Configuring Concourse 4.0.0 Cloud Foundry Authentication Provider


I’m trying to configure UAA authentication with Pivotal Cloud Foundry. I’m already running an instance of Concourse 3.14.1 on which I configured UAA authentication as follows:

fly -t main set-team -n "myteam" --uaa-auth-client-id concourse \
     --uaa-auth-client-secret '********' \
     --uaa-auth-auth-url \
     --uaa-auth-token-url \
     --uaa-auth-cf-url \
     --uaa-auth-cf-space "********-****-****-****-************"

The uaa client:

uaac client get concourse
  client_id: concourse
  resource_ids: none
  authorized_grant_types: refresh_token client_credentials authorization_code
  redirect_uri: https://concourse.external.url/auth/uaa/callback
  autoapprove: true
  authorities: cloud_controller.admin
  name: concourse
  lastmodified: 1503505279000

With Concourse 3.14.1, everything is working as expected. Now, I installed Concourse 4.2.1 with the following setup.

The uaa client:

uaac client add concourse \
 --name concourse \
 --scope "openid," \
 --authorized_grant_types "authorization_code,refresh_token" \
 --access_token_validity 3600 \
 --refresh_token_validity 3600 \
 --secret ******** \
 --redirect_uri https://concourse.external.url/sky/issuer/callback \
 --autoapprove true

I added the following parameters to the atc instance:

--cf-client-id concourse
--cf-client-secret ******** 

I create a team and associated it with a Cloud Foundry space in which I am a SpaceDeveloper:

fly -t main set-team -n productx --cf-space=ProductX:dev
Team Name: productx

- none

- cf:productx:dev

apply configuration? [yN]: y
team created

I’m able to authenticate to the main team with a local user but when I’m trying to authenticate to the “productx” team with cf auth, it’s not working. Here is what happens:

  1. In the UI, I click on login.
  2. I click on the CloudFoundry auth button.
  3. I am being redirected to the uaa login page.
  4. I enter my account information.
  5. The authentication is then delegated to the enterprise authentication manager and the user profile is retreived.
  6. At this point, the UUA would be supposed to try to request a token to Concourse but it did completely lost track of the request state. I don’t have anything in the atc log.
  7. Concourse is never called back and I land on the Pivotal Cloud Foundry account page (

Did I missed something?