'cf oauth' authentication fails

[boyang9527]

Command

cf auth

What occurred

fails to authenticate non-uaa user since it is using token endpoint instead of authorization endpoint starting from v6.27

What you expected to occur

continue to use authorization endpoint

CLI Version

starting from 6.27

CF Trace

cf cli 6.29.0

REQUEST: [2017-07-31T15:46:17-07:00]
GET /v2/info HTTP/1.1
Host: api.ng.bluemix.net
Accept: application/json
User-Agent: cf/6.29.0+ff886fa93.2017-07-24 (go1.8.3; amd64 darwin)

RESPONSE: [2017-07-31T15:46:18-07:00]
HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Type: application/json;charset=utf-8
Date: Mon, 31 Jul 2017 22:46:18 GMT
Server: nginx
X-Backside-Transport: OK OK
X-Content-Type-Options: nosniff
X-Global-Transaction-Id: 1169965387
{
  "api_version": "2.75.0",
  "app_ssh_endpoint": "ssh.ng.bluemix.net:2222",
  "app_ssh_host_key_fingerprint": "c7:1f:89:2a:62:3b:78:a9:08:c9:33:81:fb:39:26:da",
  "app_ssh_oauth_client": "ssh-proxy",
  "authorization_endpoint": "https://login.ng.bluemix.net/UAALoginServerWAR",
  "build": "253027",
  "description": "IBM Bluemix",
  "doppler_logging_endpoint": "wss://doppler.ng.bluemix.net:443",
  "logging_endpoint": "wss://loggregator.ng.bluemix.net:443",
  "min_cli_version": null,
  "min_recommended_cli_version": null,
  "name": "Bluemix",
  "support": "http://ibm.biz/bluemix-supportinfo",
  "token_endpoint": "https://uaa.ng.bluemix.net",
  "version": 0
}


API endpoint: https://api.ng.bluemix.net
Authenticating...
REQUEST: [2017-07-31T15:46:18-07:00]
POST /oauth/token HTTP/1.1
Host: uaa.ng.bluemix.net
Accept: application/json
Authorization: [PRIVATE DATA HIDDEN]
Connection: close
Content-Type: application/x-www-form-urlencoded
User-Agent: cf/6.29.0+ff886fa93.2017-07-24 (go1.8.3; amd64 darwin)
[PRIVATE DATA HIDDEN]

RESPONSE: [2017-07-31T15:46:19-07:00]
HTTP/1.1 401 Unauthorized
Cache-Control: max-age=0, no-cache, no-store
Content-Type: application/json;charset=UTF-8
Date: Mon, 31 Jul 2017 22:46:19 GMT
Expires: Mon, 31 Jul 2017 22:46:19 GMT
Pragma: no-cache
Server: Apache-Coyote/1.1
Www-Authenticate: Basic realm="UAA/client", error="unauthorized", error_description="Bad credentials"
X-Backside-Transport: FAIL FAIL
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Global-Transaction-Id: 1581320545
X-Xss-Protection: 1; mode=block
{
  "error": "unauthorized",
  "error_description": "Bad credentials"
}


Credentials were rejected, please try again.
FAILED

[cf-gitbot]

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/149828022

The labels on this github issue will be updated when the story is started.

[boyang9527]

cf cli 6.26.0

REQUEST: [2017-07-31T16:33:03-07:00]
GET /UAALoginServerWAR/login HTTP/1.1
Host: login.ng.bluemix.net
Accept: application/json
Connection: close
Content-Type: application/json
User-Agent: go-cli 6.26.0+9c9a261fd.2017-04-06 / darwin



RESPONSE: [2017-07-31T16:33:04-07:00]
HTTP/1.1 200 OK
Connection: close
Content-Length: 588
Cache-Control: max-age=0, no-cache, no-store
Content-Language: en-US
Content-Security-Policy: default-src 'self' www.ibm.com 'unsafe-inline';
Content-Type: application/json;charset=UTF-8
Date: Mon, 31 Jul 2017 23:33:04 GMT
Expires: Mon, 31 Jul 2017 23:33:04 GMT
Pragma: no-cache
Server: Apache-Coyote/1.1
Set-Cookie: X-Uaa-Csrf=Kq0fcFwf3vL84OrX9XB2uL; Expires=Wed, 30-Aug-2017 23:33:04 GMT; HttpOnly
Strict-Transport-Security: max-age=31536000
X-Backside-Transport: OK OK,OK OK
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Global-Transaction-Id: 539461471
X-Powered-By: Servlet/3.1
X-Xss-Protection: 1; mode=block

{"app":{"version":"3.12.0"},"links":{"uaa":"https://uaa.ng.bluemix.net","passwd":"/forgot_password","login":"https://login.ng.bluemix.net/UAALoginServerWAR","passcode":"https://login.ng.bluemix.net/UAALoginServerWAR/passcode","register":"/create_account"},"zone_name":"uaa","entityID":"login.ng.bluemix.net","commit_id":"git-metadata-not-found","idpDefinitions":{},"prompts":{"password":["password","Password"],"passcode":["password","One Time Code (Get one at https://login.ng.bluemix.net/UAALoginServerWAR/passcode)"],"username":["text","Email"]},"timestamp":"2017-06-06T16:04:21+0000"}
API endpoint: https://api.ng.bluemix.net
Authenticating...

REQUEST: [2017-07-31T16:33:04-07:00]
POST /UAALoginServerWAR/oauth/token HTTP/1.1
Host: login.ng.bluemix.net
Accept: application/json
Authorization: [PRIVATE DATA HIDDEN]
Connection: close
Content-Type: application/x-www-form-urlencoded
User-Agent: go-cli 6.26.0+9c9a261fd.2017-04-06 / darwin

grant_type=password&password=[PRIVATE DATA HIDDEN]&scope=&username=xxxxxxxx

RESPONSE: [2017-07-31T16:33:06-07:00]
HTTP/1.1 200 OK
Connection: close
Content-Length: 1831
Cache-Control: max-age=0, no-cache, no-store
Content-Language: en-US
Content-Security-Policy: default-src 'self' www.ibm.com 'unsafe-inline';
Content-Type: application/json;charset=UTF-8
Date: Mon, 31 Jul 2017 23:33:06 GMT
Expires: Mon, 31 Jul 2017 23:33:06 GMT
Pragma: no-cache
Server: Apache-Coyote/1.1
Strict-Transport-Security: max-age=2592000 ; includeSubDomains
X-Backside-Transport: OK OK,OK OK
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Global-Transaction-Id: 3371730649
X-Powered-By: Servlet/3.1
X-Xss-Protection: 1; mode=block

{"access_token":"[PRIVATE DATA HIDDEN]","token_type":"[PRIVATE DATA HIDDEN]","refresh_token":"[PRIVATE DATA HIDDEN]","expires_in":1209599,"scope":"openid uaa.user cloud_controller.read password.write cloud_controller.write","jti":"e02b6cc07c2046e38be5ffdc16435c4e"}
OK
Use 'cf target' to view or set your target org and space

[dkoper]

We have fixed this in cf CLI 6.29.1. Thanks again for the report.
https://github.com/cloudfoundry/cli#downloads

Cheers,
Dies Koper
CF CLI PM