@pburkholder
Last active August 6, 2018 15:35
Demo UAA for cloud.gov

The stated rationale for this project (the fake UAA) is:

Authenticating with cloud.gov can be challenging when developing an app:

  • It can be difficult or impossible to log in as multiple different users to manually test your application's functionality.
  • If you're offline or on a spotty internet connection, authenticating with cloud.gov may be challenging.
  • Because logging into cloud.gov usually involves 2-factor authentication, logging in can be slow and cumbersome, which can slow down development.
  • Registering the client ID, client secret, and callback URL in cloud.gov requires creating new identity providers, and you may want a lighter-weight approach for development.
  • Debugging problems with the OAuth2 handshake can be difficult because you don't have much visibility into cloud.gov's internal state.

The fake UAA is intended to solve these problems by making it easy to host your own UAA server on your local system. The simplicity of its implementation and its debugging messages allow developers to easily understand what's going on during the OAuth2 handshake. It also makes it dead simple to log in as multiple different users.

Most of these issues can be addressed by running a real UAA server, especially since Docker makes running UAA pretty easy. As in:

docker run -d --name uaa-uaa -p 8080:8080 \
  -e UAA_CONFIG_URL=https://gist.githubusercontent.com/pburkholder/4b96a7539da68f39f4804c4a63572e4a/raw/e4533dc8894e7adafedb6f316c4b16ca86be913c/uaa.yml \
  hortonworks/cloudbreak-uaa:3.6.3

The above runs an hsqldb-based UAA server pre-configured with one OAuth2 client, my_client_id (secret my_client_secret, authorization_code and refresh_token grants, scope openid, redirect URI http://localhost:8000/auth/callback), and two SCIM users. Note that the client secret and user passwords in that uaa.yml are in the clear and the redirect URI is plain http, so this is a local development fixture only; on a shared network, publish the port on the loopback interface (-p 127.0.0.1:8080:8080) rather than on all interfaces. Per the above criteria:

  • One can log in as multiple different users: paul (password wombat) or stefan (password wallaby), with more added as extra scim.users lines.
  • One can run this without cloud.gov being available (if you point UAA_CONFIG_URL at a local copy of uaa.yml and have already pulled the Docker image).
  • One can skip 2-factor auth and just use username/password, per your uaa.yml configuration.
  • One can fully configure uaa.yml to mimic whatever features of cloud.gov auth one wants (clients, scopes, group memberships).
  • One can debug by connecting to the container and tailing the log file, e.g. docker exec uaa-uaa /usr/bin/tail -f /tomcat/logs/uaa.log

We should deprecate this project, remove references to it from cloud.gov, and instead provide guidance for developing with a dockerized UAA. The example-client.js can go into https://github.com/18F/cg-demos for demonstrating the cloud.gov identity provider.

uaa.yml (the file the UAA_CONFIG_URL above points at):

spring_profiles: hsqldb
oauth:
  client:
    override: true
    autoapprove:
      - my_client_id
  clients:
    my_client_id:
      id: my_client_id
      secret: my_client_secret
      authorized-grant-types: authorization_code,refresh_token
      scope: openid
      authorities: uaa.none
      redirect-uri: http://localhost:8000/auth/callback
scim:
  username_pattern: '[a-z0-9+\-_.@]+'
  users:
    - paul|wombat|paul@test.org|Paul|Smith|openid,myresourceserver.scope1,myresourceserver.scope2
    - stefan|wallaby|stefan@test.org|Stefan|Schmidt|openid,myresourceserver.scope1,myresourceserver.scope2
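As an added illustration (not part of this gist, and not the example-client.js it mentions), here is a minimal Python client for the authorization_code handshake against the dockerized UAA above, using the client id, secret, redirect URI and scope from the uaa.yml. The base URL http://localhost:8080/uaa is an assumption: the context path depends on the image (UAA's own default is /uaa; some images serve it at the root). Everything runs offline except exchange_code(), which actually posts to the container; the id_token it decodes at the end is a constructed stand-in, not a token UAA issued.

```python
"""OAuth2 authorization_code client pieces for the dockerized UAA above."""
import base64
import json
import secrets
import urllib.parse
import urllib.request

# Values taken from the uaa.yml in this gist.  The base URL is an assumption:
# adjust the context path (/uaa vs. root) to match the image you run.
UAA = "http://localhost:8080/uaa"
CLIENT_ID = "my_client_id"
CLIENT_SECRET = "my_client_secret"
REDIRECT_URI = "http://localhost:8000/auth/callback"
SCOPE = "openid"


def build_authorize_url(state, base=UAA):
    """Step 1: the URL the browser is sent to.  `state` is a per-session random
    value the callback must echo back; checking it is what stops a forged
    callback from binding an attacker's authorization code to the victim's session."""
    query = {"response_type": "code", "client_id": CLIENT_ID,
             "redirect_uri": REDIRECT_URI, "scope": SCOPE, "state": state}
    return f"{base}/oauth/authorize?" + urllib.parse.urlencode(query)


def parse_callback(url, expected_state):
    """Step 2: validate the redirect back to REDIRECT_URI and extract the code.
    Raises ValueError (and thus drops the callback) on any error or state mismatch."""
    params = dict(urllib.parse.parse_qsl(urllib.parse.urlparse(url).query))
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error']}")
    # constant-time compare on bytes; a mismatch means this callback is not ours
    if not secrets.compare_digest(params.get("state", "").encode(), expected_state.encode()):
        raise ValueError("state mismatch: dropping callback")
    if "code" not in params:
        raise ValueError("callback carries no code")
    return params["code"]


def build_token_request(code, base=UAA):
    """Step 3: the back-channel POST to /oauth/token.  The client authenticates
    with HTTP Basic (client id and secret); the secret never goes in a URL."""
    body = urllib.parse.urlencode({"grant_type": "authorization_code",
                                   "code": code,
                                   "redirect_uri": REDIRECT_URI}).encode()
    creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    return urllib.request.Request(
        f"{base}/oauth/token", data=body, method="POST",
        headers={"Authorization": f"Basic {creds}",
                 "Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"})


def exchange_code(code, base=UAA):
    """Send the token request to the running container; returns the parsed JSON
    (access_token, refresh_token, id_token, ...)."""
    with urllib.request.urlopen(build_token_request(code, base), timeout=10) as resp:
        return json.load(resp)


def decode_jwt_unverified(token):
    """Split a JWT into (header, claims) WITHOUT checking the signature.  Fine for
    reading what UAA put in the id_token while debugging the handshake; an app must
    verify the signature against the keys UAA publishes at /token_keys before
    trusting a single claim."""
    def b64url(part):
        return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))
    header, claims, _signature = token.split(".")
    return json.loads(b64url(header)), json.loads(b64url(claims))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed stand-in for an id_token so the decoder can be exercised offline.
# It is NOT a token UAA issued and its "signature" segment is a placeholder.
SAMPLE_ID_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "kid": "sample-key"}).encode()),
    _b64url_encode(json.dumps({"sub": "paul", "user_name": "paul",
                               "email": "paul@test.org", "scope": ["openid"]}).encode()),
    "placeholder-signature",
])


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    print("open in a browser, log in as paul/wombat:", build_authorize_url(state))
    # Constructed callback URL, as the browser would request it from localhost:8000.
    code = parse_callback(f"{REDIRECT_URI}?code=abc123&state={state}", state)
    req = build_token_request(code)
    print("would POST", req.data.decode(), "to", req.full_url)
    print("claims in the sample id_token:", decode_jwt_unverified(SAMPLE_ID_TOKEN)[1])
    # With the container up and a real code from the callback: print(exchange_code(code))
```

With the container running, open the printed URL, log in as paul, copy the code from the callback and hand it to exchange_code(); the returned id_token should decode to the user_name and email from the scim.users line, which is a quick way to confirm the UAA_CONFIG_URL was actually applied. The state check costs two lines and is the part of this flow a development client most often leaves out; keeping it here means the client is safe to promote when the target becomes cloud.gov.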