I’m trying to configure UAA authentication with Pivotal Cloud Foundry. I’m already running an instance of Concourse 3.14.1 on which I configured UAA authentication as follows:
fly -t main set-team -n "myteam" --uaa-auth-client-id concourse \
  --uaa-auth-client-secret '********' \
  --uaa-auth-auth-url https://login.system.my.cf.fqdn/oauth/authorize \
  --uaa-auth-token-url https://login.system.my.cf.fqdn/oauth/token \
  --uaa-auth-cf-url https://api.system.my.cf.fqdn \
  --uaa-auth-cf-space "********-****-****-****-************"
The uaa client:
uaac client get concourse
  scope: cloud_controller.read
  client_id: concourse
  resource_ids: none
  authorized_grant_types: refresh_token client_credentials authorization_code
  redirect_uri: https://concourse.external.url/auth/uaa/callback
  autoapprove: true
  authorities: cloud_controller.admin
  name: concourse
  lastmodified: 1503505279000
With Concourse 3.14.1, everything is working as expected. Now, I installed Concourse 4.2.1 with the following setup.
The uaa client:
uaac client add concourse \
  --name concourse \
  --scope "openid,cloud_controller.read" \
  --authorized_grant_types "authorization_code,refresh_token" \
  --access_token_validity 3600 \
  --refresh_token_validity 3600 \
  --secret ******** \
  --redirect_uri https://concourse.external.url/sky/issuer/callback \
  --autoapprove true
I added the following parameters to the atc instance:
--cf-client-id concourse --cf-client-secret ******** --cf-api-url https://api.system.my.cf.fqdn
I created a team and associated it with a Cloud Foundry space in which I am a SpaceDeveloper:
fly -t main set-team -n productx --cf-space=ProductX:dev
Team Name: productx
Users:
- none
Groups:
- cf:productx:dev
apply configuration? [yN]: y
team created
I’m able to authenticate to the main team with a local user but when I’m trying to authenticate to the “productx” team with cf auth, it’s not working. Here is what happens:
- In the UI, I click on login.
- I click on the CloudFoundry auth button.
- I am being redirected to the uaa login page.
- I enter my account information.
- The authentication is then delegated to the enterprise authentication manager and the user profile is retrieved.
- At this point, UAA is supposed to try to request a token to Concourse, but it completely lost track of the request state. I don’t have anything in the atc log.
- Concourse is never called back and I land on the Pivotal Cloud Foundry account page (https://account.system.my.cf.fqdn)
Did I miss something?
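As an added diagnostic example (not part of the original post): parse what `uaac client get` prints and compare it with the registration the post's 4.2.1 `uaac client add` command asks for (openid and cloud_controller.read scopes, authorization_code and refresh_token grants, a redirect URI under /sky/issuer/callback). The sample output below is constructed from the post's 3.14.1 client, so the check reports the differences between the two registrations.

```python
"""Added example, not the post's own code: lint a `uaac client get` dump
against the client registration used for Concourse 4.x in the post."""
from urllib.parse import urlparse

# Expected registration, taken from the post's `uaac client add` command.
EXPECTED = {
    "scope": {"openid", "cloud_controller.read"},
    "authorized_grant_types": {"authorization_code", "refresh_token"},
    "redirect_uri_path": "/sky/issuer/callback",
}

# Constructed sample: the 3.14.1-era client exactly as the post shows it.
OLD_CLIENT = """\
  scope: cloud_controller.read
  client_id: concourse
  resource_ids: none
  authorized_grant_types: refresh_token client_credentials authorization_code
  redirect_uri: https://concourse.external.url/auth/uaa/callback
  autoapprove: true
  authorities: cloud_controller.admin
  name: concourse
  lastmodified: 1503505279000
"""


def parse_uaac_client(text):
    """uaac prints one `key: value` per line; multi-valued keys are space-separated.
    Splitting on the first colon keeps URLs (which contain ':') intact."""
    client = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.strip().partition(":")
        client[key.strip()] = value.split()
    return client


def check_client(client):
    """Return a list of mismatches between the parsed client and EXPECTED."""
    problems = []
    missing_scopes = EXPECTED["scope"] - set(client.get("scope", []))
    if missing_scopes:
        problems.append("missing scope(s): " + ", ".join(sorted(missing_scopes)))
    missing_grants = EXPECTED["authorized_grant_types"] - set(client.get("authorized_grant_types", []))
    if missing_grants:
        problems.append("missing grant type(s): " + ", ".join(sorted(missing_grants)))
    paths = {urlparse(u).path for u in client.get("redirect_uri", [])}
    if EXPECTED["redirect_uri_path"] not in paths:
        problems.append("no redirect_uri with path " + EXPECTED["redirect_uri_path"])
    return problems


if __name__ == "__main__":
    for problem in check_client(parse_uaac_client(OLD_CLIENT)):
        print("mismatch:", problem)
```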