go-uaa uses oauth2 from standard go and this encodes authorization header according to standard
RFC, see
https://github.com/golang/oauth2/blob/master/internal/token.go#L195

However UAA as backend server does not handle this encoding, see existing issue on
cloudfoundry/uaa#778

I would like to have a direction for a fix, means, use non RFC complient encoding in go-uaa (uaa-cli) or fix UAA .
Problem now it, that uaa-cli (client) and uaa (server) are not working together if special characters in secret

e.g.
client_id: admin
client_secret: admin#secret

According to the docs, updating a user requires the 'If-Match' Header. But according to the current implementation, this header is not being added and therefore update user is failing.

{"error_description":"Missing If-Match for PUT","error":"scim","message":"Missing If-Match for PUT"}

Solution would be to add this header for the put calls for users and groups

https://github.com/cloudfoundry-community/go-uaa/releases/tag/v0.0.8 - Config + friends were removed.

These were used by https://github.com/cloudfoundry-incubator/uaa-cli/blob/master/config/config.go when you refactored go-uaa into uaa-cli; but now they are gone. How do you want uaa-cli to be refactored towards new API in go-uaa?

Perhaps can you help bring uaa-cli up to date and keep it in sync as a testbed for this library?

The example in the README doesn't compile, as the uaa.New signature is incorrect.

Consider https://github.com/cloudfoundry-community/go-uaa/blob/377005ac1e67d387c4e4ba66000fd3f2f35bda8b/api.go#L145-L148

The AuthenticatedClient object is built with client := &http.Client{Transport: http.DefaultTransport}, and so does not allow an opportunity for the caller of NewWithPasswordCredentials to setup an alternate client (say with custom root CAs).

Perhaps AuthenticatedClient and UnauthenticatedClient() should be functions that are built as needed using ContextClient()?

For similar reasons, perhaps we do away with API.SkipSSLValidation and instead encourage construction of explicit clients? e.g.:

tr := &http.Transport{
	TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
}
api.UnauthenticatedClient = &http.Client{Transport: tr}
me, err := api.GetMe()

Or

rootCAs, _ := x509.SystemCertPool()
if rootCAs == nil {
	rootCAs = x509.NewCertPool()
}
rootCAs.AppendCertsFromPEM([]byte(opts.UAACACert))
tr := &http.Transport{
	TLSClientConfig: &tls.Config{
		RootCAs: rootCAs,
	},
}
api.UnauthenticatedClient = &http.Client{Transport: tr}

Hi go-uaa team, it will be nice to have the functionality to
(1) update password of a user as per:
https://github.com/18F/cg-uaa/blob/master/docs/UAA-APIs.rst#change-password-put-usersidpassword

(2) Password Reset and Password Change as per:
https://github.com/18F/cg-uaa/blob/master/docs/UAA-APIs.rst#reset-password-flow
https://github.com/18F/cg-uaa/blob/master/docs/UAA-APIs.rst#post-password_change

See cloudfoundry/uaa-cli#62

Assuming this should be implemented it seems like go-uaa's curl function should support external hosts versus duplicating a bunch of the transport logic in the CLI.

This Curl function could be backwards compatible based off if the passed in url contains a host.

Tracking issue - PR incoming.

API.Curl uses the AuthenticatedClient directly and is missing a call to ensureTransport, so it is not possible to curl a UAA with a self signed certificate.

Checkmarx Security scan has caught a high priority security vulnerability in uaa_transport.go

From the report:
The application's func embeds untrusted data in the generated output with Printf, at line 42 of
server/uaa/uaa_transport.go. This untrusted data is embedded straight into the output without proper sanitization or
encoding, enabling an attacker to inject malicious code into the output.
The attacker would be able to alter the output data by simply sending modified values in the user input Header, which is
read by the func method at line 15 of server/uaa/uaa_transport.go. This input then flows through the code, and written to
the console or STDOUT, without sanitization. In some scenarios, this output will also be sent back to the user's browser.
This can enable a Reflected Cross-Site Scripting (XSS) attack if the code's console output is used by the application as
part of a web-page, as often occurs with CGI scripts.

What is the proper way to sanitize this logging printf?

Hello,
When I try to create a client with "authorized_grant_types":["implicit"] the command fails, but if I change the authorized_grant_types to be client_credentials the command is successful. If I create the client with client_credentials and then replace the value with implicit - everything is ok. Can someone please help fixing this? We are using the latest version of the go-uaa client

I am using go-uaa module to make uaa calls, but the calls like
GetClient, GetUser, CreateClient gives out generic error message "return errors.Errorf("An error occurred while calling %s", url)". This message is not enough to write code to react to it.
For example in my code to delete a "client" I want to inform the user that the "client" you are trying to delete does not exist, and not error out :).
But this is not possible if I do not know what is the returned response from UAA which is hidden by UAA Client in not so nice way.

Hi,

Is it possible to release new version of go-uaa. When we vendor this package only latest release version is getting pulled. We would like some latest changes since the last release.

If my CLI captures the username/password from a user, and then use uaa.NewWithPasswordCredentials(..) to construct my uaa.API, how do I get the AccessToken/RefreshToken/TokenType from uaa.API so I can store it locally for later use (subsequent CLI commands) without needing to cache the username/password?

Hello, do we have a plan to add apis to support external group mapping so we can give a ldap group a scope? Thanks.