Unable to logging UAA Admin PCF

Issue

We are installing the latest version of CJE tile for PCF. After successful installation, we are unable to login to the UI using UAA admin credentials. It throws the following error on the screen.

Caused by: java.lang.RuntimeException: Error making request [POST https://example.com/oauth/token HTTP/1.1]
at com.cloudfoundry.jenkins.cloudfoundryoauth.util.HttpClientUtils2.getResponseBodyForRequest(HttpClientUtils2.java:35)
at com.cloudfoundry.jenkins.cloudfoundryoauth.backends.UaaServerClient.requestTokenAsJson(UaaServerClient.java:111)
at com.cloudfoundry.jenkins.cloudfoundryoauth.backends.UaaServerClient.getUserAccessToken(UaaServerClient.java:129)
at com.cloudfoundry.jenkins.cloudfoundryoauth.CloudFoundryOAuthAuthorizer.getUaaAuthenticationToken(CloudFoundryOAuthAuthorizer.java:39)
at com.cloudfoundry.jenkins.cloudfoundryoauth.CloudFoundryOAuthLoginHandler.doFinishLogin(CloudFoundryOAuthLoginHandler.java:63)
at com.cloudfoundry.jenkins.cloudfoundryoauth.UaaSecurityRealm.doFinishLogin(UaaSecurityRealm.java:140)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:298)
at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:161)
at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:96)
at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:121)
at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:746)
... 84 more
Caused by: java.lang.RuntimeException: Non-200 response (401) when requesting (https://example.com/oauth/token).
Headers:
Cache-Control no-cache, no-store, max-age=0, must-revalidate
Cache-Control no-store
Content-Type application/json;charset=UTF-8
Date Wed, 20 Jul 2016 13:47:30 GMT
Expires 0
Pragma no-cache
Pragma no-cache
Server Apache-Coyote/1.1
Strict-Transport-Security max-age=31536000 ; includeSubDomains
Www-Authenticate Basic realm="UAA/client", error="unauthorized", error_description="Bad credentials"
X-Content-Type-Options nosniff
X-Frame-Options DENY
X-Vcap-Request-Id 26fd1ed1-6794-41cf-7bae-12a3fb3dd264
X-Xss-Protection 1; mode=block
Content-Length 62
Body: {"error":"unauthorized","error_description":"Bad credentials"}
at com.cloudfoundry.jenkins.cloudfoundryoauth.util.HttpClientUtils2.getResponseBodyForRequest(HttpClientUtils2.java:30)
... 99 more

trying to use the UAA REST api and generate oauth token using jenkins and UAA admin client credentials. It failed with 401 error for jenkins but UAA admin client worked.

Environment

  • CloudBees Jenkins Platform
  • Pivotal Cloud Foundry

Resolution

It seems the ‘jenkins’ app exists, but maybe not with the credentials Jenkins is using to access it.
We suggest to re-create it:

export ADMIN_CLIENT_ID=admin
export ADMIN_CLIENT_SECRET=...
uaac token client get $ADMIN_CLIENT_ID --secret $ADMIN_CLIENT_SECRET

export CLIENT_ID=jenkins
export CLIENT_SECRET=...

uaac client delete $CLIENT_ID

uaac client add $CLIENT_ID --secret $CLIENT_SECRET \
  --no-interactive \
  --scope oauth.approvals,openid,scim.me,scim.userids,cloud_controller.read,cloud_controller.admin \
  --authorities scim.me,oauth.login,scim.userids,cloud_controller.admin \
  --authorized_grant_types authorization_code,client_credentials,refresh_token \
  --debug

then you can probably try

uaac token client get $CLIENT_ID --secret $CLIENT_SECRET

and see if you get a token.

Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.