Why does the CF UAA check_token endpoint need a clientId / clientSecret?
CloudFoundry UAA has a RemoteTokenServices class (part of Spring oauth2 too) that performs authorization token validation by navigating to the check_token endpoint of the UAA server. UAA has sample api and applications that serve as both resource server and client application respectively.
From the sample api spring-servlet.xml:
<bean id="tokenServices" class="org.cloudfoundry.identity.uaa.oauth.RemoteTokenServices">
<property name="checkTokenEndpointUrl" value="${checkTokenEndpointUrl}" />
<property name="clientId" value="app" />
<property name="clientSecret" value="appclientsecret" />
</bean>
Do you know why this class (and the check_token endpoint that needs these values encoded in the Authorization header) requires a clientId and a clientSecret? It seems to me that it puts a dependency on the client application from the resource server. How can I use multiple client applications if one of the client secrets is "hardcoded" here?
I figured it out by reading the UAA documentation completely, and I still think it gets confused in the UAA application examples:
- The clientId and clientSecret values must be the api application's client id / secret (api / apiclientsecret) in the sample, as the resource server needs to authenticate... UAA server with basic authorization when invoking the check_token endpoint, so that the UAA can verify that the request was made from a valid registered resource server.
- To do this, the resource server must also be registered as a client in UAA with client_credentials as an authorized grant type.
- The token to be verified is sent in the body of the POST request.
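Added example (not from the question, the answer or the UAA project): a self-contained Python model of the exchange the answer describes, with both sides in one file. The resource-server side builds the same request RemoteTokenServices sends, a POST to check_token with the resource server's own client id/secret (api / apiclientsecret) in a Basic Authorization header and the token in the form body. The UAA side is a hypothetical mock that checks the Basic credentials against a constructed client registry, requires the client_credentials grant type, and looks the token up in a constructed token table. It is not UAA's implementation; client registrations, token values, claims and the fixed clock value are all made up for the example. Tokens issued to two different client applications (app and app2) are validated with the one set of resource-server credentials, which is the answer to the "multiple client applications" question.

```python
import base64
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed UAA client registry (assumption, not real UAA data). The resource
# server "api" holds the client_credentials grant so it may call check_token;
# "app" and "app2" are ordinary client applications that obtain user tokens.
CLIENTS = {
    "api":  {"secret": "apiclientsecret", "authorized_grant_types": {"client_credentials"}},
    "app":  {"secret": "appclientsecret", "authorized_grant_types": {"authorization_code"}},
    "app2": {"secret": "app2secret",      "authorized_grant_types": {"authorization_code"}},
}

# Constructed table of opaque access tokens UAA has issued, keyed by token value.
# "exp" is compared against a fixed clock value passed in by the caller.
ISSUED_TOKENS = {
    "tok-app-1":   {"client_id": "app",  "user_name": "marissa", "scope": ["openid", "cloud_controller.read"], "exp": 2000},
    "tok-app2-1":  {"client_id": "app2", "user_name": "marissa", "scope": ["openid"], "exp": 2000},
    "tok-expired": {"client_id": "app",  "user_name": "marissa", "scope": ["openid"], "exp": 500},
}


def build_check_token_request(client_id, client_secret, access_token):
    """Resource-server side: the request RemoteTokenServices sends.

    The Basic header carries the resource server's own client id/secret, never
    the credentials of the client application that obtained the token. The
    token itself travels in the form body, not in the URL.
    """
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "method": "POST",
        "path": "/check_token",
        "headers": {
            "Authorization": "Basic " + creds,
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({"token": access_token}),
    }


def handle_check_token(request, clients, tokens, now):
    """Hypothetical mock of the UAA check_token endpoint (not UAA's code).

    Returns (status, body). Authenticates the caller as a registered resource
    server first, then validates the submitted token.
    """
    auth = request["headers"].get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "unauthorized", "error_description": "no client credentials"}
    try:
        client_id, _, secret = base64.b64decode(auth[6:], validate=True).decode().partition(":")
    except ValueError:
        return 401, {"error": "unauthorized", "error_description": "malformed Basic header"}
    client = clients.get(client_id)
    # Constant-time compare, against a dummy when the id is unknown, so timing
    # does not reveal which client ids exist.
    expected = client["secret"] if client else "no-such-client"
    if not hmac.compare_digest(secret.encode(), expected.encode()) or client is None:
        return 401, {"error": "unauthorized", "error_description": "bad client credentials"}
    if "client_credentials" not in client["authorized_grant_types"]:
        return 403, {"error": "access_denied", "error_description": "client is not a registered resource server"}
    token = parse_qs(request["body"]).get("token", [None])[0]
    if not token:
        return 400, {"error": "invalid_request", "error_description": "token parameter missing"}
    claims = tokens.get(token)
    if claims is None or claims["exp"] <= now:
        return 400, {"error": "invalid_token", "error_description": "token is invalid or expired"}
    return 200, dict(claims)


def validate_token(access_token, resource_client_id, resource_secret, now=1000):
    """Resource-server side: one round trip; returns the token's claims or None."""
    req = build_check_token_request(resource_client_id, resource_secret, access_token)
    status, body = handle_check_token(req, CLIENTS, ISSUED_TOKENS, now)
    return body if status == 200 else None


if __name__ == "__main__":
    # The same resource-server credentials validate tokens from both app and app2.
    for tok in ("tok-app-1", "tok-app2-1", "tok-expired"):
        print(tok, "->", validate_token(tok, "api", "apiclientsecret"))
```

Two checks worth noting when reading the mock: a client application's own credentials (app / appclientsecret) are rejected with 403 because that registration lacks the client_credentials grant, and a wrong or unknown client secret is rejected with 401 before the token is even looked at, so an unauthenticated caller cannot use check_token to probe which tokens are valid.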