unity-idm-discuss

[Unity-idm-discuss] OAuth authgenticator for SCIM API

[Sander A. <sa....@fz...>]

Hi Krzysztof,
I spend some further time to set up the SCIM API using tokens. I
created an authenticator for verifying local tokens (config in
screenshot). But when I try to qquery the API using this command

curl https://login-dev.helmholtz.de/scim/Me -H "Authorization: Bearer
$TOKEN" -H "Authorization: Basic $CLIENT"

I got:
{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"status":403
,"detail":"Forbidden"} as response and the log shows

DEBUG unity.server.scim.EngineExceptionMapper: Access denied for SCIM
API client
pl.edu.icm.unity.engine.api.authn.AuthenticationException: Invalid user
name, credential or external authentication failed.

The client which requested the token is the same like the one who calls
the SCIM API. It also requested the scope sys:scim:read_profile to be
able to query the SCIM API.

Did I miss something?

Best regards,
Sander

-- 
Large-Scale Data Science
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

-----------------------------------------------------------------------
-----------------------------------------------------------------------
Forschungszentrum Jülich GmbH
52425 Jülich
Sitz der Gesellschaft: Jülich
Eingetragen im Handelsregister des Amtsgerichts Düren Nr. HR B 3498
Vorsitzender des Aufsichtsrats: MinDir Stefan Müller
Geschäftsführung: Prof. Dr. Astrid Lambrecht (Vorsitzende),
Karsten Beneke (stellv. Vorsitzender), Prof. Dr. Ir. Pieter Jansens
-----------------------------------------------------------------------
-----------------------------------------------------------------------

Re: [Unity-idm-discuss] OAuth authgenticator for SCIM API

[Krzysztof B. <kb...@un...>]

Hi Sander,

W dniu 25.06.2024 o 12:48, Sander Apweiler pisze:
> Hi Krzysztof,
> I spend some further time to set up the SCIM API using tokens. I
> created an authenticator for verifying local tokens (config in
> screenshot). But when I try to qquery the API using this command
>
> curlhttps://login-dev.helmholtz.de/scim/Me  -H "Authorization: Bearer
> $TOKEN" -H "Authorization: Basic $CLIENT"
>
> I got:
> {"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"status":403
> ,"detail":"Forbidden"} as response and the log shows
>
> DEBUG unity.server.scim.EngineExceptionMapper: Access denied for SCIM
> API client
> pl.edu.icm.unity.engine.api.authn.AuthenticationException: Invalid user
> name, credential or external authentication failed.
>
> The client which requested the token is the same like the one who calls
> the SCIM API. It also requested the scope sys:scim:read_profile to be
> able to query the SCIM API.
>
> Did I miss something?


Can you try:

curl https://login-dev.helmholtz.de/scim/Me 
<https://login-dev.helmholtz.de/scim/Me>-H "Authorization: Basic 
$CLIENT,Bearer $TOKEN"

?

If it still doesn't work, please provide server logs from 
authentication, at least on debug and perfectly on TRACE level.

HTH,
Krzysztof