Updating the OAuth2 Client that uses Other Authorization Grant Types
Before You Begin
This procedure uses the UAA Command Line Interface (UAAC). For more information on installing UAAC, see https://github.com/cloudfoundry/cf-uaac.
About This Task
Use these steps to update an OAuth2 client that uses any of the following authorization grants.
- Authorization Code
- Implicit
- Resource Owner Password
- Refresh Token
Procedure
- Specify your UAA instance as the intended target.
uaac target <uaa_instance_url>
<uaa_instance_url> is the URL of your trusted issuer, such as https://11fa0273-9e2a-37e2-9d06-2c95a1f4f5ea.predix-uaa.run.aws-usw02-pr.ice.predix.io. You can retrieve this URL from the VCAP_SERVICES environment variable after binding your UAA instance to an application.
- Log into UAAC using the administrative client.
uaac token client get admin
Specify the <client_secret> when prompted.
- Create the groups required for a platform service in UAA.
uaac group add <service_scope>
Where <service_scope> is the group that you need to create for your service.
Predix platform services require the following scopes:

Service Name        Scopes
Access Control      acs.policies.read
                    acs.policies.write
                    acs.attributes.read
                    acs.attributes.write
                    predix-acs.zones.<acs_instance_guid>.user
Tenant Management   tms.tenant.read
                    tms.tenant.write
                    predix-tms.zones.<tms_instance_guid>.user
Analytics Catalog   analytics.zones.<service_instance_guid>.user
Analytics Runtime   analytics.zones.<service_instance_guid>.user
Asset               predix-asset.zones.<service_instance_guid>.user
Time Series         Data ingestion:
                    timeseries.zones.<Predix-Zone-Id>.user
                    timeseries.zones.<Predix-Zone-Id>.ingest
                    Data queries:
                    timeseries.zones.<Predix-Zone-Id>.user
                    timeseries.zones.<Predix-Zone-Id>.query
View                view.zones.<view_instance_ID>.user
                    views.admin.user
                    views/power.user
- Create a new user in UAA that can administer the platform service. Note: You can skip this step if the user already exists.
uaac user add <user_name> -p [password] --emails <user_name>@example.com
- Assign membership to the required scopes.
uaac member add <service_scope> <user_name>
You can specify multiple user names as a comma-separated list.
- Update the OAuth2 client with the scopes required for a platform service.
uaac client update <client_name> \
  --scope <service_scopes> \
  --authorized_grant_types <grant_type> \
  --authorities uaa.resource
<service_scopes> is a comma-separated list of the scopes from the table above. <grant_type> can be one or a combination of authorization_code, implicit, password, and refresh_token; specify multiple grant types as a comma-separated list. Grant only the types the client actually uses; the implicit and password grants are deprecated in the OAuth 2.0 Security Best Current Practice, so prefer authorization_code where a user logs in through a browser. The client's scope list is the maximum a user can delegate to it: a scope appears in a user token only if it is in this list and the user is a member of the corresponding group (see the membership step above).
- Log into UAAC as the service user through the updated client. This uses the resource owner password grant.
uaac token owner get <service_client> <service_user>
Specify the <client_secret> and the user's password when prompted.
- To validate that the scopes were updated in the token, decode it and check the scope claim:
uaac token decode