Updating the OAuth2 Client that uses Other Authorization Grant Types

Before You Begin

This procedure uses the UAA Command Line Interface (UAAC). For more information on installing UAAC, see https://github.com/cloudfoundry/cf-uaac.

About This Task

Use these steps to update an OAuth2 client that uses any of the following authorization grant types:

  • Authorization Code
  • Implicit
  • Resource Owner Password
  • Refresh Token

Procedure

  1. Specify your UAA instance as the intended target.
    uaac target <uaa_instance_url> 

    <uaa_instance_url> is the URL to your trusted issuer, such as https://11fa0273-9e2a-37e2-9d06-2c95a1f4f5ea.predix-uaa.run.aws-usw02-pr.ice.predix.io. You can retrieve this URL from the VCAP_SERVICES environment variable after binding your UAA instance to an application.

  2. Log into UAAC using the administrative client.
    uaac token client get admin

    Enter the admin client secret when prompted. The following steps create groups and users and modify a client, so the client you log in with needs the scim.write and clients.write authorities; the default admin client has them.

  3. Create the groups required for a platform service in UAA.
    uaac group add <service_scope>

    Where <service_scope> is the group you need to create for your service. In UAA a scope is represented as a group; a user who is a member of the group can be granted the scope in a token. Create only the groups your client and users actually need.

    Predix platform services require the following scopes:

    Service Name          Scopes
    Access Control        acs.policies.read
                          acs.policies.write
                          acs.attributes.read
                          acs.attributes.write
                          predix-acs.zones.<acs_instance_guid>.user
    Tenant Management     tms.tenant.read
                          tms.tenant.write
                          predix-tms.zones.<tms_instance_guid>.user
    Analytics Catalog     analytics.zones.<service_instance_guid>.user
    Analytics Runtime     analytics.zones.<service_instance_guid>.user
    Asset                 predix-asset.zones.<service_instance_guid>.user
    Time Series           Data ingestion:
                          timeseries.zones.<Predix-Zone-Id>.user
                          timeseries.zones.<Predix-Zone-Id>.ingest
                          Data queries:
                          timeseries.zones.<Predix-Zone-Id>.user
                          timeseries.zones.<Predix-Zone-Id>.query
    View                  view.zones.<view_instance_ID>.user
                          views.admin.user
                          views/power.user
  4. Create a new user in UAA that can administer the platform service.
    Note: You can skip this step if the user already exists.
    uaac user add <user_name> -p [password] --emails <user_name>@example.com

    A password passed with -p is recorded in your shell history; clear it afterwards or set the password through a prompt in an interactive session.
  5. Assign membership to the required scopes.
    uaac member add <service_scope> <user_name>

    You can specify multiple user names as a comma-separated list.

  6. Update the OAuth2 client with the scopes required for a platform service.
    uaac client update <client_name> \
      --scope <service_scopes> \
      --authorized_grant_types <grant_type> \
      --authorities uaa.resource

    <service_scopes> is a comma-separated list of the scopes from the table above. The value you pass replaces the client's existing scope list, so include every scope the client still needs, and no more.

    <grant_type> can be one or a combination of authorization_code, implicit, password, and refresh_token, specified as a comma-separated list. Grant only the types the client will use: the password grant lets the client handle end-user passwords directly, and the implicit grant returns access tokens in the browser URL fragment, which current OAuth 2.0 security guidance discourages in favor of authorization_code.

  7. Obtain a token for the service user through the updated client. This uses the resource owner password grant, so the client must include password in its authorized grant types.
    uaac token owner get <service_client> <service_user>

    Enter the client secret and the user's password when prompted.

  8. To validate that the scopes were updated in the token, decode the token you just received:
    uaac token decode

    Confirm that the scope claim lists the scopes you assigned to the client in step 6 and that the user was made a member of in step 5. A scope missing from the token means it is absent from one of those two places.
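The check in step 8 is easy to script. The following is an added example, not code from this page or from UAA or Predix: it decodes the payload of an access token the way `uaac token decode` does and reports which of a service's required scopes are missing, whether the token has expired, and which grant issued it. The token, the zone id and the claim values are constructed for the example; a real token is signed by UAA, and this helper does not verify the signature, so use it only on a token UAA just issued to you, never as an authorization decision.

```python
"""Check that a UAA access token carries the scopes a platform service needs.

Added example. Decodes the JWT payload without verifying the signature, so it is
an inspection aid for a token you already trust, not a validator.
"""
import base64
import json
import time


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_claims(token: str) -> dict:
    """Return the JWT payload as a dict. The signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def missing_scopes(claims: dict, required: set) -> set:
    """Scopes the service needs that the token does not carry."""
    granted = set(claims.get("scope", []))
    return required - granted


def check_token(token: str, required: set, now: float = None) -> dict:
    """Summarise whether the token can be used against the service."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    missing = missing_scopes(claims, required)
    expired = claims.get("exp", 0) <= now
    return {
        "client_id": claims.get("client_id"),
        "user_name": claims.get("user_name"),
        "grant_type": claims.get("grant_type"),
        "expired": expired,
        "missing": sorted(missing),
        "ok": not missing and not expired,
    }


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT (alg "none") for the example only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Required scopes for the Time Series query path from the table above.
# The zone id is a placeholder assumption.
ZONE = "1a2b3c4d-zone-id"
TIMESERIES_QUERY = {
    f"timeseries.zones.{ZONE}.user",
    f"timeseries.zones.{ZONE}.query",
}

# Constructed sample claims, shaped like the output of `uaac token decode`.
# The query scope is deliberately absent to show the report.
SAMPLE_CLAIMS = {
    "client_id": "my-service-client",
    "user_name": "ts-admin",
    "grant_type": "password",
    "scope": [f"timeseries.zones.{ZONE}.user", "openid"],
    "exp": 4102444800,  # year 2100, so the sample is not expired
}
SAMPLE_TOKEN = make_unsigned_token(SAMPLE_CLAIMS)

if __name__ == "__main__":
    print(json.dumps(check_token(SAMPLE_TOKEN, TIMESERIES_QUERY), indent=2))
```

Run it as is to see the sample report, or replace SAMPLE_TOKEN with the access token from `uaac context` and TIMESERIES_QUERY with the scope set for your service. A scope in the "missing" list is either not in the client's --scope list from step 6 or the user is not a member of the group from step 5.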