Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Cloudbreak Oauth Token generated but always rejected by Cloudbreak API

Solved Go to solution
Highlighted

Cloudbreak Oauth Token generated but always rejected by Cloudbreak API

Guru

On CB version 1.16.4, attempting to obtain Oauth token to access the rest API. (SSL Cert in place but wrong hostname)

Call to UAA:

curl -iX POST -H "accept: application/x-www-form-urlencoded" -d 'credentials={"username":"admin@example.com","password":"cloudbreak"}' "http://***:8089/oauth/authorize?response_type=token&client_id=cloudbreak_shell"

Response:

HTTP/1.1 302 Found Server: Apache-Coyote/1.1 Cache-Control: no-store X-XSS-Protection: 1; mode=block X-Frame-Options: DENY X-Content-Type-Options: nosniff Location: http://cloudbreak.shell#token_type=bearer&access_token=eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlb... Content-Language: en Content-Length: 0

Store TOKEN in ENV

export TOKEN=eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.eyJqdGkiOiJkZDVmMWUwMDNmNTQ0MzY2OTM1ODMzNTdiMTBhYjcwYyIsInN1YiI6IjIwOTllZGRjLThhMjktNDlhOC1iN2E1LTYzY2RlYTViNTVhZCIsInNjb3BlIjpbImNsb3VkYnJlYWsubmV0d29ya3MucmVhZCIsInBlcmlzY29wZS5jbHVzdGVyIiwiY2xvdWRicmVhay51c2FnZXMudXNlciIsImNsb3VkYnJlYWsucmVjaXBlcyIsImNsb3VkYnJlYWsudXNhZ2VzLmdsb2JhbCIsIm9wZW5pZCIsImNsb3VkYnJlYWsucGxhdGZvcm1zIiwiY2xvdWRicmVhay50ZW1wbGF0ZXMucmVhZCIsImNsb3VkYnJlYWsudXNhZ2VzLmFjY291bnQiLCJjbG91ZGJyZWFrLmV2ZW50cyIsImNsb3VkYnJlYWsuc3RhY2tzLnJlYWQiLCJjbG91ZGJyZWFrLmJsdWVwcmludHMiLCJjbG91ZGJyZWFrLm5ldHdvcmtzIiwiY2xvdWRicmVhay50ZW1wbGF0ZXMiLCJjbG91ZGJyZWFrLnNzc2Rjb25maWdzIiwiY2xvdWRicmVhay5wbGF0Zm9ybXMucmVhZCIsImNsb3VkYnJlYWsuY3JlZGVudGlhbHMucmVhZCIsImNsb3VkYnJlYWsuc2VjdXJpdHlncm91cHMucmVhZCIsImNsb3VkYnJlYWsuc2VjdXJpdHlncm91cHMiLCJjbG91ZGJyZWFrLnN0YWNrcyIsImNsb3VkYnJlYWsuY3JlZGVudGlhbHMiLCJjbG91ZGJyZWFrLnJlY2lwZXMucmVhZCIsImNsb3VkYnJlYWsuc3NzZGNvbmZpZ3MucmVhZCIsImNsb3VkYnJlYWsuYmx1ZXByaW50cy5yZWFkIl0sImNsaWVudF9pZCI6ImNsb3VkYnJlYWtfc2hlbGwiLCJjaWQiOiJjbG91ZGJyZWFrX3NoZWxsIiwiYXpwIjoiY2xvdWRicmVha19zaGVsbCIsInVzZXJfaWQiOiIyMDk5ZWRkYy04YTI5LTQ5YTgtYjdhNS02M2NkZWE1YjU1YWQiLCJvcmlnaW4iOiJ1YWEiLCJ1c2VyX25hbWUiOiJhZG1pbkBleGFtcGxlLmNvbSIsImVtYWlsIjoiYWRtaW5AZXhhbXBsZS5jb20iLCJhdXRoX3RpbWUiOjE1MDk0ODM3NTUsInJldl9zaWciOiJjNjk1OWFhIiwiaWF0IjoxNTA5NDgzNzU2LCJleHAiOjE1MDk1MjY5NTYsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4iLCJ6aWQiOiJ1YWEiLCJhdWQiOlsiY2xvdWRicmVha19zaGVsbCIsImNsb3VkYnJlYWsucmVjaXBlcyIsIm9wZW5pZCIsImNsb3VkYnJlYWsiLCJjbG91ZGJyZWFrLnBsYXRmb3JtcyIsImNsb3VkYnJlYWsuYmx1ZXByaW50cyIsImNsb3VkYnJlYWsudGVtcGxhdGVzIiwiY2xvdWRicmVhay5uZXR3b3JrcyIsInBlcmlzY29wZSIsImNsb3VkYnJlYWsuc3NzZGNvbmZpZ3MiLCJjbG91ZGJyZWFrLnVzYWdlcyIsImNsb3VkYnJlYWsuc2VjdXJpdHlncm91cHMiLCJjbG91ZGJyZWFrLnN0YWNrcyIsImNsb3VkYnJlYWsuY3JlZGVudGlhbHMiXX0.Kae0YSVvVzyno1H-DcsCkjb88-UCTgVKeiseTezeRyo

