cloudfoundry/credhub-cli

Username/password valid but not working on CLI

will-gant opened this issue · 5 comments

What version of the credhub server you are using?

BOSH release 1.9.1

What version of the credhub cli you are using?

1.7.5

If you were attempting to accomplish a task, what was it you were attempting to do?

We're trying to log in to CredHub on the CLI with our username and password.

What did you expect to happen?

We expected to be able to log in successfully.

What was the actual behavior?

$ credhub login
username: credhub-cli
password: ********************
The provided credentials are incorrect. Please validate your input and retry your request.

Despite this, the exact same credentials allow us to log in to https://<concourse-web-node-IP>:8443/login

Here's the relevant chunk of the properties for the UAA job in our Concourse BOSH manifest:

        scim:
          users:
          - name: admin
            password: ((uaa-users-admin))
            groups:
            - scim.write
            - scim.read
            - bosh.admin
            - credhub.read
            - credhub.write
          - name: credhub-cli
            password: ((credhub_cli_password))
            groups:
            - credhub.read
            - credhub.write
        clients:
          credhub_cli:
            override: true
            authorized-grant-types: password,refresh_token,client_credentials
            scope: credhub.read,credhub.write
            authorities: uaa.resource,credhub.read,credhub.write
            access-token-validity: 30
            refresh-token-validity: 3600
            secret: ((credhub_cli_password))
          atc_to_credhub:
            override: true
            authorized-grant-types: client_credentials
            scope: ""
            authorities: credhub.read,credhub.write
            access-token-validity: 3600
            secret: ((uaa_clients_atc_to_credhub))

Please confirm where necessary:

  • [ X ] I have included a log output
  • [ X ] My log includes an error message
  • [ X ] I have included steps for reproduction

Thanks!

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/157840359

The labels on this github issue will be updated when the story is started.

We've done some additional digging into this. By building a local version of the CLI we changed this line to use the client secret for the credhub_cli client instead of the hardcoded empty string. This makes the login succeed.

According to the UAA API, client_secret is optional only if it isn't passed in the Authorization header. Either way it needs to be provided. What is the reason for setting it to "" here?

Is there a way to log in with the CLI using only the user credentials (and not the client ones)?

@crsimmons @bruxelles86 is there a reason you added a password to the credhub_cli client? I think that is the root cause of your problems here. That CLI client exists and is password-less so that UAA can assign user tokens to it, but it is not meant to be used as a client with access to any resources on its own.

@benmoss Removing the password from credhub_cli fixed our issue. Thanks!

As for why we did that, I guess we didn't realise the special usage for that client. We wanted to have both a user and a client (for env var programmatic access). Changing credhub_cli to match the documentation and creating a different client resolves the problem.
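The root cause and fix described in the two comments above (a secret on the `credhub_cli` client breaks `credhub login`, and programmatic access belongs in a separate client) can be turned into a small manifest check. The following is an added example written for this thread, not code from credhub-cli or from the Concourse manifest; it assumes the `clients:` section has already been parsed into a dict (PyYAML is deliberately not imported so it runs offline), that the CLI's client id is `credhub_cli` as in the manifest posted here, and it uses a hypothetical client name `automation_to_credhub` and an assumed `uaa.none` authorities value for the fixed sample:

```python
# Added example for this thread, not part of credhub-cli or of the Concourse
# manifest above. It checks the `clients:` section of a UAA job for the
# misconfiguration discussed here: the `credhub_cli` client must stay
# secret-less and must not be turned into a client that can obtain tokens on
# its own. Assumptions: the manifest is already parsed into a dict (PyYAML is
# not imported so the example runs offline), and the CLI's client id is
# `credhub_cli`, as in the manifest above.

from __future__ import annotations

# Constructed sample: the `clients:` section as posted in the issue (broken).
BROKEN_CLIENTS = {
    "credhub_cli": {
        "override": True,
        "authorized-grant-types": "password,refresh_token,client_credentials",
        "scope": "credhub.read,credhub.write",
        "authorities": "uaa.resource,credhub.read,credhub.write",
        "access-token-validity": 30,
        "refresh-token-validity": 3600,
        "secret": "((credhub_cli_password))",
    },
    "atc_to_credhub": {
        "override": True,
        "authorized-grant-types": "client_credentials",
        "scope": "",
        "authorities": "credhub.read,credhub.write",
        "access-token-validity": 3600,
        "secret": "((uaa_clients_atc_to_credhub))",
    },
}

# Constructed sample: the same section after the fix described in the thread.
# `credhub_cli` is secret-less again and only carries user tokens; programmatic
# access lives in its own client. `automation_to_credhub` is a hypothetical
# name, and `uaa.none` is an assumed value (the thread says "match the
# documentation" without quoting it).
FIXED_CLIENTS = {
    "credhub_cli": {
        "override": True,
        "authorized-grant-types": "password,refresh_token",
        "scope": "credhub.read,credhub.write",
        "authorities": "uaa.none",
        "access-token-validity": 30,
        "refresh-token-validity": 3600,
        "secret": "",
    },
    "atc_to_credhub": BROKEN_CLIENTS["atc_to_credhub"],
    "automation_to_credhub": {
        "override": True,
        "authorized-grant-types": "client_credentials",
        "scope": "",
        "authorities": "credhub.read,credhub.write",
        "access-token-validity": 3600,
        "secret": "((automation_to_credhub_secret))",
    },
}


def grant_types(client: dict) -> set[str]:
    """Split the comma-separated `authorized-grant-types` value into a set."""
    raw = client.get("authorized-grant-types", "") or ""
    return {g.strip() for g in str(raw).split(",") if g.strip()}


def check_uaa_clients(clients: dict, cli_client: str = "credhub_cli") -> list[str]:
    """Return a list of findings; an empty list means the section looks sane."""
    findings: list[str] = []
    cli = clients.get(cli_client)
    if cli is None:
        return [f"{cli_client}: missing; `credhub login` with a username and password needs this client"]
    grants = grant_types(cli)
    # The CLI sends an empty client secret (see the comment about the hardcoded
    # empty string above), so any secret here turns every login into
    # "The provided credentials are incorrect".
    if cli.get("secret") not in ("", None):
        findings.append(f"{cli_client}: has a secret; the CLI authenticates with an empty secret, so password login will fail")
    if "password" not in grants:
        findings.append(f"{cli_client}: lacks the password grant, so UAA cannot issue user tokens through it")
    # This client exists only to carry user tokens; giving it client_credentials
    # lets it obtain tokens on its own, which is what a dedicated client is for.
    if "client_credentials" in grants:
        findings.append(f"{cli_client}: has client_credentials; move programmatic access to a separate client")
    # Every other client that acts on its own behalf needs its own secret.
    for name, client in clients.items():
        if name == cli_client:
            continue
        if "client_credentials" in grant_types(client) and not client.get("secret"):
            findings.append(f"{name}: client_credentials grant with an empty secret")
    return findings


if __name__ == "__main__":
    for label, section in (("broken", BROKEN_CLIENTS), ("fixed", FIXED_CLIENTS)):
        print(f"{label}: {check_uaa_clients(section) or ['ok']}")
```

Run it as-is and the broken section reports the secret and the extra `client_credentials` grant on `credhub_cli`, while the fixed section reports nothing; to check a real manifest, load the YAML with PyYAML and pass `manifest["uaa"]["clients"]` (or wherever the job's properties put it) to `check_uaa_clients`.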

Awesome, glad we could figure that out :)