on 2020 May 15 11:13 PM
I am building a Cloud Foundry app that uses XSUAA authentication via IAS. The application runs well through the browser (when I authenticate myself with a username and password), but when I create a service key to perform remote calls I only get one scope (uaa.user) assigned and not the necessary authorization.
I tried setting the scope in the token request, but can only set uaa.user as a valid scope.
Here are the questions:
1. When I issue a service key, which scope(s) or role templates are automatically assigned?
2. When requesting my token, should I be able to select any of the scopes defined in xs-security.json?
3. Is there a way to create a service key with a specific scope?
4. Is the first scope in the array always assigned to the service key request?
--- sample .http request to retrieve token
POST {{authentication_server}}/oauth/token HTTP/1.1
Authorization: Basic {{client_id}}:{{client_secret}}
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
&client_id={{client_id}}
&scope={{requested_scope}}
--- my xs-security.json
{
  "xsappname": "riz-inno-unit-base",
  "tenant-mode": "dedicated",
  "description": "Security profile of Unit Base Modules",
  "scopes": [
    {
      "name": "uaa.user",
      "description": "UAA"
    },
    {
      "name": "$XSAPPNAME.standard",
      "description": "Standard User"
    },
    {
      "name": "$XSAPPNAME.admin",
      "description": "Administrator"
    },
    {
      "name": "$XSAPPNAME.noaccess",
      "description": "No access"
    }
  ],
  "role-templates": [
    {
      "name": "Token_Exchange",
      "description": "UAA",
      "scope-references": ["uaa.user", "$XSAPPNAME.standard"]
    },
    {
      "name": "riz_inno_unit_base_role_user",
      "description": "Standard Role for Unit Base",
      "scope-references": ["uaa.user", "$XSAPPNAME.standard"]
    },
    {
      "name": "riz_inno_unit_base_role_admin",
      "description": "Admin Role for Unit Base",
      "scope-references": ["uaa.user", "$XSAPPNAME.standard", "$XSAPPNAME.admin"]
    }
  ]
}
Hello Martin,
I found a blog which may help you with your third question.
First of all, the blog which explains a solution to your problem in great detail: https://community.sap.com/t5/technology-blogs-by-sap/how-to-call-protected-app-from-external-app-as-...
I recreated the steps from the blog and I was able to issue a token with the client-id and secret from a service key which has a specific scope.
I created an xsuaa-instance with the following json-configuration:
{
  "xsappname": "test-provider-xsuaa",
  "tenant-mode": "dedicated",
  "oauth2-configuration": {
    "credential-types": ["binding-secret"]
  },
  "scopes": [
    {
      "name": "$XSAPPNAME.testscope",
      "grant-as-authority-to-apps": ["$XSAPPNAME(application,test-client-xsuaa)"]
    }
  ],
  "role-templates": [
    {
      "name": "TestProviderRoleTemplate",
      "default-role-name": "TestProviderRoleTemplate",
      "scope-references": ["$XSAPPNAME.testscope"]
    }
  ]
}
In the scope "testscope" you need to refer to another xsuaa-instance via "grant-as-authority-to-apps". "application" is the service plan and "test-client-xsuaa" is the name of the service-instance.
Then I created an xsuaa service-instance with the name "test-client-xsuaa":
{
  "xsappname": "test-client-xsuaa",
  "tenant-mode": "dedicated",
  "oauth2-configuration": {
    "credential-types": ["binding-secret"]
  },
  "authorities": ["$XSAPPNAME(application,test-provider-xsuaa).testscope"]
}
In "authorities" you need to refer to the service-instance created before and define the scope "testscope". I then created a service key for the instance "test-client-xsuaa", issued a token with its client-secret and client-id and checked the token on jwt.io. The token contains the scope "testscope".
Using this pattern you can issue tokens from a service key containing a specific scope by creating new xsuaa-instances for each scope.
Best regards
Torben
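To verify what a service key's token really carries (the check Torben did by hand on jwt.io), here is an added example that is not part of this thread or of SAP's libraries. It uses only the Python 3 standard library and assumes that the XSUAA scope claim is a JSON array and that XSUAA suffixes the xsappname with a tenant index `!t<n>`; the token below is constructed and unsigned, and the authentication server URL in the test is a placeholder.

```python
import base64
import json
import urllib.parse
import urllib.request


def build_token_request(auth_server, client_id, client_secret):
    """Assemble the client_credentials request a service key is used for.
    Returns (url, headers, body); nothing is sent, so it can be checked offline."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return f"{auth_server}/oauth/token", headers, body


def fetch_token(auth_server, client_id, client_secret):
    """Send the request built above and return the raw access token (needs network)."""
    url, headers, body = build_token_request(auth_server, client_id, client_secret)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]


def jwt_claims(token):
    """Decode only the payload (what jwt.io shows). The signature is NOT verified,
    so this is for inspection, never for an authorization decision."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def granted(token, xsappname, scope):
    """True if the token carries <xsappname>[!t<n>].<scope>.
    Assumption: XSUAA appends a tenant index '!t<n>' to the xsappname."""
    for s in jwt_claims(token).get("scope", []):
        app, _, name = s.rpartition(".")
        if name == scope and (app == xsappname or app.startswith(xsappname + "!t")):
            return True
    return False


def _unsigned_token(claims):
    """Constructed sample token for offline checks: header + payload, dummy signature."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.sig"


SAMPLE_TOKEN = _unsigned_token({
    "client_id": "sb-test-client-xsuaa!t100",
    "scope": ["uaa.resource", "test-provider-xsuaa!t100.testscope"],
})
```

Run `granted(fetch_token(...), "test-provider-xsuaa", "testscope")` against a real service key to confirm the cross-instance grant before wiring the remote call.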