How to Change a Client Secret as a User in Pivotal Cloud Foundry
Article ID: 297585

Products

VMware Tanzu Application Service for VMs

Issue/Introduction

This article describes how to change a UAA client secret in PCF (VMware Tanzu Application Service for VMs) when you can only authenticate as a user with administrative scopes, not as an administrative client.

 


Environment


Cause

UAA only allows a client secret to be changed by a client, that is, with a token obtained via the client_credentials grant; a user token is refused even when the user holds uaa.admin. Typically this is done with the admin client account, or another client with administrative authorities such as clients.write or clients.secret.

These steps are for the case where policy prevents you from using the administrative clients and you only have user accounts with administrative scopes. They also assume that you know the current secret of the client whose secret you want to change: the target client is temporarily given the client_credentials grant type and the clients.secret authority so that it can change its own secret, and both are removed again afterwards.

When you run uaac secret set as a user with the uaa.admin scope, the request is rejected with this error:

error response:

{
  "error": "invalid_client",
  "error_description": "Only a client can change client secret"
}


Resolution

Use the following steps to change the client secret:

1. As a user with uaa.admin, zone.uaa.admin, or clients.write, use UAAC to add the client_credentials grant type and the clients.secret authority to the target client. Replace MY_TARGET_CLIENT, EXISTING_PERMISSIONS and EXISTING_GRANT_TYPES with the values already configured for your client (uaac client get MY_TARGET_CLIENT shows them). The update replaces the lists rather than appending to them, so anything you leave out is dropped from the client.

$ uaac client update MY_TARGET_CLIENT --authorities clients.secret,EXISTING_PERMISSIONS \
    --authorized_grant_types client_credentials,EXISTING_GRANT_TYPES

You should see the following updates as part of the message returned:

client_id: MY_TARGET_CLIENT
authorized_grant_types: client_credentials EXISTING_GRANT_TYPES
authorities: clients.secret EXISTING_PERMISSIONS

2. Using the client_credentials grant, get a token for the client whose secret you want to change. The secret passed here is the current one (uaac prompts for it if you omit -s):

$ uaac token client get MY_TARGET_CLIENT -s <CURRENT_CLIENT_SECRET>

Successfully fetched token via client credentials grant.
Target: https://uaa.example.com
Context: MY_TARGET_CLIENT, from client MY_TARGET_CLIENT

3. Check that the token you now hold as the target client actually carries clients.secret (the uaac context is now the client, not your user):

$ uaac context

 [14]*[MY_TARGET_CLIENT]
 client_id: MY_TARGET_CLIENT
 access_token: <token>
 token_type: bearer
 expires_in: 43199
 scope: clients.secret <other permissions>
 jti: 463a94dc72de4b1c890972f9ef5584cb

If clients.secret is missing from scope, step 1 did not take effect; fix the client registration before going on.

4. Change the secret with uaac secret change, which acts on the client in the current uaac context (MY_TARGET_CLIENT) and asks for the current secret as well as the new one:

$ uaac secret change
Current secret: <Enter current secret>
New secret: <Enter new secret>
Verify new secret: <Enter new secret>

If no error message appears, the secret changed successfully. To confirm, fetch a fresh token with the new secret (uaac token client get MY_TARGET_CLIENT -s <NEW_CLIENT_SECRET>); the old secret is no longer accepted.

5. Switch back to your user context (after step 2 the current context is still MY_TARGET_CLIENT; uaac context <your_user> selects your user's saved context again) and, as a user with uaa.admin, zone.uaa.admin, or clients.write, use UAAC to remove the client_credentials grant type and the clients.secret authority from the client. Replace MY_TARGET_CLIENT, EXISTING_PERMISSIONS and EXISTING_GRANT_TYPES with exactly the values the client had before step 1. This cleanup is what stops anyone else who knows the current client secret from obtaining a client token and changing the secret again.

$ uaac client update MY_TARGET_CLIENT --authorities EXISTING_PERMISSIONS \
    --authorized_grant_types EXISTING_GRANT_TYPES

You should see the following updates as part of the message returned:

client_id: MY_TARGET_CLIENT
authorized_grant_types: EXISTING_GRANT_TYPES
authorities: EXISTING_PERMISSIONS
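The five steps above are worth scripting for two reasons: EXISTING_PERMISSIONS and EXISTING_GRANT_TYPES should be read from the client instead of retyped (a typo in step 1 silently drops authorities), and the step 5 cleanup should run even if step 2, 3 or 4 fails. The script below is an added example, not part of the original article or of the uaac tooling. It assumes the "key: value" output format uaac prints for uaac client get and uaac context (lists space-separated, as in the output shown above) and that uaac context <name> switches back to a saved context; the client record in SAMPLE_CLIENT_GET is constructed for illustration, and MY_TARGET_CLIENT and admin_user are placeholders.

```shell
#!/bin/sh
# Added example (not from the article): scripts the article's five steps.
# The helpers parse the "key: value" lines uaac prints (lists are
# space-separated) and build the comma-separated lists `uaac client update`
# takes. Only rotate_client_secret talks to a live UAA.
set -eu

# Print the value of one "key: value" field from uaac output on stdin.
# Usage: uaac client get MY_TARGET_CLIENT | uaac_field authorities
uaac_field() {
  awk -v key="$1" '$1 == (key ":") { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Space-separated list (uaac output) -> comma-separated list (uaac input).
to_csv() {
  printf '%s' "$1" | tr -s ' ' ','
}

# Prepend the comma-separated items in $1 to the space-separated list in $2,
# skipping items already present, and print the comma-separated result.
#   list_add clients.secret "cloud_controller.read" -> clients.secret,cloud_controller.read
list_add() {
  result=""
  for item in $(printf '%s' "$1" | tr ',' ' ') $2; do   # word splitting intended
    case ",$result," in
      *",$item,"*) ;;                                    # already there, keep once
      *) result="${result:+$result,}$item" ;;
    esac
  done
  printf '%s' "$result"
}

# Step 3 check: does the `uaac context` output on stdin list clients.secret?
has_clients_secret() {
  scope="$(uaac_field scope)"
  case " $scope " in
    *" clients.secret "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample of `uaac client get MY_TARGET_CLIENT` output (not captured
# from a real system) so the helpers can be exercised without a UAA.
SAMPLE_CLIENT_GET='  scope: uaa.none
  client_id: MY_TARGET_CLIENT
  resource_ids: none
  authorized_grant_types: password refresh_token
  authorities: cloud_controller.read doppler.firehose
  lastmodified: 1500000000000'

# The --authorities value step 1 would send for the sample client.
demo_step1_authorities() {
  list_add clients.secret "$(printf '%s\n' "$SAMPLE_CLIENT_GET" | uaac_field authorities)"
}

# The --authorized_grant_types value step 1 would send for the sample client.
demo_step1_grant_types() {
  list_add client_credentials "$(printf '%s\n' "$SAMPLE_CLIENT_GET" | uaac_field authorized_grant_types)"
}

# Steps 1-5 against a live UAA. $1 = target client_id, $2 = name of your
# already-authenticated admin-user context (as listed by `uaac context`).
rotate_client_secret() {
  target="$1"; admin_ctx="$2"
  uaac context "$admin_ctx" >/dev/null
  info="$(uaac client get "$target")"
  orig_auths="$(printf '%s\n' "$info" | uaac_field authorities)"
  orig_grants="$(printf '%s\n' "$info" | uaac_field authorized_grant_types)"

  # Step 5, registered first: restore the original lists even if a later
  # step fails, so the temporary clients.secret grant never lingers.
  restore() {
    uaac context "$admin_ctx" >/dev/null
    uaac client update "$target" --authorities "$(to_csv "$orig_auths")" \
      --authorized_grant_types "$(to_csv "$orig_grants")"
  }
  trap restore EXIT

  # Step 1: add client_credentials and clients.secret, keeping what is there.
  uaac client update "$target" --authorities "$(list_add clients.secret "$orig_auths")" \
    --authorized_grant_types "$(list_add client_credentials "$orig_grants")"

  # Step 2: token as the client (uaac prompts for the current secret).
  uaac token client get "$target"

  # Step 3: stop unless the token really carries clients.secret.
  uaac context | has_clients_secret || { echo "token lacks clients.secret" >&2; exit 1; }

  # Step 4: change the secret (prompts for current and new secret).
  uaac secret change
}

# Usage: sh rotate-client-secret.sh MY_TARGET_CLIENT admin_user
if [ "$#" -eq 2 ]; then
  rotate_client_secret "$1" "$2"
fi
```

Because the restore function is registered with trap before step 1 runs, a wrong current secret in step 2 or a failed step 4 still ends with the client's original authorities and grant types, which is the property the Impact section below depends on.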

 

Impact

Be sure to remove the client_credentials grant type and the clients.secret authority after changing the secret. While they remain on the client, anyone who knows the current client secret can obtain a client token and change the secret themselves.

 


Additional Information

Changing a client secret is an administrative operation and should be limited to administrators.