I have created an Asset service instance and bound the application to it. When I open the application in the browser it shows the "Hello world" text, but what I want is this: if I type the application URI or the UAA URI it should go to the login screen, and only after the correct login credentials are entered should it go to my application page.
Can you help me with the steps or docs for this?
The real problem I am facing is this: when I enter the UAA URL of my hello world application https://9a3a0e39-9c0c-417d-a7ee-0b649b2f4a8f.predix-uaa.run.aws-usw02-pr.ice.predix.io/login it goes to the login screen, but when I enter the credentials (gautham/guna) it does not go to my app home screen. Instead it shows the error "You should not see this page. Set up your redirect URI."
After successful login it should go to the http://hello-world-jai.run.aws-usw02-pr.ice.predix.io/ app screen. Kindly provide a solution for this issue.
Answer by Greg Stroup · Mar 21, 2016 at 10:24 AM
Looks like you need to pass in the redirect_uri as a query string parameter to the UAA login page.
Here's an example from the RMD Reference app:
Answer by Om Soni · Mar 19, 2016 at 08:08 AM
Also, I followed the directions here: https://www.predix.io/docs/?r=620185#uAyBrT9y
Following "Creating an OAuth2 Client with Local UAA Identity Provider". When I hit the UAA URL and log in, it won't redirect and gives me the same message:
"You should not see this page. Set up your redirect URI."
Below are setup commands I executed:
C:\Users\cf-uaac\bin>uaac client add traj_client_id --authorities "uaa.resource" --scope "openid" --autoapprove "openid" --authorized_grant_types "authorization_code password client_credentials refresh_token" --redirect_uri http://<>.run.aws-usw02-pr.ice.predix.io/
New client secret:
Verify new client secret:
  scope: openid
  client_id: traj_client_id
  resource_ids: none
  authorized_grant_types: authorization_code client_credentials password refresh_token
  redirect_uri: http://<>.run.aws-usw02-pr.ice.predix.io/
  autoapprove: openid
  action: none
  authorities: uaa.resource
  name: traj_client_id
  lastmodified: 1458354193928
  id: traj_client_id

C:\Users\cf-uaac\bin>uaac user add traj_user --emails trajectory_support@ge.com --password <>
user account successfully added
Answer by postQuantum · Mar 18, 2016 at 09:09 PM
This is a point of confusion where the Predix docs could probably have done a better job.
See the following points.
1. Predix UAA is not an entry point for your application.
2. In order to access your application you need an OAuth client with an Identity provider.
3. By default you have an admin client which uses a Local Auth provider. It should be used to create another OAuth client. The admin client is useless for your application; it has to be used to do admin operations, like creating an application client for your application with limited access. Ref: Creating an OAuth2 Client with Local UAA Identity Provider. The command line is the fastest way to do this, but if you want you can use the predix starter kit.
4. After you have created the application-specific client you can move on to creating users.
5. This is probably the most important point. A single client can have multiple redirect_uris. A redirect URI registration just specifies the valid redirections from your UAA, so that it doesn't redirect to any other web page like google.com.
6. In order to use your UAA you would have to create a hyperlink on your home page like Login: href="[uaa_instance_url]/oauth/authorize?client_id=[my_client]&response_type=code&redirect_uri=[app_home_page]"
7. This will redirect the user to the UAA page, where UAA will generate a form with the parameters that you have provided in the hyperlink. The default UAA /login form doesn't have these parameters; that is why you see the UAA error page.
8. This is all that you have to do; after logging in from here the user should be redirected to the link that you have provided.
9. On your landing page (redirection URI) your application controller would have to validate the token provided by UAA during redirection in the Authorization header. If the token is valid then you can go ahead and create a session for the user and store the token if you want to make some UAA service calls or need to use some other resource protected by the same UAA service. If the token is invalid then you can again redirect the user to the login URL in point 6.
Note: This redirect link must be registered with the OAuth client that you created first, otherwise you'll get an error. Also make sure to create the client with only the limited privileges it would actually need, as chances are it's going to be exposed in the client-side code.
If you would like to look at a code sample then here's a full-fledged Node.js app using UAA.
Answer by Greg Stroup · Mar 18, 2016 at 01:55 PM
Are you building a UI application with Java in a WAR file? We usually recommend building the UI application separately from the Java microservice projects. Then the Java services just return a 401 Unauthorized error if the token is invalid. The UI application would intercept that 401 and redirect the user to the login page. Both the Starter Packs in the catalog demonstrate this pattern (RMD Reference app and Predix Seed app). I haven't seen the redirect logic implemented in a Java WAR project, but I'm sure it's possible.
Answer by Om Soni · Mar 18, 2016 at 01:33 PM
I think the documentation is specific to Node.js. Is there any documentation on how we can achieve the same for a WAR?
Thanks, Om
Answer by Greg Stroup · Mar 18, 2016 at 09:58 AM
You have two options.
1. You can pass in the redirect URL from your application to UAA; then UAA will send the user back to that URL after authentication.
2. You can configure a redirect URL on your UAA client. Then all requests to authenticate with that client will be redirected to the same URL.
The first option is recommended. See these tutorials for more info and sample code: Build a Basic Application