value: https://identity.codinglama.tech/realms/scdf/protocol/openid-connect/token
    - name:  spring.security.oauth2.client.provider.keycloak.user-info-uri
      value: https://identity.codinglama.tech/realms/scdf/protocol/openid-connect/userinfo
    - name:  spring.security.oauth2.client.provider.keycloak.user-name-attribute
      value: email
    - name:  spring.security.oauth2.client.provider.keycloak.authorization-uri
      value: https://identity.codinglama.tech/realms/scdf/protocol/openid-connect/auth
    - name:  spring.security.oauth2.resourceserver.opaquetoken.introspection-uri
      value: https://identity.codinglama.tech/realms/scdf/protocol/openid-connect/token/introspect
    - name:  spring.security.oauth2.resourceserver.opaquetoken.client-id
      value: helm-scdf
    - name: SPRING_SECURITY_OAUTH2_AUTHORIZATION_CHECK_TOKEN_ACCESS
      value: isAuthenticated()

Exception

org.springframework.security.authentication.ProviderNotFoundException: No AuthenticationProvider found for org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationToken
	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:234)
	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:201)
	at org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter.attemptAuthentication(OAuth2LoginAuthenticationFilter.java:195)

BradNut commented Mar 21, 2024

@juzerali Were you able to resolve this issue? I too get the same error.