Call to CB API with TOKEN

curl -k -X GET -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" https://***/stacks/13
{
  "InvalidTokenException": {
    "error": [
      "invalid_token"
    ],
    "error_description": [
      "undefined"
    ]
  }
}

Get Cloudbreak Shell Token from CBD Utils

cbd util token
eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.eyJqdGkiOiIwYWE4NmY2ZjgxMjA0OGVhYWQ5ZDg5NDFkZjllNzU2YSIsInN1YiI6IjIwOTllZGRjLThhMjktNDlhOC1iN2E1LTYzY2RlYTViNTVhZCIsInNjb3BlIjpbImNsb3VkYnJlYWsubmV0d29ya3MucmVhZCIsInBlcmlzY29wZS5jbHVzdGVyIiwiY2xvdWRicmVhay51c2FnZXMudXNlciIsImNsb3VkYnJlYWsucmVjaXBlcyIsImNsb3VkYnJlYWsudXNhZ2VzLmdsb2JhbCIsIm9wZW5pZCIsImNsb3VkYnJlYWsucGxhdGZvcm1zIiwiY2xvdWRicmVhay50ZW1wbGF0ZXMucmVhZCIsImNsb3VkYnJlYWsudXNhZ2VzLmFjY291bnQiLCJjbG91ZGJyZWFrLmV2ZW50cyIsImNsb3VkYnJlYWsuc3RhY2tzLnJlYWQiLCJjbG91ZGJyZWFrLmJsdWVwcmludHMiLCJjbG91ZGJyZWFrLm5ldHdvcmtzIiwiY2xvdWRicmVhay50ZW1wbGF0ZXMiLCJjbG91ZGJyZWFrLnNzc2Rjb25maWdzIiwiY2xvdWRicmVhay5wbGF0Zm9ybXMucmVhZCIsImNsb3VkYnJlYWsuY3JlZGVudGlhbHMucmVhZCIsImNsb3VkYnJlYWsuc2VjdXJpdHlncm91cHMucmVhZCIsImNsb3VkYnJlYWsuc2VjdXJpdHlncm91cHMiLCJjbG91ZGJyZWFrLnN0YWNrcyIsImNsb3VkYnJlYWsuY3JlZGVudGlhbHMiLCJjbG91ZGJyZWFrLnJlY2lwZXMucmVhZCIsImNsb3VkYnJlYWsuc3NzZGNvbmZpZ3MucmVhZCIsImNsb3VkYnJlYWsuYmx1ZXByaW50cy5yZWFkIl0sImNsaWVudF9pZCI6ImNsb3VkYnJlYWtfc2hlbGwiLCJjaWQiOiJjbG91ZGJyZWFrX3NoZWxsIiwiYXpwIjoiY2xvdWRicmVha19zaGVsbCIsInVzZXJfaWQiOiIyMDk5ZWRkYy04YTI5LTQ5YTgtYjdhNS02M2NkZWE1YjU1YWQiLCJvcmlnaW4iOiJ1YWEiLCJ1c2VyX25hbWUiOiJhZG1pbkBleGFtcGxlLmNvbSIsImVtYWlsIjoiYWRtaW5AZXhhbXBsZS5jb20iLCJhdXRoX3RpbWUiOjE1MDk0ODQxNDQsInJldl9zaWciOiJjNjk1OWFhIiwiaWF0IjoxNTA5NDg0MTQ0LCJleHAiOjE1MDk1MjczNDQsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4iLCJ6aWQiOiJ1YWEiLCJhdWQiOlsiY2xvdWRicmVha19zaGVsbCIsImNsb3VkYnJlYWsucmVjaXBlcyIsIm9wZW5pZCIsImNsb3VkYnJlYWsiLCJjbG91ZGJyZWFrLnBsYXRmb3JtcyIsImNsb3VkYnJlYWsuYmx1ZXByaW50cyIsImNsb3VkYnJlYWsudGVtcGxhdGVzIiwiY2xvdWRicmVhay5uZXR3b3JrcyIsInBlcmlzY29wZSIsImNsb3VkYnJlYWsuc3NzZGNvbmZpZ3MiLCJjbG91ZGJyZWFrLnVzYWdlcyIsImNsb3VkYnJlYWsuc2VjdXJpdHlncm91cHMiLCJjbG91ZGJyZWFrLnN0YWNrcyIsImNsb3VkYnJlYWsuY3JlZGVudGlhbHMiXX0.xZgHAOTryXwbJN0DfaH_ISFU0IkLymTqlOmE2LZmKck

