cf auth no longer works #1210

Closed
jandubois opened this issue Aug 22, 2017 · 12 comments

@jandubois

Command

$ cf version
cf version 6.29.1+d5129d651.2017-08-17

$ cf auth admin changeme
API endpoint: https://api.10.84.93.30.nip.io
Authenticating...
Credentials were rejected, please try again.
FAILED

This used to work with the previous versions of the CLI:

$ ./cf version
cf version 6.29.0+ff886fa93.2017-07-24

$ ./cf auth admin changeme
API endpoint: https://api.10.84.93.30.nip.io
Authenticating...
OK
Use 'cf target' to view or set your target org and space.

cf login still works:

$ cf login -u admin -p changeme
API endpoint: https://api.10.84.93.30.nip.io
Authenticating...
OK

Select an org (or press enter to skip):
1. suse
2. system

Org> ^C

CLI Version

$ cf version
cf version 6.29.1+d5129d651.2017-08-17

CC API Endpoint Version

$ cf api
api endpoint:   https://api.10.84.93.30.nip.io
api version:    2.84.0

CF Trace

$ cf -v auth admin changeme
REQUEST: [2017-08-21T17:01:45-07:00]
GET /v2/info HTTP/1.1
Host: api.10.84.93.30.nip.io
Accept: application/json
User-Agent: cf/6.29.1+d5129d651.2017-08-17 (go1.8.3; amd64 darwin)

RESPONSE: [2017-08-21T17:01:46-07:00]
HTTP/1.1 200 OK
Content-Length: 608
Content-Type: application/json;charset=utf-8
Date: Tue, 22 Aug 2017 00:01:46 GMT
Server: nginx
X-Content-Type-Options: nosniff
X-Vcap-Request-Id: 3834842f-1d11-405d-65f5-d9c836b9964c
X-Vcap-Request-Id: ae13eed1-b2c1-4de0-6bc3-518c86110e40::5977433e-ed39-44cc-bcc1-1750bfdd97f4
{
  "api_version": "2.84.0",
  "app_ssh_endpoint": "ssh.10.84.93.30.nip.io:2222",
  "app_ssh_host_key_fingerprint": "cd:04:0d:b9:3d:aa:33:f6:6f:51:d0:13:61:cc:ab:f9",
  "app_ssh_oauth_client": "ssh-proxy",
  "authorization_endpoint": "https://scf.uaa.10.84.93.30.nip.io:2793",
  "build": "2.0.2",
  "description": "SUSE Cloud Foundry",
  "doppler_logging_endpoint": "wss://doppler.10.84.93.30.nip.io:4443",
  "min_cli_version": null,
  "min_recommended_cli_version": null,
  "name": "SCF",
  "routing_endpoint": "https://api.10.84.93.30.nip.io/routing",
  "support": "support@example.com",
  "token_endpoint": "https://scf.uaa.10.84.93.30.nip.io:2793",
  "version": 2
}


REQUEST: [2017-08-21T17:01:46-07:00]
GET /login HTTP/1.1
Host: scf.uaa.10.84.93.30.nip.io:2793
Accept: application/json
Connection: close
User-Agent: cf/6.29.1+d5129d651.2017-08-17 (go1.8.3; amd64 darwin)

RESPONSE: [2017-08-21T17:01:48-07:00]
HTTP/1.1 200 OK
Cache-Control: no-store
Content-Language: en-US
Content-Type: application/json;charset=UTF-8
Date: Tue, 22 Aug 2017 00:01:48 GMT
Server: Apache-Coyote/1.1
Set-Cookie: X-Uaa-Csrf=L1NQu5AwrLC2fje2KKY4Eb; Expires=Thu, 21-Sep-2017 00:01:48 GMT; Secure; HttpOnly
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block
{
  "app": {
    "version": "3.14.0"
  },
  "commit_id": "git-metadata-not-found",
  "entityID": "scf.login.10.84.93.30.nip.io:2793",
  "idpDefinitions": {},
  "links": {
    "login": "https://login.10.84.93.30.nip.io:2793",
    "passwd": "/forgot_password",
    "register": "/create_account",
    "uaa": "https://scf.uaa.10.84.93.30.nip.io:2793"
  },
  "prompts": {
    "password": [
      "password",
      "Password"
    ],
    "username": [
      "text",
      "Email"
    ]
  },
  "timestamp": "2017-08-17T19:18:22+0000",
  "zone_name": "scf"
}


API endpoint: https://api.10.84.93.30.nip.io
Authenticating...
REQUEST: [2017-08-21T17:01:48-07:00]
POST /oauth/token HTTP/1.1
Host: login.10.84.93.30.nip.io:2793
Accept: application/json
Authorization: [PRIVATE DATA HIDDEN]
Connection: close
Content-Type: application/x-www-form-urlencoded
User-Agent: cf/6.29.1+d5129d651.2017-08-17 (go1.8.3; amd64 darwin)
[PRIVATE DATA HIDDEN]

RESPONSE: [2017-08-21T17:01:49-07:00]
HTTP/1.1 401 Unauthorized
Cache-Control: no-store
Content-Type: application/json;charset=UTF-8
Date: Tue, 22 Aug 2017 00:01:49 GMT
Pragma: no-cache
Server: Apache-Coyote/1.1
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
Www-Authenticate: Basic realm="UAA/client", error="unauthorized", error_description="Bad credentials"
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block
{
  "error": "unauthorized",
  "error_description": "Bad credentials"
}


Credentials were rejected, please try again.
FAILED

Platform & Shell Details

macOS 10.12.6 using iTerm, but I doubt it makes a difference...

Any other relevant information

@cf-gitbot

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/150426426

The labels on this github issue will be updated when the story is started.

@n4wei
Contributor

n4wei commented Aug 22, 2017

@jandubois this could be because your password contains special characters that are evaluated by your shell during the cf auth non-interactive flow. Do you still encounter this error with single quotes around the password string?

@jandubois
Author

@nickwei84 This was just a test setup, with the password literally being changeme. Those are all lowercase alpha characters that have no meta functionality in the shell.

I don't have easy access to that cluster right now, but I think it is still running. I could try this later tonight, but I don't see how adding quotes around changeme could make any difference.

@n4wei
Contributor

n4wei commented Aug 22, 2017

@jandubois I'll look more into the error.

@jandubois
Author

I found a different VPN route to the cluster, so I can also give you a CF_TRACE with the working 6.29.0 version for comparison:

$ ./cf -v auth admin changeme
REQUEST: [2017-08-22T14:23:55-07:00]
GET /v2/info HTTP/1.1
Host: api.10.84.93.30.nip.io
Accept: application/json
User-Agent: cf/6.29.0+ff886fa93.2017-07-24 (go1.8.3; amd64 darwin)

RESPONSE: [2017-08-22T14:23:56-07:00]
HTTP/1.1 200 OK
Content-Length: 608
Content-Type: application/json;charset=utf-8
Date: Tue, 22 Aug 2017 21:23:56 GMT
Server: nginx
X-Content-Type-Options: nosniff
X-Vcap-Request-Id: 182a50ba-9150-424e-521d-6e401987e79f
X-Vcap-Request-Id: 358c4e5b-f635-414a-6b77-cb7bb7893a13::39c891a6-1cc7-4cd8-aeb9-c6710eb5656b
{
  "api_version": "2.84.0",
  "app_ssh_endpoint": "ssh.10.84.93.30.nip.io:2222",
  "app_ssh_host_key_fingerprint": "cd:04:0d:b9:3d:aa:33:f6:6f:51:d0:13:61:cc:ab:f9",
  "app_ssh_oauth_client": "ssh-proxy",
  "authorization_endpoint": "https://scf.uaa.10.84.93.30.nip.io:2793",
  "build": "2.0.2",
  "description": "SUSE Cloud Foundry",
  "doppler_logging_endpoint": "wss://doppler.10.84.93.30.nip.io:4443",
  "min_cli_version": null,
  "min_recommended_cli_version": null,
  "name": "SCF",
  "routing_endpoint": "https://api.10.84.93.30.nip.io/routing",
  "support": "support@example.com",
  "token_endpoint": "https://scf.uaa.10.84.93.30.nip.io:2793",
  "version": 2
}


API endpoint: https://api.10.84.93.30.nip.io
Authenticating...
REQUEST: [2017-08-22T14:23:56-07:00]
POST /oauth/token HTTP/1.1
Host: scf.uaa.10.84.93.30.nip.io:2793
Accept: application/json
Authorization: [PRIVATE DATA HIDDEN]
Connection: close
Content-Type: application/x-www-form-urlencoded
User-Agent: cf/6.29.0+ff886fa93.2017-07-24 (go1.8.3; amd64 darwin)
[PRIVATE DATA HIDDEN]

RESPONSE: [2017-08-22T14:23:58-07:00]
HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: application/json;charset=UTF-8
Date: Tue, 22 Aug 2017 21:23:58 GMT
Pragma: no-cache
Server: Apache-Coyote/1.1
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block
{
  "access_token": "[PRIVATE DATA HIDDEN]",
  "expires_in": 599,
  "jti": "367fb21f363c4495bc34f1c2db68afd2",
  "refresh_token": "[PRIVATE DATA HIDDEN]",
  "scope": "openid scim.read cloud_controller.admin uaa.user routing.router_groups.read cloud_controller.read password.write cloud_controller.write doppler.firehose scim.write",
  "token_type": "[PRIVATE DATA HIDDEN]"
}


OK
Use 'cf target' to view or set your target org and space.

@jandubois
Author

Comparing the 2 traces I see that the latest (failing) version does:

  1. Adds an additional /login call and then
  2. Calls /oauth/token on the login URL instead of using the UAA URL:

$ ./cf -v auth admin changeme | grep -A 2 REQ
REQUEST: [2017-08-22T14:30:47-07:00]
GET /v2/info HTTP/1.1
Host: api.10.84.93.30.nip.io
--
REQUEST: [2017-08-22T14:30:48-07:00]
POST /oauth/token HTTP/1.1
Host: scf.uaa.10.84.93.30.nip.io:2793

$ cf -v auth admin changeme | grep -A 2 REQ
REQUEST: [2017-08-22T14:30:53-07:00]
GET /v2/info HTTP/1.1
Host: api.10.84.93.30.nip.io
--
REQUEST: [2017-08-22T14:30:55-07:00]
GET /login HTTP/1.1
Host: scf.uaa.10.84.93.30.nip.io:2793
--
REQUEST: [2017-08-22T14:30:56-07:00]
POST /oauth/token HTTP/1.1
Host: login.10.84.93.30.nip.io:2793
Credentials were rejected, please try again.

@jandubois
Author

And here for another comparison, the trace from using cf login, which is still working in 6.29.1.

And the difference is indeed that cf login sends the /oauth/token request to the UAA URL and not the login one, just like the cf auth command in 6.29.0:

$ cf -v login -u admin -p changeme | grep -A 2 REQ
REQUEST: [2017-08-22T14:39:59-07:00]
GET /v2/info HTTP/1.1
Host: api.10.84.93.30.nip.io
--
REQUEST: [2017-08-22T14:40:00-07:00]
GET /login HTTP/1.1
Host: scf.uaa.10.84.93.30.nip.io:2793
--
REQUEST: [2017-08-22T14:40:01-07:00]
POST /oauth/token HTTP/1.1
Host: scf.uaa.10.84.93.30.nip.io:2793
--
REQUEST: [2017-08-22T14:40:04-07:00]
GET /v2/organizations?order-by=name HTTP/1.1
Host: api.10.84.93.30.nip.io
...
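
The comparison made by hand in the comments above can be automated. The following is an added example, not part of the original thread or the cf CLI code base: it parses `cf -v` trace text and reports any `/oauth/token` request whose `Host` differs from the `token_endpoint` advertised by `/v2/info`, which is the host the credentials are expected to go to. The function names and the shortened sample trace are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a shortened `cf -v auth` trace in the shape shown in this
# issue (6.29.1 behaviour). Headers are trimmed; hosts are those from the thread.
SAMPLE_TRACE = """\
REQUEST: [2017-08-22T14:30:53-07:00]
GET /v2/info HTTP/1.1
Host: api.10.84.93.30.nip.io

RESPONSE: [2017-08-22T14:30:54-07:00]
HTTP/1.1 200 OK
{
  "token_endpoint": "https://scf.uaa.10.84.93.30.nip.io:2793"
}

REQUEST: [2017-08-22T14:30:56-07:00]
POST /oauth/token HTTP/1.1
Host: login.10.84.93.30.nip.io:2793
"""

# A REQUEST marker, then the request line, then the Host header on the next line.
REQ_RE = re.compile(r"^REQUEST: \[[^\]]*\]\n(\w+) (\S+) HTTP/[\d.]+\nHost: (\S+)", re.M)
TOKEN_EP_RE = re.compile(r'"token_endpoint":\s*"([^"]+)"')

def requests_in(trace):
    """Return (method, path, host) for every REQUEST block in the trace."""
    return REQ_RE.findall(trace)

def advertised_token_host(trace):
    """Return host[:port] of the token_endpoint from the /v2/info response."""
    m = TOKEN_EP_RE.search(trace)
    if not m:
        raise ValueError("trace contains no token_endpoint to compare against")
    return urlsplit(m.group(1)).netloc

def misdirected_token_requests(trace):
    """List /oauth/token requests sent to a host other than the advertised one."""
    expected = advertised_token_host(trace)
    return [(method, path, host) for method, path, host in requests_in(trace)
            if path.split("?")[0] == "/oauth/token" and host != expected]

if __name__ == "__main__":
    for method, path, host in misdirected_token_requests(SAMPLE_TRACE):
        print(f"{method} {path} went to {host}, "
              f"expected {advertised_token_host(SAMPLE_TRACE)}")
```
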

@n4wei
Contributor

n4wei commented Aug 22, 2017

@jandubois we may have found the cause of the bug. Thanks for all the trace output. It was very helpful. We're working on a fix now.

@dkoper

dkoper commented Aug 24, 2017

@jandubois Can you try our edge release to see if our fix is working for you?
https://github.com/cloudfoundry/cli#edge-binaries

Thanks!

@dkoper dkoper added the bug label Aug 24, 2017
@jandubois
Author

@dkoper I've confirmed that the issue is fixed in the latest edge-binary:

$ ./cf -v auth admin changeme
REQUEST: [2017-08-24T15:29:28-07:00]
GET /v2/info HTTP/1.1
Host: api.10.84.93.30.nip.io
Accept: application/json
User-Agent: cf/6.29.2+3e2a6376f.2017-08-24 (go1.8.3; amd64 darwin)

RESPONSE: [2017-08-24T15:29:29-07:00]
HTTP/1.1 200 OK
Content-Length: 608
Content-Type: application/json;charset=utf-8
Date: Thu, 24 Aug 2017 22:29:29 GMT
Server: nginx
X-Content-Type-Options: nosniff
X-Vcap-Request-Id: b384afff-eb3c-491a-7df0-9d682c55a386
X-Vcap-Request-Id: 3c80fb2e-a61b-4e0d-62d2-8cab838817ae::62f37543-eef0-4ae4-8937-8211427b3bf3
{
  "api_version": "2.84.0",
  "app_ssh_endpoint": "ssh.10.84.93.30.nip.io:2222",
  "app_ssh_host_key_fingerprint": "cd:04:0d:b9:3d:aa:33:f6:6f:51:d0:13:61:cc:ab:f9",
  "app_ssh_oauth_client": "ssh-proxy",
  "authorization_endpoint": "https://scf.uaa.10.84.93.30.nip.io:2793",
  "build": "2.0.2",
  "description": "SUSE Cloud Foundry",
  "doppler_logging_endpoint": "wss://doppler.10.84.93.30.nip.io:4443",
  "min_cli_version": null,
  "min_recommended_cli_version": null,
  "name": "SCF",
  "routing_endpoint": "https://api.10.84.93.30.nip.io/routing",
  "support": "support@example.com",
  "token_endpoint": "https://scf.uaa.10.84.93.30.nip.io:2793",
  "version": 2
}


REQUEST: [2017-08-24T15:29:29-07:00]
GET /login HTTP/1.1
Host: scf.uaa.10.84.93.30.nip.io:2793
Accept: application/json
Connection: close
User-Agent: cf/6.29.2+3e2a6376f.2017-08-24 (go1.8.3; amd64 darwin)

RESPONSE: [2017-08-24T15:29:30-07:00]
HTTP/1.1 200 OK
Cache-Control: no-store
Content-Language: en-US
Content-Type: application/json;charset=UTF-8
Date: Thu, 24 Aug 2017 22:29:30 GMT
Server: Apache-Coyote/1.1
Set-Cookie: X-Uaa-Csrf=So4BI46jra9h4mxrgcC7cx; Expires=Sat, 23-Sep-2017 22:29:30 GMT; Secure; HttpOnly
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block
{
  "app": {
    "version": "3.14.0"
  },
  "commit_id": "git-metadata-not-found",
  "entityID": "scf.login.10.84.93.30.nip.io:2793",
  "idpDefinitions": {},
  "links": {
    "login": "https://login.10.84.93.30.nip.io:2793",
    "passwd": "/forgot_password",
    "register": "/create_account",
    "uaa": "https://scf.uaa.10.84.93.30.nip.io:2793"
  },
  "prompts": {
    "password": [
      "password",
      "Password"
    ],
    "username": [
      "text",
      "Email"
    ]
  },
  "timestamp": "2017-08-17T19:18:22+0000",
  "zone_name": "scf"
}


API endpoint: https://api.10.84.93.30.nip.io
Authenticating...
REQUEST: [2017-08-24T15:29:30-07:00]
POST /oauth/token HTTP/1.1
Host: scf.uaa.10.84.93.30.nip.io:2793
Accept: application/json
Authorization: [PRIVATE DATA HIDDEN]
Connection: close
Content-Type: application/x-www-form-urlencoded
User-Agent: cf/6.29.2+3e2a6376f.2017-08-24 (go1.8.3; amd64 darwin)
[PRIVATE DATA HIDDEN]

RESPONSE: [2017-08-24T15:29:32-07:00]
HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: application/json;charset=UTF-8
Date: Thu, 24 Aug 2017 22:29:32 GMT
Pragma: no-cache
Server: Apache-Coyote/1.1
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block
{
  "access_token": "[PRIVATE DATA HIDDEN]",
  "expires_in": 599,
  "jti": "edf82dce14a848a0be2a583dc9982c8a",
  "refresh_token": "[PRIVATE DATA HIDDEN]",
  "scope": "openid scim.read cloud_controller.admin uaa.user routing.router_groups.read cloud_controller.read password.write cloud_controller.write doppler.firehose scim.write",
  "token_type": "[PRIVATE DATA HIDDEN]"
}


OK
Use 'cf target' to view or set your target org and space.

Thanks!

@n4wei
Contributor

n4wei commented Aug 25, 2017

👍

@dkoper

dkoper commented Sep 3, 2017

Fix was incorporated in our 6.29.2 release last week.

@dkoper dkoper closed this as completed Sep 3, 2017
@cf-gitbot cf-gitbot removed the accepted label Sep 3, 2017