Store TOKEN in ENV

export TOKEN=[token from above]

Call to CB API with TOKEN

curl -k -X GET -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" https://***/stacks/13
{
  "InvalidTokenException": {
    "error": [
      "invalid_token"
    ],
    "error_description": [
      "undefined"

This worked fine in CB 1.14.x. Has something changed in terms of how UAA issues tokens or what those tokens have access to?

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Cloudbreak Oauth Token generated but always rejected by Cloudbreak API

Rising Star

Hi @Vadim Vaks

I tested with latest version of Cloudbreak and the "cbd util token" command is still works for me. But if you use the address of the proxy server that provides the SSL then you should use the "/cb" sub-path to send requests to the API and the endpoints could be found under "/api/v1" path like:

curl -k -X GET -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" https://192.168.99.100/cb/api/v1/stacks/user

On the other hand your curl command is not parameterized properly. The URL would look like:

http://192.168.99.100:8089/oauth/authorize?response_type=token&client_id=cloudbreak_shell&scope.0=op...

Br,
Tamas

3 REPLIES 3

Re: Cloudbreak Oauth Token generated but always rejected by Cloudbreak API

Rising Star

Hi @Vadim Vaks

I tested with latest version of Cloudbreak and the "cbd util token" command is still works for me. But if you use the address of the proxy server that provides the SSL then you should use the "/cb" sub-path to send requests to the API and the endpoints could be found under "/api/v1" path like:

curl -k -X GET -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" https://192.168.99.100/cb/api/v1/stacks/user

On the other hand your curl command is not parameterized properly. The URL would look like:

http://192.168.99.100:8089/oauth/authorize?response_type=token&client_id=cloudbreak_shell&scope.0=op...

Br,
Tamas

Re: Cloudbreak Oauth Token generated but always rejected by Cloudbreak API

Guru

@Tamas Bihari

I had /cb/api/v1/stacks/user in my code but was calling /api/v1/stacks/user in my tests. Turns out it helps to call the correct API endpoint :)

The problem turned out to be the Invalid SSL Cert in mentioned above. I built a Spring application on top of Cloudbreak. I have an SSL context that trusts all certificates but was using default hostname verification. The previous instance I referred to had a valid certificate, so everything worked fine. When I installed the fresh instance of Cloudbreak, the generated certificate did not have the correct hostname. When I called the API, application threw Certificate exception but I was catching all Exceptions and handling it as if it was an auth token rejection. Added all trusting HostnameVerifier to resolve the exception.

Thanks for putting a second pair of eyes on this.

BTW...

Implicit grant does not seem to require query parameter to be formatted as client_id=cloudbreak_shell≻ope.0=openid&source=login&redirect_uri=http://cloudbreak.shell

The token obtained using:

curl -iX POST -H "accept: application/x-www-form-urlencoded" -d 'credentials={"username":"admin@example.com","password":"cloudbreak"}' "http://***:8089/oauth/authorize?response_type=token&client_id=cloudbreak_shell"

Seems to be valid.

Re: Cloudbreak Oauth Token generated but always rejected by Cloudbreak API

Rising Star
@Vadim Vaks

You are welcome and thanks for the minimized query parameters.